Add supplemental_data to saf attest to support data exchange and provide evidence to the attested claim. #574

Open
aaronlippold opened this issue Jul 29, 2022 · 5 comments
@aaronlippold
Member

No description provided.

@aaronlippold aaronlippold added the enhancement New feature or request label Jul 29, 2022
@aaronlippold aaronlippold changed the title Add the ability to saf attest to add an optional cci: (one or more) to an attestation for better support for eMass. Add the ability to saf attest to add an optional cci: (one or more) to an attestation for better eMass alignment. Jul 29, 2022
@aaronlippold
Member Author

We could either allow the user to provide a specific CCI or CCIs.

We could also use @ejaronne's process for deriving a CCI from an 800-53 control.

This may cause us to add a --derive-cci flag if we take option b.

@aaronlippold
Member Author

aaronlippold commented Jul 29, 2022

In the use case for CCI specification:

The list of CCIs from the control family level would be too broad, given in the end you really need to whittle it down to the specific part of the sub-control family item or area you are really talking about.

If we add the ability to get the CCI list at the control family or even enhancement level, then allow the user to sub-select given the title and the topic, this would be very useful given they can 'pick' the one or two which are relevant during the attestation process.

@aaronlippold
Member Author

So after talking with @cwolf I think we should wrap this in another object called either:

  • supporting_data
  • supplemental_data

So that we have a more generalized approach and it doesn't tie it to just a 'CCI' much as we have with passthrough - this data is there to support the 'claim' of the attestation, be that a CCI or link to a file, link to a screenshot, etc.

@aaronlippold
Member Author

aaronlippold commented Aug 7, 2022

So we would have:

attestation: {
  stuff...
  supporting_data: {
    cci: [string],
    ref: https://www....
    img: https://link...
  } 
}

@aaronlippold
Member Author

This would be an optional - but highly suggested in HDF style - field that would allow us to maintain cross-data support between eMass and HDF data and allow users to be a bit more correct and specific when working at the control family level.

Attesting to AC-3 or IA-4 doesn't really help much - given my next question is what in AC-3 or IA-4 are you saying you covered?

@aaronlippold aaronlippold changed the title Add the ability to saf attest to add an optional cci: (one or more) to an attestation for better eMass alignment. Add supplemental_data to saf attest to support data exchange and provide evidence to the attested claim. Aug 7, 2022
4 participants