Map Components to Multiple Certifications

[weirdscience]

Repost from certifications and standards repo,

Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies (e.g PCI and FISMA or SOC2 and FISMA)? If so, can someone share an example, love it.

I'm working on a project to maintain compliance with a couple different standards and certifications related to PKI. I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards when they change. Depending on the standard, they might be in the same format (RFC 3647) or just a bullet list. I wanted to use opencontrol to do this. It's not FISMA, but still a federal system and I'm not interested in FISMA it's outside of my scope.

[afeld]

Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies

Yes, OpenControl Components can refer to multiple frameworks by having multiple satisfies entries.

can someone share an example

Not sure I know of one, sorry!

I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards

For a particular system, or the mapping in isolation?

[weirdscience]

Here's an example and the test repo I setup - https://github.com/weirdscience/OpenControl-PKI-Compliance

For example, I'm working with four standards (Google, Microsoft, Adobe, and Mozilla) and they all have the same system availability requirement but each standard do not follow a standardized numbering or control scheme. For example the requirements might look like this:
Google 4.1
Adobe 1.1
Microsoft A-1n
Adobe xiii

I list that control in section 2 of my compliance document. How would I map those standard requirements to a single satisfies section in my components file?

[weirdscience]

Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies

Yes, OpenControl Components can refer to multiple frameworks by having multiple satisfies entries.

Would that look like this? The same text in each satisfies entries?

satisfies:

• control_key: AC-17
  covered_by: []
  implementation_statuses:

  • none
    control_origins:
  • service provider hybrid
    narrative:
  • text: |
    'To help the organization meet the requirements of this control,
    Docker Enterprise Edition can be configured to allow/prohibit remote
    access to the Engine.'
    standard_key: NIST-800-53

• control_key: PCI-17
  covered_by: []
  implementation_statuses:

  • none
    control_origins:
  • service provider hybrid
    narrative:
  • text: |
    'To help the organization meet the requirements of this control,
    Docker Enterprise Edition can be configured to allow/prohibit remote
    access to the Engine.'
    standard_key: PCI

• control_key: GGLA-1.1
  covered_by: []
  implementation_statuses:

  • none
    control_origins:
  • service provider hybrid
    narrative:
  • text: |
    'To help the organization meet the requirements of this control,
    Docker Enterprise Edition can be configured to allow/prohibit remote
    access to the Engine.'
    parameters:
  • key: "GGLA-1.1(a)"
    text: |
    "SLA 99.99%"
  • key: "GGLA-1.1(b)"
    text: |
    "SLA 24x7x6"
    standard_key: Google Root Program

I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards

For a particular system, or the mapping in isolation?

For a system. Ignore that because it may eventually be used to draft the document if the format is correct.

[weirdscience]

Has anyone used the same components yaml for multiple certifications and did not have to repeat the same satisifies statements?

[weirdscience]

Has anyone been successful at this?

[weirdscience]

?

[trevorbryant]

@weirdscience, are you in the slack channel? There might be somebody that may know just enough to get you a response there.

[alisabryant]

@weirdscience did you ever find one or start the discussion in slack? I think this is a great place to start and would be interested in what you have come across. You might want to check this out as well https://github.com/redteam-project/sckg