This page helps RegScale customers use the Components module. It describes what the module is, why you would use it, and its benefits, and provides instructions on getting started.
What is it?
The OSCAL component definition model represents a description of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact. The component definition model allows grouping related components into capabilities, and documenting how the combination of components in a capability together can satisfy specific controls that are not fully satisfied by a single component on its own. Learn more on the NIST OSCAL Components Website.
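The grouping described above can be checked mechanically. The script below is an added example (not RegScale or NIST code) that walks a constructed OSCAL component-definition JSON document and reports, per capability, which controls its incorporated components implement on their own and which controls are claimed only by the combination; the uuids and descriptions are shortened placeholders.

```python
"""Per capability in an OSCAL component-definition, list the controls its member
components implement alone and the controls claimed only by their combination.
Added example with a constructed sample document (not RegScale or NIST data)."""
import json

def _ci(control_ids):
    # Minimal control-implementation block; uuids and descriptions are placeholders.
    return [{"uuid": "00000000-0000-4000-8000-000000000000", "source": "#catalog",
             "implemented-requirements": [{"uuid": f"00000000-0000-4000-8000-{i:012d}",
                                          "control-id": c, "description": "constructed"}
                                         for i, c in enumerate(control_ids, 1)]}]

SAMPLE = json.dumps({"component-definition": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Constructed sample", "version": "1.0"},
    "components": [
        {"uuid": "a1", "type": "software", "title": "Web application",
         "control-implementations": _ci(["ac-2", "au-2"])},
        {"uuid": "b2", "type": "service", "title": "Identity provider",
         "control-implementations": _ci(["ia-2"])}],
    "capabilities": [
        {"uuid": "c3", "name": "Authenticated web access",
         "incorporates-components": [{"component-uuid": "a1", "description": "app"},
                                     {"component-uuid": "b2", "description": "IdP"},
                                     {"component-uuid": "zz", "description": "bad ref"}],
         "control-implementations": _ci(["ac-2", "ac-17"])}]}})

def controls_of(holder):
    """Control ids declared under a component's or capability's control-implementations."""
    return {r["control-id"] for ci in holder.get("control-implementations", [])
            for r in ci.get("implemented-requirements", [])}

def capability_coverage(doc):
    """Cross-reference each capability's incorporated components with its own claims."""
    cdef = doc["component-definition"]
    by_uuid = {c["uuid"]: c for c in cdef.get("components", [])}
    report = {}
    for cap in cdef.get("capabilities", []):
        refs = [m["component-uuid"] for m in cap.get("incorporates-components", [])]
        from_parts = set().union(*(controls_of(by_uuid[u]) for u in refs if u in by_uuid))
        claimed = controls_of(cap)
        report[cap["name"]] = {
            "from_components": sorted(from_parts), "claimed": sorted(claimed),
            "only_via_combination": sorted(claimed - from_parts),  # the capability's added value
            "dangling_component_refs": [u for u in refs if u not in by_uuid]}
    return report

if __name__ == "__main__":
    print(json.dumps(capability_coverage(json.loads(SAMPLE)), indent=2))
```

A dangling component reference (here the constructed "zz") is reported rather than silently ignored, since a capability that points at a component missing from the definition cannot be trusted to satisfy its claimed controls.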
Why would you use it?
These component definitions can be used by organizations implementing the thing defined by a given component to provide a significant amount of the implementation detail needed when documenting a system's control implementation in a system security plan. The system security plan author can use this information as a starting point, saving time and cost. There are many reasons to document components, including:
- Accelerate implementation by leveraging vendor provided component implementations
- Bite off one piece at a time for documentation to make implementation more manageable
- Save money by reducing duplication of effort and layering in controls for components
- Ability to focus the effort of a Subject Matter Expert (SME) on each component to improve granularity, versus an ISSO/generalist approach to a broad boundary
What are the benefits?
The component module results in multiple benefits for an organization, including:
- Fuller understanding of each information system's security implementation
- Verification of compliance with regulations to reduce fines and audit risks
- Validation of control implementations to reduce risk
- Strong accountability for risk acceptance for senior organization officials
- Delegation of common control implementations to vendors who adopt the OSCAL standard over time
- Leveraging consistent vendor best practices for a given component
How do I use it?
The component module in RegScale Community Edition (CE) provides a number of key features that are useful in managing a robust program, including:
- Tracking metadata for components that roll up to a broader System Security Plan (SSP)
- Tracking expiration dates for component security authorizations and the dates controls were last assessed/tested
- Real-time tracking and dashboards
- Automation via our Application Programming Interfaces (APIs), for scripting evidence collection and documentation gathering
- Single pane of glass assignment tracking via our work bench
- Automated workflows for review and approval
- Interactive timeline builder
- Social collaboration via our News Feed (LinkedIn for Compliance) and real-time commenting system
- Secure evidence management with our file upload and encryption system
- Audit history including every view, update, print, email, etc.
- Calendar view to see data calls scheduled within any given period
- Dashboards, Status Boards, and Score Cards to visualize progress in real-time
For our Enterprise Edition (EE) customers, you get all the great features above, plus we add:
- Ability to create custom fields to extend the schema and build out customer specific data entry forms
- Integration with Microsoft Teams and Slack for real-time collaboration
- Ability to host a multi-tenant version to segregate data by site, customer, organization, etc. to run many different programs with complete data isolation from a single installation
- Real-time interactive dashboard with Microsoft PowerBI AddOn