Current Behavior
Currently there is no mapping between the FRSCA and a specific framework such as SSDF. What controls are met by FRSCA, and how can they be presented as evidence to an auditor?
Expected Behavior
Create mapping for various relevant frameworks to FRSCA
@pxp928 What I was thinking was that FRSCA should standardize how evidence is stored and made available, with a goal of providing stable interfaces to automated assessment tools. This would then allow the mapping of a specific pipeline to arbitrary frameworks to happen outside of the FRSCA project itself - for instance, cncf/tag-security#845.
I think this is also related to #147. The evidence could leverage the Assessment Results Model which would point to specific Reviewed Controls, or similar.
Howdy, member of the wider OSCAL community here. I see NIST has SSDF in Excel, but not OSCAL. I am trying to explore building a SSDF OSCAL catalog in oscal-club/examples#2. In terms of order of operations, that is likely super helpful to do before using SSDF as a basis for assessment plans and related assessment results in a structured way with observations. So maybe related to this and #147. Not sure if this work would be helpful to you all.