...

The Problem

What problem are we trying to solve?

We currently rely on a team of expert mappers to meticulously add content into the UCF. The process works well but is slow. With the advent of automation and AI, Unified Compliance risks attacks from competitors who will use technology to accelerate content acquisition.

  • We risk losing customers to other platforms if we fall behind on the extent of coverage.

  • Customers are not able to keep up to date with compliance requirements in the face of quickly evolving best practices, implementation guides, new segments, etc.

We will also find it difficult to take on new market segments without automation.

...

Goals

What does success look like? What metrics do we measure today that we can affect? What metrics should we absolutely add? Why is it important to affect those metrics?

Goal: Reliably extract citations from Authority Documents
Metric: When AI is not needed, 100% accuracy. When AI is utilized, greater than 80% accuracy, where 20% of Citations need to be reworked (e.g., split, merged, rejected …).
Why Important: If there is poor accuracy requiring extensive human correction, then there is little value.

Goal: Reliably extract glossaries from Authority Documents
Metric: When AI is not needed, 100% accuracy. When AI is utilized, greater than 95% accuracy, where only 5% of term-definition pairs need to be reworked. Glossaries are substantially easier to identify and extract than citations.
Why Important: If there is poor accuracy requiring extensive human correction, then there is little value.

Goal: Reliably automate the end-to-end process of capturing, transforming, and loading STIG, NIST 800-53, FedRAMP, and eCFR compliance content into the Unified Compliance platform.
Metric: 100% of identified Authority Documents for all four compliance content contributor sources are loaded into the UCF.
Why Important: All four Authority Document sources are related to securing and hardening IT infrastructure for both the private and public sector. To provide value to customers with Security Operations requirements, UC needs to maximize the breadth of security coverage to ensure we can provide security guidance for as many IT assets as possible.

Goal: Ingested compliance content, including Authority Documents, Citations, and Glossaries, is available for access via the UC 4.0 API Gateway.
Metric: 100% of identified Authority Documents for all four compliance content contributor sources are available for access via the UCF 4.0 API Gateway.
Why Important: We are in the migration phase from CCH to UC 4.0. To ensure we don’t elongate the migration process, all new content must come into UC 4.0 and out through the API Gateway.

Scope and Features

Section Explanation

This section focuses on the details of the solution, including what is in scope, what is out of scope, and additional information to help in the product and engineering collaboration process.

...

Out of Scope / Future Functionality

List the known features that are out of scope for this project or might be revisited at a later time.

As is the case with the assumptions, it is important to list these out so that architects and engineers can plan accordingly for these later updates.

Feature: Tagging and Mapping of content to the Common Controls.
Comments: This project ends at the AD, Citation, and Glossary extraction, transformation, and load. Follow-on projects will include the tagging and mapping.

Feature: Human-in-the-loop for content capture.
Comments: Later projects can include additional human validation. To limit the scope of this project, steps such as metadata change detection can be reviewed and validated after the fact by looking at logs and other information.

Feature: Human-in-the-loop for the AD cataloging.
Comments: Same as above.

Feature: Human-in-the-loop for transformation into the common data format.
Comments: Same as above.

Feature: Human-in-the-loop for loading into the UCF.
Comments: Same as above.

Feature: Corpora Management and Administration.
Comments: A non-production version of a corpora exists. Any work on the corpora is out of scope for this product.

Feature: Corpora Data Loads.
Comments: The focus of this PRD is to load compliance content into the UCF 4.0 application for customer consumption over the API Gateway, with API responses in the Common Data Format. Follow-on projects can tap into the pipeline and use the content for other purposes.

Feature: Fit-for-purpose frontend for each step in the content ingestion process.
Comments: UX/UI for any other aspect of the process outside of human review and approval of suggested citations and suggested term-definition pairs. Later product updates could include additional front-end steps for tasks throughout the process.

Feature: Dictionary term management.
Comments: For glossaries, all that is needed for the terms is the term-definition pair. Once we move into creating and managing dictionaries, we will add more details like part of speech, synonyms …

Process flows and UX

If we have them, link to:

  • user journeys, process flow, or other diagrams related to the requirements.

  • mockups, prototypes, or screenshots related to the requirements.

...

Open Questions

List any open questions that come to mind throughout the lifecycle of this initiative.

Question: What do we do with deprecated authority documents?
Answer:
Date Answered:

Question: How do we identify and capture AD versions?
Answer:
Date Answered:

Question: For STIGs, how do we identify which files are authority documents?
Answer:
Date Answered:

Question: For NIST 800-53, how do we identify which files are authority documents?
Answer:
Date Answered:

Question: For FedRAMP, how do we identify which files are authority documents?
Answer:
Date Answered:

Question: For eCFRs, how do we identify which files are authority documents?
Answer:
Date Answered:

Question: Specifically, what is required to catalog an AD?
Answer:
Date Answered:

Question: In this first pass, what should constitute content changes?
Answer: We don’t want to get too crazy and make this a massive project. Need to discuss.
Date Answered:

...