From 95f07b3cb3912d817bae4934d3fba802b333e452 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 26 Aug 2021 17:57:22 -0400 Subject: [PATCH 01/35] party should be required, but was marked as optional by mistake --- src/metaschema/oscal_metadata_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 7ae1c7acbd..760e2e5760 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -252,7 +252,7 @@ - + Party Name The full name of the party. This is typically the legal name associated with the party. From 4dc25b7184becf66885848467cf0af1607ec1074 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 31 Aug 2021 11:46:26 -0400 Subject: [PATCH 02/35] documented the default value for with-child-controls --- src/metaschema/oscal_profile_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 430df8d6bf..5e08736f37 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -439,7 +439,7 @@ Include child controls with an included control. - When importing a control, only include child controls that are also explicitly called. + (default) When importing a control, only include child controls that are also explicitly called. From e421ab9509ccf065801b23c3d0790e6f1db69106 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 7 Sep 2021 10:03:15 -0400 Subject: [PATCH 03/35] Adding missing structuring directive from Profile resolution. --- src/metaschema/oscal_profile_metaschema.xml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 5e08736f37..f970496bce 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -91,9 +91,15 @@ - - - + + Flat + Use the flat structuring method. + + + As is + An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. + + @@ -110,14 +116,6 @@

This setting permits a profile designer to apply a rule for the resolution of such cases. In a well-designed profile, such collisions would ordinarily be avoided, but this setting can be useful for defining what to do when it occurs.

 - - As is - An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. - - - Flat - A Flat element indicates that the controls should be structured in a completely flat list. It does not contain any elements or attributes. - Combination method How clashing controls should be handled From 28a014781c539b292294323cfa9cfd9a95fa1bc6 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 9 Dec 2021 08:39:33 -0500 Subject: [PATCH 04/35] Release 1.0 metaschema adjustments (#1065) * Many fixes to the constraints in the OSCAL metaschemas to repair broken Metapaths. * fixing defects in metaschema constraints * Updating to latest Metaschema toolchain. Removed use of the "require" constraint. * updating readme with current links --- build/metaschema | 2 +- .../oscal_assessment-common_metaschema.xml | 20 +++++------ src/metaschema/oscal_catalog_metaschema.xml | 2 +- .../oscal_control-common_metaschema.xml | 20 +++++------ src/metaschema/oscal_metadata_metaschema.xml | 36 ++++++++----------- src/metaschema/oscal_profile_metaschema.xml | 21 ++--------- 6 files changed, 38 insertions(+), 63 deletions(-) diff --git a/build/metaschema b/build/metaschema index 25a56e7810..9c884726d9 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 25a56e7810d3f4602ddd09c7feac528d4c6326de +Subproject commit 9c884726d926dba8f2a3c7ce6c3f1e89d5bab6a4 diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index bff93b60b4..ed3b1d4d1f 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -1677,17 +1677,15 @@ - - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - - + + The assessment method to use. This typically appears on parts with the name "objective". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 92385a917a..dd7743ca85 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -166,7 +166,7 @@ - + &allowed-values-control-group-property-name; The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 29e616be61..dc03e9e7da 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -84,17 +84,15 @@ &allowed-values-control-group-property-name; - - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - - + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 760e2e5760..f20a00a3db 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -125,7 +125,7 @@ - + @@ -136,7 +136,9 @@ - + The link identifies the authoritative location for this file. Defined by RFC 6596. The link identifies an alternative location or format for this file. Defined by the HTML Living Standard @@ -252,7 +254,7 @@ - + Party Name The full name of the party. This is typically the legal name associated with the party. @@ -541,13 +543,11 @@

- - - -

A title is required when a citation is provided.

- - - + + +

A title is required when a citation is provided.

+ +

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

@@ -669,17 +669,11 @@ - - - - - - - - - - - + + + + +

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index f970496bce..eb96632218 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -91,15 +91,8 @@ - - Flat - Use the flat structuring method. - - - As is - An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. - - + + @@ -249,14 +242,6 @@ - - - - -

Since multiple set-parameter entries can be provided, each parameter must be set only once.

- - - @@ -437,7 +422,7 @@ Include child controls with an included control. - (default) When importing a control, only include child controls that are also explicitly called. + When importing a control, only include child controls that are also explicitly called. From 52731c730ba1f613aba2c547e85e04507a7e3d12 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 13 Jan 2022 11:14:24 -0500 Subject: [PATCH 05/35] adjusting the profile model to align with OSCAL 1.0.0 --- src/metaschema/oscal_profile_metaschema.xml | 83 +++++++++++---------- 1 file changed, 43 insertions(+), 40 deletions(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index eb96632218..0701c611ab 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -87,12 +87,51 @@ Merge controls - A Merge element merges controls in resolution. + A Merge element provides structuring directives that drive how controls are organized after resolution. - + + Combination rule + A Combine element defines whether and how to combine multiple (competing) versions of the same control + + Combination method + How clashing controls should be handled + + + Use the first definition - the first control with a given ID is used; subsequent ones are discarded + **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined + Keep - controls with the same ID are kept, retaining the clash + + + + + + + +

Whenever combining controls from multiple (import) pathways, an issue arises of what to do with clashing invocations (multiple competing versions of a control).

+

This setting permits a profile designer to apply a rule for the resolution of such cases. In a well-designed profile, such collisions would ordinarily be avoided, but this setting can be useful for defining what to do when it occurs.

+ + - - + + As-Is Structuring Directive + An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. This method has been deprecated and should not be used. The `source` structuring directive syntax should be used instead. + + + Custom grouping + A Custom element frames a structure for embedding represented controls in resolution. + + + + + + + + + +

The custom element represents a custom arrangement or organization of controls in the resolution of a catalog.

+

While the as-is element provides for a restitution of a control set's organization (in one or more source catalogs), this element permits the definition of an entirely different structure.

+ + @@ -100,42 +139,6 @@

Implicitly, a merge element is also a filter: controls that are included in a profile, but not included (implicitly or explicitly) in the scope of a merge element, will not be merged into (will be dropped) in the resulting resolution.

 - - Combination rule - A Combine element defines whether and how to combine multiple (competing) versions of the same control - - -

Whenever combining controls from multiple (import) pathways, an issue arises of what to do with clashing invocations (multiple competing versions of a control).

-

This setting permits a profile designer to apply a rule for the resolution of such cases. In a well-designed profile, such collisions would ordinarily be avoided, but this setting can be useful for defining what to do when it occurs.

