Open eddie-knight opened 4 months ago
Would love to participate in the follow - up discussion on design intent of control catalog.
@eddie-knight -- The issue was updated, per the 3/7/2024 discussion. Anyone should feel free to enhance and add (or delete) information above.
Would love to be part of follow-up call on this
See Security Control Framework Mappings to ATT&CK repo: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings/tree/main
and project summary: https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/nist-800-53-control-mappings/
Scoping decisions made for the NIST-800-53 to ATT&CK use case are worth discussing: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings/tree/main/frameworks/attack_12_1/nist800_53_r4
Thanks for adding context @iMichaela and the additional resources @mlysaght2017. This will help accelerate things a lot.
I'm also going to be bringing another proposal/PR to Tuesday's Steerco call related to overall project structure, which should dramatically streamline this design effort.
Great initiative, but I have concerns over the 800-53 version. Rev 4 is obsolete. We are at Rev 5 (available in OSCAL) and getting ready for another update, Rev 6 (sometime this year or so).
@eddie-knight and team - PwC UK, led by Tom Nash (thomas.nash@pwc.com), delivered a fantastic end-to-end controls assessment automation with OSCAL. Tom agreed to present their pilot to this team so the team gets a better understanding of OSCAL and the processes that can leverage it. Please let me know if I should facilitate it.
Awesome @iMichaela! Very happy to discuss this on the steerco call tomorrow.
@eddie-knight - please let me know if you need my support in the steering committee meeting for this issue. I can try to free myself and join.
Thank you @iMichaela! I think your notes here should be sufficient if you're not available.
If there's anything we can't tackle, we'll try to use this issue or a follow-up meeting to address it further.
From the discussion on 3/14, some key decisions about the outcome of the FINOS CCC work need to be captured for the next WG meeting, such as:
- group controls by mitigation
- group controls by threat
- group controls by NIST control family
- least common denominator / a set of controls that will be part of CCC
@zeal-somani, can you elaborate on the note above? In particular, the statement referring to grouping controls by NIST family. The NIST 800-53 catalog is already represented in OSCAL, and I do not recommend doing it again. Also, multi-grouping is not possible in the context of one catalog.
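The point about multi-grouping is easy to see concretely. The snippet below is an added illustration, not code from the FINOS CCC project or from NIST: it builds a small catalog in the shape of the OSCAL catalog model (nested `groups`, each holding `controls`, each control carrying `props`), keeps a single group hierarchy (here, NIST control family), and carries the other taxonomies from the list above (threat, mitigation) as control-level props that can be indexed without a second grouping. The prop names `threat-id` and `mitigation-id`, the control set, and the UUID are constructed sample values, not identifiers defined by OSCAL or CCC.

```python
"""Constructed example: one group hierarchy per OSCAL-style catalog,
alternative taxonomies carried as props on each control."""
import copy
from collections import defaultdict


# Constructed catalog. Only the JSON shape (catalog -> groups -> controls
# -> props) follows the OSCAL catalog model; every value is sample data.
def build_catalog():
    return {
        "catalog": {
            "uuid": "00000000-0000-4000-8000-000000000001",  # placeholder UUID
            "metadata": {
                "title": "Example catalog (constructed)",
                "last-modified": "2024-03-14T00:00:00Z",
                "version": "0.0.1",
                "oscal-version": "1.1.2",
            },
            "groups": [
                {"id": "ac", "title": "Access Control", "controls": [
                    {"id": "ac-2", "title": "Account Management", "props": [
                        {"name": "threat-id", "value": "T-CRED"},      # assumed prop name
                        {"name": "mitigation-id", "value": "M-IAM"}]},  # assumed prop name
                    {"id": "ac-6", "title": "Least Privilege", "props": [
                        {"name": "threat-id", "value": "T-PRIV"},
                        {"name": "mitigation-id", "value": "M-IAM"}]},
                ]},
                {"id": "ia", "title": "Identification and Authentication", "controls": [
                    {"id": "ia-5", "title": "Authenticator Management", "props": [
                        {"name": "threat-id", "value": "T-CRED"},
                        {"name": "mitigation-id", "value": "M-MFA"}]},
                ]},
                {"id": "au", "title": "Audit and Accountability", "controls": [
                    {"id": "au-6", "title": "Audit Record Review", "props": [
                        {"name": "threat-id", "value": "T-PRIV"},
                        {"name": "mitigation-id", "value": "M-MON"}]},
                ]},
            ],
        }
    }


def iter_controls(groups):
    """Yield (group_id, control) for every control in a possibly nested group tree."""
    for group in groups:
        for control in group.get("controls", []):
            yield group["id"], control
        yield from iter_controls(group.get("groups", []))


def index_by_prop(catalog, prop_name):
    """Map each distinct value of `prop_name` to the sorted control ids carrying it.

    This is how a second taxonomy (threat, mitigation) is served from a
    catalog that is physically grouped only once.
    """
    index = defaultdict(list)
    for _, control in iter_controls(catalog["catalog"].get("groups", [])):
        for prop in control.get("props", []):
            if prop["name"] == prop_name:
                index[prop["value"]].append(control["id"])
    return {value: sorted(ids) for value, ids in sorted(index.items())}


def duplicate_control_ids(catalog):
    """Return control ids that appear under more than one group.

    Listing the same control in two groups is the 'multi-grouping' that a
    single catalog cannot express cleanly; flag it as a defect.
    """
    seen = defaultdict(list)
    for group_id, control in iter_controls(catalog["catalog"].get("groups", [])):
        seen[control["id"]].append(group_id)
    return sorted(cid for cid, groups in seen.items() if len(groups) > 1)


def build_multigrouped_catalog():
    """Constructed negative case: ac-2 copied into a second group."""
    bad = copy.deepcopy(build_catalog())
    ac2 = bad["catalog"]["groups"][0]["controls"][0]
    bad["catalog"]["groups"][2]["controls"].append(copy.deepcopy(ac2))
    return bad


if __name__ == "__main__":
    cat = build_catalog()
    print("by threat:", index_by_prop(cat, "threat-id"))
    print("by mitigation:", index_by_prop(cat, "mitigation-id"))
    print("duplicates (good):", duplicate_control_ids(cat))
    print("duplicates (bad):", duplicate_control_ids(build_multigrouped_catalog()))
```

The design choice here is that the catalog's `groups` tree answers exactly one question (which family does a control belong to), while `index_by_prop` answers the others on demand; a catalog that tries to answer two questions with its group tree ends up duplicating control ids, which `duplicate_control_ids` reports.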
This issue will be closed as stale in 7 days. Please update this issue if it is still needed.
Feature Request
This was drafted in collaboration with @iMichaela.
This may relate to #131.
Description of Problem:
We currently have a blocker for OSCAL development stemming from a lack of clarity around FINOS' assurance process, which needs to be supported by the information captured in the CCC catalog and by the way that information is represented in OSCAL.
Potential Solutions:
We should have a dedicated design session with the maintainers, steering committee, and any interested community members to dive into this issue and clear the blocker.
Before the design session, decisions need to be made and considerations need to be addressed for the design session to be efficient, and for all of us, collectively, to move the project forward.
Additional Considerations
Decisions that would trigger different approaches for representing the catalog in OSCAL:
Decisions that would affect who does what and where the work takes place: