Closed aj-stein-nist closed 10 months ago
work is being done here: https://hackmd.io/zUxatAFfQaesBVGA6eY6jQ
Moving to Sprint 77.
Finished the proposed value stream inventory. @Arminta-Jenkins-NIST and others, please review https://hackmd.io/zUxatAFfQaesBVGA6eY6jQ . If the content is OK, we can move it here in the issue.
Although this is not technically done, it is very close. We will talk about moving this forward in sprint planning.
During sprint review today, the team agreed that the inventory itself is complete, which is the core of this issue. New issues to build out the gaps in tutorials needs to be completed outside of this ticket, and acceptance criteria around socialization of this work and publication on the website were not done. These will be added to a follow-on issue.
Sprint review. This issue is done and we will close it after adding checkboxes. Will adjust #1688 to adapt and plan next work
Aligned with [#1688] (https://github.com/usnistgov/OSCAL/issues/1688). See: Original HackMD
This document aims to capture a list of value streams for OSCAL adopters of how to use OSCAL models as part of any system security assurance/assessment, risk management or data governance program. A value stream is a thematic collection of work items, varying in scope of work by quantity or quality (large epics to small issues), related to the same theme in that work.
The list is partial, not exhaustive. We would like to hear from readers and community members on ways they have found to use OSCAL models, together or separately, to accomplish their goals.
:::info NOTE: Each use case is designated with a number to make it easier to reference. Additionally, use cases show which OSCAL models support them with their abbreviations or acronyms, for example CDEF for 'component definition'. :::
Use Case | Models |
---|---|
UC1 | Controls |
UC2 | Control Statements |
UC3 | Policy Requirements |
UC4 | Text |
UC5 | CDef, SSP |
UC6 | SSP |
UC7 | AP |
UC8 | AR |
UC9 | POA&M |
UC10 | CDef |
*[(OSCAL) control statement]: an actionable element in an OSCAL control.
:::info (OSCAL) In OSCAL, a control describes and documents a requirement, policy, method, countermeasure or guideline bearing on a system or data security or privacy. Because requirements can be defined at many levels of specificity, many control regimens support information hierarchies within and among controls (for example: controls and control enhancements in NIST SP 800-53), and OSCAL supports this. Controls themselves can often be decomposed into parts or line items, which can be called "control statements." :::
Requirements are usually externally or internally imposed mandates such as laws, regulations, contractual obligations and even internal policies
Controls are safeguards and countermeasures identified and required to be implemented or which are employed to reduce identified risk below the treshole level. Controls are step-by-step procedures applied to address risk.
Work will continue in 1688.
User Story
As a developer, integrator, or technologist that is a very novice user to OSCAL, in order to understand minimally viable context for implementing support for it in my software, I want a list of value streams on the website that identify how I use OSCAL models, in part or in whole, as part of my governance program.
Goals
NOTE: Examples at a first WIP attempt of doing so can be found in this draft document related to usnistgov/OSCAL#1688.
Dependencies
No response
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions