April 4th, 2020
Slides
- Overview (PDF)
Agenda
- Review closed and open pull requests in OSCAL repo.
- Discuss current work.
- Discuss renaming
system-security-plan
andplan-of-action-and-milestones
elements in the respective OSCAL models to better align with how the data is produced, used, and referred to in other risk management frameworks - Open discussion.
Notes
Brainstormed a few options for renaming
system-security-plan
andplan-of-action-and-milestones
elements.Suggested names for
system-security-plan
included:- system-implementation
- system-control(s)-implementation
- ssp (using just the acronym)
- system-descriptor
- system
There was some support for
system
. The emerging consensus seemed to be around keeping the name as-is for the OSCAL 1.x.Suggested names for
plan-of-action-and-milestones
included:- open action
- milestone (since it highlights a deadline)
- weakness (some consensus that this term is a bit too general and overused in other contexts)
No emerging consensus around any given new name. The emerging consensus seemed to be around keeping the name as-is for the OSCAL 1.x.
Adam Oline offered to provide a sample SSP in Word aligned with the data provided by CSAM. He is going to post this to issue #364. Once posted, we need to discuss how to get this converted into OSCAL format. Looking for volunteers to help with this.