Open
Description
User Story
As a security practitioner, in order to be able to more precisely define the origin of control requirements and who is responsible for their implementation, I would like to review and consider possible addition of default values for control origination for implemented requirements of a control in a control implementation of an SSP to support the notion of shared origin or that of a third-party/outsourced entity that is part of the service offered by a CSP and used in a customer's environment as part of that service.
This is a continuation of discussion during review of https://github.com/usnistgov/OSCAL/pull/1460/files#r988165640 to make this a dedicated work item in this issue and determine it outside the context of #784.
Goals
- Analyze and model new origination concepts from ACSC ISM and other control catalogs different from that of NIST SP 800-53
- Review potential options for the addition/removal of defaults
- If additions or changes are required, implement them as part of a PR as a result of a recommendation to make necessary changes
Dependencies
No response
Acceptance Criteria
- All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
- A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
- The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.