- - - - Combination method - How clashing controls should be handled - - - Use the first definition - the first control with a given ID is used; subsequent ones are discarded - Merge - controls with the same ID are combined - Keep - controls with the same ID are kept, retaining the clash - - - - - Custom grouping - A Custom element frames a structure for embedding represented controls in resolution. - - - - - - - - - -

The custom element represents a custom arrangement or organization of controls in the resolution of a catalog.

-

While the as-is element provides for a restitution of a control set's organization (in one or more source catalogs), this element permits the definition of an entirely different structure.

- - Control group A group of (selected) controls or of groups of controls From 2cd81e61e2820efdb4f01cb9b3051720b728709f Mon Sep 17 00:00:00 2001 From: Josiah Ritchie Date: Thu, 13 Jan 2022 13:01:43 -0500 Subject: [PATCH 06/35] Removes duplicate import (#1077) Found import json was done twice. This removes the duplicate. --- src/utils/util/oscal-content-validator.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/utils/util/oscal-content-validator.py b/src/utils/util/oscal-content-validator.py index dfa20b4f56..2e1fbe83a6 100755 --- a/src/utils/util/oscal-content-validator.py +++ b/src/utils/util/oscal-content-validator.py @@ -5,7 +5,6 @@ import json import argparse from jsonschema import validate -import json import xmlschema From e73068aa98d17d58e27c2961eb557725b1a5a555 Mon Sep 17 00:00:00 2001 From: Wendell Piez Date: Fri, 14 Jan 2022 12:57:35 -0500 Subject: [PATCH 07/35] Improvements, extensions and repairs to profile resolver (#1071) * party should be required, but was marked as optional by mistake * documented the default value for with-child-controls * Adding missing structuring directive from Profile resolution. * Release 1.0 metaschema adjustments (#1065) * Many fixes to the constraints in the OSCAL metaschemas to repair broken Metapaths. * fixing defects in metaschema constraints * Updating to latest Metaschema toolchain. Removed use of the "require" constraint. * updating readme with current links * Permits provision of a fresh UUID for a resolved catalog at runtime, or more graceful fallbacks. * New improved version moves UUID generation logic into the profile processor XSLT shell. (So the internal process is platform-agnostic and will not attempt any external references.) * Further syntax improvements; start at an XSpec for file set (not working yet) * Adding missing 'random' utility XSLT * Providing XSpec support for normalized comparison * Samples corrected (wrt metadata/oscal-version); added XSpec for running full set with XSLT to produce it * Peeled off 'safe' profile resolver for XSpec to avoiding runtime errors. 'Full' set now runs (showing 11 passed 6 failed) * Making UUID-generation more robust (will fail instead of break) * Refining top-level profile resolution testing; more improvements to interface * Repairing broken test; extending testing under XSpec * More refinements to end-to-end XSpec for profile resolution Co-authored-by: David Waltermire --- .../base-test_profile.xml | 2 +- .../base2-test_profile.xml | 2 +- .../broken_profile.xml | 2 +- .../build-xspec.xsl | 49 +++++++ .../circular_profile.xml | 2 +- .../example-set.xspec | 29 ++++ .../exclude-call-test_profile.xml | 2 +- .../full-set.xspec | 127 ++++++++++++++++++ .../full-test_profile.xml | 2 +- .../home_profile.xml | 2 +- .../import-twice_profile.xml | 2 +- .../include-all-no-children-test_profile.xml | 2 +- .../include-all-test_profile.xml | 2 +- ...nclude-call-with-children-test_profile.xml | 2 +- .../include-loose-param-test_profile.xml | 2 +- .../include-match-test_profile.xml | 2 +- .../merge-implicit-keep_profile.xml | 2 +- .../merge-keep-resources_profile.xml | 2 +- .../merge-keep_profile.xml | 2 +- .../modify-adds_profile.xml | 8 +- .../base-test_profile_RESOLVED.xml | 25 +++- .../base2-test_profile_RESOLVED.xml | 2 +- .../broken_profile_RESOLVED.xml | 2 +- .../circular_profile_RESOLVED.xml | 2 +- .../exclude-call-test_profile_RESOLVED.xml | 2 +- .../full-test_profile_RESOLVED.xml | 8 +- .../output-expected/home_profile_RESOLVED.xml | 2 +- .../import-twice_profile_RESOLVED.xml | 2 +- ...-all-no-children-test_profile_RESOLVED.xml | 11 +- .../include-all-test_profile_RESOLVED.xml | 11 +- ...ll-with-children-test_profile_RESOLVED.xml | 9 +- ...lude-loose-param-test_profile_RESOLVED.xml | 8 +- .../include-match-test_profile_RESOLVED.xml | 2 +- .../merge-implicit-keep_profile_RESOLVED.xml | 2 +- .../merge-keep-resources_profile_RESOLVED.xml | 2 +- .../merge-keep_profile_RESOLVED.xml | 2 +- .../modify-adds_profile_RESOLVED.xml | 4 +- .../profile-resolution/readme.md | 30 +++++ .../oscal-profile-RESOLVE.xsl | 47 ++++++- .../oscal-profile-resolve-metadata.xsl | 13 +- .../oscal-profile-test-helper.xsl | 75 +++++++++++ .../util/resolver-pipeline/random-util.xsl | 107 +++++++++++++++ 42 files changed, 543 insertions(+), 70 deletions(-) create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/build-xspec.xsl create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/example-set.xspec create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/full-set.xspec create mode 100644 src/utils/util/resolver-pipeline/oscal-profile-test-helper.xsl create mode 100644 src/utils/util/resolver-pipeline/random-util.xsl diff --git a/src/specifications/profile-resolution/profile-resolution-examples/base-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/base-test_profile.xml index 1270255e49..e5c442901f 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/base-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/base-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:35.84-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/base2-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/base2-test_profile.xml index d8692080e8..bce45d3316 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/base2-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/base2-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:37.3-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/broken_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/broken_profile.xml index 4c0495cba2..b91a200a94 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/broken_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/broken_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:38.564-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/build-xspec.xsl b/src/specifications/profile-resolution/profile-resolution-examples/build-xspec.xsl new file mode 100644 index 0000000000..1e6a6e4ef7 --- /dev/null +++ b/src/specifications/profile-resolution/profile-resolution-examples/build-xspec.xsl @@ -0,0 +1,49 @@ + + + + + + + + autogenerated { current-dateTime() } following model in example-set.xspec + + + + + + + { document-uri(document('')) ! replace(.,'/[^/]+$','') }?select=*_profile.xml + + looking for profile examples in { $collection-at } + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/specifications/profile-resolution/profile-resolution-examples/circular_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/circular_profile.xml index fdca9e1038..6bbe128b81 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/circular_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/circular_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:39.562-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/example-set.xspec b/src/specifications/profile-resolution/profile-resolution-examples/example-set.xspec new file mode 100644 index 0000000000..b5d8326d73 --- /dev/null +++ b/src/specifications/profile-resolution/profile-resolution-examples/example-set.xspec @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/exclude-call-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/exclude-call-test_profile.xml index 7bd5d82707..f789dd8c68 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/exclude-call-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/exclude-call-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:40.346-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/full-set.xspec b/src/specifications/profile-resolution/profile-resolution-examples/full-set.xspec new file mode 100644 index 0000000000..9d48f283dc --- /dev/null +++ b/src/specifications/profile-resolution/profile-resolution-examples/full-set.xspec @@ -0,0 +1,127 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/full-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/full-test_profile.xml index 5210f78e0c..177a0a7b22 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/full-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/full-test_profile.xml @@ -8,7 +8,7 @@ Full test Profile 2020-05-30T14:39:41.149-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/home_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/home_profile.xml index 7c66adbf8f..7a8e6e75eb 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/home_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/home_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:41.965-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/import-twice_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/import-twice_profile.xml index eeefe1a650..48cefdbb97 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/import-twice_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/import-twice_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:42.758-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-all-no-children-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-all-no-children-test_profile.xml index d474b71186..98caaec3c7 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-all-no-children-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-all-no-children-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:44.216-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml index 01e6be9e3d..10c801ae2c 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:44.948-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-call-with-children-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-call-with-children-test_profile.xml index b2d4271b1f..f6a0a7a1ca 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-call-with-children-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-call-with-children-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:45.684-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-loose-param-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-loose-param-test_profile.xml index 855d01f488..7f6336784a 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-loose-param-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-loose-param-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:46.462-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-match-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-match-test_profile.xml index 508ffc8306..4e6bf1b087 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-match-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-match-test_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:47.217-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/merge-implicit-keep_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/merge-implicit-keep_profile.xml index b1490c9974..9755a1495c 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/merge-implicit-keep_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/merge-implicit-keep_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:47.95-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml index 5f043c9ec4..b062ac37ec 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:48.703-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep_profile.xml index d208c615d2..c372a96f40 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep_profile.xml @@ -7,7 +7,7 @@ Test Profile 2020-05-30T14:39:49.443-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/modify-adds_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/modify-adds_profile.xml index 9e66fa5dd3..c286a320c2 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/modify-adds_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/modify-adds_profile.xml @@ -7,7 +7,7 @@ Example 2020-05-30T14:39:50.536-04:00 1.2 - 1.0.0-rc2 + 1.0.0 @@ -35,10 +35,10 @@ - - + + - + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml index 599dfd20cd..be7795892a 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml @@ -1,11 +1,11 @@ + uuid="4e44c016-f69e-4ef0-9041-7c3afc2c6ae7"> Test Profile 2021-04-06T15:00:48.692-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -34,16 +34,29 @@ Control C3 - - + +

