Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Controls referenced by various certifications cannot be found #7

Open
isimluk opened this issue Mar 13, 2020 · 4 comments
Open

Controls referenced by various certifications cannot be found #7

isimluk opened this issue Mar 13, 2020 · 4 comments

Comments

@isimluk
Copy link

isimluk commented Mar 13, 2020

Hello!

I am using this repo together with https://github.com/opencontrol/standards and I tried to intersect controls referenced here with controls defined there (in standards). I have generated following report of the inconsistencies.

Interestingly, controls that are referenced does not exists in the NIST-800-53. Or at least, they are not available at https://nvd.nist.gov/800-53/

Report:

Certification DHS 4300A references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control PE-7 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control PE-7 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SA-5 (6) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SA-6 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (3) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (4) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification FedRAMP High references control IA-6 (8) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control UL-2 in standard NIST-800-53 that is not defined in the repo.

Please advice. 🙏
@trevorbryant
Copy link
Contributor

trevorbryant commented Mar 13, 2020
edited
Loading

@isimluk, I haven't been familiar on the OpenControl schema's usage today and where it stands generally. There has been much more attention on OSCAL as it's being NIST lead. There are agency plans to integrate OSCAL into their traditional A&As and FedRAMP.

However, these controls you listed are under Appendix J Privacy Control Catalog of NIST 800-53. I don't know why they were not included in the OpenControl efforts but they should have been included as they are essential to the organization's privacy requirements.

Perhaps that's what the "open" in OpenControl meant. 😛

ID PRIVACY CONTROLS
AP Authority and Purpose
AP-1 Authority to Collect
AP-2 Purpose Specification

AR Accountability, Audit, and Risk Management
AR-1 Governance and Privacy Program
AR-2 Privacy Impact and Risk Assessment
AR-3 Privacy Requirements for Contractors and Service Providers
AR-4 Privacy Monitoring and Auditing
AR-5 Privacy Awareness and Training
AR-6 Privacy Reporting
AR-7 Privacy-Enhanced System Design and Development
AR-8 Accounting of Disclosures

DI Data Quality and Integrity
DI-1 Data Quality
DI-2 Data Integrity and Data Integrity Board
DM Data Minimization and Retention
DM-1 Minimization of Personally Identifiable Information
DM-3 Minimization of PII Used in Testing, Training, and Research

IP Individual Participation and Redress
IP-1 Consent
IP-2 Individual Access
IP-3 Redress
IP-4 Complaint Management

SE Security
SE-1 Inventory of Personally Identifiable Information
SE-2 Privacy Incident Response

TR Transparency
TR-1 Privacy Notice
TR-2 System of Records Notices and Privacy Act Statements
TR-3 Dissemination of Privacy Program Information

UL Use Limitation
UL-1 Internal Use
UL-2 Information Sharing with Third Parties

@isimluk
Copy link
Author

isimluk commented Mar 13, 2020

@trevorbryant, thanks for the pointers! Interestingly, these identifiers aren't present in the stock OSCAL catalogs that are shipped with OSCAL upstream (i.e. https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml )

Will have to dig deeper why these are omitted. Thanks!

@trevorbryant
Copy link
Contributor

That's interesting that they'd exclude the privacy controls. I disagree with that, but perhaps it was overlooked (as they generally are...) or not selected with reason.

By the way, we do have a Slack space if you'd like to continue discussions there.

@shawndwells
Copy link
Member

That's interesting that they'd exclude the privacy controls. I disagree with that, but perhaps it was overlooked (as they generally are...) or not selected with reason.

In regards to OpenControl they were not included because NIST does not provide an XML edition of the privacy overlay. At least that could be found at the time.

By the way, we do have a Slack space if you'd like to continue discussions there.

Slack/instant message apps are for sync communications, which does not work for distributed teams across time zones or conversations related to a single topic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shawndwells @isimluk @trevorbryant