Start exploring mechanisms to do mappings and gathering/utilizing example SSPs in Kraken.

See https://github.com/cisagov/ScubaGear/tree/oscal-exploration/oscal OSCAL exploration branch for more info.

@amart241 Since SCBs are not being modified in Lionfish, move last acceptance critieria to standalone issue in Marlin to accomplish publishing.

@schrolla, what is the status of the SCuBA to 800-53 mapping? Slide 10 of the SCuBA overview at https://csrc.nist.gov/csrc/media/Presentations/2024/cisa-s-scuba-overview/5-CISAs_SCuBA_Overview-Mamika_Huynh.pdf states [emphasis added]:

When developing the baselines, users would ask whether our baselines would meet their
800-53 controls. As a response, the SCuBA M365 and GWS baseline policies were mapped
to NIST SP 800-53 Rev. 5, FedRAMP High baseline.

However, the OSCAL information you reference above states the mapping is incomplete (and the corresponding json file is quite thin on the control mapping).

Thanks for the help.

@schrolla, what is the status of the SCuBA to 800-53 mapping? Slide 10 of the SCuBA overview at https://csrc.nist.gov/csrc/media/Presentations/2024/cisa-s-scuba-overview/5-CISAs_SCuBA_Overview-Mamika_Huynh.pdf states [emphasis added]:

When developing the baselines, users would ask whether our baselines would meet their
800-53 controls. As a response, the SCuBA M365 and GWS baseline policies were mapped
to NIST SP 800-53 Rev. 5, FedRAMP High baseline.

However, the OSCAL information you reference above states the mapping is incomplete (and the corresponding json file is quite thin on the control mapping).

Thanks for the help.

@faulkdev Thanks for the question. If you are referring to the OSCAL exploration branch I commented on above, yes, it is incomplete and this issue is working on a more complete updated mapping than what is present in the proof of concept branch referenced above since the focus of that branch was exploring the code to use such a mapping rather than a complete mapping itself. In short, work in progress with more to come.

@schrolla, Do you have any other formats (Excel) that have more mappings from SCuBA to 800-53? Thanks.

@schrolla, Do you have any other formats (Excel) that have more mappings from SCuBA to 800-53? Thanks.

An updated mapping is still be developed. Watching this issue for updates is the best way to be informed when new mappings are available and to find out in what format they will be made available.

@schrolla, We're standing by, here. In the interim, perhaps CISA could update their public information on SCuBA removing the the statement that CISA has performed a mapping to FedRAMP High and providing an ETA for that work. Thank you.

It would be of greater value if we could either map to CIS which is a much wider used standard, and a few forks of SCuBA do this already by adding the map value to the rego, however, they aren't without issue (current baseline version, L1, L2, E3, E5, etc).

We respectfully disagree with a CIS mapping being of more value than the CISA-advertised mapping to 800-53r5 / FedRAMP High. Given CISA BOD 25-01 and the SCuBA focus on FCEB, both USG organizations and their federal contractors are looking for a clear (and clean) mapping between SCuBA and 800-53r5 (the "glue" among / "basis" for other requirements such as FedRAMP, RMF, DoD Cloud SRG, STIGs, CNSSI 1253, C-SCRM, 171/CMMC, StateRAMP, etc.). CIS has a mapping between CIS v8 & 800-53r5 moderate & low baselines (with 119 unmapped 800-53r5 moderate controls) available to those organizations requiring only CIS or a similar framework.