
Requesting a Compliance Crosswalk Model #2145

Description

@benignbala

User Story

As an OSCAL user using multiple OSCAL models, I need to be able to represent all equivalent controls from all relevant frameworks that I have to adhere to via a single internal control, so that the implementation, conformance and assessments could be done on those internal controls for better efficiency.

Goals

Use Case

I am using the Catalog, Profile and SSP Models to represent the multiple compliance standards and frameworks that I have to be compliant with.

We are moving to an approach where we will use a single internal control that maps to one or more controls across all the standards that we have to be compliant with.

Control Mapping model - Why it isn't sufficient for me

While the Control Mapping model was designed specifically to have mappings across 2 catalogs, there are use cases where multiple catalogs have to be mapped to an internal catalog. In essence, this requested model can be considered an extension to the Control Mapping model in a way.

If this request seems reasonable and is in line with the philosophy and principles of this project, could you please consider it?

Current Approach

I am maintaining a spreadsheet that has the following

Internal Control Number | Internal Control                             | Mapped Controls
AC-1                    | Perform monthly User Access Reviews          | N-800-171-1.1.1, CISv8-1.2.1, ISO27001-A5.1
AI-2                    | Maintain an inventory of all InfoSec Assets  | S-2.3.1, I-1.2.4

The main reason for us to choose OSCAL as opposed to spreadsheets is to have a "Compliance-as-Code" approach where we can have these as YAML/JSON files in our Git repo and have all changes tracked and versioned. The multi-compliance control mapping is the only spreadsheet-based artifact.

Dependencies

None - This is a request for a new model, that might reference existing Catalogs, if any.

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response
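Added example (not code from the issue author or the OSCAL project): the spreadsheet crosswalk from the Current Approach section kept as plain data so it can be committed to Git as JSON, together with the integrity checks a reviewer of such a file would want (one internal control per external control, no unknown framework identifiers, no empty rows), and a split of the many-framework crosswalk into one internal-to-framework mapping per external framework, which is the two-catalog shape the issue says the Control Mapping model covers. The CSV rows are constructed from the issue's table; the framework prefix table (the issue does not say what "S-" and "I-" stand for) and the pairwise mapping layout are assumptions and are not the OSCAL mapping model schema.

```python
"""
Added example, not code from the issue author or the OSCAL project: the
spreadsheet crosswalk from the issue kept as plain data so it can live in Git
as JSON, plus the integrity checks a reviewer of such a file would want.
The CSV rows are constructed from the issue's table; the framework prefix table
and the "pairwise mapping" layout are assumptions and are NOT the OSCAL mapping
model schema.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed sample input: the same three columns as the issue's spreadsheet.
SPREADSHEET_CSV = """\
Internal Control Number,Internal Control,Mapped Controls
AC-1,Perform monthly User Access Reviews,"N-800-171-1.1.1, CISv8-1.2.1,ISO27001-A5.1"
AI-2,Maintain an inventory of all InfoSec Assets,"S-2.3.1, I-1.2.4"
"""

# Assumed mapping from identifier prefix to framework; the issue does not say
# what its "S-" and "I-" prefixes stand for, so they get placeholder names.
FRAMEWORK_PREFIXES = {
    "N-800-171-": "nist-sp-800-171",
    "CISv8-": "cis-controls-v8",
    "ISO27001-": "iso-27001",
    "S-": "framework-s",
    "I-": "framework-i",
}


def framework_of(control_id):
    """Return the framework an external control id belongs to, by prefix.
    Longest prefix first so e.g. "ISO27001-" cannot be shadowed by "I-"."""
    for prefix in sorted(FRAMEWORK_PREFIXES, key=len, reverse=True):
        if control_id.startswith(prefix):
            return FRAMEWORK_PREFIXES[prefix]
    raise ValueError(f"unknown framework prefix in control id {control_id!r}")


def parse_crosswalk(csv_text):
    """Turn spreadsheet rows into {internal_id: {"title": ..., "mapped": [...]}}.
    Rejects duplicate internal ids, unknown identifiers and rows with no mapping."""
    crosswalk = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        internal_id = row["Internal Control Number"].strip()
        if internal_id in crosswalk:
            raise ValueError(f"duplicate internal control {internal_id}")
        mapped = [c.strip() for c in row["Mapped Controls"].split(",") if c.strip()]
        if not mapped:
            raise ValueError(f"{internal_id} maps to no external controls")
        for ext in mapped:
            framework_of(ext)  # fail early on an unrecognised identifier
        crosswalk[internal_id] = {"title": row["Internal Control"].strip(),
                                  "mapped": sorted(set(mapped))}
    return crosswalk


def reverse_index(crosswalk):
    """External control id -> sorted list of internal controls that claim it."""
    index = defaultdict(list)
    for internal_id, entry in crosswalk.items():
        for ext in entry["mapped"]:
            index[ext].append(internal_id)
    return {ext: sorted(ids) for ext, ids in index.items()}


def find_conflicts(crosswalk):
    """External controls satisfied by more than one internal control: an
    assessor would not know which internal control's evidence applies."""
    return {ext: ids for ext, ids in reverse_index(crosswalk).items() if len(ids) > 1}


def to_pairwise_mappings(crosswalk):
    """Split the many-framework crosswalk into one internal<->framework mapping
    per external framework (hypothetical layout, not the OSCAL mapping schema).
    This is the two-catalog shape a pairwise mapping model can hold."""
    per_framework = defaultdict(list)
    for internal_id in sorted(crosswalk):
        by_framework = defaultdict(list)
        for ext in crosswalk[internal_id]["mapped"]:
            by_framework[framework_of(ext)].append(ext)
        for fw, targets in by_framework.items():
            per_framework[fw].append({"source": internal_id, "targets": sorted(targets)})
    return {fw: {"source-catalog": "internal", "target-catalog": fw, "maps": maps}
            for fw, maps in sorted(per_framework.items())}


def to_json(obj):
    """Stable serialisation (sorted keys, fixed indent) so Git diffs show only
    real changes to the crosswalk."""
    return json.dumps(obj, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    cw = parse_crosswalk(SPREADSHEET_CSV)
    print(to_json(cw))
    print(to_json(to_pairwise_mappings(cw)))
    print("conflicts:", find_conflicts(cw))
```

Run it against the spreadsheet export and commit the JSON it prints; the sorted keys make each later change a one-line diff. The conflict check is the one a pure spreadsheet does not give you: once the same external control appears under two internal controls, the per-framework split produces two mapping entries for one target and the assessment evidence becomes ambiguous.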
