Enriching copy of SP800-53 with explicit links? #181
Labels
enhancement
The issue adds a new feature, capability, or artifact to the repository.
User Story
The issue is a user story for a development task.
Comments
wendellpiez
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User Story:
Picking up on #86, we have code in a working branch here: https://github.com/wendellpiez/oscal-content/tree/issue86-opd-analysis
But there are (policy-level) data governance questions to be addressed first.
The idea/concept of enhancing the copy here raises issues of fidelity to upstream data sources, since these links will not be given in the authoritative (canonical) representation of SP800-53 to be found at https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/public-comments#/home.
Essentially, the OSCAL would represent an 'improved' version - which could also pose a maintenance challenge if we need to update to reflect changes in the upstream, as then we have a branching situation. (Indeed we already have that situation; this makes it worse.)
We need a policy level determination about whether / how we can make changes like this.
Do we do so in coordination with our upstream sources? Can we do so without such coordination? With what guarantees?
Looking at #86 and the WIP branch you can see that improvements to the data are pretty easily made once they are specified.
An alternative approach might be not to do this but to show others how to do it.
Goals:
Dependencies:
Up to this point the OSCAL team has maintained this data set on behalf of the FISMA team. Continuing to do that probably requires some planning.
Until then, there is nothing that prevents us from making (or encouraging others to make) improvements to a public data set. It's just that when we do so we need to be overt as to its status, clarifying its status (or lack of status as the case may be).
Acceptance Criteria
The text was updated successfully, but these errors were encountered: