
Comments (5)

afeld commented on September 6, 2024

Right...but doesn't a control being listed in the certification make it implicitly "required"? I'm not understanding why any new fields would be required in the YAML.

https://github.com/opencontrol/schemas#certifications

from compliance-masonry.

afeld commented on September 6, 2024

CM can specify and consume RequiredControls

Mind explaining this? @jcscottiii @ctro and I saw that added to the schema in #112 but weren't sure why it actually needs to be present in the YAML. What constitutes a non-required control?


ctro commented on September 6, 2024

I think that these requirements came from Gabe, specifically "specify and consume Required Controls".

This is why the one commit I made to gap analysis added that YAML. Gabe envisioned adding all "required" controls to the project's yaml. Then, you can check for the existence of those requiredControls in your actual documentation.

Is this because projects don't want/need to implement ALL of the controls for some Certification? In this case diffing against all controls wouldn't be too useful.

I am also unsure of what makes a control required or not.

Maybe defining your list of requiredControls is the first step of using CM. How many controls are usually required for a project though? 10? 30? 400?


afeld commented on September 6, 2024

All good questions. Maybe this is related to some controls being partially fulfilled by the different layers, e.g. that the platform itself has monitoring, but that is not the same thing as an application having monitoring. @mogul @dlapiduz Any guesses?


mogul commented on September 6, 2024

The required controls are determined by the baseline you're shooting for. So if you're trying to document a FISMA Moderate system, that will imply a certain set of controls need to be satisfied, which means that you should have something showing up under each of them in your assembled docs. The gap report should say "To get FISMA Moderate, there should be something here, here, and here". If it were FISMA Low, it'd be a smaller set. If it was PCI or HIPAA, it would be a different set. Make sense?

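One way to turn the baseline-driven check mogul describes into a gap report, as an added example that is not compliance-masonry's own code. The dict layouts are assumed to mirror the OpenControl certification file and the component `satisfies` entries (standard key, control key, implementation status); the baselines, control IDs and statuses are constructed sample data.

```python
from collections import defaultdict
# Constructed sample modelled on an OpenControl certification file (assumption):
# each baseline lists, per standard, the controls it requires.
BASELINES = {
    "FISMA-Low": {"NIST-800-53": ["AC-2", "AU-2", "IR-4"]},
    "FISMA-Moderate": {"NIST-800-53": ["AC-2", "AU-2", "AU-6", "IR-4", "SI-4"]},
}

# Constructed sample modelled on the `satisfies` lists of two component files,
# one per layer (platform and application) as the thread discusses.
COMPONENTS = [
    {"name": "cloud-platform", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2", "implementation_status": "complete"},
        {"standard_key": "NIST-800-53", "control_key": "SI-4", "implementation_status": "partial"},
    ]},
    {"name": "web-app", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AU-2", "implementation_status": "complete"},
        {"standard_key": "NIST-800-53", "control_key": "IR-4", "implementation_status": "planned"},
    ]},
]

def documented_controls(components):
    """Map (standard, control) -> [(component, status), ...] across all layers."""
    found = defaultdict(list)
    for comp in components:
        for entry in comp.get("satisfies", []):
            key = (entry["standard_key"], entry["control_key"])
            found[key].append((comp["name"], entry.get("implementation_status", "unknown")))
    return found

def gap_report(baseline, baselines=BASELINES, components=COMPONENTS):
    """Classify each control the baseline requires as missing (no component
    mentions it), incomplete (documented but nothing marks it complete) or covered."""
    found = documented_controls(components)
    report = {"missing": [], "incomplete": [], "covered": []}
    for standard, controls in baselines[baseline].items():
        for control in controls:
            cid = f"{standard}/{control}"
            entries = found.get((standard, control), [])
            if not entries:
                report["missing"].append(cid)
            elif any(status == "complete" for _, status in entries):
                report["covered"].append(cid)
            else:
                report["incomplete"].append(cid)
    return report

if __name__ == "__main__":
    for name in BASELINES:
        print(name, gap_report(name))
```

Switching the baseline from FISMA-Low to FISMA-Moderate grows the required set, so the same component documentation produces a longer list of gaps, which is the behaviour the thread is asking for.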
