Question

OSCAL: the Open Security Controls Assessment Language for IriusRisk

  • 19 December 2022
  • 4 replies
  • 110 views

Hi Guys, 

Has anyone come across of using OSCAL security controls on IriusRisk or have experience? I would love to get some insights on that.

Thanks


4 replies

Userlevel 5

Hello @Paresh.kerai ! Thank you for your question :) I’m reaching out to the community and see if anyone who may have experience to share. Stay tuned!

Userlevel 2
Badge

OSCAL seems designed as a control catalogue, and it’s great that there is finally a standard format for defining controls!  

From the point of view of threat modeling, what it lacks is the “why” behind each control, i.e. the threat or risk that it’s mitigating.  So on it’s own, you could certainly use it to manage a library of controls, but if you wanted to use it for threat modeling and as a threat catalog then you’d need a mapping between controls and threats.  If you had that mapping, then you could use this as a threat-control catalog to help speed up or standardise threat model output.

Hi @stephendv 
thank you for the response, and I agree if there is a threat to control mapping in place, then the value would help speed up the assessment. 

Is it possible to import the mapping on the IriusRisk tool itself?

Thanks

Maybe I’m wrong but the Open Threat Model specification (OTM) might be better for this rather than OSCAL, since it already provides that threat-control mapping. Since both can be independent you could have the OSCAL control defined in a catalog and the OTM threat model where the mitigations are like:

mitigations:
- name: My mitigation 1
id: fd6136f4-e2ff-11eb-ba80-0242ac130004
description: My description
riskReduction: 50
attributes:
oscal-catalog: b954d3b7-d2c7-453b-8eb2-459e8d3b8462
oscal-group-id: ac
oscal-control-id: ac-1

What would be the best attributes to include is unknown to me.

Reply


V2