C3 ccccc cccccccccccccc.

 Control C3-A - - + +

C3 A ccccc cccccccccccccc.

 + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml index 95d92b1e60..8e5e6948f4 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:49.259-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml index 1e39461087..df127be426 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:49.676-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml index 4983090a27..87db19e179 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:49.96-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml index f8e2aa6cb6..6a9e9c0917 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:50.316-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml index 5d0f438f72..12f9ea4553 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Full test Profile 2021-04-06T15:00:50.63-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -17,10 +17,8 @@

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: -

-

Parameter a1.a is set: -

+

Parameter A.a is set: ...

+

Parameter a1.a is set: ...

Also, we refer to a citation.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml index 51c3fa68e1..14d6ffe505 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:50.936-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml index 4aac4a383f..cae4377852 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:51.268-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml index 0e7490447d..94f72f228a 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:51.584-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -17,10 +17,8 @@

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: -

-

Parameter a1.a is set: -

+

Parameter A.a is set: ...

+

Parameter a1.a is set: ...

Also, we refer to a citation.

 @@ -29,8 +27,7 @@

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

-

Parameter A.b is set: -

+

Parameter A.b is set: ...

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml index 0467084871..45a907be3c 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:51.847-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -17,10 +17,8 @@

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: -

-

Parameter a1.a is set: -

+

Parameter A.a is set: ...

+

Parameter a1.a is set: ...

Also, we refer to a citation.

 @@ -29,8 +27,7 @@

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

-

Parameter A.b is set: -

+

Parameter A.b is set: ...

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml index aed9a60503..850a35c9ff 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:52.172-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -45,6 +45,13 @@

C3 A ccccc cccccccccccccc.

 + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml index 9034568145..a20ef91888 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:52.401-04:00 1.0 - 1.0.0-rc2 + 1.0.0 @@ -17,10 +17,8 @@

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: -

-

Parameter a1.a is set: -

+

Parameter A.a is set: ...

+

Parameter a1.a is set: ...

