Cloud Controls Matrix

Good morning,

I've been over the current metrics specification and catalogue. Very nice work! I have recently began exploring NIST's OSCAL project. The standards included seem to be geared solely towards 800-53 and FedRamp, and there is no mention of "Continuous Audit" activities, at least not that I have seen.

Is there an ongoing effort to attempt to integrate the Continuous Audit Metrics, or even STAR & CCMv4, into the OSCAL ecosystem?

------------------------------
[Bruce] [Lavoie] [Developer]
[Developer]
[Egyde-KPMG]
[Montreal] [Quebec]
------------------------------

Dear members,
My colleague Alain Pannetrat, manager of the Continuous Metrics WG, has replied to this post, which has been reposted here.
Best regards,
Lefteris

------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------

Original Message:
Sent: Jun 13, 2022 05:18:09 AM
From: Bruce Lavoie
Subject: Metrics Catalogue and NIST OSCAL

Good morning,

I've been over the current metrics specification and catalogue. Very nice work! I have recently began exploring NIST's OSCAL project. The standards included seem to be geared solely towards 800-53 and FedRamp, and there is no mention of "Continuous Audit" activities, at least not that I have seen.

Is there an ongoing effort to attempt to integrate the Continuous Audit Metrics, or even STAR & CCMv4, into the OSCAL ecosystem?

------------------------------
[Bruce] [Lavoie] [Developer]
[Developer]
[Egyde-KPMG]
[Montreal] [Quebec]
------------------------------