Open michaeldavie-amzn opened 3 weeks ago
Yes. You can add new controls in a new catalog. You would then import both the original and the new catalog in the same OSCAL profile. Once resolved, the resulting catalog would contain selected controls from both source catalogs.
I've captured the extra controls in a separate catalog, but for some reason the controls in the second catalog (only) are being imported twice. Below is a snippet from the profile.
```json
"imports": [
  {
    "href": "NIST_SP-800-53_rev5_catalog.json",
    "include-all": {},
    "exclude-controls": [
      {
        "with-ids": ["sc-19"]
      }
    ]
  },
  {
    "href": "cccs-catalog.json",
    "include-all": {}
  }
],
"merge": {
  "as-is": true
},
```
I'll look into this. It might be a bug.
It would be helpful if someone could help create a PR with a unit test to reproduce this error.
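A check for the symptom reported in this thread, as an added example that is not part of the issue or of oscal-cli: it walks a resolved OSCAL catalog in JSON and lists every control id that appears more than once, with where each copy sits. The sample catalog, its `cccs` group and the id `ac-17.400` are constructed for illustration and are not real oscal-cli output.

```python
import json
import sys


def iter_control_ids(node, path="catalog"):
    """Yield (control id, parent location) for every control under an OSCAL
    catalog, group or control object, including nested groups/enhancements."""
    for group in node.get("groups", []):
        yield from iter_control_ids(group, f"{path}/group:{group.get('id', '?')}")
    for control in node.get("controls", []):
        cid = control.get("id", "?")
        yield cid, path
        # Control enhancements are nested under the parent's own "controls".
        yield from iter_control_ids(control, f"{path}/control:{cid}")


def duplicate_controls(resolved):
    """Return {control id: [locations]} for ids present more than once."""
    locations = {}
    for cid, where in iter_control_ids(resolved["catalog"]):
        locations.setdefault(cid, []).append(where)
    return {cid: locs for cid, locs in locations.items() if len(locs) > 1}


# Constructed sample: one control from the second catalog appears twice.
SAMPLE_RESOLVED = {"catalog": {"groups": [
    {"id": "ac", "controls": [
        {"id": "ac-17", "controls": [{"id": "ac-17.1"}]},
    ]},
    {"id": "cccs", "controls": [  # hypothetical group id
        {"id": "ac-17.400"},
        {"id": "ac-17.400"},
    ]},
]}}

if __name__ == "__main__":
    # Pass the path of a resolved catalog, or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            resolved = json.load(fh)
    else:
        resolved = SAMPLE_RESOLVED
    dups = duplicate_controls(resolved)
    for cid, locs in sorted(dups.items()):
        print(f"{cid}: {len(locs)} copies under {', '.join(locs)}")
    sys.exit(1 if dups else 0)
```

The non-zero exit status on duplicates lets the same check serve as an assertion in a reproduction test.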
The Canadian Centre for Cyber Security publishes a modified version of NIST 800-53. While I have been able to capture most of their modifications in an OSCAL profile using the `alters` functionality, in some cases they have added new controls such as AC-17(400). Is there a way to capture these additional controls in a separate OSCAL catalog, and for `oscal-cli` to merge them into their existing NIST 800-53 structure?