usnistgov / OSCAL-DEFINE

Develop Enhancements, Future Implementations and New Education

SSP system characteristics needs to be expanded to support multiple frameworks #34

Open nikitawootten-nist opened 1 year ago

nikitawootten-nist commented 1 year ago

Problem Statement

We are interested in reworking the System Security Plan (SSP)'s system characteristics to support categorization frameworks other than fips-199. Currently the system characteristics assemblies expect users to record categorization data for a given information-type following the CIA triad of impacts and expect the user to respond with fips-199-low, -moderate, or -high. This design does not allow for users to record impacts that do not fit into the CIA triad, such as having dedicated privacy impact values. Additionally, authors writing additional OSCAL constraints would benefit from a field communicating the system categorization framework.

This issue was originally raised during the OSCAL Workshop, and in the issue https://github.com/usnistgov/OSCAL/issues/1795.
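
The limitation described in this issue, as an added example that is not code from the issue or from the OSCAL project: a small check over an SSP JSON fragment that reports what the CIA-only, fips-199-only model cannot hold. The sample data is constructed, the key names assume the OSCAL SSP JSON layout, and `privacy-impact` is a hypothetical field, not part of OSCAL.

```python
import json

# Values the issue says the current model expects for each CIA impact.
FIPS_199 = {"fips-199-low", "fips-199-moderate", "fips-199-high"}
CIA_FIELDS = ("confidentiality-impact", "integrity-impact", "availability-impact")

# Constructed SSP fragment (not from a real system). "privacy-impact" is a
# hypothetical field used to show an impact outside the CIA triad.
SAMPLE_SSP = json.loads("""
{"system-security-plan": {"system-characteristics": {"system-information": {
  "information-types": [
    {"title": "Payroll records",
     "confidentiality-impact": {"base": "fips-199-moderate"},
     "integrity-impact": {"base": "fips-199-moderate"},
     "availability-impact": {"base": "fips-199-low"}},
    {"title": "Patient intake forms",
     "confidentiality-impact": {"base": "fips-199-high"},
     "integrity-impact": {"base": "severe"},
     "privacy-impact": {"base": "high"}}
  ]}}}}
""")

def check_information_types(ssp):
    """Return (title, field, problem) findings for each information type."""
    info = ssp["system-security-plan"]["system-characteristics"]["system-information"]
    findings = []
    for it in info.get("information-types", []):
        title = it.get("title", "<untitled>")
        for field in CIA_FIELDS:
            if field not in it:
                findings.append((title, field, "missing"))
            elif it[field].get("base") not in FIPS_199:
                findings.append((title, field, "non-fips-199 value"))
        # Any other *-impact key is outside the triad and has no slot today.
        for key in it:
            if key.endswith("-impact") and key not in CIA_FIELDS:
                findings.append((title, key, "outside CIA triad"))
    return findings

if __name__ == "__main__":
    for finding in check_information_types(SAMPLE_SSP):
        print(*finding, sep=": ")
```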