

Many adjustments to the OSCAL Metaschema models.
- Added missing allowed values used in the OSCAL NIST catalogs and profiles for SP 800-53.
- Added deprecation information for older allowed values whose use should be discontinued.
- Deprecated depends-on in parameter, since this construct only allows a single dependency.
- In part deprecated and replaced the following names: objective->assessment-objective, assessment->assessment-method
- Deprecated profile merge/combine/@merge since this behavior is not defined in the profile resolution specification.
- Added warnings for non-required UUID flags per usnistgov#1044. Resolves usnistgov#1044.
david-waltermire authored and Rene2mt committed May 17, 2022
1 parent c501dbb commit 8aca3bc
Showing 7 changed files with 36 additions and 16 deletions.
4 changes: 2 additions & 2 deletions src/metaschema/oscal_assessment-common_metaschema.xml
@@ -63,8 +63,8 @@
</model>
<constraint>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]">
<enum value="objective">(deprecated) Use 'assessment-objective' instead.</enum>
<enum value="assessment">(deprecated) Use 'assessment-method' instead</enum>
<enum value="objective" deprecated="1.0.1">**(deprecated)** Use 'assessment-objective' instead.</enum>
<enum value="assessment" deprecated="1.0.1">**(deprecated)** Use 'assessment-method' instead</enum>
<enum value="assessment-objective">The part defines an assessment objective.</enum>
<enum value="assessment-method">The part defines an assessment method.</enum>
</allowed-values>
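Review bot: The two enums that gain `deprecated="1.0.1"` sit under an `allowed-values` whose target, on the context line above them, is `part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]` with no trailing `/@name`, whereas the corresponding constraints in oscal_catalog_metaschema.xml in this commit all end in `/@name`. If the omission is unintended, `objective` and `assessment` are presumably never compared with the part's name here and the deprecation would go unreported; the target would then read `part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name`. Separately, the `assessment` description lacks the final period that the `objective` line has. The enclosing definition starts outside the hunk, so this needs confirming against the full file.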
11 changes: 6 additions & 5 deletions src/metaschema/oscal_catalog_metaschema.xml
@@ -6,6 +6,7 @@
<!ENTITY allowed-values-control-group-property-name SYSTEM "shared-constraints/allowed-values-control-group-property-name.ent">
]>
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:meta="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/toolchains/xslt-M4/validate/metaschema.xsd">
<schema-name>OSCAL Control Catalog Model</schema-name>
<schema-version>1.0.0</schema-version>
@@ -199,8 +200,8 @@
<enum value="overview">An introduction to a control or a group of controls.</enum>
<enum value="statement">A set of control implementation requirements.</enum>
<enum value="guidance">Additional information to consider when selecting, implementing, assessing, and monitoring a control.</enum>
<enum value="assessment">(deprecated) Use 'assessment-method' instead.</enum>
<enum value="assessment-method">The part describes a method-based assessment over a set of assessment objects.</enum>
<enum value="assessment" deprecated="1.0.1">**(deprecated)** Use 'assessment-method' instead.</enum>
<enum value="assessment-method" deprecated="1.0.1">The part describes a method-based assessment over a set of assessment objects.</enum>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="item">An individual item within a control statement.</enum>
@@ -209,22 +210,22 @@
</remarks>
</allowed-values>
<allowed-values target=".//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="objective">(deprecated) Use 'assessment-objective' instead.</enum>
<enum value="objective" deprecated="1.0.1">**(deprecated)** Use 'assessment-objective' instead.</enum>
<enum value="assessment-objective">The part describes a set of assessment objectives.</enum>
<remarks>
<p>Objectives can be nested.</p>
</remarks>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="objects">(deprecated) Use 'assessment-objects' instead.</enum>
<enum value="objects" deprecated="1.0.1">**(deprecated)** Use 'assessment-objects' instead.</enum>
<enum value="assessment-objects">Provides a listing of assessment objects.</enum>
<remarks>
<p>Assessment objects appear on assessment methods.</p>
</remarks>
</allowed-values>

<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="method">(deprecated) Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment".</enum>
<enum value="method" deprecated="1.0.1">**(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment".</enum>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name">
<enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
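Review bot: In the second hunk the replacement value is itself marked deprecated: `<enum value="assessment-method" deprecated="1.0.1">` carries the attribute even though the line above it tells authors to use 'assessment-method' instead of 'assessment'. A validator that honours `deprecated` would then flag both names and leave catalog authors no accepted value for this part. This looks like a copy-paste slip, and the line should read `<enum value="assessment-method">The part describes a method-based assessment over a set of assessment objects.</enum>`. The first hunk's context also still shows `<schema-version>1.0.0</schema-version>` while the new attributes cite 1.0.1; the bump may happen elsewhere, but it is not visible in this section.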
13 changes: 7 additions & 6 deletions src/metaschema/oscal_control-common_metaschema.xml
@@ -113,7 +113,10 @@
<p>A <code>class</code> can be used in validation rules to express extra constraints over named items of a specific <code>class</code> value.</p>
</remarks>
</define-flag>
<flag ref="depends-on"/>
<define-flag name="depends-on" as-type="token" deprecated="1.0.1">
<formal-name>Depends on</formal-name>
<description>**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.</description>
</define-flag>
<model>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY"/>
@@ -169,6 +172,9 @@
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name">
<enum value="aggregates">The parent parameter provides an aggregation of 2 or more other parameters, each described by this property.</enum>
</allowed-values>
<expect target="." test="not(exists(@depends-on))">
<message>depends-on is deprecated</message>
</expect>
</constraint>
<remarks>
<p>In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The <code>value</code> may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.</p>
@@ -247,11 +253,6 @@
<p>A set of parameter value choices, that may be picked from to set the parameter value.</p>
</remarks>
</define-assembly>
<define-flag name="depends-on" as-type="token">
<!-- TODO: Work out cross-reference constraints -->
<formal-name>Depends on</formal-name>
<description>Another parameter invoking this one</description>
</define-flag>
<define-flag name="control-id" as-type="token">
<formal-name>Control Identifier Reference</formal-name>
<!-- Identifier Reference -->
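Review bot: The `expect` added in the second hunk, `<expect target="." test="not(exists(@depends-on))">`, sets no `level`, while the UUID expects added elsewhere in this commit use `level="WARNING"`. If the default level is an error, as I believe it is in Metaschema, existing catalogs that still carry `depends-on` would fail validation outright instead of receiving a deprecation notice, which is stricter than the `deprecated="1.0.1"` marking suggests. `<expect level="WARNING" target="." test="not(exists(@depends-on))">` would match the stated intent. The message `depends-on is deprecated` could also give the reason from the commit description (only a single dependency can be expressed). The constraint block's enclosing definition starts outside the hunk.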
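--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -270,6 +270,11 @@
 <group-as name="port-ranges" in-json="ARRAY"/>
 </assembly>
 </model>
+<constraint>
+<expect level="WARNING" target="." test="@uuid">
+<message>It is a best practice to provide a UUID.</message>
+</expect>
+</constraint>
 </define-assembly>
 <define-assembly name="port-range">
 <formal-name>Port Range</formal-name>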
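Review bot: The warning text `It is a best practice to provide a UUID.` is identical in all three places this constraint is added (here, oscal_poam_metaschema.xml and oscal_ssp_metaschema.xml), so a report that shows only the message cannot tell the reader which object lacks its identifier. Naming the assembly in each message would make the warning actionable. The test is also written as `@uuid`, while the other expect added in this commit uses `exists(...)`; `test="exists(@uuid)"` would keep one form throughout. The define-assembly this constraint belongs to opens outside the hunk.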
7 changes: 6 additions & 1 deletion src/metaschema/oscal_poam_metaschema.xml
@@ -87,7 +87,7 @@
<define-assembly name="poam-item">
<formal-name>POA&amp;M Item</formal-name>
<description>Describes an individual POA&amp;M item.</description>
<define-flag name="uuid" required="no" as-type="uuid">
<define-flag name="uuid" as-type="uuid">
<formal-name>POA&amp;M Item Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="/concepts/identifier-use/#instance">instance</a> scope that can be used to reference this POA&amp;M item entry in <a href="/concepts/identifier-use/#poam-identifiers">this OSCAL instance</a>. This UUID should be assigned <a href="/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
@@ -152,5 +152,10 @@
</define-assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<expect level="WARNING" target="." test="@uuid">
<message>It is a best practice to provide a UUID.</message>
</expect>
</constraint>
</define-assembly>
</METASCHEMA>
7 changes: 5 additions & 2 deletions src/metaschema/oscal_profile_metaschema.xml
@@ -100,7 +100,7 @@
<constraint>
<allowed-values>
<enum value="use-first">Use the first definition - the first control with a given ID is used; subsequent ones are discarded</enum>
<enum value="merge">**(deprecated)** **(unspecified)** Merge - controls with the same ID are combined</enum>
<enum value="merge" deprecated="1.0.1">**(deprecated)** **(unspecified)** Merge - controls with the same ID are combined</enum>
<enum value="keep">Keep - controls with the same ID are kept, retaining the clash</enum>
</allowed-values>
</constraint>
@@ -213,7 +213,10 @@
<p>A <code>class</code> can be used in validation rules to express extra constraints over named items of a specific <code>class</code> value.</p>
</remarks>
</define-flag>
<flag ref="depends-on"/>
<define-flag name="depends-on" as-type="token" deprecated="1.0.1">
<formal-name>Depends on</formal-name>
<description>**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.</description>
</define-flag>
<model>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY"/>
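Review bot: The inline `depends-on` definition in the second hunk repeats the four lines added to oscal_control-common_metaschema.xml, but no `expect` that reports use of the flag is visible in this file. A profile that still sets `depends-on` would therefore apparently get no notice, while the same flag in a catalog does. Adding the same check to this assembly's constraints, for example `<expect level="WARNING" target="." test="not(exists(@depends-on))">` with a message, would keep the two models aligned. The enclosing assembly and any existing constraint block lie outside the hunk, so confirm that such a check is not already present.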
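--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -281,6 +281,11 @@
 </model>
 </define-assembly>
 </model>
+<constraint>
+<expect level="WARNING" target="." test="@uuid">
+<message>It is a best practice to provide a UUID.</message>
+</expect>
+</constraint>
 </define-assembly>
 </model>
 <constraint>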
