Open rafael5 opened 5 years ago
Having OpenControl Components also serve as (essentially) survey templates would be a pretty major expansion. This feels out of scope to me - curious to hear from others.
If OpenControl cannot integrate the risk assessment questionnaires to controls - which is the largest component of what agencies do now with heavyweight tools like RiskVision and eMASS - then there is no argument to replace those heavyweight tools with something more lightweight like OpenControl.
It won't be possible to see OpenControl as an alternative without this feature.
NIST OCIL was specifically developed for interactive checklist content (part of the SCAP portfolio of standards).
Have you had a chance to review OCIL?
On Mar 25, 2019, at 9:04 AM, Aidan Feldman notifications@github.com wrote:
Having OpenControl Components also serve as (essentially) survey templates would be a pretty major expansion. This feels out of scope to me - curious to hear from others.
I am looking at OCIL now. Thank you!
https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/ocil
cc #58
My review of the VA's risk assessment questionnaire shows there are at least three types of answer responses.
Recommendations
If the YAML scheme does not have these three data response types, it will need to be extended to do so.
The YAML scheme also needs to provide the capability for data quality validation (i.e. for NULL, REQUIRED, MIN=1, MAX=1 responses) via scripts.
See the specific example of the three question response types, with data validation specified. This example is from RiskVision:
RiskVision Q&A Scheme
Survey Header
Question-Response Items