-
Notifications
You must be signed in to change notification settings - Fork 687
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple formats used in NIST 800-53 control ID references #12027
Comments
Before I get too far in hacking IDs I should ask about the intent here, starting in the gnome lock rule for AC-11 Device Lock where the references key has:
The first 3 and the last one are valid IDS for the current rev5 catalog and a match for the rule and the .1 appears to come from 53A but I can't find AC-11.1(iii) anywhere. In the generic For now it seems like the (NIST) IDs with extra spaces are all I should try "fixing" but I'm not very certain about that either. Thanks for any feedback! |
To be more specific using examples
|
Thanks for this issue. This project currently doesn't have a standard (as you have seen) for this. This is something that we should establish and put in the style guide. I don't have strong opinion on this on any feedback from the community is appreciated. Another issue is that the references are not versioned. To my best knowledge there are at least 2, if not more, versions of 800-53 in use in this project. While we are at writing the style guide for 800-53 we should at at least think about this issue as well. |
For my current (work) target of generating a controls file using rev5 i decided on a couple of things:
The above is based mainly on comparing the rh nist control files to the oscal/content repo and the nist pub attachments, where the current rev5 controls use mainly the following:
cheesy test output from my ad-hoc tools:
Feel free to flame/refactor that ^^ as i only have so much time for this part for right now; it will get bigger over the next few months (for me anyway). |
Finally, when I analyze or generate a list of controls I still need to (manually) verify whether the existing reference/id/rule actually makes sense when compared to the rev5 control text. Anyone got an AI handy? |
Also I only have a small number of current data points BUT one customer (a while back) asked for a GPOS STIG and the same customer on a newer project timeline asked for 800-53 rev5. I fully expect the first one to come back with 800-53 rev5 the next time they bring the topic up. I guess my point is that nobody is asking us for rev4 controls. |
Share the context
Analysis of NIST rev5 control ID references in OpenEmbedded expanded profile revealed some discrepancies when trying to map references to the OSCAL profiles from NIST.
Description of problem:
Using the following to define 800-53 ID formats:
AC-11(1)
ac-2.12
Proposed change:
References:
The text was updated successfully, but these errors were encountered: