Closed mlysaght2017 closed 1 month ago
@mlysaght2017 - props and links and stored as external artifacts for flexibility, in case they have distinct life cycles. QUESTION: How will the Component Definition in MD be re-formatted in OSCAL to be useful and consumed by any GRC tool of choice that 'speaks' OSCAL? Any vision here, or do we need to brainstorm and build the tool?
This issue will be closed as stale in 7 days. Please update this issue if it is still needed.
Closed as stale. An update may reopen this issue.
Feature Request
Description of Problem:
The PoC aims to help decision-making related to #139.
It is still unclear how we want to assess the security of services and how OSCAL should be used as part of that assessment. This PoC will investigate how the OSCAL Control Layer (Catalog Model and Profile Model) and Implementation Layer (Component Definition Model) can be used when the logical controls and their associated control objectives are represented in the CCC catalog.
Potential Solutions:
OSCAL Control Layer:
Catalog:
This approach will have the following information in one OSCAL CCC Catalog:
A secondary threat-centric analysis can then be performed (automatically), reporting on which threats are properly defended by bridging the controls to MITRE ATT&CK TTPs via existing mappings (where they exist).
OSCAL Implementation Layer:
Component Definition:
This approach will have the following information in the OSCAL Component Definition for each service:
DoD: