-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optional security-sensitivity-level #1798
Comments
We have to consider short-term accommodation and long-term approach for supporting community needs.
We are comfortable reviewing this for possible inclusion in upcoming sprints and not deferring this work. More to follow. |
This issue (short-term approach) also addresses concerns raised by European OSCAL users as well. I worked today with @Arminta-Jenkins-NIST and show where to make the changes (against the |
@aj-stein-nist How do you want to document the long-term design principles in support of non-(NIST/FedRAMPP) processes and procedures? |
User Story
As an OSCAL implementer, I need to be able to address different compliance regimes. These regimes will define security-sensitivity-level differently and often will not use FIPS 199 as a baseline. In some cases, the sensitivity level is deterministically related to the related control profile, so specifying both a profile and sensitivity level is unnecessary. The sensitivity level will automatically determine the profile, and the chosen profile implies the sensitivity level.
For example, a CA under the FPKI common policy will determine which certificate types and profiles should be issued, and the set of controls that apply to that CA are completely determined by the chosen certificate types. In this case, it is unnecessary and irrelevant to identify a security-sensitivity-level. Furthermore, if the individual or team completing the SSP chooses the wrong combination of security-sensitivity-level and profile, this is an error condition, and the SSP should be rejected as invalid.
Goals
Security-sensitivity-level and security-impact-level should be optional attributes.
Dependencies
No response
Acceptance Criteria
Revisions
No response
The text was updated successfully, but these errors were encountered: