Is there an 800-53 control mapping for SAF itself? #43
Comments
Hope that helps to clarify. For more on the SAF framework, please visit https://saf.mitre.org/#/, or email [email protected] if you'd like to discuss. Thanks!
@ejaronne Thanks for the feedback. I actually meant for SAF itself. As in, "as a user, I want to deploy SAF but my ISSO is asking for 800-53 control mappings for SAF before it can be deployed."
I'm not really tracking what you are asking for here. Can you give an example of a similar mapping on another tool? Are we taking the app dev SRG mapping to make a checklist?
Yours,
Aaron Lippold
Chief Architect – MITRE Security Automation Framework (SAF)
https://saf.mitre.org
Principal Cyber Security, Cyber Assessments
@aaronlippold The compliance as code material for OpenShift is a massively complex example. I was working under the theory that an application developed under Government contract would be designed for deployment and carry its FISMA-required artifacts along with it. I suppose, at a minimum, a mapping of the product to the Application Development STIG would work.
Given that the saf-cli is a set of JavaScript and TypeScript, the ASD would be the most applicable. This work would then be folded into the package for the system you would be deploying. Heimdall and Vulcan would have the ASD plus the DB STIG and the web server STIG. The InSpec profiles and hardening content would not need a STIG alignment. Happy to chat on Zoom.
@aaronlippold That sounds reasonable. It sounds like the answer to my question is that there isn't one but there should be.
In order to be used on Federal systems, software needs to be mapped to 800-53.
A mapping in OSCAL would be ideal.