Controls referenced by various certifications cannot be found

[isimluk]

Hello!

I am using this repo together with https://github.com/opencontrol/standards and I tried to intersect controls referenced here with controls defined there (in standards). I have generated following report of the inconsistencies.

Interestingly, controls that are referenced does not exists in the NIST-800-53. Or at least, they are not available at https://nvd.nist.gov/800-53/

Report:

Certification DHS 4300A references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control PE-7 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control PE-7 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SA-5 (6) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SA-6 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (2) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (3) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SC-9 (4) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification DHS 4300A references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification FedRAMP High references control IA-6 (8) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 H-H-H references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 L-L-L references control UL-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-5 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-6 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-7 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control AR-8 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-1 (2) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DI-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control DM-3 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-4 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control IP-4 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control SE-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control SE-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-1 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-2 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-2 (1) in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control TR-3 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control UL-1 in standard NIST-800-53 that is not defined in the repo.
Certification ICD 503 M-M-M references control UL-2 in standard NIST-800-53 that is not defined in the repo.

Please advice. 🙏

[trevorbryant]

@isimluk, I haven't been familiar on the OpenControl schema's usage today and where it stands generally. There has been much more attention on OSCAL as it's being NIST lead. There are agency plans to integrate OSCAL into their traditional A&As and FedRAMP.

However, these controls you listed are under Appendix J Privacy Control Catalog of NIST 800-53. I don't know why they were not included in the OpenControl efforts but they should have been included as they are essential to the organization's privacy requirements.

Perhaps that's what the "open" in OpenControl meant. 😛

ID PRIVACY CONTROLS
AP Authority and Purpose
AP-1 Authority to Collect
AP-2 Purpose Specification

AR Accountability, Audit, and Risk Management
AR-1 Governance and Privacy Program
AR-2 Privacy Impact and Risk Assessment
AR-3 Privacy Requirements for Contractors and Service Providers
AR-4 Privacy Monitoring and Auditing
AR-5 Privacy Awareness and Training
AR-6 Privacy Reporting
AR-7 Privacy-Enhanced System Design and Development
AR-8 Accounting of Disclosures

DI Data Quality and Integrity
DI-1 Data Quality
DI-2 Data Integrity and Data Integrity Board
DM Data Minimization and Retention
DM-1 Minimization of Personally Identifiable Information
DM-3 Minimization of PII Used in Testing, Training, and Research

IP Individual Participation and Redress
IP-1 Consent
IP-2 Individual Access
IP-3 Redress
IP-4 Complaint Management

SE Security
SE-1 Inventory of Personally Identifiable Information
SE-2 Privacy Incident Response

TR Transparency
TR-1 Privacy Notice
TR-2 System of Records Notices and Privacy Act Statements
TR-3 Dissemination of Privacy Program Information

UL Use Limitation
UL-1 Internal Use
UL-2 Information Sharing with Third Parties

[isimluk]

@trevorbryant, thanks for the pointers! Interestingly, these identifiers aren't present in the stock OSCAL catalogs that are shipped with OSCAL upstream (i.e. https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml )

Will have to dig deeper why these are omitted. Thanks!

[trevorbryant]

That's interesting that they'd exclude the privacy controls. I disagree with that, but perhaps it was overlooked (as they generally are...) or not selected with reason.

By the way, we do have a Slack space if you'd like to continue discussions there.

[shawndwells]

That's interesting that they'd exclude the privacy controls. I disagree with that, but perhaps it was overlooked (as they generally are...) or not selected with reason.

In regards to OpenControl they were not included because NIST does not provide an XML edition of the privacy overlay. At least that could be found at the time.

By the way, we do have a Slack space if you'd like to continue discussions there.

Slack/instant message apps are for sync communications, which does not work for distributed teams across time zones or conversations related to a single topic.