Open git-ingham opened 5 years ago
This is an interesting question! TBH I don't really have any good ideas how to represent this with the OpenControl data model.
(We have a similar problem here, sort of the converse though: in our case, we have a centrally-managed IA system for all the Linux machines, but not for our Windows boxes. But when it comes time to fill out an 800-171 compliance checklist, ssptool reports 3.1.1 as "complete" because we did implement that control, just not for every subsystem in the organization.)
I opened this discussion over here. I will close this one.
@jenglish It looks like in the schema for components, there is a covered_by key. I can place the appropriate reference into the component.yaml to reference a partial coverage. However, nothing seems to use this. I do not see it showing up anywhere in the ssptool web site.
There is also the control_origins key with inherited as a possible value. Again, nothing seems to use this.
A follow-up note is that there is no discussion over in opencontrol/discuss. I did find a related question from two years ago that seems to also be going nowhere.
I wasn't sure what covered_by was intended to represent. Going by the kwalify schema, it appears that it's a reference to a Verification record in another Component. ssptool doesn't do anything with Verifications either.
It would be nice to somehow tell ssptool that a set of partial coverage results in a complete solution.
For example, suppose we look at "Limit system access to authorized users" (800-171 3.1.1), and we apply it to desktop users. Part of the solution comes from the security policy saying this is required, but that, by itself, is not sufficient. Part of the solution comes from the system configuration that requires authentication. Again, that, by itself is good, but not sufficient. We also want a regular configuration audit that verifies that the configuration is actually applied and active. The combination of all three of these means the issue is covered.
It might be that I need to change how I have set up the OpenControl data. I am trying to split it out by various parts (security policy, active directory configuration, audit, etc). At one of my customer organizations, they have different roles responsible for these different parts, and it is convenient for each role to have an OpenControl set for which that person is responsible.
Thanks
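The roll-up described in this thread, as an added example that is not ssptool's or OpenControl's code: it takes the satisfies entries of several component.yaml files (embedded here as already-parsed dicts) and reports a control complete only when every component in a required set covers it, so the split 3.1.1 case and the Linux-only case above both come out as partial. The REQUIRED_PARTS mapping is a hypothetical policy file; OpenControl has no such key.

```python
# Added example (not ssptool or compliance-masonry code): roll up the
# `satisfies` entries of several OpenControl component.yaml files so a control
# counts as complete only when every component in a required set reports it.
# REQUIRED_PARTS is a hypothetical policy file; OpenControl has no such key.

def satisfies(control, status, standard="NIST-800-171"):
    # Shape of one `satisfies` entry in an OpenControl v3 component.yaml.
    return {"standard_key": standard, "control_key": control,
            "implementation_status": status}

# Constructed sample: already-parsed component.yaml contents. 3.1.1 is split
# across policy, AD configuration and audit; 3.1.2 is done for Linux only.
COMPONENTS = [
    {"key": "security-policy", "satisfies": [satisfies("3.1.1", "partial")]},
    {"key": "ad-config", "satisfies": [satisfies("3.1.1", "partial")]},
    {"key": "config-audit", "satisfies": [satisfies("3.1.1", "planned")]},
    {"key": "linux-ia", "satisfies": [satisfies("3.1.2", "complete")]},
]

# Component keys that must all cover a control before it is complete.
REQUIRED_PARTS = {
    "3.1.1": {"security-policy", "ad-config", "config-audit"},
    "3.1.2": {"linux-ia", "windows-ia"},
}

COVERING = {"partial", "complete"}  # statuses that count as in place today

def statuses_for(components, control, standard="NIST-800-171"):
    """Map component key -> implementation_status for one control."""
    found = {}
    for comp in components:
        for sat in comp.get("satisfies", []):
            if sat["standard_key"] == standard and sat["control_key"] == control:
                found[comp["key"]] = sat.get("implementation_status", "none")
    return found

def rollup(components, control, required=REQUIRED_PARTS):
    """Return (status, missing_parts) with status in complete/partial/none."""
    found = statuses_for(components, control)
    covered = {k for k, s in found.items() if s in COVERING}
    parts = required.get(control)
    if parts is None:
        # No roll-up policy: keep the any-component-wins behaviour.
        status = ("complete" if "complete" in found.values()
                  else "partial" if covered else "none")
        return status, set()
    missing = parts - covered
    status = "complete" if not missing else "partial" if covered else "none"
    return status, missing
```

With the sample data, rollup(COMPONENTS, "3.1.1") returns partial with config-audit still missing, and 3.1.2 is partial until a windows-ia component reports it.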