Melissa leads the DevOps team at ACME Bank and uses SD Elements Projects to get security control recommendations. While Melissa and her team have addressed the recommendations, that work is reflected only in the Projects that her team uses.
In another part of the organization, Rob leads one of the engineering teams that works on the AWS-hosted web server that serves users trying to access the bank’s web portal. While modeling this web server in SD Elements, Rob’s team selects the AWS answer for the survey question related to hosting. Based on this and other answers in the Project survey, SD Elements generates Countermeasures for the team, including some related to AWS setup.
Rob’s team reviews the generated Countermeasures in their Project, but since the ones related to AWS setup are outside their domain of control and responsibility, Rob consults with the DevOps team. Melissa discusses the situation with her team and confirms that some of these Countermeasures are already addressed. She advises Rob to ignore those Countermeasures or mark them as not applicable.
Upon receiving the next SD Elements release announcement email, Melissa reads about a new feature called Reusable Components. She decides to give it a try, working with Jane (the content administrator for SD Elements at ACME Bank) to create a custom Reusable Component called ACME AWS. Melissa and Jane then add the AWS-related Countermeasures that Melissa’s team is responsible for to the ‘Mark as complete’ list of the new Reusable Component. They also add the Countermeasures that DevOps wants other teams to perform to the component’s ‘Mark as incomplete’ list. Finally, they add a new Answer called ACME AWS to the SD Elements Survey’s hosting Question, and map that Answer to the Reusable Component they created.
Melissa informs other team leads about the new Survey Answer, and instructs them to select ACME AWS if the module they are working on is deployed by her team. When teams select this Answer, the ACME AWS Reusable Component gets added to their SD Elements Project and Countermeasures related to AWS (those on the ‘Mark as complete’ list) get marked as ‘Completed’ automatically. Teams like Rob’s are happy since they see only the Jira tickets that concern them, and Melissa is happy because leads no longer ping her to review duplicate work requests.