Also, we refer to a citation.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml index 764ce7ba77..cf2af06b5c 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:52.649-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml index fe0c2e2a3e..c60632f323 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:52.97-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml index 649114eabf..7ac3c90d65 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:53.229-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml index 56e66bb951..f2c4327c0d 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Test Profile 2021-04-06T15:00:53.459-04:00 1.0 - 1.0.0-rc2 + 1.0.0 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml index 5cd749e4e8..10f629276b 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml @@ -5,7 +5,7 @@ Example 2021-04-06T15:00:53.695-04:00 1.2 - 1.0.0-rc2 + 1.0.0 @@ -20,7 +20,7 @@ - + off - + + + + + + + + ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$ + + + + + + + + + + + + + + + + + 00000000-0000-4000-B000-000000000000 + + + - + @@ -73,6 +105,14 @@ + + + + + + + + @@ -82,6 +122,7 @@ + + + + ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$ + + + @@ -22,8 +28,7 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ... + + + + ... + + + + + + + + + + + + diff --git a/src/utils/util/resolver-pipeline/random-util.xsl b/src/utils/util/resolver-pipeline/random-util.xsl new file mode 100644 index 0000000000..25e7701df8 --- /dev/null +++ b/src/utils/util/resolver-pipeline/random-util.xsl @@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + { r:make-uuid(current-dateTime()) } + { r:make-uuid($germ) } + { r:make-uuid('a') } + { r:make-uuid('a') } + { r:make-uuid('b') } + + + { . } + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ________-____-4___-=___-____________ + + + + + + + + + + + + + + + + From fff1a88fc85171cce6919b3c14f3188272025016 Mon Sep 17 00:00:00 2001 From: Guy Zylberberg Date: Tue, 18 Jan 2022 16:59:18 +0200 Subject: [PATCH 08/35] Create requirements.txt (#1082) oscal-content-validator.py uses external libraries which are not documented properly. Added the Python's convention requirements.txt file to properly declare them. --- src/utils/util/requirements.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 src/utils/util/requirements.txt diff --git a/src/utils/util/requirements.txt b/src/utils/util/requirements.txt new file mode 100644 index 0000000000..5d85005ef4 --- /dev/null +++ b/src/utils/util/requirements.txt @@ -0,0 +1,2 @@ +jsonschema +xmlschema From 30643e0014b480f80c1f3f7318fea0602551395e Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 24 Jan 2022 11:17:11 -0500 Subject: [PATCH 09/35] Add description of Risk Redux control_freak project. (#1104) --- docs/content/tools/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/tools/_index.md b/docs/content/tools/_index.md index 3f28121dd1..670951a04d 100644 --- a/docs/content/tools/_index.md +++ b/docs/content/tools/_index.md @@ -38,3 +38,4 @@ See the [NIST Software Disclaimer](https://www.nist.gov/disclaimer) for more inf | [XML Jelly Sandwich](https://github.com/wendellpiez/XMLjellysandwich) | Wendell Piez (NIST) | Interactive XSLT in the browser includes [OSCAL demonstrations](https://wendellpiez.github.io/XMLjellysandwich/oscal/). | open source | | [Xacta 360](https://www.telos.com/offerings/xacta-360-continuous-compliance-assessment/) | Telos | Xacta 360 is a cyber risk management and compliance analytics platform that enables users to create and submit FedRAMP system security plans (SSPs) in OSCAL format. Future OSCAL capabilities are forthcoming as the standard evolves. | [license](https://cdn.telos.com/wp-content/uploads/2021/06/22150746/Xacta-360-EULA-US.pdf) | | [Atlasity: Continuous Compliance Automation](https://atlasity.io/partnership/) | C2 Labs | Atlasity CE (release 2.0) runs in any environment and supports the development of OSCAL v1.0 content for Catalogs, Profiles, System Security Plans and Components. Additional detail can be found in this blog post: [Atlasity Delivers Free Tools to Create OSCAL Content](https://www.c2labs.com/post/atlasity-delivers-free-tools-to-create-oscal-content). | community edition | +| [control_freak](https://controlfreak.risk-redux.io/) | Risk Redux | This tool seeks to provide folks with a searchable and easy-to-navigate reference for NIST SP 800-53 Revision 5. It is [an open-source application from the Risk Redux project](https://github.com/risk-redux/control_freak), built using parsed content directly from the OSCAL repositories. | open-source | From fe90c044eb149e74429d625956255bd3585338f4 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 24 Jan 2022 11:20:11 -0500 Subject: [PATCH 10/35] Update Documentation for External Developers (#1094) * Update contributing bullet around making a PR. * Tweak pull request template. * Add Michaela's PR template recommendations. * Edits to CONTRIBUTING.md per Michaela's feedback. --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- CONTRIBUTING.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index d4847967a9..f9de7bb764 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -4,7 +4,7 @@ ### All Submissions: -- [ ] Have you followed the guidelines in our [Contributing](https://github.com/usnistgov/OSCAL/blob/master/CONTRIBUTING.md) document? +- [ ] Have you selected the correct base branch per [Contributing](https://github.com/usnistgov/OSCAL/blob/master/CONTRIBUTING.md) guidance? - [ ] Have you checked to ensure there aren't other open [Pull Requests](https://github.com/usnistgov/OSCAL/pulls) for the same update/change? - [ ] Have you squashed any non-relevant commits and commit messages? \[[instructions](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History)\] - [ ] Do all automated CI/CD checks pass? diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b78341323d..da82cd66e7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -45,6 +45,8 @@ The OSCAL project uses a typical GitHub fork and pull request [workflow](https:/ 1. Once you have staged your changes, you will need to commit them. When committing, you will need to include a commit message. The commit message should describe the nature of your changes (e.g., added new feature X which supports Y). You can also reference an issue from the OSCAL repository by using the hash symbol. For example, to reference issue #34, you would include the text "#34". The full command would be: ```git commit -m "added new feature X which supports Y addressing issue #34"```. 1. Next, you must push your changes to your personal repo. You can do this with the command: ```git push```. 1. Finally, you can [create a pull request](https://help.github.com/articles/creating-a-pull-request-from-a-fork/). + - Please allow the NIST OSCAL maintainers to make changes to your pull request, to efficiently merge it, by selecting on your fork the setting to [always allow edits from the maintainers](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). + - Review [the OSCAL release and versioning strategy](./versioning-and-branching.md) and [choose the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) accordingly. Normally, you should target the `develop` branch as the base branch unless otherwise asked. A maintainer from the NIST team may ask you to target the `main` branch, or a `release-x.y` branch when targeting an upcoming OSCAL release. Please select the appropriate branch before requesting a review from a maintainer so delays of your pull request are avoided. ### Repository structure From 198bcfb6596c925570c0ddd7974dd045feafb385 Mon Sep 17 00:00:00 2001 From: Rene2mt <76444659+Rene2mt@users.noreply.github.com> Date: Tue, 25 Jan 2022 17:05:15 -0500 Subject: [PATCH 11/35] Issue #860 identifier scoping documentation (#941) - Revised the identifier use documentation to provide better descriptions of the different types of human- and machine-oriented identifiers used in OSCAL to include information about their uniqueness and scope. - Updated OSCAL src/metaschema documentation to provide more information for each identifier declaration about its scope, uniqueness, and how it may be cross-referenced. Co-authored-by: David Waltermire Co-authored-by: Brad Hards Co-authored-by: Alexander Stein --- docs/content/concepts/_index.md | 1 + .../content/concepts/identifier-use/_index.md | 118 ++++++++++++++++++ .../oscal-model-relationships.svg | 4 + .../oscal_assessment-common_metaschema.xml | 82 ++++++++---- .../oscal_assessment-plan_metaschema.xml | 14 ++- .../oscal_assessment-results_metaschema.xml | 21 ++-- src/metaschema/oscal_catalog_metaschema.xml | 8 +- src/metaschema/oscal_component_metaschema.xml | 21 ++-- .../oscal_control-common_metaschema.xml | 13 +- ...oscal_implementation-common_metaschema.xml | 26 ++-- src/metaschema/oscal_metadata_metaschema.xml | 56 ++++++--- src/metaschema/oscal_poam_metaschema.xml | 12 +- src/metaschema/oscal_profile_metaschema.xml | 12 +- src/metaschema/oscal_ssp_metaschema.xml | 50 +++++--- 14 files changed, 334 insertions(+), 104 deletions(-) create mode 100644 docs/content/concepts/identifier-use/_index.md create mode 100644 docs/content/concepts/identifier-use/oscal-model-relationships.svg diff --git a/docs/content/concepts/_index.md b/docs/content/concepts/_index.md index 3facc70ace..7bd51ad0c7 100644 --- a/docs/content/concepts/_index.md +++ b/docs/content/concepts/_index.md @@ -18,6 +18,7 @@ This section of the OSCAL website presents: - Key [terminology](terminology/) used in OSCAL; - An overview of the OSCAL [layers and models](layer/), to include who and what processes they apply to; +- An oververview of [identifier use](identifier-use) in OSCAL models; - A [processing specification](processing/) for handling some types of OSCAL content; - Illustrative [examples](examples/) of how to represent control implementation and risk management data in OSCAL XML, JSON, and YAML formats; and - A discussion of how OSCAL [relates](relations-to-other/) to and draws inspiration from other documentary standards. diff --git a/docs/content/concepts/identifier-use/_index.md b/docs/content/concepts/identifier-use/_index.md new file mode 100644 index 0000000000..25dd314d50 --- /dev/null +++ b/docs/content/concepts/identifier-use/_index.md @@ -0,0 +1,118 @@ +--- +title: Identifier Use +description: Provides details on the scope and uniqueness of identifiers used within the OSCAL models. +suppresstopiclist: true +weight: 50 +toc: + enabled: true +sidenav: + focusrenderdepth: 2 + activerenderdepth: 2 + inactiverenderdepth: 2 +--- + +This page reviews important concepts to be aware of when declaring or referencing identifiers in OSCAL models, with in-depth explanations of identifier uniqueness and scope. + +### **Identifier Type** +By design, OSCAL supports [*machine-oriented*](#machine-oriented) and [*human-oriented*](#human-oriented) identifiers. The OSCAL models dictate which are used for different data items. + +#### Machine-Oriented + +[*Machine-oriented*](#machine-oriented) identifiers provide a persistent identity for an entity within the OSCAL models, which can be used in other locations within related OSCAL models to reference the associated entity. + +These identifiers are intended to be auto-generated by tools when the entity is initially created. In OSCAL, a machine-oriented identifier is implemented using a Universally Unique Identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122). A UUID is represented in OSCAL using the [UUID datatype](/reference/datatypes/#uuid). +UUIDs were chosen because: +- Programming interfaces exist in most programming environments to generate a UUID +- UUIDs can be issued without a central authority +- UUIDs are represented in 128 bits, providing for a large address space with low risk of identifier collisions for randomly generated values + +The opaque nature of UUIDs, which consist of a series of hexadecimal characters, makes them less than ideal for wildcard matching scenarios. Thus, their use in OSCAL is intended for identification only where an exact match is required. Where wildcard matching is needed, the other data elements associated with the entity should be evaluated for a match instead. + +{{}}The opaque nature of UUIDs, which consist of a series of hexadecimal characters, makes them less than ideal for wildcard matching scenarios. Thus, their use in OSCAL is intended for identification only where an exact match is required. Where wildcard matching is needed, the other data elements associated with the entity should be evaluated for a match instead. {{}} + +The [OSCAL XML Reference Index](/reference/latest/complete/xml-index/#/@uuid) and [OSCAL JSON Reference Index](/reference/latest/complete/json-index/#/uuid) provide a listing of UUIDs in the core OSCAL models. References to these identifiers typically follow a naming convention of the object type followed by “-uuid”. For example, see the XML reference index for [location-uuid](/reference/latest/complete/xml-index/#/location-uuid) (or [location-uuids](/reference/latest/complete/json-index/#/uuid) in the JSON reference index). + +#### Human-Oriented + +A [*human-oriented*](#human-oriented) identifier incorporates semantic that support readability and processing by humans. OSCAL implements [*human-oriented*](#human-oriented) identifiers as [token](/reference/datatypes/#token) data types, which are non-colonized names. For example, control identifiers in a catalog may use a nomenclature that is familiar to the intended audience, allowing them to quickly determine what security control is being referred to, simply by its identifier value. + +The [OSCAL XML Reference Index](/reference/latest/complete/xml-index/#/@id) and [OSCAL JSON Reference Index](/reference/latest/complete/json-index/#/id) provide a comprehensive listing of the [*human-oriented*](#human-oriented) IDs in the core OSCAL models. References to these IDs are typically named according to the referenced object type (e.g., control) followed by “-id”, as seen here in the [XML Reference Index](/reference/latest/complete/xml-index/#/@control-id) (and likewise [JSON Reference Index](/reference/latest/complete/json-index/#/control-id) in the JSON reference index). + +### **Uniqueness** +OSCAL identifier uniqueness is categorized as *locally-unique* or *globally-unique*. As implied by the category name, [*locally-unique*](#locally-unique) identifiers must be unique within the current document, whereas [*globally-unique*](#globally-unique) identifiers are guaranteed to be unique across all other identifiers. OSCAL’s [*machine-oriented*](#machine-oriented) UUID identifiers are always [*globally-unique*](#globally-unique). [*Human-oriented*](#human-oriented) identifiers must be defined and managed organizationally and are more susceptible to identifier duplication or collisions. Thus, [*human-oriented*](#human-oriented) identifiers are less likely or cannot be guaranteed to be [*globally-unique*](#globally-unique). + +### **Scope** + +Identifiers that are only intended for use within the same OSCAL instance are categorized as *instance* scope. However, since OSCAL supports composition relationships, there are many cases where identifiers in a source OSCAL instance need to be referenced from other OSCAL instances. These are considered *cross-instance* scoped identifier references. The figure below illustrates how the core OSCAL models relationships are established through import and link mechanisms, enabling [*cross-instance*](#cross-instance) references. + +![A diagram depicting the relationships between OSCAL models. The solid black arrows depict relationships implemented via the import mechanism (e.g., import, import-profile, import-component-definition, import-ssp, and import-ap), whereas the dashed red line arrows illustrate relationships established through links.](oscal-model-relationships.svg) + +The following import types are supported: +- import - see [XML index](/reference/latest/complete/xml-index/#/import) or [JSON index](/reference/latest/complete/json-index/#/imports) +- import-component-definition - see [XML index](/reference/latest/complete/xml-index/#/import-component-definition) or [JSON index](/reference/latest/complete/json-index/#/import-component-definitions) +- import-profile - see [XML index](/reference/latest/complete/xml-index/#/import-profile) or [JSON index](/reference/latest/complete/json-index/#/import-profile) +- import-ssp - see [XML index](/reference/latest/complete/xml-index/#/import-ssp) or [JSON index](/reference/latest/complete/json-index/#/import-ssp) +- import-ap - see [XML index](/reference/latest/complete/xml-index/#/import-ap) or [JSON index](/reference/latest/complete/json-index/#/import-ap) + +When implementing [*cross-instance*](#cross-instance) references, identifier must be referenced in the context of the containing resource. The appropriate import attribute should be used (similar to a namespacing) to deconflict identifiers with the same values in the associated OSCAL instances. This is particularly important for [*human-oriented*](#human-oriented) identifiers that may not be globally unique but still