Open vanessuniq opened 2 years ago
Would like to discuss this one further to understand what we are changing.
@aaronlippold or @ejaronne can better explain this.
My understanding is that these are not security controls, but requirements that help to fulfill a security control.
I guess I would still call them controls vs. requirements. The requirement is part of the control at this point?
Also I'm sure there is a lot of plumbing that refers to controls.
The suggested update was for the UX only, to deconflict the NIST control with the SRG 'requirement'. No backend changes, just trying to clarify communication to the user. Let's put this PR as draft and we can talk about it as a team on our next sync call.
Requirement, item, control, etc.: what communicates the elements from the SRG best to the Vulcan end-user without them having to ask 'is that the same as the NIST Control' or 'you know NIST has controls as well...'
Saw this and thought I would post it as a further data point. I still feel once a component is created in Vulcan those are controls at that point based on requirements. I don't think it should be confusing to understand that there are different frameworks involved that map to each other and that terminology and the context in which the terms are used matters.
Is this still under discussion? Should I move forward and replace the term or close this issue? @rlakey @aaronlippold @ejaronne
I thought we generally agreed, but happy to double check.
We did not agree to this.
Change the term 'control' in components to 'requirements' to deconflict the concept of unit testing controls (using InSpec) from the security controls from NIST.