Investigate support for OSCAL #451
Replies: 3 comments
-
Agree, OSCAL support would be really helpful to promote this tool being part of a larger automation of security pipelines and building resulting OQE in a dependable and reliable manner.
-
I attended the virtual two-day OSCAL Workshop that NIST held last week. I learned there is currently no consensus on how to represent CCI in any of the Models. We'll keep an eye on the OSCAL/CCI gitter conversation, where some workarounds are being suggested. For now, I am unsure how to use the draft SAR Model to express the assessment of a STIG rule whose CCI maps to an apportioned statement of a control. For example, CCI-001545 maps to AC-1, text indicator b.1. But I believe SAR items must map to an entire control from the Control Catalog. We hope there is further collaboration between NIST and DISA on this issue.
-
Thanks for the quick and thorough response. Good to know what's going on.
-
Is your feature request related to a problem? Please describe.
Transfer and exchange of data between systems is sometimes done with spreadsheets, or other ad-hoc solutions, but OSCAL should provide a formal definition for this.
Describe the solution you'd like
Explore ways to make use of OSCAL data imports and provide exports.
https://pages.nist.gov/OSCAL/learnmore/
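The granularity problem raised in the workshop comment (a STIG rule's CCI pointing at statement b.1 of AC-1, while assessment results are expected at control level) and the import/export request above are two sides of the same mapping step. The following is an added example, not code from this project or from NIST: it parses a constructed excerpt in the shape of DISA's CCI list XML (element and attribute names assumed to match the real file; CCI-999901 and CCI-999902 and the SV-EXAMPLE rule ids are made up, only the CCI-001545 to AC-1 b 1 mapping comes from the discussion), turns each reference index into a control id and statement id following the id convention of NIST's published SP 800-53 OSCAL catalog (an assumption: `ac-1`, `ac-2.1`, `ac-1_smt.b.1`), and rolls STIG rule results up to control level while keeping the statement-level detail so a failure against one apportioned statement is not lost.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of DISA's CCI list XML. Only the
# CCI-001545 -> "AC-1 b 1" mapping is taken from the discussion; the other
# two items and their indices are made up for illustration.
CCI_XML = """<cci_list>
  <cci_items>
    <cci_item id="CCI-001545">
      <definition>(definition text elided)</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="AC-1 b 1"/>
      </references>
    </cci_item>
    <cci_item id="CCI-999901">
      <definition>(made-up item)</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="AC-2 a"/>
      </references>
    </cci_item>
    <cci_item id="CCI-999902">
      <definition>(made-up item)</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="AC-2 (1)"/>
      </references>
    </cci_item>
  </cci_items>
</cci_list>"""

# Constructed STIG rule results (rule ids are placeholders).
STIG_RESULTS = [
    {"rule": "SV-EXAMPLE-1", "cci": "CCI-001545", "status": "fail"},
    {"rule": "SV-EXAMPLE-2", "cci": "CCI-999901", "status": "pass"},
    {"rule": "SV-EXAMPLE-3", "cci": "CCI-999902", "status": "pass"},
]

# "AC-1 b 1", "AC-2 (1)", "AC-2 (1) a": family, number, optional enhancement,
# then zero or more statement labels.
INDEX_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\s*\((\d+)\))?((?:\s+[a-z0-9]+)*)$")


def parse_cci_list(xml_text):
    """Return {cci_id: [reference index, ...]} from a CCI list document."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for item in root.iter("cci_item"):
        mapping[item.get("id")] = [ref.get("index") for ref in item.iter("reference")]
    return mapping


def index_to_oscal(index):
    """Map a CCI reference index to (control_id, statement_id).

    Assumed id convention of NIST's SP 800-53 OSCAL catalog: control 'ac-1',
    enhancement 'ac-2.1', statement part 'ac-1_smt.b.1'. statement_id is None
    when the index names a whole control rather than an apportioned statement.
    """
    m = INDEX_RE.match(index.strip())
    if not m:
        raise ValueError(f"unrecognised CCI index: {index!r}")
    family, number, enhancement, parts = m.groups()
    control_id = f"{family.lower()}-{number}"
    if enhancement:
        control_id += f".{enhancement}"
    labels = parts.split()
    if not labels:
        return control_id, None
    return control_id, f"{control_id}_smt." + ".".join(labels)


def roll_up(stig_results, cci_map):
    """Aggregate STIG rule results to control level without losing statement detail.

    Returns {control_id: {"state": "satisfied" | "not-satisfied",
                          "statements": {statement_or_control_id: "pass" | "fail"}}}.
    A control is satisfied only if every statement it was assessed against passed;
    statements never assessed are simply absent, so partial coverage stays visible.
    """
    controls = {}
    for result in stig_results:
        for index in cci_map.get(result["cci"], []):
            control_id, statement_id = index_to_oscal(index)
            entry = controls.setdefault(control_id, {"state": "satisfied", "statements": {}})
            key = statement_id or control_id
            previous = entry["statements"].get(key, "pass")
            status = "fail" if "fail" in (previous, result["status"]) else "pass"
            entry["statements"][key] = status
            if status == "fail":
                entry["state"] = "not-satisfied"
    return controls


if __name__ == "__main__":
    for control_id, entry in sorted(roll_up(STIG_RESULTS, parse_cci_list(CCI_XML)).items()):
        print(control_id, entry["state"], entry["statements"])
```

Keeping the statement id alongside the control-level state is what makes an export useful to the receiving system: AC-1 is reported not-satisfied because of b.1 specifically, rather than the whole control being marked failed with the reason discarded.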