
Baseline Tailor needs to be more security control baseline centric and less control-centric #47

Open
its-a-lisa-at-work opened this issue Jan 16, 2020 · 1 comment

Comments

@its-a-lisa-at-work

I have observed that the baseline version 0.13 tool has the ability to select baselines for controls based on low, moderate or high baselines but not mapped to the confidentiality, integrity and availability. I believe if we make the selection more granular for each, it will give a better experience choosing controls and make it easier for those trying to tailor the controls. It will result in 27 baselines instead of 3 baselines.

@its-a-lisa-at-work its-a-lisa-at-work changed the title Control baseline selector Control baseline selector enhancement Jan 16, 2020
@joshualubell (Member) commented Jan 17, 2020

Thanks for raising this issue.

I think maybe the issue underlying your observation is that, despite having "baseline" in its name, "Baseline Tailor" focuses more on individual controls than on control baselines. According to the RMF (NIST SP 800-37r2), baselines are developed at the organizational level. However, security categorization (determining the impact level based on CIA) is done at the system level. From a documentation standpoint, a tailored baseline doesn't include categorization info for individual systems. Instead, categorization info is included as part of the system security plan (SSP), which in turn is part of an authorization package (which an authorization official uses to determine whether the system is allowed to operate or be used). FYI, the proposed OSCAL language includes a data format for SSPs.

So, although I don't think the current user interface does a good job supporting this, my vision for Baseline Tailor is that people would use it to create tailored baselines (by copy-pasting from the Security Control Editor "XML Representation" field into a file for each control in the baseline and tweaking the file using an XML text editor), using the SP 800-53 baselines as a starting point. I considered system categorization to be out of scope.

Having said that, I think it would be great if the Baseline Tailor user interface were more baseline-centric, such that the user interactions with the UI produced XML representing a baseline (perhaps as an OSCAL "profile"). But this would require a major rewrite of the UI, and also the ability to import/export partially completed baselines.
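To make the two ideas in this thread concrete (the 27 per-objective categorizations from the opening post, and a baseline-centric output that is an OSCAL-style profile rather than a pile of per-control XML files), here is an added example. It is not Baseline Tailor's code and not OSCAL's reference tooling: the element names (`profile`, `metadata`, `import`, `include-controls`, `with-id`, `merge`, `as-is`) are assumed from the OSCAL 1.0 profile model, which postdates this issue, and the per-objective control table and catalog path are constructed sample data, not the SP 800-53 baselines.

```python
"""Tailored-baseline profile generator (added example, not Baseline Tailor's code).

Assumptions: OSCAL 1.0 profile element names; SAMPLE_TABLE is a constructed
per-objective threshold table, not the real SP 800-53 baseline allocations.
"""
import itertools
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"  # assumed OSCAL 1.0 namespace
LEVELS = ("low", "moderate", "high")
RANK = {level: n for n, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample table (hypothetical thresholds): for each control, the
# lowest impact level per security objective at which the control enters the
# baseline; None means that objective never selects the control.
SAMPLE_TABLE = {
    "ac-2": {"confidentiality": "low", "integrity": "low", "availability": None},
    "ac-6": {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
    "cp-6": {"confidentiality": None, "integrity": None, "availability": "moderate"},
    "cp-9": {"confidentiality": None, "integrity": "low", "availability": "low"},
    "sc-7(5)": {"confidentiality": "high", "integrity": "high", "availability": None},
    "sc-8": {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
}


def qname(local):
    """Namespace-qualified tag name for ElementTree."""
    return "{%s}%s" % (OSCAL_NS, local)


def all_categorizations():
    """Every (C, I, A) impact triple: 3**3 = 27, the count the issue mentions."""
    return list(itertools.product(LEVELS, repeat=3))


def high_water_mark(confidentiality, integrity, availability):
    """Collapse the three per-objective levels to one overall level, which is
    effectively all a three-baseline (low/moderate/high) selector can use."""
    return max((confidentiality, integrity, availability), key=RANK.__getitem__)


def select_controls(table, confidentiality, integrity, availability):
    """Sorted control IDs whose threshold is met by at least one objective."""
    system = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    chosen = []
    for control_id, thresholds in table.items():
        for objective in OBJECTIVES:
            threshold = thresholds.get(objective)
            if threshold is not None and RANK[system[objective]] >= RANK[threshold]:
                chosen.append(control_id)
                break  # one matching objective is enough to select the control
    return sorted(chosen)


def build_profile(control_ids, title, catalog_href):
    """Serialize the selection as a profile that imports the source catalog.

    catalog_href is whatever catalog the baseline tailors from; the caller
    below passes an obvious placeholder path."""
    ET.register_namespace("", OSCAL_NS)  # emit OSCAL as the default namespace
    profile = ET.Element(qname("profile"), uuid=str(uuid.uuid4()))
    metadata = ET.SubElement(profile, qname("metadata"))
    ET.SubElement(metadata, qname("title")).text = title
    ET.SubElement(metadata, qname("last-modified")).text = datetime.now(timezone.utc).isoformat()
    ET.SubElement(metadata, qname("version")).text = "1"
    ET.SubElement(metadata, qname("oscal-version")).text = "1.0.0"
    imported = ET.SubElement(profile, qname("import"), href=catalog_href)
    include = ET.SubElement(imported, qname("include-controls"))
    for control_id in control_ids:
        ET.SubElement(include, qname("with-id")).text = control_id
    merge = ET.SubElement(profile, qname("merge"))
    ET.SubElement(merge, qname("as-is")).text = "true"
    return ET.tostring(profile, encoding="unicode")


def profile_control_ids(xml_text):
    """Read back the with-id values from a serialized profile, in document order."""
    root = ET.fromstring(xml_text)
    return [element.text for element in root.iter(qname("with-id"))]


if __name__ == "__main__":
    # Constructed scenario: an availability-critical system with low C and I.
    levels = ("low", "low", "high")
    print("high-water mark would be:", high_water_mark(*levels))
    ids = select_controls(SAMPLE_TABLE, *levels)
    print(build_profile(ids, "Sample tailored baseline", "catalog-placeholder.xml"))
```

The point of `high_water_mark` beside `select_controls` is that the same system categorization produces a different (usually smaller) baseline when each objective is considered separately; whether that smaller baseline is acceptable is exactly the tailoring decision the UI would need to let the user record in the profile.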

@joshualubell joshualubell changed the title Control baseline selector enhancement Baseline Tailor needs to be more security control baseline centric and less control-centric Jan 17, 2020