OSCAL: the Open Security Controls Assessment Language for IriusRisk

Original post by @Paresh.kerai

Hi Guys,

Has anyone come across using OSCAL security controls on IriusRisk, or have experience with it? I would love to get some insights on that.

Thanks

Original post by @stephendv

OSCAL seems designed as a control catalogue, and it’s great that there is finally a standard format for defining controls!

From the point of view of threat modeling, what it lacks is the “why” behind each control, i.e. the threat or risk that it’s mitigating. So on its own, you could certainly use it to manage a library of controls, but if you wanted to use it for threat modeling and as a threat catalog then you’d need a mapping between controls and threats. If you had that mapping, then you could use this as a threat-control catalog to help speed up or standardise threat model output.

Original post by @Paresh.kerai

Hi @stephendv, thank you for the response, and I agree that if there is a threat-to-control mapping in place, it would help speed up the assessment.

Is it possible to import the mapping on the IriusRisk tool itself?

Original post by @areyes

Maybe I’m wrong, but the Open Threat Model specification (OTM) might be better for this than OSCAL, since it already provides that threat-control mapping. Since both can be independent, you could have the OSCAL control defined in a catalog and the OTM threat model where the mitigations are like:

mitigations:
  - name: My mitigation 1
    id: fd6136f4-e2ff-11eb-ba80-0242ac130004
    description: My description
    riskReduction: 50
    attributes:
        oscal-catalog: b954d3b7-d2c7-453b-8eb2-459e8d3b8462
        oscal-group-id: ac
        oscal-control-id: ac-1

Which attributes would be best to include is unknown to me.
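To make the two earlier points concrete (stephendv's point that a threat-control mapping is what turns an OSCAL catalog into something usable for threat modeling, and areyes's suggestion of linking OTM mitigations to OSCAL controls through attributes), here is an added example script, written for this thread and not part of IriusRisk, OSCAL or OTM. It loads a constructed OSCAL catalog fragment and a constructed OTM fragment, checks that every mitigation's `oscal-control-id` resolves to a control in the catalog and sits in the group the attribute claims, and derives the threat-to-control map from the component threat/mitigation links. Assumptions: the OSCAL layout (`catalog` with nested `groups[]` and `controls[]`) follows the published JSON schema; the OTM layout (`threats[]`, `mitigations[]`, `components[].threats[].mitigations[].mitigation`) follows the OTM spec as I recall it, so treat those field names as assumptions; the `oscal-catalog`, `oscal-group-id` and `oscal-control-id` attributes are the convention proposed in the post above, not part of either standard. Sample data is constructed, and one mitigation deliberately points at the wrong group and one at a control that does not exist, so the check has something to report.

```python
"""Cross-check OTM mitigations against an OSCAL control catalog.

Added example for the forum thread; not project code. Field names for OSCAL
and OTM are assumptions based on the published specs; the oscal-* attributes
are the convention proposed in the thread. Sample documents are constructed.
"""
import json

# Constructed OSCAL catalog fragment: two groups, one nested control enhancement.
OSCAL_CATALOG = json.loads("""
{"catalog": {
  "uuid": "b954d3b7-d2c7-453b-8eb2-459e8d3b8462",
  "metadata": {"title": "Sample catalog", "version": "1.0"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management",
       "controls": [{"id": "ac-2.1", "title": "Automated Account Management"}]}]},
    {"id": "sc", "title": "System and Communications Protection", "controls": [
      {"id": "sc-8", "title": "Transmission Confidentiality and Integrity"}]}]}}
""")

CAT = "b954d3b7-d2c7-453b-8eb2-459e8d3b8462"  # catalog uuid reused in attributes

# Constructed OTM fragment using the thread's proposed oscal-* attributes.
OTM = {
    "otmVersion": "0.1.0",
    "project": {"name": "Sample project", "id": "sample-project"},
    "threats": [{"id": "t-spoof", "name": "Spoofed client identity"},
                {"id": "t-sniff", "name": "Credentials sniffed in transit"},
                {"id": "t-orphan", "name": "Threat linked to no control"}],
    "mitigations": [
        {"id": "m-policy", "name": "Access control policy", "riskReduction": 50,
         "attributes": {"oscal-catalog": CAT, "oscal-group-id": "ac", "oscal-control-id": "ac-1"}},
        # Deliberately wrong group: sc-8 lives under "sc", not "ac".
        {"id": "m-tls", "name": "TLS everywhere", "riskReduction": 80,
         "attributes": {"oscal-catalog": CAT, "oscal-group-id": "ac", "oscal-control-id": "sc-8"}},
        # Deliberately dangling control id.
        {"id": "m-typo", "name": "Dangling control link", "riskReduction": 10,
         "attributes": {"oscal-catalog": CAT, "oscal-group-id": "ac", "oscal-control-id": "ac-99"}},
        {"id": "m-none", "name": "No OSCAL link at all", "riskReduction": 10},
    ],
    "components": [{"id": "api", "name": "API gateway", "type": "web-service", "threats": [
        {"threat": "t-spoof", "state": "mitigate",
         "mitigations": [{"mitigation": "m-policy", "state": "implemented"}]},
        {"threat": "t-sniff", "state": "mitigate",
         "mitigations": [{"mitigation": "m-tls", "state": "implemented"},
                         {"mitigation": "m-typo", "state": "required"}]},
        {"threat": "t-orphan", "state": "expose", "mitigations": []}]}],
}


def index_oscal_controls(catalog):
    """Return {control_id: group_id}, walking nested groups and nested
    controls so an enhancement such as 'ac-2.1' resolves to group 'ac'."""
    index = {}

    def walk_controls(controls, group_id):
        for ctl in controls:
            index[ctl["id"]] = group_id
            walk_controls(ctl.get("controls", []), group_id)

    def walk_groups(groups, parent):
        for grp in groups:
            gid = grp.get("id", parent)
            walk_controls(grp.get("controls", []), gid)
            walk_groups(grp.get("groups", []), gid)

    root = catalog["catalog"]
    walk_controls(root.get("controls", []), None)
    walk_groups(root.get("groups", []), None)
    return index


def check_mitigations(otm, catalog):
    """Validate each mitigation's OSCAL link. Returns sorted (mitigation_id,
    problem) tuples; an empty list means every link resolves cleanly."""
    controls = index_oscal_controls(catalog)
    findings = []
    for m in otm.get("mitigations", []):
        attrs = m.get("attributes") or {}
        ctl = attrs.get("oscal-control-id")
        if ctl is None:
            findings.append((m["id"], "no oscal-control-id attribute"))
            continue
        if attrs.get("oscal-catalog") != catalog["catalog"]["uuid"]:
            findings.append((m["id"], "oscal-catalog does not match loaded catalog"))
        if ctl not in controls:
            findings.append((m["id"], f"control {ctl} not in catalog"))
        elif attrs.get("oscal-group-id") != controls[ctl]:
            findings.append((m["id"], f"control {ctl} is in group {controls[ctl]}, "
                                      f"not {attrs.get('oscal-group-id')}"))
    return sorted(findings)


def threat_control_map(otm):
    """Derive threat_id -> {oscal control ids} from component threat links.
    Attribute values are copied as-is; run check_mitigations() first to
    catch dangling ids. Threats with no linked control map to an empty set."""
    by_id = {m["id"]: m for m in otm.get("mitigations", [])}
    mapping = {t["id"]: set() for t in otm.get("threats", [])}
    for comp in otm.get("components", []):
        for ti in comp.get("threats", []):
            bucket = mapping.setdefault(ti["threat"], set())
            for mi in ti.get("mitigations", []):
                attrs = by_id.get(mi["mitigation"], {}).get("attributes") or {}
                if attrs.get("oscal-control-id"):
                    bucket.add(attrs["oscal-control-id"])
    return mapping


def uncovered_threats(otm):
    """Threats in the model that no OSCAL-linked mitigation addresses."""
    return sorted(t for t, ctls in threat_control_map(otm).items() if not ctls)


if __name__ == "__main__":
    for mid, problem in check_mitigations(OTM, OSCAL_CATALOG):
        print(f"{mid}: {problem}")
    print("uncovered threats:", uncovered_threats(OTM))
```

Running it reports `m-none` (no link), `m-tls` (group mismatch) and `m-typo` (dangling control), and lists `t-orphan` as the one threat with no control behind it. The group check matters in practice because OSCAL control ids are only unique within a catalog, so validating `oscal-catalog` and `oscal-group-id` together with the control id is what keeps the mapping trustworthy when several catalogs are in play.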