Open kscarfone opened 7 years ago
aj-stein-nist
commented
1 year ago Actually we may want to discuss this during an upcoming triage meeting: this historic seems to describe profiles and profile resolution at the high level, it is not clear what else we should do with in this area that is not already covered with it and/or mapping and other predefined efforts. This is very open-ended, and I do not even recall why I labelled it research earlier this year. I will ask the team to review.
iMichaela
commented
1 year ago Actually we may want to discuss this during an upcoming triage meeting: this historic seems to describe profiles and profile resolution at the high level, it is not clear what else we should do with in this area that is not already covered with it and/or mapping and other predefined efforts. This is very open-ended, and I do not even recall why I labelled it research earlier this year. I will ask the team to review.
@aj-stein-nist -- You probably labeled it 'research' because it is precursor to the OSCAL mapping model. A mapping between frameworks (e.g. CSF) and controls (e.g. 800-53) requires both, source and target, to be itemized and represented in OSCAL. The mapping of a framework to controls might require a 'support' type relations, which would be important to consider while DEFINE-ing the OSCAL Mapping model.
aj-stein-nist
commented
1 year ago The mapping of a framework to controls might require a 'support' type relations, which would be important to consider while DEFINE-ing the OSCAL Mapping model.
Should we need review existing mapping work, and potentially add to requirements, and close out this issue then? It seems the historical nature of this is no longer applicable. Let us know.
As a compliance auditor, I can customize a framework by choosing which parts of the framework are included, modifying the framework, and extending the framework.
Required Resources:
Goals:
Acceptance Criteria: