jenglish / ssptool

nodejs / express application for working with OpenControl data
MIT License
3 stars, 5 forks

Set of partials == complete? #13

Open git-ingham opened 5 years ago

git-ingham commented 5 years ago

It would be nice to somehow tell ssptool that a set of partial coverages results in a complete solution.

For example, suppose we look at "Limit system access to authorized users" (800-171 3.1.1), and we apply it to desktop users. Part of the solution comes from the security policy saying this is required, but that, by itself, is not sufficient. Part of the solution comes from the system configuration that requires authentication. Again, that, by itself, is good, but not sufficient. We also want a regular configuration audit that verifies that the configuration is actually applied and active. The combination of all three of these means the issue is covered.

It might be that I need to change how I have set up the OpenControl data. I am trying to split it out by various parts (security policy, Active Directory configuration, audit, etc.). At one of my customer organizations, they have different roles responsible for these different parts, and it is convenient for each role to have an OpenControl set for which that person is responsible.

Thanks

jenglish commented 5 years ago

This is an interesting question! TBH I don't really have any good ideas how to represent this with the OpenControl data model.

(We have a similar problem here, sort of the converse though: in our case, we have a centrally-managed IA system for all the Linux machines, but not for our Windows boxes. But when it comes time to fill out an 800-171 compliance checklist, ssptool reports 3.1.1 as "complete" because we did implement that control, just not for every subsystem in the organization.)

git-ingham commented 5 years ago

I opened this discussion over here. I will close this one.

git-ingham commented 5 years ago

@jenglish It looks like in the schema for components, there is a covered_by key. I can place the appropriate reference into the component.yaml to reference a partial coverage. However, nothing seems to use this. I do not see it showing up anywhere in the ssptool web site.

There is also the control_origins key with inherited as a possible value. Again, nothing seems to use this.

git-ingham commented 5 years ago

A follow-up note is that there is no discussion over in opencontrol/discuss. I did find a related question from two years ago that seems to also be going nowhere.

jenglish commented 5 years ago

I wasn't sure what covered_by was intended to represent. Going by the kwalify schema, it appears that it's a reference to a Verification record in another Component. ssptool doesn't do anything with Verifications either.
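One way to express the opening post's idea (three partial implementations rolling up to a complete 3.1.1) together with the converse case from the second comment (a component marked "complete" that only covers the Linux hosts), as an added example in ssptool's own language. This is not code from ssptool or from the OpenControl project. Only the field names (`satisfies`, `standard_key`, `control_key`, `implementation_status`, `covered_by`, `verifications`) come from the OpenControl component schema the thread refers to; the `coverageSets` manifest, the component and verification names, the sample narratives and the roll-up rule are assumptions made for this example. Following the reading of the kwalify schema in the last comment, each `covered_by` entry is also resolved against the Verification records of the component it names, and a dangling reference keeps the control at "partial".

```javascript
'use strict';

// Constructed sample data standing in for four component.yaml files: the
// policy / directory-config / audit split from the opening post and the
// Linux-only IA component from the second comment. Field names follow the
// OpenControl component schema; the contents are made up for this example.
const components = {
  'security-policy': {
    satisfies: [{
      standard_key: 'NIST-800-171', control_key: '3.1.1',
      implementation_status: 'partial',
      narrative: 'Policy requires authentication before system access.',
    }],
  },
  'ad-config': {
    satisfies: [{
      standard_key: 'NIST-800-171', control_key: '3.1.1',
      implementation_status: 'partial',
      narrative: 'Group Policy enforces domain logon on desktops.',
      // covered_by points at a Verification record in another component
      covered_by: [{ component_key: 'config-audit', verification_key: 'logon-gpo-audit' }],
    }],
  },
  'config-audit': {
    verifications: [{ key: 'logon-gpo-audit', name: 'Weekly GPO audit', type: 'TEST' }],
    satisfies: [{
      standard_key: 'NIST-800-171', control_key: '3.1.1',
      implementation_status: 'partial',
      narrative: 'Weekly audit confirms the logon policy is applied and active.',
    }],
  },
  'linux-ia': {
    satisfies: [{
      standard_key: 'NIST-800-171', control_key: '3.1.1',
      implementation_status: 'complete',
      narrative: 'Central IA for all Linux hosts.',
    }],
  },
};

// Hypothetical "coverage set" manifest, NOT part of the OpenControl schema:
// for a control and a scope, the components that must each claim at least
// partial coverage before the control counts as complete for that scope.
const coverageSets = {
  'NIST-800-171/3.1.1': {
    'desktop-users': ['security-policy', 'ad-config', 'config-audit'],
    'all-servers': ['linux-ia', 'windows-ia'],
  },
};

// A component's satisfies entry for one control, or undefined.
function findSatisfies(component, standardKey, controlKey) {
  const entries = (component && component.satisfies) || [];
  return entries.find((s) => s.standard_key === standardKey && s.control_key === controlKey);
}

// covered_by references whose verification_key does not exist in the
// verifications list of the component they name.
function brokenReferences(entry, comps) {
  return (entry.covered_by || []).filter((ref) => {
    const target = comps[ref.component_key];
    const verifications = (target && target.verifications) || [];
    return !verifications.some((v) => v.key === ref.verification_key);
  });
}

// Roll the set up: 'complete' only when every required component contributes
// and every covered_by reference resolves; 'partial' otherwise; 'none' when
// nothing in the set claims the control at all.
function evaluateCoverage(standardKey, controlKey, scope,
                          comps = components, sets = coverageSets) {
  const required = (sets[`${standardKey}/${controlKey}`] || {})[scope];
  if (!required) throw new Error(`no coverage set for ${controlKey} / ${scope}`);
  const missing = [];
  const brokenRefs = [];
  for (const key of required) {
    const entry = findSatisfies(comps[key], standardKey, controlKey);
    const claimed = entry && ['partial', 'complete'].includes(entry.implementation_status);
    if (!claimed) { missing.push(key); continue; }
    brokenRefs.push(...brokenReferences(entry, comps).map((r) => ({ from: key, ...r })));
  }
  const present = required.length - missing.length;
  const status = present === 0 ? 'none'
    : (missing.length === 0 && brokenRefs.length === 0) ? 'complete' : 'partial';
  return { status, missing, brokenRefs };
}

// Stand-alone run: the three desktop partials roll up to complete, while the
// lone 'complete' Linux component still reports partial because the set also
// names a windows-ia component that does not exist.
for (const scope of ['desktop-users', 'all-servers']) {
  console.log(scope, JSON.stringify(evaluateCoverage('NIST-800-171', '3.1.1', scope)));
}
```

Run it with `node`. Keeping the manifest outside the component files is deliberate: each role still owns only its own component.yaml, and the rule that says which components together discharge a control lives in one place that a compliance checklist generator can read.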