
Future CCI & STIG Mapping #31

Open
flickerfly opened this issue Nov 19, 2021 · 2 comments
Labels
deferred Deferred until we expand the basic spec to the full spec

Comments

@flickerfly
Contributor

This is more a placeholder for the coming idea of OSCAL having a mapping for things like STIGs and CCIs to controls. I've heard that will be supported in 1.0.1. These are very interesting to my use. I'm wondering if this API would be interested in directly supporting them, have some sort of modular capability that I could write elsewhere and include or if that's just an "out of scope" type thing and this is meant to strictly focus on NIST OSCAL and not related things from DISA or wherever?

@rgauss
Contributor

rgauss commented Nov 22, 2021

Hi @flickerfly, we'd love to flesh out some of the use cases there, particularly those references/relationships that may not be clearly defined enough with the existing OSCAL model.

Can you give an example or two?

@flickerfly
Contributor Author

This is an interesting example service that shows connections between CCIs and STIGs. https://rmfdb.com/controls/AC-1 I see it as an educational resource, helping people understand how these are related, but it is very bare bones and based on unknown sources for the CCI data.

So for control AC-1, as an organization being audited, I need to be aware of the "organization guidance". As an auditor, I need to be aware of the "Auditor Guidance". In the case of AC-1, this includes information about frequency to address the control variable "organization-defined frequency".

As a system administrator complying with STIG requirements, I'd like to be able to directly map my SCAP scans based on STIG guidance to controls from an audit to more easily and precisely provide proof of compliance on a control by control basis. I'd also like to have a view/report of each component and where those scans may be falling short of requirements.

As someone internally managing an audit and reviewing our compliance status prior to submission, I'd like to be able to scan over all the controls and find places where we may have not yet satisfied STIG or CCI guidance.

I know these simple use cases stretch beyond the scope of the API, but I hope they give some idea of the kinds of problems I'd like to solve with this foundation.

The OSCAL issue that is tracking what I think this would need to support is usnistgov/OSCAL#87. The discussion there may also be helpful to understand what I'm thinking about.

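The control-by-control roll-up described in the use cases above, as an added example that is not part of this issue or of the project's code: it walks STIG rule results through a rule-to-CCI and CCI-to-control mapping and reports, per control, failed rules and CCIs that no scan covered. Every rule and CCI identifier is a constructed placeholder (AC-1 and AC-2 are the only real control names), and the scan input is assumed to be a flattened SCAP/XCCDF result of the form `{rule_id: "pass" | "fail"}`.

```python
from collections import defaultdict

# Constructed mapping: STIG rule id -> CCIs the rule implements (placeholders, not real ids).
RULE_TO_CCI = {
    "SV-EXAMPLE-1_rule": ["CCI-EX-0001"],
    "SV-EXAMPLE-2_rule": ["CCI-EX-0001", "CCI-EX-0002"],
    "SV-EXAMPLE-3_rule": ["CCI-EX-0003"],
}
# Constructed mapping: CCI -> NIST SP 800-53 control it supports (AC-1 is the control from the thread).
CCI_TO_CONTROL = {"CCI-EX-0001": "AC-1", "CCI-EX-0002": "AC-1", "CCI-EX-0003": "AC-2"}


def control_status(scan_results):
    """Roll flattened SCAP rule results ({rule_id: "pass"|"fail"}) up to controls.

    Returns (report, unmapped_rules). report[control] holds:
      status          "satisfied" | "failed" | "gap"
      failed_rules    rules that failed under any CCI of the control
      unscanned_ccis  CCIs with no rule result at all (a coverage gap, not a pass)
    A control is satisfied only when every CCI mapped to it has at least one
    scanned rule and none of its rules failed.
    """
    cci_rules = defaultdict(dict)  # cci -> {rule_id: result, or None when not scanned}
    for rule, ccis in RULE_TO_CCI.items():
        for cci in ccis:
            cci_rules[cci][rule] = scan_results.get(rule)
    # Rules the scanner reported but the mapping does not know: surface them rather than drop them.
    unmapped = sorted(r for r in scan_results if r not in RULE_TO_CCI)

    report = {}
    for cci, control in CCI_TO_CONTROL.items():
        entry = report.setdefault(
            control, {"status": "satisfied", "failed_rules": set(), "unscanned_ccis": []}
        )
        results = cci_rules.get(cci, {})
        failed = {r for r, res in results.items() if res == "fail"}
        if failed:
            entry["failed_rules"] |= failed
            entry["status"] = "failed"  # a failed rule outranks a coverage gap
        elif not any(res is not None for res in results.values()):
            entry["unscanned_ccis"].append(cci)
            if entry["status"] == "satisfied":
                entry["status"] = "gap"
    for entry in report.values():
        entry["failed_rules"] = sorted(entry["failed_rules"])  # stable output for reports
    return report, unmapped
```

A rule that fails under two CCIs of the same control is listed once, and a CCI with mapped rules that were never scanned is reported as a gap rather than silently counted as satisfied.
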
@brian-comply0 brian-comply0 added the deferred Deferred until we expand the basic spec to the full spec label Feb 13, 2024