About Control Catalog
Purpose
This catalog presents the same control requirements to government agencies and industry partners, so that both parties can work together to apply the right level of controls to their systems.
The catalog consists of a central pool of recommended controls meant for low-risk systems, that is, systems whose disruption would have no impact on an agency's core functions or on Whole-of-Government.
The controls are expressed in the Open Security Controls Assessment Language (OSCAL), which codifies them in a machine-readable policy format. This enables future automation to monitor and assess the effectiveness of technical control implementation. Industry partners can find more information about OSCAL here.
The controls are categorised into the domain areas listed on the left. Each control is either a basic hygiene requirement, which should be implemented, or a guideline, which is a best practice for consideration. The same control can be tagged as a requirement for low-risk systems but as a guideline for systems in the sandbox stage. The list of controls for these 2 profiles is available here. You may refer to sample JSON files here.
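The following is an added illustration, not code or data from the catalog itself, of how a machine-readable OSCAL catalog can be resolved against a profile and each selected control classified as a requirement or a guideline. The catalog fragment, the two profiles, the control ids and titles, and the "requirement-level" property convention are all constructed for this example; only the overall field layout (catalog -> groups -> controls -> props, and profile -> imports -> include-controls -> with-ids) follows the OSCAL models.

```python
"""Resolve a small OSCAL-style catalog against two profiles and classify each
selected control as a 'requirement' or a 'guideline'.

Constructed example: the catalog, the profiles and the 'requirement-level'
property convention are assumptions for illustration, not published data.
"""
import json

# Constructed catalog fragment. Field names follow the OSCAL catalog model;
# control ids, titles and the 'requirement-level' prop are invented here.
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Example catalog", "version": "0.1"},
    "groups": [
      {
        "id": "ex-iam",
        "title": "Identity and Access Management",
        "controls": [
          {
            "id": "ex-iam-1",
            "title": "Enforce multi-factor authentication for privileged users",
            "props": [
              {"name": "requirement-level", "class": "low-risk", "value": "requirement"},
              {"name": "requirement-level", "class": "sandbox", "value": "guideline"}
            ]
          },
          {
            "id": "ex-iam-2",
            "title": "Review access rights quarterly",
            "props": [
              {"name": "requirement-level", "class": "low-risk", "value": "guideline"},
              {"name": "requirement-level", "class": "sandbox", "value": "guideline"}
            ]
          }
        ]
      },
      {
        "id": "ex-log",
        "title": "Logging and Monitoring",
        "controls": [
          {
            "id": "ex-log-1",
            "title": "Forward security logs to a central store",
            "props": [
              {"name": "requirement-level", "class": "low-risk", "value": "requirement"}
            ]
          }
        ]
      }
    ]
  }
}
"""

# Constructed profiles: each selects catalog controls by id, the way an
# OSCAL profile does via imports -> include-controls -> with-ids.
PROFILES_JSON = """
{
  "low-risk": {"profile": {"imports": [{"href": "#catalog",
      "include-controls": [{"with-ids": ["ex-iam-1", "ex-iam-2", "ex-log-1"]}]}]}},
  "sandbox":  {"profile": {"imports": [{"href": "#catalog",
      "include-controls": [{"with-ids": ["ex-iam-1", "ex-iam-2"]}]}]}}
}
"""


def index_controls(catalog: dict) -> dict:
    """Flatten the catalog into {control_id: control}, recursing into nested groups and controls."""
    out = {}

    def walk_controls(controls):
        for c in controls:
            out[c["id"]] = c
            walk_controls(c.get("controls", []))

    def walk_groups(groups):
        for g in groups:
            walk_controls(g.get("controls", []))
            walk_groups(g.get("groups", []))

    walk_groups(catalog["catalog"].get("groups", []))
    walk_controls(catalog["catalog"].get("controls", []))
    return out


def selected_ids(profile: dict) -> list:
    """Collect the control ids a profile includes (with-ids selectors only)."""
    ids = []
    for imp in profile["profile"].get("imports", []):
        for sel in imp.get("include-controls", []):
            ids.extend(sel.get("with-ids", []))
    return ids


def requirement_level(control: dict, profile_name: str) -> str:
    """Return 'requirement' or 'guideline' for this control under the named profile.
    Assumed convention: a 'requirement-level' prop whose class names the profile.
    A control with no tag for that profile defaults to 'guideline' (best practice)."""
    for p in control.get("props", []):
        if p.get("name") == "requirement-level" and p.get("class") == profile_name:
            return p["value"]
    return "guideline"


def classify(catalog_json: str, profiles_json: str, profile_name: str) -> dict:
    """Resolve a profile against the catalog and return {control_id: level}.
    Raises KeyError if the profile references an id missing from the catalog,
    which is the check a reviewer wants before a system security plan is built on it."""
    controls = index_controls(json.loads(catalog_json))
    profile = json.loads(profiles_json)[profile_name]
    return {cid: requirement_level(controls[cid], profile_name)
            for cid in selected_ids(profile)}


if __name__ == "__main__":
    for name in ("low-risk", "sandbox"):
        print(name, json.dumps(classify(CATALOG_JSON, PROFILES_JSON, name), indent=2))
```

Running the script shows the same control (ex-iam-1) resolved as a requirement under the low-risk profile and as a guideline under the sandbox profile, which is the per-profile tagging the paragraph above describes; a profile that names a control id absent from the catalog fails loudly rather than silently dropping it.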
Each system is to define a system security plan that comprises the controls to be implemented. Agencies and their industry partners are to apply the controls identified for each system.
The first tranche of recommended controls for low-risk systems is published here and will be updated progressively on this website.
We invite industry players to join us on the ICT&SS Reform journey. Please provide any feedback here.