require [*cross-instance*](#cross-instance) scoping. For example, this technique allows for the same control IDs to be used and referenced in a profile and its imported catalog(s) without conflict. + +The next section describes the identifier scoping per defining model. + +#### **Catalog Identifiers** +Identifiers defined in a catalog may be referenced locally or from an importing profile ([see the diagram in the Scope section](#scope)). Additionally, identifiers defined in a catalog may be referenced in other upstream OSCAL instances in a hierarchical set of associated OSCAL documents (e.g., SSPs, assessment plans, assessment results, and POA&Ms). The table below provides a listing of the core OSCAL catalog model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Catalog|Machine-Oriented|[XML Index](/reference/latest/catalog/xml-index/#/@uuid) | [JSON Index](/reference/latest/catalog/json-index/#/uuid)| +|Catalog|Human-Oriented|[XML Index](/reference/latest/catalog/xml-index/#/@id) | [JSON Index](/reference/latest/catalog/json-index/#/id)| + +#### **Profile Identifiers** +Identifiers defined in a profile may be referenced locally or from an importing profile or SSP ([see the diagram in the Scope section](#scope)). Component definitions can reference these identifiers through its [control-implementation - source](/reference/latest/component-definition/xml-reference/#/component-definition/component/control-implementation/@source) reference to the profile. Other upstream OSCAL models, including assessment plans, assessment results, and POA&Ms can also reference these profile identifiers via the hierarchical set of associated OSCAL documents. The table below provides a listing of the core OSCAL profile model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Profile|Machine-Oriented|[XML Index](/reference/latest/profile/xml-index/#/@uuid) | [JSON Index](/reference/latest/profile/json-index/#/uuid)| +|Profile|Human-Oriented|[XML Index](/reference/latest/profile/xml-index/#/@id) | [JSON Index](/reference/latest/profile/json-index/#/id)| + +#### **Component Definition Identifiers** +Identifiers defined in a component definition may be referenced locally or from an importing component definition instance ([see the diagram in the Scope section](#scope)). SSPs may also reference identifiers from a component definitions through its implementation of links for a given component.Other upstream OSCAL models, including assessment plans, assessment results, and POA&Ms can also reference these component definition indirectly (e.g., via reference to an SSP component that has a a link to a component definition). The table below provides a listing of the core OSCAL component definition model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Component Definition|Machine-Oriented|[XML Index](/reference/latest/component-definition/xml-index/#/@uuid) | [JSON Index](/reference/latest/component-definition/json-index/#/uuid)| +|Component Definition|Human-Oriented|[XML Index](/reference/latest/component-definition/xml-index/#/@id) | [JSON Index](/reference/latest/component-definition/json-index/#/id)| + +#### **SSP Identifiers** +Identifiers defined in an SSP may be referenced locally or from an importing AP or POA&M ([see the diagram in the Scope section](#scope)). SSP identifiers can also be referenced from the AR through its hierarchical relationship with AP. The table below provides a listing of the core OSCAL SSP model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|SSP|Machine-Oriented|[XML Index](/reference/latest/system-security-plan/xml-index/#/@uuid) | [JSON Index](/reference/latest/system-security-plan/json-index/#/uuid)| +|SSP|Human-Oriented|[XML Index](/reference/latest/system-security-plan/xml-index/#/@id) | [JSON Index](/reference/latest/system-security-plan/json-index/#/id)| + +#### **AP Identifiers** +Identifiers defined in an AP may be referenced locally or from an importing AR ([see the diagram in the Scope section](#scope)). The table below provides a listing of the core OSCAL AP model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|AP|Machine-Oriented|[XML Index](/reference/latest/assessment-plan/xml-index/#/@uuid) | [JSON Index](/reference/latest/assessment-plan/json-index/#/uuid)| +|AP|Human-Oriented|[XML Index](/reference/latest/assessment-plan/xml-index/#/@id) | [JSON Index](/reference/latest/assessment-plan/json-index/#/id)| + +#### **AR Identifiers** +Identifiers defined in an AR may be referenced locally ([see the diagram in the Scope section](#scope)). However, observations, risks, and findings may also be referenced implicitly in the POA&M. The table below provides a listing of the core OSCAL AR model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|AR|Machine-Oriented|[XML Index](/reference/latest/assessment-results/xml-index/#/@uuid) | [JSON Index](/reference/latest/assessment-results/json-index/#/uuid)| +|AR|Human-Oriented|[XML Index](/reference/latest/assessment-results/xml-index/#/@id) | [JSON Index](/reference/latest/assessment-results/json-index/#/id)| + +#### **POA&M Identifiers** +Identifiers defined in a POA&M are only referenced locally ([see the diagram in the Scope section](#scope)). The table below provides a listing of the core OSCAL POA&M model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|POA&M|Machine-Oriented|[XML Index](/reference/latest/plan-of-action-and-milestones/xml-index/#/@uuid) | [JSON Index](/reference/latest/plan-of-action-and-milestones/json-index/#/uuid)| +|POA&M|Human-Oriented|[XML Index](/reference/latest/plan-of-action-and-milestones/xml-index/#/@id) | [JSON Index](/reference/latest/plan-of-action-and-milestones/json-index/#/id)| + +### **Consistency** +Identifier (value) must be managed across revisions of the same document. In general, [OSCAL identifiers](/concepts/layer/overview/#identifier-use) have *per-subject* consistency. They should only be changed if the underlying identified subject has changed in a significant way that no longer represents the same identified subject. diff --git a/docs/content/concepts/identifier-use/oscal-model-relationships.svg b/docs/content/concepts/identifier-use/oscal-model-relationships.svg new file mode 100644 index 0000000000..5fa0fa4236 --- /dev/null +++ b/docs/content/concepts/identifier-use/oscal-model-relationships.svg @@ -0,0 +1,4 @@ + + + +
import-profile
import-profile
Catalog
Catalog
import
import
import
import
Profile
Profile
SSP
SSP
Component Definition
Component Def...
link
link
import-ssp
import-ssp
POAM
POAM
import-ap
import-ap
AR
AR
AP
AP
import-component-definition
import-component-definition
import-ssp
import-ssp
control implementation source
control implementation source
observations, risks, findings/poam items
observations, risks, findings/poam itemsText is not SVG - cannot display \ No newline at end of file diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index ed3b1d4d1f..84b3912c75 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -77,7 +77,8 @@ A local definition of a control objective. Uses catalog syntax for control objective and assessment activities. Assessment Method Universally Unique Identifier - Uniquely identifies this defined assessment method. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given assessment method across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -103,7 +104,8 @@ Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. Assessment Activity Universally Unique Identifier - Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document. + + A machine-oriented, globally unique> identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -126,7 +128,8 @@ Step Universally Unique Identifier - Uniquely identifies a step. This UUID may be referenced elsewhere in an OSCAL document when referring to this step. A UUID should be consistently used for a given test step across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -204,7 +207,8 @@ Represents a scheduled event or milestone, which may be associated with a series of assessment actions. Task Universally Unique Identifier - Uniquely identifies this assessment task. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Task Type @@ -288,7 +292,8 @@ Task Universally Unique Identifier Reference - References a unique task by UUID. + + A machine-oriented identifier reference to a unique task. @@ -304,7 +309,8 @@ Activity Universally Unique Identifier Reference - References an activity defined in the list of activities. + + A machine-oriented identifier reference to an activity defined in the list of activities. @@ -350,6 +356,7 @@

