├── LICENSE
├── README.md
├── catalogs
│   └── im8-reform.json
└── profiles
    ├── low-risk-level-0.json
    ├── low-risk-level-1.json
    ├── low-risk-level-2.json
    ├── medium-risk-level-0.json
    ├── medium-risk-level-1.json
    └── medium-risk-level-2.json

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Government Technology Agency of Singapore

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Singapore Government ICT&SS Policy

Welcome to the GitHub repository for the Singapore Government's ICT&SS (Infocomm Technology and Smart Systems) Policy Reform, also known as the IM8 Reform. This initiative is part of Singapore's broader effort to support its Smart Nation ambitions by accelerating digital transformation across government agencies. The goal is to improve service delivery, system security, operational management, and policy definition to better protect ICT&SS assets.

## Overview

The [ICT&SS Policy Reform](http://go.gov.sg/tech-standards) is a transformative initiative aimed at making policy controls leaner, more relevant, and more effective. By allowing differentiated treatment based on the risk impact level of a system, agencies can assess risks and apply controls tailored to their specific business and technical contexts.

This repository is a public reference for industry partners, giving them access to the same control requirements that agencies apply. Publishing the controls openly lets industry partners learn from the government's policy standards and help improve them.

The reform effort began with low-risk cloud systems. This repository contains the first tranche of recommended controls for those systems, together with profiles for medium-risk systems. These controls will be updated progressively to reflect ongoing improvements and feedback.

## Controls and Profiles

This catalog lists the control requirements for both government agencies and implementation partners, so that both can apply the appropriate level of controls to their platforms or systems.

The catalog (`catalogs/im8-reform.json`) is the central pool of recommended controls. It was designed for low-risk cloud systems, meaning systems with minimal disruptive impact on an agency's core functions or on the Whole-of-Government; the medium-risk profiles select from the same catalog. Profiles (`profiles/*.json`) pick controls out of the catalog by risk tier and level.

- **Controls**: Each control includes the following elements:
  - **Statement:** A clear and concise description of the control requirement.
  - **Guidance:** Recommendations on how to implement the control effectively.
  - **Risk Statement:** An explanation of the risks that the control is intended to mitigate.
  - **References:** Links or mappings to other relevant policy standards or frameworks that the control aligns with.

- **Profiles**: Within a risk tier, each control is assigned to one of three levels. The levels are cumulative: the Level 1 profile imports everything in Level 0, and Level 2 imports everything in Level 1.
  - **Level 0 (Must-Haves)**: Essential controls that provide central oversight of system security. They must be implemented for all systems; agencies cannot deviate from them.
  - **Level 1 (Should-Haves)**: Controls that support a standard secure product. Deviations require approval from the agency's ICT and Digitalisation Steering Committee (IDSC) or a delegated approval authority such as the agency CIO or CISO, and must be documented in a custom System Security Plan that is submitted centrally. A control that is not applicable to the system needs no approval, but the reason it does not apply must be recorded.
  - **Level 2 (Good-to-Haves)**: Best-practice controls that extend the security and maturity of a system. Deviations need no approval but must still be documented in a custom System Security Plan and submitted centrally.

A control may sit at one level for low-risk systems and at a different level for systems with a higher risk impact. For example, `ac-2` is a Level 1 control in the low-risk profiles but a Level 0 control in the medium-risk profiles.

## Developed in OSCAL

The ICT&SS policy controls are developed and published using the Open Security Controls Assessment Language (OSCAL), a set of open, machine-readable formats developed by NIST. OSCAL gives agencies and partners a standardised way to document and automate security controls, making it easier to implement, assess, and maintain compliance with the policy requirements.

Because the controls are codified in a machine-readable policy format, it becomes possible to automate monitoring and assessment of how effectively technical controls have been implemented. Industry partners can learn more about OSCAL [here](https://pages.nist.gov/OSCAL/).

The files in this repository are an OSCAL catalog (`catalogs/im8-reform.json`) and a set of OSCAL profiles (`profiles/`), written against OSCAL version 1.1.2. Each profile lists the catalog control ids it includes under `imports[].include-controls[].with-ids`, and the Level 1 and Level 2 profiles additionally import the profile one level below them with `include-all`. The `trestle://` hrefs in the profiles are workspace-relative references in the form used by the compliance-trestle tooling, not network URLs; resolve them against the repository root.

By adopting OSCAL, the Singapore Government ensures that its ICT&SS policies are not only transparent and accessible but also interoperable with the wide range of tools and platforms used in industry. This improves the effectiveness and efficiency of security control implementation across systems and agencies.

## How to Use This Repository

- **Browse the Controls and Profiles**: The controls are organised into profiles by risk impact level and system type.
- **Contribute**: We welcome contributions. Please refer to the contributing guidelines to understand how you can participate.
- **Stay Updated**: This repository will be updated regularly with new controls and revisions. Watch this repository to stay informed about the latest changes.

## License

This project is licensed under the [MIT License](LICENSE), allowing wide use and collaboration while ensuring proper attribution.

## Contact

For more information or to provide feedback, please contact [GovTech Singapore](https://go.gov.sg/ictpolicy).

---

By making these policies open source, we aim to foster greater collaboration and innovation in securing Singapore's digital infrastructure. Thank you for your interest and contributions!
--------------------------------------------------------------------------------

/profiles/low-risk-level-0.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "41cb1662-d32f-4f2f-9544-70bc8ba5804e",
    "metadata": {
      "title": "Low-Risk - Level 0",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "low-risk-level-0" },
        { "name": "risk", "value": "low-risk" },
        { "name": "level", "value": "0" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "e738ab7c-ed26-4fe6-a1e7-f485265d50cc",
          "type": "organization",
          "name": "IM8-reform Executive Committee",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "eugene_lim@tech.gov.sg",
            "loke_yew_leong@moe.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] },
        { "role-id": "contact", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] }
      ],
      "remarks": "The Level 0 baseline includes controls that provide central oversight of systems' security. Agencies cannot deviate from controls in this baseline."
    },
    "imports": [
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          { "with-ids": ["pm-3", "pm-4", "pm-5", "is-11", "is-14", "lm-12"] }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------

/profiles/low-risk-level-1.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "ae8c267e-93f5-41fe-9937-b90a9be53e12",
    "metadata": {
      "title": "Low-Risk - Level 1",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "low-risk-level-1" },
        { "name": "risk", "value": "low-risk" },
        { "name": "level", "value": "1" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "e738ab7c-ed26-4fe6-a1e7-f485265d50cc",
          "type": "organization",
          "name": "IM8-reform Executive Committee",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "eugene_lim@tech.gov.sg",
            "loke_yew_leong@moe.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] },
        { "role-id": "contact", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] }
      ],
      "remarks": "The Level 1 baseline includes controls that support a standard secure product. Agencies can seek approval from the agency's ICT and Digitalisation Steering Committee (IDSC) or delegated approval authority such as the agency CIO or CISO for deviations from controls in this baseline in any default system security plan. Deviations must be documented in a custom System Security Plan with explanations for each deviation and submitted centrally. If a control is not applicable to the system, the agency does not need to seek IDSC approval but must provide explanation for why it is not applicable."
    },
    "imports": [
      {
        "href": "trestle://profiles/low-risk-level-0.json",
        "include-all": {}
      },
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          {
            "with-ids": [
              "ac-1", "ac-2", "ac-3", "ac-4", "ac-5", "ac-6", "ac-7", "ac-8",
              "ac-9", "ac-12", "ac-14", "as-1", "as-2", "as-3", "as-4", "as-5",
              "as-6", "as-7", "as-8", "as-9", "as-11", "br-1", "br-3", "cs-3",
              "cs-4", "cs-7", "cs-9", "cs-10", "dc-1", "dc-2", "dp-1", "dp-2",
              "dp-3", "dp-4", "dp-5", "is-1", "is-2", "is-3", "is-4", "is-5",
              "is-6", "is-7", "is-9", "is-10", "lm-1", "lm-2", "lm-3", "lm-4",
              "lm-6", "lm-8", "lm-7", "lm-9", "lm-10", "ns-1", "ns-2", "ns-3",
              "ns-4", "ns-5", "ns-6", "ns-7", "ns-8", "ns-9", "ns-10", "pm-1",
              "pm-2", "pm-6", "tp-1", "tp-5", "sc-1", "sc-3", "sc-4", "sc-5",
              "sc-6", "sd-1", "sd-2", "sd-4", "sd-5", "sd-6", "sd-7", "sd-8",
              "st-1", "st-2", "st-3", "st-4", "st-5", "tp-3"
            ]
          }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------

/profiles/low-risk-level-2.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "2d8d4144-8d64-4e39-8749-294291500f92",
    "metadata": {
      "title": "Low-Risk - Level 2",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "low-risk-level-2" },
        { "name": "risk", "value": "low-risk" },
        { "name": "level", "value": "2" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "e738ab7c-ed26-4fe6-a1e7-f485265d50cc",
          "type": "organization",
          "name": "IM8-reform Executive Committee",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "eugene_lim@tech.gov.sg",
            "loke_yew_leong@moe.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] },
        { "role-id": "contact", "party-uuids": ["e738ab7c-ed26-4fe6-a1e7-f485265d50cc"] }
      ],
      "remarks": "The Level 2 baseline includes controls that extend the security and maturity of a system. Agencies do not need to seek approval for deviations from controls in this baseline in any default system security plan. Deviations must be documented in a custom System Security Plan with explanations for each deviation and submitted centrally."
    },
    "imports": [
      {
        "href": "trestle://profiles/low-risk-level-1.json",
        "include-all": {}
      },
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          {
            "with-ids": [
              "ac-10", "ac-11", "ac-13", "as-10", "as-12", "as-13", "as-14", "br-2",
              "sc-7", "sc-8", "sc-9", "sd-3", "cs-1", "cs-2", "cs-5", "cs-6",
              "cs-8", "cs-11", "is-8", "is-12", "is-13", "dp-6", "ck-1", "ck-2",
              "ns-11", "lm-5", "lm-11", "lm-13", "lm-14", "lm-15", "lm-16", "lm-17",
              "lm-19", "lm-20", "sc-2"
            ]
          }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------

/profiles/medium-risk-level-0.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "ae80675f-94e8-4dc2-9839-9e48fc5a4e8a",
    "metadata": {
      "title": "Medium-Risk - Level 0",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "medium-risk-level-0" },
        { "name": "risk", "value": "medium-risk" },
        { "name": "level", "value": "0" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "d42526af-0b2b-4b27-82b3-2a2f24db5f07",
          "type": "organization",
          "name": "IM8-reform Medium Risk Working Group",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "goh_sheen_an@tech.gov.sg",
            "alex_ng@tech.gov.sg",
            "nitya@open.gov.sg",
            "andy_hh_chua@tech.gov.sg",
            "nicholas_tan_from.persolkelly@tech.gov.sg",
            "ivan_leong@htx.gov.sg",
            "samuel_huang@tech.gov.sg",
            "eileen_goh@tech.gov.sg",
            "eugene_lim@tech.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] },
        { "role-id": "contact", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] }
      ],
      "remarks": "The Level 0 baseline includes controls that provide central oversight of systems' security. Agencies cannot deviate from controls in this baseline."
    },
    "imports": [
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          {
            "with-ids": [
              "ac-2", "ac-3", "ac-5", "ac-6", "as-1", "as-3", "as-7", "as-8",
              "br-1", "dp-1", "ns-1", "ns-5", "pm-3", "pm-4", "pm-5", "is-11",
              "is-14", "lm-3", "lm-4", "lm-6", "lm-9", "lm-12", "sd-8", "st-1",
              "st-3", "st-4"
            ]
          }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------

/profiles/medium-risk-level-1.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "5a4e4538-be2a-4821-aceb-0665675e0fcf",
    "metadata": {
      "title": "Medium-Risk - Level 1",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "medium-risk-level-1" },
        { "name": "risk", "value": "medium-risk" },
        { "name": "level", "value": "1" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "d42526af-0b2b-4b27-82b3-2a2f24db5f07",
          "type": "organization",
          "name": "IM8-reform Medium Risk Working Group",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "goh_sheen_an@tech.gov.sg",
            "alex_ng@tech.gov.sg",
            "nitya@open.gov.sg",
            "andy_hh_chua@tech.gov.sg",
            "nicholas_tan_from.persolkelly@tech.gov.sg",
            "ivan_leong@htx.gov.sg",
            "samuel_huang@tech.gov.sg",
            "eileen_goh@tech.gov.sg",
            "eugene_lim@tech.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] },
        { "role-id": "contact", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] }
      ],
      "remarks": "The Level 1 baseline includes controls that support a standard secure product. Agencies can seek approval from the agency's ICT and Digitalisation Steering Committee (IDSC) or delegated approval authority such as the agency CIO or CISO for deviations from controls in this baseline in any default system security plan. Deviations must be documented in a custom System Security Plan with explanations for each deviation and submitted centrally. If a control is not applicable to the system, the agency does not need to seek IDSC approval but must provide explanation for why it is not applicable."
    },
    "imports": [
      {
        "href": "trestle://profiles/medium-risk-level-0.json",
        "include-all": {}
      },
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          {
            "with-ids": [
              "ac-1", "ac-4", "ac-7", "ac-8", "ac-9", "ac-12", "ac-14", "as-2",
              "as-4", "as-5", "as-6", "as-9", "as-11", "br-2", "br-3", "cs-3",
              "cs-4", "cs-7", "cs-8", "cs-9", "cs-10", "dc-1", "dc-2", "dp-2",
              "dp-3", "dp-4", "dp-5", "ck-1", "ck-2", "is-1", "is-2", "is-3",
              "is-4", "is-5", "is-6", "is-7", "is-9", "is-10", "is-12", "is-13",
              "lm-1", "lm-2", "lm-5", "lm-7", "lm-8", "lm-10", "lm-19", "ns-2",
              "ns-3", "ns-4", "ns-6", "ns-7", "ns-8", "ns-9", "ns-10", "pm-1",
              "pm-2", "pm-6", "tp-1", "sc-1", "sc-3", "sc-4", "sc-5", "sc-6",
              "sd-1", "sd-2", "sd-3", "sd-4", "sd-5", "sd-6", "sd-7", "st-2",
              "st-5"
            ]
          }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------

/profiles/medium-risk-level-2.json:
--------------------------------------------------------------------------------
{
  "profile": {
    "uuid": "f105a061-5ab0-4f92-b4d6-8a6827d3cb53",
    "metadata": {
      "title": "Medium-Risk - Level 2",
      "last-modified": "2025-05-13T18:00:00+08:00",
      "version": "2025.05.13",
      "oscal-version": "1.1.2",
      "props": [
        { "name": "label", "value": "medium-risk-level-2" },
        { "name": "risk", "value": "medium-risk" },
        { "name": "level", "value": "2" }
      ],
      "roles": [
        { "id": "creator", "title": "Creator" },
        { "id": "contact", "title": "Contact" }
      ],
      "parties": [
        {
          "uuid": "d42526af-0b2b-4b27-82b3-2a2f24db5f07",
          "type": "organization",
          "name": "IM8-reform Medium Risk Working Group",
          "email-addresses": [
            "kevin_kb_ng@tech.gov.sg",
            "hunter_nield@tech.gov.sg",
            "goh_sheen_an@tech.gov.sg",
            "alex_ng@tech.gov.sg",
            "nitya@open.gov.sg",
            "andy_hh_chua@tech.gov.sg",
            "nicholas_tan_from.persolkelly@tech.gov.sg",
            "ivan_leong@htx.gov.sg",
            "samuel_huang@tech.gov.sg",
            "eileen_goh@tech.gov.sg",
            "eugene_lim@tech.gov.sg"
          ]
        }
      ],
      "responsible-parties": [
        { "role-id": "creator", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] },
        { "role-id": "contact", "party-uuids": ["d42526af-0b2b-4b27-82b3-2a2f24db5f07"] }
      ],
      "remarks": "The Level 2 baseline includes controls that extend the security and maturity of a system. Agencies do not need to seek approval for deviations from controls in this baseline in any default system security plan. Deviations must be documented in a custom System Security Plan with explanations for each deviation and submitted centrally."
    },
    "imports": [
      {
        "href": "trestle://profiles/medium-risk-level-1.json",
        "include-all": {}
      },
      {
        "href": "trestle://catalogs/im8-reform.json",
        "include-controls": [
          {
            "with-ids": [
              "ac-10", "ac-11", "ac-13", "as-10", "as-12", "as-13", "as-14", "sc-9",
              "cs-1", "cs-2", "cs-5", "cs-6", "cs-11", "is-8", "dp-6", "ns-11",
              "lm-11", "lm-13", "lm-14", "lm-15", "lm-16", "lm-17", "sc-2", "sc-7",
              "sc-8"
            ]
          }
        ]
      }
    ],
    "merge": { "combine": { "method": "merge" }, "as-is": true },
    "modify": {}
  }
}
--------------------------------------------------------------------------------
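The profiles above select controls from the catalog by id and chain upwards with `trestle://` imports (Level 1 imports Level 0 with `include-all`, Level 2 imports Level 1), so the effective baseline of a level is only visible after the import chain is resolved. The script below is an added example, not code from the IM8-reform repository or from the compliance-trestle project: it follows such a chain in memory and reports the three defects a reviewer would want flagged before trusting a baseline, namely ids that do not exist in the catalog, a control listed directly in more than one level of the same tier, and a level that fails to carry forward everything from the level below. The catalog, the `make_profile` helper and the `bad-level-2.json` profile are constructed stand-ins with the same field layout as the repo's files; only the hrefs and a handful of control ids (`pm-3`, `pm-4`, `pm-5`, `lm-12`, `ac-1`, `ac-2`, `ac-10`) are taken from the files above.

```python
"""Resolve OSCAL profile import chains and sanity-check level baselines (added example)."""

CATALOG_HREF = "trestle://catalogs/im8-reform.json"

# Constructed catalog (not the real im8-reform catalog): a few ids laid out
# with the nested group/control structure OSCAL catalogs use.
CATALOG = {"catalog": {"groups": [
    {"id": "pm", "controls": [{"id": "pm-3"}, {"id": "pm-4"}, {"id": "pm-5"}]},
    {"id": "ac", "controls": [{"id": "ac-1"}, {"id": "ac-2"}, {"id": "ac-10"}]},
    {"id": "lm", "groups": [{"id": "lm-sub", "controls": [{"id": "lm-12"}]}]},
]}}


def make_profile(title, with_ids, parent_href=None):
    """Build a profile dict in the shape the repo's files use (constructed data)."""
    imports = []
    if parent_href:
        imports.append({"href": parent_href, "include-all": {}})
    imports.append({"href": CATALOG_HREF,
                    "include-controls": [{"with-ids": list(with_ids)}]})
    return {"profile": {"metadata": {"title": title, "oscal-version": "1.1.2"},
                        "imports": imports,
                        "merge": {"combine": {"method": "merge"}, "as-is": True}}}


# In-memory stand-in for a trestle workspace: href -> parsed document.
LOW0 = "trestle://profiles/low-risk-level-0.json"
LOW1 = "trestle://profiles/low-risk-level-1.json"
LOW2 = "trestle://profiles/low-risk-level-2.json"
BAD2 = "trestle://profiles/bad-level-2.json"  # constructed, deliberately defective
STORE = {
    CATALOG_HREF: CATALOG,
    LOW0: make_profile("Low-Risk - Level 0", ["pm-3", "pm-4", "pm-5", "lm-12"]),
    LOW1: make_profile("Low-Risk - Level 1", ["ac-1", "ac-2"], parent_href=LOW0),
    LOW2: make_profile("Low-Risk - Level 2", ["ac-10"], parent_href=LOW1),
    # Re-lists ac-2 (already in Level 1) and names an id the catalog lacks.
    BAD2: make_profile("Bad - Level 2", ["ac-10", "ac-2", "zz-99"], parent_href=LOW1),
}


def catalog_ids(catalog):
    """All control ids in a catalog, walking nested groups and child controls."""
    found = set()
    def walk(node):
        for ctl in node.get("controls", []):
            found.add(ctl["id"])
            walk(ctl)  # control enhancements are nested child controls
        for grp in node.get("groups", []):
            walk(grp)
    walk(catalog["catalog"])
    return found


def direct_ids(href, store):
    """Ids a profile selects itself via include-controls/with-ids (not inherited)."""
    return [cid for imp in store[href]["profile"]["imports"]
            for sel in imp.get("include-controls", [])
            for cid in sel.get("with-ids", [])]


def resolve_profile(href, store, _chain=()):
    """Ordered, de-duplicated control ids a profile resolves to, following imports."""
    # Only the two import shapes the repo uses are handled; anything else is
    # rejected rather than silently dropped, and a cycle raises instead of recursing.
    if href in _chain:
        raise ValueError("import cycle: " + " -> ".join(_chain + (href,)))
    resolved = []
    for imp in store[href]["profile"]["imports"]:
        target = store[imp["href"]]
        if "profile" in target and "include-all" in imp:
            ids = resolve_profile(imp["href"], store, _chain + (href,))
        elif "catalog" in target and "include-controls" in imp:
            ids = [c for sel in imp["include-controls"] for c in sel.get("with-ids", [])]
        else:
            raise NotImplementedError(f"unsupported import in {href}: {imp}")
        for cid in ids:
            if cid not in resolved:
                resolved.append(cid)
    return resolved


def check_tier(store, level_hrefs, catalog_href=CATALOG_HREF):
    """Check one tier's level profiles, lowest level first; return a list of findings."""
    known = catalog_ids(store[catalog_href])
    findings, listed_in, lower = [], {}, set()
    for href in level_hrefs:
        for cid in direct_ids(href, store):
            if cid not in known:
                findings.append(f"{href}: {cid} is not in the catalog")
            if cid in listed_in:
                findings.append(f"{href}: {cid} already listed in {listed_in[cid]}")
            else:
                listed_in[cid] = href
        resolved = set(resolve_profile(href, store))
        if not lower <= resolved:
            findings.append(f"{href}: drops {sorted(lower - resolved)} from the level below")
        lower = resolved
    return findings


if __name__ == "__main__":
    print("Level 2 resolves to:", resolve_profile(LOW2, STORE))
    print("good tier findings:", check_tier(STORE, [LOW0, LOW1, LOW2]))
    print("bad tier findings:", check_tier(STORE, [LOW0, LOW1, BAD2]))
```

To run it against the repository itself, load each file under `catalogs/` and `profiles/` into the store keyed by its `trestle://` path and pass the three level hrefs of one tier to `check_tier`. The script deliberately ignores the `merge` and `modify` sections, which are empty or default in these files; full OSCAL profile resolution, including those sections, is what the trestle tooling is for.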