Continuous Audit Metrics

  • 1.  Metrics Catalogue and NIST OSCAL

    Posted Jun 13, 2022 08:55:00 AM
    Good morning,

I've been over the current metrics specification and catalogue. Very nice work! I have recently begun exploring NIST's OSCAL project. The standards included seem to be geared solely towards 800-53 and FedRAMP, and there is no mention of "Continuous Audit" activities, at least not that I have seen.

    Is there an ongoing effort to attempt to integrate the Continuous Audit Metrics, or even STAR & CCMv4, into the OSCAL ecosystem?

    Bruce Lavoie, Developer
    Montreal, Quebec

  • 2.  RE: Metrics Catalogue and NIST OSCAL

    Posted Jun 14, 2022 07:42:00 AM
    We have a translation of the CCMv4, CAIQ and auditing guidelines in OSCAL. It should be available soon.

    On the other hand, we haven't found a suitable way to translate the metrics catalog into OSCAL. I think NIST is working towards filling that gap in a future release of OSCAL.

    Alain Pannetrat
    Senior Researcher & Product Manager
    Cloud Security Alliance

  • 3.  RE: Metrics Catalogue and NIST OSCAL

    Posted Jun 14, 2022 08:55:00 AM

    Very eager to get my hands on those mappings. As for the Continuous Audit Metrics, I will invest research time into Prometheus Metrics. It offers Cloud Provider abstraction, on top of being the basis of Open Metrics. If technically possible, the initial areas of interest would most likely be:

    • Expressing the Continuous Audit Metrics via Prometheus/OpenMetrics.
    • Expressing those derived Metrics to OSCAL.

  • 4.  RE: Metrics Catalogue and NIST OSCAL

    Posted Jul 07, 2022 08:11:00 AM
    Hi Alain - I am interested in this translation from CSA. Would this work be open sourced?

    Zeal Somani (Google)