Open brandtkeller opened 5 months ago
```mermaid
flowchart TD
    A[Report] -->|default/specified OSCAL files| B(Build Report)
    B --> C{Check for existence of models & Collect/identify Catalog}
    C -->|Components Exist| D[Component Report]
    C -->|SSP Exists| E[System Report]
    C -->|Assessment Results Exist| F[Assessment Report]
```
That makes perfect sense ^
This would evaluate the percent of controls met from provided component-definition files against the catalog (or `control-implementation.source`).

Variables at play here being that we do not have an identifier for what delineates a technical control vs an administrative control.

That said, given the processing and mapping of `implemented-requirements.control-id` against whole catalog(s) would still be valuable context and we could later support a filtering when we/oscal establish a method for performing the identification of a control as technical or administrative (or other).

Valuable context:
All of this work likely falls under a "helper" function of sorts - but could be something that is reported on more regularly when stable.
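
A sketch of the component report discussed above, added here as an illustration and not taken from the project's code. It reads "met" as "some `implemented-requirements.control-id` references the control" (an assumption), applies no technical/administrative filter, and uses hypothetical function names with constructed sample OSCAL documents.

```python
import json

# Constructed sample documents (not real catalog content), trimmed to the
# OSCAL fields this example reads.
CATALOG = json.loads("""{"catalog": {"groups": [
  {"id": "ac", "controls": [
    {"id": "ac-1"}, {"id": "ac-2", "controls": [{"id": "ac-2.1"}]}]},
  {"id": "au", "controls": [{"id": "au-2"}]}]}}""")
COMPONENT_DEFINITION = json.loads("""{"component-definition": {"components": [
  {"title": "example-component", "control-implementations": [
    {"source": "https://example.com/catalog.json", "implemented-requirements": [
      {"control-id": "ac-1"}, {"control-id": "ac-2.1"}, {"control-id": "zz-9"}]}]}]}}""")


def catalog_control_ids(node):
    """Collect control ids from nested groups, controls and enhancements."""
    ids = set()
    for group in node.get("groups", []):
        ids |= catalog_control_ids(group)
    for control in node.get("controls", []):
        ids.add(control["id"])
        ids |= catalog_control_ids(control)
    return ids


def implemented_by_source(component_definition):
    """Map control-implementation.source -> set of implemented control-ids."""
    by_source = {}
    for comp in component_definition["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            ids = by_source.setdefault(impl["source"], set())
            for req in impl.get("implemented-requirements", []):
                ids.add(req["control-id"])
    return by_source


def component_report(catalog, component_definition):
    """Per source: percent of catalog controls referenced, plus unknown ids."""
    known = catalog_control_ids(catalog["catalog"])
    report = {}
    for source, ids in implemented_by_source(component_definition).items():
        matched = ids & known
        report[source] = {
            "percent": round(100 * len(matched) / len(known), 1) if known else 0.0,
            "matched": sorted(matched),
            "not_in_catalog": sorted(ids - known),
        }
    return report
```

Reporting `not_in_catalog` separately keeps a mistyped or out-of-scope `control-id` from silently inflating the percentage.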