Spiral 4: Create draft of responsibility model.

usnistgov / OSCAL-DEFINE

Develop Enhancements, Future Implementations and New Education

Other

12 stars 6 forks source link

Spiral 4: Create draft of responsibility model. #17

Open Compton-US opened 1 year ago

Compton-US commented 1 year ago

This issue covers work for the spiral supporting Effort https://github.com/usnistgov/OSCAL-DEFINE/issues/5

Compton-US commented 1 year ago

This is a very important thread to thoroughly consider in this spiral: https://github.com/usnistgov/OSCAL/issues/1300

Compton-US commented 11 months ago

Additional input needed to go into the document, but the latest spiral was moved out of my personal fork into the project for visibility, will add changes/updates to the branch referenced below.

https://github.com/usnistgov/OSCAL-DEFINE/blob/research-responsibility-model-spiral-4/research-2023/effort-responsibility-sharing/2023-05-01.004.md

Compton-US commented 11 months ago

Preliminary brief and discussion around CRM support in OSCAL.

briefing-2023-08-23.pdf

Compton-US commented 11 months ago

Consider trying this in working branch as a concept for export.

david-waltermire commented 11 months ago

@Compton-NIST The intent of the export is to provide a container for descriptive data that is to be made public, while the data in the containing object can be kept private. This gives SSP authors the ability to have BOTH public and private information. This mirrors capabilities that are available in GRC tools today.

While deprecating the use of export and providing an exportable flag is simple, at face value it looks like the descriptive information can only be public or private. Under this solution, how would an SSP author represent both public and private information? This is not clear from the examples in your briefing.

Compton-US commented 11 months ago

@david-waltermire-nist Thanks for this. More depth is on the way, and I can demonstrate this concept of public vs private. I have a round of feedback to process, and I'll share updates here. Hopefully by end of this week.

iMichaela commented 11 months ago

@Compton-NIST - Please find below some food for thoughts. I summarized the proposal discussed and then try to look at a DB scenario documented as CDef ->used in SaaS SSP -> with provided and responsibilities -> carried into PaaS CRM -> leveraged in SaaS SSP where some responsibilities are satisfied, others are passed on to -> SaaS CRM for the Client SSP.

Let's discuss tomorrow some concerns I tried to capture. I included the usnistgov/OSCAL/#1300 issue to discuss it since it makes sense for the CRM to document the implementation-status similar to the SSP.

Compton-US commented 11 months ago

Latest briefing on state of the modeling.

Note that there is awareness of the uuid concerns noted above, but for now I'm assuming CDef as a pass through for the identifiers that should exist in the SSPs. I'm minimized those in the diagrams to focus on the essential parts. Technically, the CDef should not be required if full SSPs are shared.

~briefing-2023-08-31.pdf~. See below.

Compton-US commented 11 months ago

Updated with corrections to a few identifiers in the Application Owner SSP. briefing-2023-08-31.pdf

Compton-US commented 9 months ago

To Do:

[ ] Need to add context in the SSP and CDef models so that visitors to the reference understand the intentions in the prototype.