Spiral: Determine approach to documenting in the SSP and Component Definition a mapped control or statement.

[iMichaela]

Problem Statement

The mapping of controls or statements of controls is needed in the SSP and possibly Component Definition so the results of the assessment against one regulatory framework can be used to automatically infer the compliance status against other mapped frameworks.

For each control satisfaction, by-component, a mapping-record assembly is needed to document:

• the mapping relation (by uuid) to other control(s)
• the mapping document (by uuid) where the above mapping is to be found
• the locally tailored relation based on the control/statement implementation
• evidence requirements when different
• anything else?

[iMichaela]

A mapping-record assembly which allows documenting a particular mapping relation for a control-implementation/implemented-requirements/by-components or control-implementation/implemented-requirements/statements/by-components needs to be researched and added to the SSP model and potentially to CDef model as well.