The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer
Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as implying a different model than the normative prose intends? What does this say about relying on derived data models in the tools that support the specification? A cautionary tale involving the security control baselines from the National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights.
The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer, Proceedings of Balisage: The Markup Conference, Washington, DC, [online], https://doi.org/10.4242/BalisageVol26.Lubell01, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932872
(Accessed November 30, 2021)