usnistgov/OSCAL-DEFINE

Spiral: Determine approach to documenting in the SSP and Component Definition a mapped control or statement.

iMichaela opened this issue · 1 comment

Problem Statement

The mapping of controls or statements of controls is needed in the SSP and possibly Component Definition so the results of the assessment against one regulatory framework can be used to automatically infer the compliance status against other mapped frameworks.

For each control satisfaction, by-component, a mapping-record assembly is needed to document:

  • the mapping relation (by uuid) to other control(s)
  • the mapping document (by uuid) where the above mapping is to be found
  • the locally tailored relation based on the control/statement implementation
  • evidence requirements when different
  • anything else?

A mapping-record assembly which allows documenting a particular mapping relation for a control-implementation/implemented-requirements/by-components or control-implementation/implemented-requirements/statements/by-components needs to be researched and added to the SSP model and potentially to the CDef model as well.