Set of partials == complete?

[git-ingham]

It would be nice to somehow tell the system that a set of partial coverage results in a complete solution.

For example, suppose we look at "Limit system access to authorized users" (800-171 3.1.1), and we apply it to desktop users. Part of the solution comes from the security policy saying this is required, but that, by itself, is not sufficient. Part of the solution comes from the system configuration that requires authentication. Again, that, by itself is good, but not sufficient. We also want a regular configuration audit that verifies that the configuration is actually applied and active. The combination of all three of these means the issue is covered.

It might be that I need to change how I have set up the OpenControl data. I am trying to split it out by various parts (security policy, active directory configuration, audit, etc). At one of my customer organizations, they have different roles responsible for these different parts, and it is convenient for each role to have a OpenControl set for which that person is responsible.

The key thing I want to avoid is duplication of data. As an example, the network underlies many systems. I do not want to have to duplicate the network onto desktops, individual (or clusters) of servers, etc just to be able to show that the security controls provided by the network are part of (not all of!) the needed controls. Note that not all systems are connected to the organization's network; cloud-based systems should not inherit much (if anything) from the network OpenControl data.

Thanks

[git-ingham]

Just another thought on this. It seems to me that this would be common. For example, using a cloud provider, the provider covers some parts, the organization covers other parts, and some parts need controls provided by both. If I was in such a situation, I presume I would include the cloud provider's OpenControl file, but I need to be able to augment it, but would rather not completely re-implement it.

[git-ingham]

This looks close to what I am asking:
opencontrol/schemas#24
Adding this here because it might help others.

[shawndwells]

There isn't a great way to solve this.

Often the component-level content can use partial, but then an organizational answer could be complete that outlines how each partial adds up.

[JJediny]

It's not ideal but if you convert the Customer Responsibility Matrix (CRM), otherwise known as what's left for someone to do to fully implement the control, into an OpenControl certification then you can get this by layering both overlays.

But the logic isn't supported for this in current tooling, that is, there is currently no way to understand the hierarchy of implementation_status between more than one certification, but seems feasible to do.

Example:
https://gist.github.com/JJediny/bd051fefba1ca94d885ebad23d464533

opencontrol/schemas#24 (comment)

[openprivacy]

If I understand what's being asked, I've used hyperGRC to implement partial coverage by multiple components for two recent federal ATOs. I have defined only four components so far - AWS, Drupal, Agency and Contractor - but I will be getting a bit finer grained on my next pass. The hyperGRC example components are already finer grained. I have a goal to publish the AWS and Drupal components and their implementation narratives (all in yaml, of course) - let me know if this would be interesting to you.

[mogul]

@openprivacy I for one am very interested!

[JJediny]

I created a diagram of the idea I mentioned above that would be great to get feedback on.

About representing the Customer Responsibilities independently from components as a new schema/yaml file I usedrequirements as a placeholder. Having another standalone file would allow for layering inheritance, allow the IaaS/PaaS/SaaS provider to maintain it independently and vendor it rather than putting it in the system control writeup, and provide a cleaner way to handle implementation_status.

DRAFT - FOR DISCUSSION ONLY