Identifies the person or organization responsible for performing a specific role related to the task.

+ @@ -495,7 +502,8 @@ Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. Assessment Subject Placeholder Universally Unique Identifier - Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task. + + A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -508,7 +516,8 @@ Task Universally Unique Identifier - Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -589,7 +598,8 @@ Subject Universally Unique Identifier Reference - A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. + + A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID. @@ -609,7 +619,8 @@ Identifies the Subject - A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. + + A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. type @@ -653,7 +664,8 @@ Assessment Platform Universally Unique Identifier - Uniquely identifies this assessment Platform. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -672,7 +684,8 @@ Component Universally Unique Identifier Reference - A reference to a component that is implemented as part of an inventory item. + + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. @@ -728,7 +741,8 @@ Finding Target Identifier Reference - Identifies the specific target qualified by the type. + + A machine-oriented identifier reference for a specific target qualified by the type. @@ -790,7 +804,8 @@ Describes an individual observation. Observation Universally Unique Identifier - Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given observation across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -930,7 +945,8 @@ Actor Universally Unique Identifier Reference - A pointer to the tool or person based on the associated type. + + A machine-oriented identifier reference to the tool or person based on the associated type. Actor Role @@ -951,7 +967,8 @@ Identifies an individual task for which the containing object is a consequence of. Task Universally Unique Identifier Reference - References a unique task by UUID. + + A machine-oriented identifier reference to a unique task. @@ -979,7 +996,8 @@ Assessment Subject Placeholder Universally Unique Identifier Reference - References a unique assessment subject placeholder defined by this task. + + A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task. @@ -1028,7 +1046,8 @@ An identified risk. Risk Universally Unique Identifier - Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given risk across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1085,11 +1104,13 @@ Mitigating Factor Universally Unique Identifier - Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given mitigating factor across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Implementation UUID - Points to an implementation statement in the SSP. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1130,7 +1151,8 @@ Risk Log Entry Universally Unique Identifier - Uniquely identifies a risk log entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1170,7 +1192,8 @@ Response Universally Unique Identifier Reference - References a unique risk response by UUID. + + A machine-oriented identifier reference to a unique risk response. @@ -1218,7 +1241,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. @@ -1238,7 +1262,8 @@ Used to indicate who created a log entry in what role. Party UUID Reference - A pointer to the party who is making the log entry. + + A machine-oriented identifier reference to the party who is making the log entry. Actor Role @@ -1519,7 +1544,8 @@ Describes either recommended or an actual plan for addressing the risk. Remediation Universally Unique Identifier - Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Remediation Intent @@ -1561,7 +1587,8 @@ Required Universally Unique Identifier - Uniquely identifies this required asset. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given required asset across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1623,7 +1650,8 @@ Part Identifier - A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Name diff --git a/src/metaschema/oscal_assessment-plan_metaschema.xml b/src/metaschema/oscal_assessment-plan_metaschema.xml index 9bef67975c..24ee462070 100644 --- a/src/metaschema/oscal_assessment-plan_metaschema.xml +++ b/src/metaschema/oscal_assessment-plan_metaschema.xml @@ -20,7 +20,8 @@ assessment-plan Assessment Plan Universally Unique Identifier - Uniquely identifies this assessment plan. This UUID must be changed each time the content of the plan changes. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -118,6 +119,17 @@ + + diff --git a/src/metaschema/oscal_assessment-results_metaschema.xml b/src/metaschema/oscal_assessment-results_metaschema.xml index ebb24f1b5c..28ef12b224 100644 --- a/src/metaschema/oscal_assessment-results_metaschema.xml +++ b/src/metaschema/oscal_assessment-results_metaschema.xml @@ -22,7 +22,8 @@ assessment-results Assessment Results Universally Unique Identifier - Uniquely identifies this assessment results file. This UUID must be changed each time the content of the results changes. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -74,7 +75,8 @@ Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition. Results Universally Unique Identifier - Uniquely identifies this set of results. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given set of results across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -199,7 +201,8 @@ Assessment Log Entry Universally Unique Identifier - Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -259,7 +262,8 @@ Describes an individual finding. Finding Universally Unique Identifier - Uniquely identifies this finding. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given finding across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -290,7 +294,8 @@ Implementation Statement UUID - Identifies the implementation statement in the SSP to which this finding is related. + + A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related. @@ -299,7 +304,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. @@ -309,7 +315,8 @@ Risk Universally Unique Identifier Reference - References an risk defined in the list of risks. + + A machine-oriented identifier reference to a risk defined in the list of risks. diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index dd7743ca85..b89d40e74b 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -24,7 +24,7 @@ catalog Catalog Universally Unique Identifier - A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised. + A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. @@ -65,7 +65,8 @@ Group Identifier - A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Class @@ -130,7 +131,8 @@ Control Identifier - A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document. + + A human-oriented, locally unique identifier with instance scope that can be used to reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same control across revisions of the document. Control Class diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index 7a9fe80aec..fb97e12319 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -33,7 +33,8 @@ component-definition Component Definition Universally Unique Identifier - A globally unique identifier for this component definition instance. This UUID should be changed when this document is revised. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -79,7 +80,8 @@ A defined component that can be part of an implemented system. Component Identifier - The unique identifier for the component. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. type @@ -249,7 +251,8 @@ A grouping of other components and/or capabilities. Capability Identifier - A unique identifier for a capability. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Capability Name @@ -289,7 +292,8 @@ TBD Component Reference - A reference to a component by its identifier + + A machine-oriented identifier reference to a component. @@ -304,7 +308,8 @@ Defines how the component or capability supports a set of controls. Control Implementation Set Identifier - A unique identifier for the set of implemented controls. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -346,7 +351,8 @@ Describes how the containing component or capability implements an individual control. Control Implementation Identifier - A unique identifier for a specific control implementation. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -402,7 +408,8 @@ Control Statement Reference Universally Unique Identifier - A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index dc03e9e7da..931dddae7d 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -20,9 +20,10 @@ Part A partition of a control's definition or a child of another part. - + Part Identifier - A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Name @@ -120,9 +121,10 @@ param - + Parameter Identifier - A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -264,6 +266,7 @@ Control Identifier Reference - A reference to a control with a corresponding id value. + + A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index 6829307fef..40dedfef70 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -30,7 +30,8 @@ A defined component that can be part of an implemented system. Component Identifier - The unique identifier for the component. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -249,7 +250,8 @@ Information about the protocol used to provide a service. Service Protocol Information Universally Unique Identifier - A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Protocol Name @@ -337,7 +339,8 @@ A type of user that interacts with the system based on an associated role. User Universally Unique Identifier - The unique identifier for the user class. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -422,7 +425,8 @@ --> Inventory Item Universally Unique Identifier - A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. @@ -631,7 +636,8 @@ --> Control Statement Reference - A reference to a control statement by its identifier + + A human-oriented identifier reference to a control statement. Set Parameter Value @@ -653,11 +659,12 @@ System Identification - A unique identifier for the system described by this system security plan. + + A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document. id Identification System Type - Identifies the identification system from which the provided identifier was assigned. + Identifies the identification system from which the provided identifier was assigned. The identifier was assigned by FedRAMP. @@ -671,7 +678,8 @@ Parameter ID - A reference to a parameter within a control, who's catalog has been imported into the current implementation context. + + A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context. System ISSO diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index f20a00a3db..2487f072a9 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -156,7 +156,8 @@ A location, with associated metadata that can be referenced. Location Universally Unique Identifier - A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -212,7 +213,8 @@ Location Reference - References a location defined in metadata. + + A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -225,7 +227,8 @@ Location Reference - References a location defined in metadata. + + A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -233,6 +236,9 @@ + +

