Identification of Framework Satisfaction with cDefs

[brian-ruf]

Author Use Case: As a cloud service provider, I want to enable my customers to select cloud services based on preexisting framework validation assessments of those components.

Consumer Use Case: As a consumer of cloud services that needs to deploy a system in compliance with a specific framework, I want select cloud services that have already been audited/assessed and found to satisfy that framework.

Example: if a customer wants to only select/utilize cloud services that have been subject to - and passed - a SOC 2 Type 2 assessment, the CSP should be able to expose that fact within OSCAL content.

[brian-ruf]

Recommendation for consideration

The CSP publishes a "validation" component for each framework. These can be spread across several files or a single component definition file can be used for all framework "validation" components.

The CSP also publishes a component definition for each service or other component. When the component was in-scope for a specific framework audit and found to satisfy that audit, a "validation" link is used that cites the appropriate framework "validation" component above.