There are similarities in different security models that lend themselves to assessment mapping options. For example, a completed NIST assessment, which requires input from all organizational controls, can be applied where applicable to the CFS assessment template. Providing mapping options between matching data collected for different security models saves organizations from redundant work and improves the consistency of control entries across various assessments.
In addition, after completing at least one assessment, the list of common controls creates a template for the assessment to assessment mapping. Customers can either
- select from mapping templates created by Axio,
- create their own mapping template (in progress, currently requires administrative steps by Axio), or
- select from mapping templates created by industry peers (development in progress).
Editing a mapping template from any source provides granular control over the assessment mapping, whether updating a common control and having it applied to multiple assessments or how a specific control maps.
With the current deployment, Axio360 provides a list of preconfigured maps that users can select:
|Available maps||Source model||Target Model|
|C2M2-v1.1-to-v2.1||C2M2 v1.1||C2M2 v.2.1|
|CMMC-v1-to-CMMC-v2||CMMC v1||CMMC v2|
More maps will be uploaded as they become available. Check back for updates.
CRI maps are not supported at this point.
To use the Assessment Mapping feature, follow these steps:
- In the left navigation menu select the Assessments icon.
- From the list of new assessments, select the type of assessment you want to create. For example C2M2 v2.1 Full Assessment.
- On the New Assessment modal
- provide an assessment name and meaningful description for easy identification.
- specify tags and a target score from the availalbe drop-down menus.
from the Select an assessment map (Optional) drop-down, select a completed assessment map. For this example, we selected a C2M2 v1.1 to v2.1 map, named C2M2 Take 2. This is just a test name and will be different for your environment.
- from the Source Assessment to use (Optional) drop-down, select a previously completed assessment based on the model that you wish to map into the new assessment.
- Click Save.
Once the new assessment opens with the mapped data, you can start your assessment work based on the new model.
The assessment practices show a status message if the data has been mapped from a source assessment. Practices that are net new in the target assessment show up as not implemented and need to have a mapped from status message.