Comments (7)
If I understand what's being asked, I've used hyperGRC to implement partial coverage by multiple components for two recent federal ATOs. I have defined only four components so far - AWS, Drupal, Agency and Contractor - but I will be getting a bit finer grained on my next pass. The hyperGRC example components are already finer grained. I have a goal to publish the AWS and Drupal components and their implementation narratives (all in yaml, of course) - let me know if this would be interesting to you.
from discuss.
Just another thought on this. It seems to me that this would be common. For example, using a cloud provider, the provider covers some parts, the organization covers other parts, and some parts need controls provided by both. If I was in such a situation, I presume I would include the cloud provider's OpenControl file, but I need to be able to augment it, but would rather not completely re-implement it.
This looks close to what I am asking:
opencontrol/schemas#24
Adding this here because it might help others.
There isn't a great way to solve this. Often the component-level content can use `partial`, but then an organizational answer could be `complete` that outlines how each partial adds up.
It's not ideal, but if you convert the Customer Responsibility Matrix (CRM), otherwise known as what's left for someone to do to fully implement the control, into an OpenControl certification, then you can get this by layering both overlays.
But the logic isn't supported for this in current tooling; that is, there is currently no way to understand the hierarchy of `implementation_status` between more than one certification, but it seems feasible to do.
Example:
https://gist.github.com/JJediny/bd051fefba1ca94d885ebad23d464533
opencontrol/schemas#24 (comment)
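The layering the two comments above describe (a `partial` status per component, an organizational answer that states how the partials add up, and the provider's CRM kept as a separate overlay) can be checked mechanically. The script below is an added example written for this page; it is not OpenControl tooling and not code posted by any commenter. The component dicts stand in for the parsed form of a `component.yaml` (what `yaml.safe_load` would return) and use the v3 schema field names `satisfies`, `standard_key`, `control_key`, `implementation_status` and `narrative`; the CRM structure, the organizational assertion map, the allowed status set and the roll-up rules are this example's own assumptions.

```python
"""Roll up per-control implementation_status across several OpenControl-style
component files (provider, customer application, ...).

Added example, not OpenControl tooling.  Rules used here (assumptions):
  * any contributing component marked `complete` makes the control complete;
  * otherwise an organizational assertion, if present, decides (this is the
    "organizational answer that outlines how each partial adds up");
  * otherwise the best contributing status stands, and several partials with
    no assertion are reported as a finding;
  * every control a provider's CRM leaves to the customer must be covered by
    at least one component other than that provider, or it is a finding.
"""
from collections import defaultdict

# Assumed ordering of the status values used in this example.
RANK = {"none": 0, "planned": 1, "partial": 2, "complete": 3}

# Constructed sample data: a provider that only partially covers AC-2 and
# leaves the rest of AC-2 (and all of AC-6) to the customer.
PROVIDER = {
    "name": "ExampleIaaS",
    "schema_version": "3.0.0",
    "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "implementation_status": "partial",
         "narrative": [{"text": "Provider manages hypervisor-level accounts."}]},
        {"standard_key": "NIST-800-53", "control_key": "PE-3",
         "implementation_status": "complete",
         "narrative": [{"text": "Physical access to data centers is controlled."}]},
    ],
}
# Hypothetical CRM overlay kept outside the provider's component file:
# provider name -> standard -> controls the customer must still cover.
PROVIDER_CRM = {"ExampleIaaS": {"NIST-800-53": ["AC-2", "AC-6"]}}

CUSTOMER_APP = {
    "name": "ExampleApp",
    "schema_version": "3.0.0",
    "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "implementation_status": "partial",
         "narrative": [{"text": "Application accounts are provisioned via SSO."}]},
    ],
}
# Hypothetical organizational assertion: the org states the partials add up.
ORG_ASSERTIONS = {("NIST-800-53", "AC-2"): "complete"}
REQUIRED = [("NIST-800-53", c) for c in ("AC-2", "AC-6", "PE-3")]


def index_coverage(components):
    """Map (standard, control) -> [(component name, status), ...]."""
    by_control = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            key = (sat["standard_key"], sat["control_key"])
            status = sat.get("implementation_status", "none")
            if status not in RANK:
                raise ValueError(f"{comp['name']} {key[1]}: unknown status {status!r}")
            by_control[key].append((comp["name"], status))
    return by_control


def roll_up(components, crms, assertions, required):
    """Return (statuses, findings): rolled-up status per required control and
    a list of human-readable gaps."""
    by_control = index_coverage(components)
    statuses, findings = {}, []
    for key in required:
        entries = by_control.get(key, [])
        if not entries:
            status = "none"
            findings.append(f"{key[1]}: not covered by any component")
        elif any(st == "complete" for _, st in entries):
            status = "complete"
        elif key in assertions:
            status = assertions[key]  # organization says how partials add up
        else:
            status = max((st for _, st in entries), key=RANK.__getitem__)
            if len(entries) > 1:
                findings.append(f"{key[1]}: {len(entries)} partial contributions "
                                "with no organizational assertion")
        statuses[key] = status
    # CRM check: what the provider hands off must land on some other component.
    for provider, crm in crms.items():
        for standard, controls in crm.items():
            for control in controls:
                others = [n for n, _ in by_control.get((standard, control), [])
                          if n != provider]
                if not others:
                    findings.append(f"{control}: {provider} leaves this to the "
                                    "customer but no customer component covers it")
    return statuses, findings


if __name__ == "__main__":
    statuses, findings = roll_up([PROVIDER, CUSTOMER_APP], PROVIDER_CRM,
                                 ORG_ASSERTIONS, REQUIRED)
    for (standard, control), status in statuses.items():
        print(f"{standard} {control}: {status}")
    for line in findings:
        print("FINDING:", line)
```

With the sample data, AC-2 rolls up to `complete` only because the organizational assertion says so; dropping the assertion leaves it `partial` and reports the two unreconciled partials, and AC-6 surfaces both as uncovered and as a CRM hand-off nobody picked up. Real component files would be loaded with `yaml.safe_load` and the CRM would come from whichever standalone file a provider publishes for it.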
@openprivacy I for one am very interested!
I created a diagram of the idea I mentioned above that would be great to get feedback on.
About representing the Customer Responsibilities independently from components as a new schema/yaml file: I used `requirements` as a placeholder. Having another standalone file would allow for layering inheritance, allow the IaaS/PaaS/SaaS provider to maintain it independently and vendor it rather than putting it in the system control writeup, and provide a cleaner way to handle `implementation_status`.