Mike,

Actually, just the opposite is occurring with SRGs and CCIs.  NIST IR 8011, 
which is out in draft, specifically discusses the same context of using "control 
items" for granularity.  CCIs are decomposed 800-53 controls which are 
normally more targeted to being measurable.  The same CCI may be met in various 
operating systems by different methods.  They were not intended to be standard 
"rule" language.  The document I was referencing can be reviewed at 
http://csrc.nist.gov/publications/drafts/nistir-8011/nistir_8011_ipd-draft_vol1_overview.pdf

DISA actually starts from the CCIs for requirements instead of doing a reverse 
mapping.  This provides us a better picture in relation to risk or unmet 
requirements, which are levied down from the federal government through NIST in 
the 800-53 controls and then into the DoD through the CNSS 1253 baselines.  DoD 
systems must be authorized and accredited based on those baselines, in 
accordance with how they categorize their information systems, following a 
process similar to that defined in NIST 800-60.

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/