Display catalog entries for profiles for four more frameworks

[kscarfone]

User Story Candidate: As a compliance auditor, I can see all control catalog entries that correspond to profiles for at least four other frameworks (possible selections include FedRAMP, HIPAA, NIST CSF, and PCI DSS). Required Resources:

• Need a subset (or the entirety) of FedRAMP, HIPAA, NIST CSF, and PCI DSS Goals:
  1. Refine the draft profile model from User Story 3.
  2. Develop one instance document for each of the four frameworks: FedRAMP, HIPAA Security Rule, NIST CSF, and PCI DSS.
  3. Refine the Schematron from User Story 3 to enforce profile constraints and validate the profiles against the referenced control catalogs and controls. Acceptance Criteria:
  4. Validate that the OSCAL instance documents have been created as defined in Goal 2 and are valid according to the Schematron required by Goal 3.
  5. Validate that the OSCAL profile model at least partially represents the FedRAMP, HIPAA Security Rule, NIST CSF, and PCI DSS baselines.

[kscarfone]

Resource locations:

• FedRAMP: https://www.fedramp.gov/resources/documents-2016/ has spreadsheets for FedRAMP low, moderate, and high security controls
• HIPAA Security Rule text available in PDF, text, and XML formats at https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/content-detail.html. HIPAA is defined in two parts of this. Title 45 – Public Welfare, Subtitle A, Subchapter C, Parts 160 – General Administrative Requirements (https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/xml/CFR-2007-title45-vol1-part160.xml). Title 45 – Public Welfare, Subtitle A, Subchapter C, Part 164 – Security and Privacy, Subparts A (https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/xml/CFR-2007-title45-vol1-part164-subpartA.xml) and C (https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/xml/CFR-2007-title45-vol1-part164-subpartC.xml)
• CSF version 1.0 available in Excel format at https://www.nist.gov/document-3764 and PDF format at https://www.nist.gov/document-3766. Also a downloadable database version at https://www.nist.gov/cyberframework/csf-reference-tool
• PCI DSS version 3.2 available in PDF format for download (with free registration) at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss. Can download an Excel version of the PCI DSS 3.2 requirements from https://www.pcisecuritystandards.org/documents/Prioritized-Approach-v3_2.xlsx?agreement=true&time=1500574583285, under the Prioritized Approach Milestones tab

[david-waltermire]

We are differentiating between a Profile, which would represent FedRAMP baselines, catalogs (i.e., SP 800-53, ISO/IEC 27001, and COBIT), and frameworks (i.e. HIPPA, NIST CSF, PCI DSS). We should rephrase and/or breakup this user story to reflect these semantics. We may want to make the framework efforts dependent on usnistgov/OSCAL#53.

[david-waltermire]

These frameworks are outside the scope of the OSCAL team's current efforts. Closing. New specific issues can be created in the future where needed.