Closed yruss972 closed 3 years ago
An additional thought: the AND mappings could be used to enhance the completion status report, so that a component implementing a subset of the required controls would get a partial status vs. complete, etc.
Control mappings are a somewhat fuzzy concept. The introductory paragraphs in SP 800-171 Appendix D state that the mapping tables are for informational purposes only, and (paraphrasing) that mapped controls are not in strict correspondence with requirements. CMMC has similar language.
My current thinking is that ssptool should split the satisfies relation into two separate relations: satisfies and implementation_status.
verifications (which ssptool does not currently use).

Firstly, thanks for all the hard work :) Regarding control mappings, I see multiple use cases:
About the auditor's role and the split between relevant/satisfying, maybe another implementation status would be good, i.e. in_review, proposed, or proposed complete, meaning the organization thinks it is sufficient, and then completed would only be used once the auditor accepts the proposals.
I see the verification keys as all the pieces of evidence to be provided to the auditor and I'm working to have those all automatically collected continuously using pipelines running on our opencontrol repos. I would definitely like to see them included.
Assuming a certification mapping alternate standards like this:
This is interpreted so that any of the MY-TSC controls can satisfy the parent TSC control.
It would be cool if we could use a syntax like:
to say that if we satisfy ((CC6.1.1 AND CC6.1.2) OR CC6.1.3 OR CC6.1.4), then we satisfy CC6.1.
I'm not sure if there are any accepted patterns for how to do this in the YAML world; it might be nice to specify the operator, i.e.:
The AND would be very useful in rolling up controls which have been broken down. The XOR would be useful in alternate exclusive controls, i.e. MFA vs. two-man rule, etc.
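One way such an operator rollup could be evaluated, including the partial-vs-complete status idea from earlier in the thread, as an added Python example that is not part of the thread, ssptool or OpenControl; the `all`/`any`/`one_of` operator keys and the CC6.1 mapping are assumed here for illustration:

```python
"""Added example: evaluating a hypothetical boolean control-mapping rollup.

The operator syntax below (keys 'all', 'any', 'one_of') is an assumption for
illustration only; it is not OpenControl or ssptool syntax.
"""
from typing import Dict, Set, Union

# A mapping node is either a control id string or a single-key dict whose key
# is an operator and whose value is a list of child nodes.
Node = Union[str, Dict[str, list]]


def rollup(node: Node, satisfied: Set[str]) -> bool:
    """Return True when the set `satisfied` fulfils the mapping expression `node`."""
    if isinstance(node, str):
        return node in satisfied
    (op, children), = node.items()
    results = [rollup(child, satisfied) for child in children]
    if op == "all":        # AND: every child must hold (rolled-up sub-controls)
        return all(results)
    if op == "any":        # OR: at least one child holds
        return any(results)
    if op == "one_of":     # XOR-style: exactly one exclusive alternative holds
        return results.count(True) == 1
    raise ValueError(f"unknown operator {op!r}")


def leaves(node: Node) -> Set[str]:
    """All control ids referenced anywhere in a mapping expression."""
    if isinstance(node, str):
        return {node}
    (_, children), = node.items()
    return set().union(*(leaves(child) for child in children))


def status(node: Node, satisfied: Set[str]) -> str:
    """'complete' if the expression holds, 'partial' if some referenced
    controls are satisfied but the expression does not hold, else 'none'."""
    if rollup(node, satisfied):
        return "complete"
    return "partial" if leaves(node) & satisfied else "none"


# Constructed mapping for the thread's example:
# (CC6.1.1 AND CC6.1.2) OR CC6.1.3 OR CC6.1.4  ->  CC6.1
CC6_1 = {"any": [{"all": ["CC6.1.1", "CC6.1.2"]}, "CC6.1.3", "CC6.1.4"]}

if __name__ == "__main__":
    print(status(CC6_1, {"CC6.1.1"}))             # partial
    print(status(CC6_1, {"CC6.1.1", "CC6.1.2"}))  # complete
```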