[Infra Only] Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product)#14685

Open
ggbecker wants to merge 9 commits intoComplianceAsCode:masterfrom
ggbecker:nist-800-53-control-split-per-product-infra-only
Conversation

@ggbecker
Member

This is a subset of commits present in #14648 so it can be merged sooner and others can experiment to enable the NIST-800-53 for their products.

Description:

Add NIST 800-53 / CIS synchronization toolkit and product-specific control files for rhel8, rhel9, and rhel10.

This PR introduces:

  • Toolkit for generating NIST 800-53 control files from CIS benchmark mappings
  • Product-specific NIST 800-53 Revision 5 control files organized into 21 family files (AC, AU, CM, IA, SC, SI, etc.)
  • Weekly GitHub Actions automation to keep control files up to date
  • Documentation explaining the architecture and workflows

Each product (rhel8, rhel9, rhel10) now has dedicated NIST 800-53 control files in products/{product}/controls/nist_800_53/ that map CIS benchmark requirements to NIST controls.

Rationale:

Enable NIST 800-53 compliance profiles based on CIS benchmark mappings. This allows users to assess and remediate systems against NIST 800-53 controls using the existing CIS benchmark rule base.

The product-specific architecture ensures:

  • Clean control files without conditional logic
  • Each product can evolve independently
  • Only rules actually available for each product are included

Review Hints:

Testing the toolkit locally:

```shell
cd utils/nist_sync
./test_workflow_local.sh
```

@ggbecker ggbecker added this to the 0.1.81 milestone Apr 29, 2026
@ggbecker ggbecker marked this pull request as draft April 29, 2026 11:13
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 29, 2026
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product-infra-only branch 3 times, most recently from 785e0cb to 20f615a Compare April 29, 2026 12:29

Add toolkit for generating and maintaining product-specific NIST 800-53
control files with CIS benchmark mappings.

Components:
- Sync toolkit: Scripts to generate control files from CIS benchmarks and NIST OSCAL catalog
- Documentation: README files explaining architecture and workflows
- Weekly automation: GitHub Actions workflow for keeping files up to date

Control files are organized by product (rhel8, rhel9, rhel10) and split into
21 family files (AC, AU, CM, IA, SC, SI, etc.).

Add interactive web-based viewer for NIST 800-53 control files with
comprehensive gap analysis, statistics dashboard, and backlog management.

Features:
- Dashboard view with coverage statistics and product comparison
- Gap analysis showing controls without rules
- Interactive filtering by family, baseline level, status, and gaps
- Select All/Deselect All checkboxes for all filter categories
- Full OSCAL metadata integration (description, guidance, parameters)
- TODO/backlog management per control with localStorage persistence
- Self-contained HTML with embedded data (works with file:// protocol)

Components:
- utils/nist_sync/generate_nist_viewer.py: Data generator script
- utils/nist_sync/nist_viewer_template.html: Interactive HTML template
- utils/nist_sync/VIEWER_README.md: Comprehensive documentation
- cmake/SSGCommon.cmake: CMake macro for building viewer
- .github/workflows/gh-pages.yaml: GitHub Pages integration

Build with:
  ninja nist-viewer

Published at:
  https://complianceascode.github.io/content-pages/nist-viewer/

Replace single-page viewer with multi-page web application for better
organization and navigation.

Changes:
- Create templates/ directory with 6 HTML page templates and 2 shared components
- index.html: Dashboard with overview stats and charts
- controls.html: Controls browser with advanced filtering
- control-detail.html: Individual control details with OSCAL metadata and TODO management
- gaps.html: Gap analysis by priority and family
- statistics.html: Detailed metrics and cross-product comparison
- family.html: Control family breakdown and family-specific views
- _shared_styles.html: Common CSS for all pages
- _shared_header.html: Navigation header and product selector

- Update generate_nist_viewer.py to generate multiple HTML files instead of single file
- Embed data in all pages for offline access (no CORS issues)
- Pages communicate via URL parameters and localStorage
- Update VIEWER_README.md with multi-page architecture documentation

Benefits:
- Better separation of concerns (each page has focused functionality)
- Easier to maintain and extend (modify individual pages without affecting others)
- Clearer navigation with dedicated pages for each view
- Improved user experience with logical page organization

Update the NIST viewer dashboard to make family names in the
"Coverage by Control Family" section clickable links that navigate
to the family detail page. Also add the family acronym in parentheses
for clarity.

Changes:
- Family names now link to family.html?family=<family_id>
- Added acronym in parentheses, e.g., "Access Control (AC)"
- Link styled in blue (#0366d6) to indicate interactivity
- Clicking a family name navigates to the family-specific view

Example: "Access Control" → "Access Control (AC)" (clickable)

This improves navigation and makes it easier to understand the
relationship between full family names and their abbreviations.

Reorganize the NIST viewer to generate product-specific pages in
separate subdirectories instead of using a single set of pages with
localStorage-based product switching. This improves performance and
clarity.

Changes:

Generator (generate_nist_viewer.py):
- Generate pages in product-specific subdirectories: rhel8/, rhel9/, rhel10/
- Embed only that product's data in each page (reduces file size from 7.5MB to 2.5MB per page)
- Add CURRENT_PRODUCT constant to each page
- Create product selector with links to other product directories
- Generate redirect index.html that points to rhel9 by default

Template changes:
- _shared_header.html: Replace dropdown selector with static product links
- Remove localStorage-based product switching
- Replace getCurrentProduct() with CURRENT_PRODUCT constant
- Simplify data access since each page only has one product's data

Benefits:
- 67% smaller file sizes per page (only one product's data embedded)
- Faster page loads (less data to parse)
- Clearer separation between products
- Direct URLs to specific products (e.g., rhel9/index.html)
- No client-side state management needed

Structure:
build/nist-controls-viewer/
  index.html (redirects to rhel9/)
  rhel8/
    index.html, controls.html, gaps.html, etc.
  rhel9/
    index.html, controls.html, gaps.html, etc.
  rhel10/
    index.html, controls.html, gaps.html, etc.

Product selector in header shows:
"Product: RHEL8 | RHEL9 | RHEL10" with current product in bold

Update documentation to reflect the new product-specific directory
structure where each product (rhel8, rhel9, rhel10) has its own
subdirectory with a complete set of viewer pages.

Changes:
- Updated directory tree showing product subdirectories
- Documented file size improvement (2.5MB vs 7.5MB per page)
- Added note about product-specific data embedding
- Updated manual generation instructions
- Clarified that index.html redirects to rhel9 by default
- Removed references to localStorage-based product switching

Extend the NIST viewer to support all 6 status types defined in the
control file format, not just the initial 3. This allows proper
representation of controls that are inherently met, do not meet
requirements, or are not applicable.

Status types and their visual representation:
1. automated     - Green (#28a745)   - Technical controls implemented
2. manual        - Blue (#0366d6)    - Manual processes required
3. inherently met - Purple (#6f42c1) - Met by system design
4. does not meet - Red (#dc3545)     - Does not satisfy requirement
5. not applicable - Gray (#6c757d)   - Not relevant to this product
6. pending       - Yellow (#ffd33d)  - Not yet evaluated

Changes:

Generator (generate_nist_viewer.py):
- Add is_inherently_met, is_does_not_meet, is_not_applicable flags
- Track counts for all 6 statuses in statistics
- Calculate percentages for progress bars

Templates:
- _shared_styles.html: Add badge styles for 3 new status types
- index.html: Add stat cards for inherently met, not applicable, does not meet
- index.html: Update family progress bars to show all 6 status types
- controls.html, family.html, gaps.html, statistics.html: Update statusClass
  determination to handle all 6 types

Dashboard now shows:
- 7 stat cards (Total + 6 status types)
- Multi-segment progress bars with up to 6 colors
- Proper filtering and display for all status types

Example control file usage:
```yaml
- id: pe-1
  title: Physical Protection Policy
  levels: [low, moderate, high]
  rules: []
  status: not applicable
  notes: Physical security is managed at datacenter level
```

This allows organizations to properly track controls that are:
- Satisfied through architectural choices (inherently met)
- Not relevant to their deployment model (not applicable)
- Identified as gaps that cannot be remediated (does not meet)

Update utils/nist_sync/README.md to streamline workflow documentation:
- Simplify description and remove overly detailed architecture sections
- Clarify that reference files are auto-generated
- Simplify weekly automation and manual sync workflows
- Remove references to change detection and manual additions tracking

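To show how the six status values, the per-status counts behind the dashboard cards and the "controls without rules" gap list from the commit messages above fit together, here is an added example; it is not code from this PR or from generate_nist_viewer.py. It assumes a family file from products/{product}/controls/nist_800_53/ has already been loaded with yaml.safe_load into a list of dicts; the control entries, the rule id and the treatment of "manual" as a status that carries no rules are constructed assumptions.

```python
# Added example (not generate_nist_viewer.py): status validation, coverage
# counts and gap detection over a control file in the format shown above.
from collections import Counter

# The six status values the viewer distinguishes; anything else is rejected.
STATUSES = ("automated", "manual", "inherently met", "does not meet",
            "not applicable", "pending")
# Statuses under which an empty rules list is expected, not a gap
# (assumption: manual controls carry no automated rules).
NO_RULES_EXPECTED = {"manual", "inherently met", "not applicable"}

# Constructed sample of one family file as yaml.safe_load would return it
# (loader assumed; the YAML text is not parsed here).
SAMPLE_CONTROLS = [
    {"id": "ac-2", "title": "Account Management", "rules": ["sample_rule_a"],
     "levels": ["low", "moderate", "high"], "status": "automated"},
    {"id": "ac-3", "title": "Access Enforcement", "rules": [],
     "levels": ["low", "moderate", "high"], "status": "manual"},
    {"id": "pe-1", "title": "Physical Protection Policy", "rules": [],
     "levels": ["low", "moderate", "high"], "status": "not applicable",
     "notes": "Physical security is managed at datacenter level"},
    {"id": "sc-7", "title": "Boundary Protection", "rules": [],
     "levels": ["moderate", "high"], "status": "pending"},
]
# Constructed entry with a misspelled status, to exercise validation.
BAD_CONTROL = {"id": "si-4", "title": "System Monitoring", "rules": [],
               "levels": ["low"], "status": "automted"}

def invalid_statuses(controls):
    """Ids whose status is not one of the six recognised values."""
    return [c["id"] for c in controls if c.get("status") not in STATUSES]

def gaps(controls, level=None):
    """Controls with no rules and a status that does not explain it,
    optionally restricted to one baseline level."""
    return [c["id"] for c in controls
            if not c.get("rules")
            and c.get("status") not in NO_RULES_EXPECTED
            and (level is None or level in c.get("levels", []))]

def status_counts(controls):
    """Total plus a count per status (zero if unused): the 7 stat cards."""
    counts = Counter(c.get("status") for c in controls)
    return {"total": len(controls), **{s: counts[s] for s in STATUSES}}

def percentages(controls):
    """Share of controls per status, for the multi-segment progress bar."""
    total = len(controls) or 1
    return {s: round(100.0 * n / total, 1)
            for s, n in status_counts(controls).items() if s != "total"}
```

Running invalid_statuses first matters: a misspelled status such as "automted" would otherwise be silently dropped from the counts while still showing up as a gap.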
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product-infra-only branch from 20f615a to 372aff9 Compare April 29, 2026 12:59
@ggbecker ggbecker marked this pull request as ready for review April 29, 2026 13:01
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 29, 2026
@openshift-ci

openshift-ci Bot commented Apr 29, 2026

@ggbecker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-openshift-platform-compliance | 372aff9 | link | true | /test e2e-aws-openshift-platform-compliance |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


NIST 800-53 control files are now **product-specific** instead of global:

### OLD Architecture (Deprecated)

Why are we documenting this?

On latest master:

```
$ ls controls/nist_800_53
ls: cannot access 'controls/nist_800_53': No such file or directory
```

@@ -0,0 +1,286 @@
# NIST 800-53 Control Files

Can we put this in the docs folder?

product: rhel8
controls_dir: nist_800_53
levels:
- id: low

Should we use inheritance here, so we don't have to list each?

@@ -0,0 +1,655 @@
name: CIS-NIST Control File Sync

There is enough bash here; maybe we should place it in a file. It would be easier to review and to run ShellCheck on.

done

- name: Upload artifacts
uses: actions/upload-artifact@v4
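Review bot: `uses: actions/upload-artifact@v4` pins only a mutable major-version tag, so whatever that tag points to on a given day is what runs in the workflow; pin to the full-length commit SHA of the reviewed release and keep the version in a trailing comment (`uses: actions/upload-artifact@<full-commit-sha> # v4.x`, placeholder shown), then let Dependabot or Renovate bump the pinned SHA. The same change should be applied to every other `uses:` step in this workflow.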

Double check all versions and use SHA hashes.

@@ -0,0 +1,326 @@
# NIST 800-53 Control Viewer & Gap Analysis

Should this be moved to docs?

@Mab879 Mab879 self-assigned this Apr 29, 2026