Add NIST Control Assignments and Minimum Requirements #48

Open
JJediny opened this issue Aug 5, 2016 · 3 comments
JJediny commented Aug 5, 2016

Work in Progress: NIST Control Assignments and Minimum Requirements for Low, Moderate, High Systems (w/ NIST/FEDRAMP/DOD Requirements) from http://iasecontent.disa.mil/cloud/SRG/index.html

https://gist.github.com/JJediny/7820bd39c6a2221bbe893271e1d2f969

@gregelin I remember a related issue on OpenSCAP?

@JJediny JJediny self-assigned this Aug 5, 2016

gregelin commented Aug 6, 2016

Very interesting…

We’ve also tried to capture some assignment data. We don’t have a structure yet, either. Pretty critical we can represent assignments.

On Aug 5, 2016, at 5:50 PM, John Jediny [email protected] wrote:

Work in Progress: NIST Control Assignments and Minimum Requirements for Low, Moderate, High Systems (w/ NIST/FEDRAMP/DOD Requirements) from http://iasecontent.disa.mil/cloud/SRG/index.html
https://gist.github.com/JJediny/7820bd39c6a2221bbe893271e1d2f969
@gregelin I remember a related issue on OpenSCAP?



JJediny commented Aug 10, 2016

@gregelin updated the GIST but still a lot of cleaning up and restructuring to do...

After working through it, this structure seems to be useful, as it adds the answer per the specific system alongside the minimum requirements under system. Also added whether/which control enhancement is required per a Low/Moderate/High system, to tell whether an answer is required for a specific system depending on if it is L/M/H according to FIPS determination:

TO DO:

  • use key instead of id to be consistent with the rest of Open Control
  • finalize structure
  • update document with final structure
  • review for accurate representation against DOD Cloud guide

```yaml
# TO DO - Figure out overarching schema as document generated from unstructured text
# Only Half is valid YAML
#####
# DOD Guide uses Impact Level -> which generally equates to FIPS levels
# 2 = Low
# 3-5 = Moderate
# 6 = High
---
- control: AC-1
  applies:
    Low: true
    Moderate: true
    High: true
  assignments:
  - id: a
    requirement: Develops, documents, and disseminates to
    assignment: organization-defined personnel or roles
    answer: All Project Members
    system:
    - High: all personnel
      source: DoD RMF TAG
  - id: b.1
    requirement: Reviews and updates the current Access control policy
    assignment: organization-defined frequency
    answer: Every Year during Annual FISMA Assessment
    system:
    - Moderate: at least every 3 years
      source: FedRAMP v2
  - id: b.2
    requirement: Reviews and updates the current Access control procedures
    assignment: organization-defined frequency
    answer: Every Year during Annual FISMA Assessment
    system:
    - Low: at least annually
      source: FedRAMP v2
```
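
An added example, not part of the original comment or the Open Control project: one way a tool could consume the structure proposed above, listing for a given system level each assignment, the minimum requirement stated for that level, and whether an answer is present. It assumes the AC-1 sample transcribed as Python literals, helper names `fips_level`, `review` and `unanswered` that are hypothetical, and that a minimum listed under one level is not inherited by other levels (the thread does not say either way).

```python
# AC-1 from the comment above, transcribed as Python literals (no YAML library needed).
CONTROLS = [{
    "control": "AC-1",
    "applies": {"Low": True, "Moderate": True, "High": True},
    "assignments": [
        {"id": "a", "assignment": "organization-defined personnel or roles",
         "answer": "All Project Members",
         "system": [{"High": "all personnel", "source": "DoD RMF TAG"}]},
        {"id": "b.1", "assignment": "organization-defined frequency",
         "answer": "Every Year during Annual FISMA Assessment",
         "system": [{"Moderate": "at least every 3 years", "source": "FedRAMP v2"}]},
        # Constructed variation: the page's b.2 has an answer; it is blanked
        # here so the report has a gap to flag.
        {"id": "b.2", "assignment": "organization-defined frequency",
         "answer": "",
         "system": [{"Low": "at least annually", "source": "FedRAMP v2"}]},
    ],
}]

def fips_level(impact_level):
    """Map a DoD impact level to a FIPS level, per the comment header in the YAML."""
    if impact_level == 2:
        return "Low"
    if 3 <= impact_level <= 5:
        return "Moderate"
    if impact_level == 6:
        return "High"
    raise ValueError(f"unmapped DoD impact level: {impact_level}")

def review(controls, level):
    """Return one row per assignment of every control that applies at `level`."""
    rows = []
    for ctl in controls:
        if not ctl.get("applies", {}).get(level, False):
            continue  # control is not required for this baseline
        for a in ctl.get("assignments", []):
            # Minimum stated for exactly this level (assumption: no inheritance).
            minimum = next(((s[level], s.get("source"))
                            for s in a.get("system", []) if level in s), None)
            rows.append({"key": f'{ctl["control"]} {a["id"]}',
                         "minimum": minimum,
                         "answered": bool(str(a.get("answer") or "").strip())})
    return rows

def unanswered(controls, level):
    """Keys of assignments that apply at `level` but have no answer recorded."""
    return [r["key"] for r in review(controls, level) if not r["answered"]]

if __name__ == "__main__":
    for row in review(CONTROLS, fips_level(4)):
        print(row)
```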

anweiss commented Aug 7, 2017

Any thoughts/progress on this?
