Technical Question: Parts vs Groups #36
Hi, not sure if this is the right place to raise this question, happy to take it to another forum. Just let me know!

SHORT VERSION: "groups" and "parts" seem to be somewhat redundant structural elements. How are they intended to be used?

LONG VERSION: As with most existing control sets, the one I am working on divides requirements into logical groupings. Currently, this is based on a semi-structured narrative document outline, but I would like to express this grouping in OSCAL. When looking at the specification, I see both "groups" and "parts" defined as potential structural elements. The difference between these is not clear to me. Of course, a catalog can directly express groups, not parts, so that suggests that outline sections are equivalent to groups, but when reading about parts, I see that "A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section)."

This makes me wonder - what is the difference between "groups" and "parts"?
Replies: 2 comments
First off, sorry no one else jumped to answer. I had to think about this one, but I have a practical answer; it might not explain why. In a catalog, you can have:

You cannot have top-level parts, you can only have controls at the top-level or groups therein. So you can have a "part of a group [of groups or controls]" or a "part of a control" but not the other way around.

I got this practical explanation from the current model definition and the current version of the NIST SP 800-53 and 800-53A catalog.

As for why? That's less clear and a good question. I think the answer is in the colloquial way you'd express that in English, but I am not sure there is a lot of depth in this beyond how we use these terms in English. Is this the kind of answer you were looking for?
A thoughtful reply, thanks! I have come to the same conclusion about how OSCAL works in practice, and I see the benefit of "groups of controls" and "groups of groups" as an organizing structure for controls. Thinking about 800-53 and how much structure is built into the controls there, I can also see the benefit of "parts of controls" as an internal organizing structure for control details. I am still confused about the "parts of groups" since I don't see a clear use for an internal structure of groups that isn't better served by just using groups. Maybe something like an Introduction to a section that explains what it is about before you get into the actual requirements?
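The containment rule described in the first reply, as an added example that is not part of the original discussion or of the OSCAL project's code: a Python walker over an OSCAL JSON catalog that reports where each group, control and part sits and flags placements the rule forbids. The sample catalogs, their ids and the `audit` helper are constructed for illustration; nested controls and nested parts are treated as allowed, which goes beyond what the reply lists.

```python
# Containment rule from the reply above, keyed by the OSCAL JSON property
# names "groups", "controls" and "parts". Nested controls and nested parts
# are an added assumption about the catalog model, not stated in the thread.
ALLOWED = {
    "catalog": {"groups", "controls"},           # no top-level parts
    "group": {"groups", "controls", "parts"},    # "part of a group"
    "control": {"controls", "parts"},            # "part of a control"
    "part": {"parts"},                           # never groups or controls
}
KIND = {"groups": "group", "controls": "control", "parts": "part"}


def audit(node, kind="catalog", path="catalog"):
    """Return (placements, violations) for everything nested under node."""
    placements, violations = [], []
    for key, child_kind in KIND.items():
        for child in node.get(key, []):
            child_path = f"{path}/{child_kind}:{child.get('id', '?')}"
            if key in ALLOWED[kind]:
                placements.append(f"{child_kind} of {kind}: {child_path}")
            else:
                violations.append(f"{kind} may not contain {key}: {child_path}")
            sub_ok, sub_bad = audit(child, child_kind, child_path)
            placements += sub_ok
            violations += sub_bad
    return placements, violations


# Constructed sample: a group with an introductory part, then a control
# whose own parts carry the requirement text.
SAMPLE = {"groups": [{
    "id": "ac", "title": "Access Control",
    "parts": [{"id": "ac_intro", "name": "overview", "prose": "Scope of this section."}],
    "controls": [{"id": "ac-1", "title": "Policy", "parts": [{
        "id": "ac-1_stmt", "name": "statement", "prose": "Define the policy.",
        "parts": [{"id": "ac-1_stmt.a", "name": "item", "prose": "Review it yearly."}],
    }]}],
}]}

# Constructed counter-example: a top-level part and a control inside a part.
BAD = {"parts": [{"id": "loose", "name": "overview"}],
       "groups": [{"id": "g", "parts": [{"id": "p", "name": "overview",
                                         "controls": [{"id": "c-1"}]}]}]}

if __name__ == "__main__":
    for line in audit(SAMPLE)[0]:
        print("ok     ", line)
    for line in audit(BAD)[1]:
        print("invalid", line)
```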