Open fchiarini opened 9 months ago
@fchiarini - Thank you for submitting this research issue. I believe this is an interesting idea and I would like to encourage you and your team to contribute and develop the HVT catalog of controls and any derived profile(s) you find suitable. While what you are providing as an example is not OSCAL, we are confident OSCAL can already represent the HVT controls and profile(s) you are proposing. We are here to support you or any community member interested in generating information in OSCAL and making it available publicly. I cannot emphasize enough the excitement of seeing the community coming with new ideas and offering to work towards accomplishing them.
Problem Statement
High Value Targets (HVTs) are information systems for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to an organization's ability to perform its mission or conduct business. NIST 800-160 and MITRE CREF define a set of defensive controls (a subset of NIST 800-53, for which profiles are already in place); however, they fail to be applied by the cybersecurity community because of their complexity and the lack of regulator interest in mandating them (possibly again due to complexity). For this reason, focusing on the assets that matter most to advanced cyber adversaries (i.e. High Value Targets) is the most important step for any organization wanting to define and execute a threat-informed and risk-aware security strategy.
I have been collaborating with MITRE (as part of MITRE CREF) and ResilienCyCon since 2022 on the concept of High Value Target. In 2023 I launched the concept of Cyber Resilience Officer, which is the role that would be in charge, within an organization, of such an OSCAL-defined control profile for HVTs. The concept got endorsed by NIST NICE and a Cyber Resiliency competency area is being added. In addition, the HVT concept is part of the OASIS Indicators of Behavior work now, and a proposal for the addition of HVT attributes is on the table for STIX/TAXII.
More about High Value Target: www.highvaluetarget.org
More about Cyber Resilience Officer: www.cyberresilienceofficer.org
As an example (please bear in mind I am not an OSCAL expert yet):

```xml
<?xml version="1.0" encoding="UTF-8"?>
```
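The maintainer's reply states that OSCAL can already express an HVT control selection as a profile layered on the NIST 800-53 catalog. The following is an added illustration of what such a profile looks like in OSCAL's XML profile model; it is not the issue author's elided example and not content from the OSCAL project. The UUID, the catalog `href`, the profile title and the particular control ids chosen (`ac-2`, `cp-10`, `ir-4`, `ra-3`, `sc-7`, which are real 800-53 Rev. 5 control ids) are assumptions made for the sake of the example, not an HVT control set defined by NIST 800-160 or MITRE CREF.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an OSCAL profile; not the issue author's or the OSCAL project's own content. -->
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
         uuid="00000000-0000-4000-8000-000000000000"> <!-- placeholder UUID: generate a real v4 UUID -->
  <metadata>
    <title>High Value Target (HVT) baseline profile (example)</title>
    <last-modified>2024-01-01T00:00:00Z</last-modified>
    <version>0.1</version>
    <oscal-version>1.1.2</oscal-version>
  </metadata>

  <!-- The profile does not copy controls; it imports them from a source catalog.
       The href below is a placeholder: point it at the NIST SP 800-53 Rev. 5 OSCAL catalog. -->
  <import href="NIST_SP-800-53_rev5_catalog.xml">
    <!-- Select only the controls the HVT profile considers mandatory.
         The ids here are an assumed selection, chosen for illustration. -->
    <include-controls>
      <with-id>ac-2</with-id>   <!-- Account Management -->
      <with-id>cp-10</with-id>  <!-- System Recovery and Reconstitution -->
      <with-id>ir-4</with-id>   <!-- Incident Handling -->
      <with-id>ra-3</with-id>   <!-- Risk Assessment -->
      <with-id>sc-7</with-id>   <!-- Boundary Protection -->
    </include-controls>
  </import>

  <!-- Keep the catalog's own grouping structure when the profile is resolved. -->
  <merge>
    <as-is>true</as-is>
  </merge>
</profile>
```

When this profile is resolved against the imported catalog, the result is a catalog containing only the selected controls (with their statements, parameters and guidance carried over), which is the form in which an HVT control set can then be referenced by system security plans and assessment plans.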