Schemas harmonized in the Federated Compliance Mapping model
As of this writing there are several framework schemas that are in active use:
- NIST’s Control Correlation Identifier (CCI) – The CCI provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance with multiple IA compliance frameworks. CCI also provides a means to objectively roll up and compare related compliance assessment results across disparate technologies.
- NIST Derived Relationship Mapping – The Derived Relationship Mapping (DRM) Analysis Tool gives users the ability to generate DRMs for Reference Documents, with the Cybersecurity Framework as the Focal Document. The DRMs are non-authoritative and represent a starting point when attempting to compare Reference Documents. Refer to Sections 3.3 – 3.5 of NIST Interagency Report (IR) 8278, National Cybersecurity OLIR Program: Guidelines for OLIR Users and Developers, for additional guidance on understanding and using Derived Relationship Maps.
- NIST National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, SP 800-70 R4 (and later) – To facilitate the development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.
- NIST Open Security Controls Assessment Language (OSCAL) – NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
- TagVault Software Identification (SWID) Tagging – NIST has developed a SWID tag validation methodology and schema that can be used to verify that a produced SWID tag properly implements the requirements defined in NISTIR 8060. TagVault has turned it into a queryable API and reference framework.
- Unified Compliance Framework – The UCF has been at the forefront of compliance frameworks since before the term GRC was coined by Michael Rasmussen. The Unified Compliance team holds multiple patents covering compliance frameworks, dictionary structures, etc. Their structure and framework standard will be presented throughout. The patents covered in this section include the following:
In addition to these schemas, there are guidelines for performing the mapping, found in the following documents, which we will reference throughout:
- ISO 19770-8 (2020) Information technology – IT asset management – Part 8: Guidelines for mapping of industry practices to/from the ISO/IEC 19770 family of standards
- NISTIR 8278 National Cybersecurity Online Informative References (OLIR) Program: Guidance for OLIR Users and Developers
- Unified Compliance Framework – Unified Compliance Schema and Mapping Standard