User Story
As an OSCAL user using multiple OSCAL models, I need to be able to represent all equivalent controls from all relevant frameworks that I have to adhere to via a single internal control, so that the implementation, conformance and assessments could be done on those internal controls for better efficiency.
Goals
Use Case
I am using the Catalog, Profile and SSP Models to represent the multiple compliance standards and framework that I have to be compliant with.
We are moving to an approach where we will use a single internal control that maps to one or more controls across all the standards that we have to be compliance with.
Control Mapping model - Why it isn't sufficient for me
While Control Mapping model was designed specifically to have mappings across 2 catalogs, there are use cases where multiple catalogs have to be mapped to an internal catalog. In essence, this requested model can be considered as an extension to the Control Mapping model in a way.
If this request seems reasonable and is inline with the philosophy and principles of this project, could you please consider it?
Current Approach
I am maintaining a spreadsheet that has the following
| Internal Control Number |
Internal Control |
Mapped Controls |
| AC-1 |
Perform monthly User Access Reviews |
N-800-171-1.1.1, CISv8-1.2.1,ISO27001-A5.1 |
| AI-2 |
Maintain an inventory of all InfoSec Assets |
S-2.3.1, I-1.2.4 |
The main reason for us to choose OSCAL as opposed to spreadsheets is to have a "Compliance-as-Code" approach where we can have these as YAML/JSON files in our Git repo and have all changes tracked and versioned. The multi-compliance control mapping is the only spreadsheet based artifact.
Dependencies
None - This is a request for a new model, that might reference existing Catalogs, if any.
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response
User Story
As an OSCAL user using multiple OSCAL models, I need to be able to represent all equivalent controls from all relevant frameworks that I have to adhere to via a single internal control, so that the implementation, conformance and assessments could be done on those internal controls for better efficiency.
Goals
Use Case
I am using the Catalog, Profile and SSP Models to represent the multiple compliance standards and framework that I have to be compliant with.
We are moving to an approach where we will use a single internal control that maps to one or more controls across all the standards that we have to be compliance with.
Control Mapping model - Why it isn't sufficient for me
While Control Mapping model was designed specifically to have mappings across 2 catalogs, there are use cases where multiple catalogs have to be mapped to an internal catalog. In essence, this requested model can be considered as an extension to the Control Mapping model in a way.
If this request seems reasonable and is inline with the philosophy and principles of this project, could you please consider it?
Current Approach
I am maintaining a spreadsheet that has the following
The main reason for us to choose OSCAL as opposed to spreadsheets is to have a "Compliance-as-Code" approach where we can have these as YAML/JSON files in our Git repo and have all changes tracked and versioned. The multi-compliance control mapping is the only spreadsheet based artifact.
Dependencies
None - This is a request for a new model, that might reference existing Catalogs, if any.
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response