Question - Compliance Package Items Customization

Is there a way to add custom tabs and fields to compliance package items?

My motivation for this is to help deal with NIST 800-53. NIST assigns a “security control baseline” designation to each control. We are only required to comply with portions of 800-53 marked as “Low”. I’d like to enter this information into Eramba so I can filter out compliance package items that are out of scope.

Note: See NIST 800-53B for a table mapping each control to its security control baselines.

It doesn’t look like you can customize compliance package items, but there are two ways to handle this in my mind:

  1. Customize your compliance package to be a “800-53 low baseline” package that only contains the relevant package items that you need to comply with. Of course, you have a downside here of not being able to track compliance with the higher level requirements should that be of interest (though, you can load a secondary compliance package with all of NIST 800-53 in that case).

  2. If you still want to use the entire 800-53 baseline and then mark them as not applicable, then set the “Compliance Strategy” to “Not Applicable” for the Compliance Analysis for the particular item. Then you can use a filter to remove all the Not Applicable items from your views…

Thank you. I had not thought of your 1st suggestion, and will consider it. Your second suggestion is also good, and perhaps the better choice.