Control Tags
Risk and compliance control linkage
Link scenarios to standardized security and compliance requirements using NIST OSCAL format.
Overview
Control tags connect BDD specifications to compliance controls from established catalogs (NIST 800-53, ISO 27001, CIS, etc.).
Purpose
- Links test scenarios to OSCAL catalog controls
- Enables automated compliance evidence collection
- Provides standardized control traceability
- Supports audit and assessment reporting
Tag Formats
Single Control: @control:<control-id>
Multiple Controls: @controls:<id1>,<id2>
Control ID Format
Pattern: <family>-<number> or <family>-<number>(<enhancement>)
Examples:
ac-2 - Account Management (NIST 800-53)
au-3 - Audit Record Content
ia-5(1) - Password-Based Authentication (enhancement)
When to Use Control Tags
Always Use When
- Testing security requirements
- Validating access controls
- Audit and compliance scenarios
- Authentication and authorization
- Data protection and encryption
- Incident response procedures
Example
@ov @control:ac-2
Scenario: Account creation requires approval
Given a user registration request
When an administrator reviews the request
Then the account should require approval
And the approval should be logged
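As an added example (not code from the original page or its project), the following parser applies the tag formats and control id pattern described above to a feature file and builds a control-to-scenario traceability map, the input an evidence collector needs to show which catalog controls have no covering scenario. It assumes the family part of a control id is alphabetic and that tag lines sit directly above the Scenario they annotate; the sample feature text is constructed.

```python
import re
from collections import defaultdict

# Page's control id pattern: <family>-<number> or <family>-<number>(<enhancement>).
# Assumption: the family part is alphabetic (ac, au, ia, ...).
CONTROL_ID_RE = re.compile(r"^[a-z]+-\d+(?:\(\d+\))?$")

# Tag formats from this page: @control:<id> and @controls:<id1>,<id2>
TAG_RE = re.compile(r"@controls?:(\S+)")

def is_valid_control_id(cid):
    """True when cid matches the documented control id pattern."""
    return CONTROL_ID_RE.match(cid.strip().lower()) is not None

def parse_control_ids(tag_line):
    """Return the control ids carried by one Gherkin tag line."""
    ids = []
    for match in TAG_RE.finditer(tag_line):
        for raw in match.group(1).split(","):
            if not is_valid_control_id(raw):
                raise ValueError(f"invalid control id {raw!r} in {tag_line.strip()!r}")
            ids.append(raw.strip().lower())
    return ids

def build_traceability(feature_text):
    """Map each control id to the names of the scenarios tagged with it."""
    coverage = defaultdict(list)
    pending = []  # ids from the tag line(s) directly above the next Scenario
    for line in feature_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("@"):
            pending.extend(parse_control_ids(stripped))
        elif stripped.startswith(("Scenario:", "Scenario Outline:")):
            name = stripped.split(":", 1)[1].strip()
            for cid in pending:
                coverage[cid].append(name)
            pending = []
    return dict(coverage)

# Constructed sample feature (not from the page) using the tag formats above.
SAMPLE_FEATURE = """@ov @control:ac-2
Scenario: Account creation requires approval
  Given a user registration request
  Then the account should require approval

@controls:au-3,ia-5(1)
Scenario: Failed password attempt is recorded
  When the user submits a wrong password
  Then an audit record with the required content is written
"""
```

Feature-level tags are not distinguished from scenario tags here; they would be attributed to the first scenario that follows them.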
Related Documentation
- Risk Controls - Complete risk control documentation
- GxP Tagging - Regulatory compliance tagging
- Verification Tags - Types of validation