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

+ @@ -240,7 +246,8 @@ A responsible entity which is either a person or an organization. Party Universally Unique Identifier - A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Party Type @@ -310,7 +317,9 @@ Organizational Affiliation - Identifies that the party object is a member of the organization associated with the provided UUID. + + A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). + @@ -318,8 +327,7 @@ -

Parties of both the person or organization type can be associated with an organization using the member-of-organization. -

+

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

 @@ -335,7 +343,8 @@ Party Reference - References a party defined in metadata. + + A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -343,6 +352,9 @@ + +

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

+ @@ -350,11 +362,8 @@ Defines a function assumed or expected to be assumed by a party in a specific situation. - Role Identifier - A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document. - -

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

- + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -380,12 +389,14 @@

Permissible values to be determined closer to the application (e.g. by a receiving authority).

- +

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

+ Role Identifier Reference - A reference to the roles served by the user. + + A human-oriented identifier reference to roles served by the user. @@ -407,7 +418,8 @@ Resource Universally Unique Identifier - A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -600,7 +612,8 @@ Property Universally Unique Identifier - A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -704,7 +717,8 @@ A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object. Responsible Role - The role that the party is responsible for. + + A human-oriented identifier reference to roles served by the user. @@ -736,7 +750,8 @@ A reference to one or more roles with responsibility for performing a function relative to the containing object. Responsible Role ID - The role that is responsible for the business function. + + A human-oriented identifier reference to roles responsible for the business function. @@ -914,7 +929,8 @@ Document Identifier - A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element. + + A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element. identifier diff --git a/src/metaschema/oscal_poam_metaschema.xml b/src/metaschema/oscal_poam_metaschema.xml index bce14bc6be..65936c509d 100644 --- a/src/metaschema/oscal_poam_metaschema.xml +++ b/src/metaschema/oscal_poam_metaschema.xml @@ -23,7 +23,8 @@ plan-of-action-and-milestones POA&M Universally Unique Identifier - Uniquely identifies this POA&M. This UUID must be changed each time the content of the POA&M changes. + + A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -88,7 +89,8 @@ Describes an individual POA&M item. POA&M Item Universally Unique Identifier - Uniquely identifies the POA&M entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given POA&M item across revisions of the document. + + A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -132,7 +134,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. @@ -143,7 +146,8 @@ Risk Universally Unique Identifier Reference - References an risk defined in the list of risks. + + A machine-oriented identifier reference to a risk defined in the list of risks. diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 0701c611ab..18e2aad3ce 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -22,8 +22,9 @@ Each OSCAL profile is defined by a Profile element profile - Catalog Universally Unique Identifier - A globally unique identifier for this profile instance. This UUID should be changed when this document is revised. + Profile Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this profile elsewhere in this or other OSCAL instances. The locally defined UUID of the profile can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions of the document. @@ -36,6 +37,7 @@

An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles, that import them.

+

See the Concepts - Identifier Use page for additional information regarding this identifier's uniqueness and scope.

 @@ -145,7 +147,8 @@ Group Identifier - A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Class @@ -196,7 +199,8 @@ Parameter ID - Indicates the value of the 'id' flag on a target parameter; i.e. which parameter to set + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Parameter Class diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 295356ec2e..cb5a6a65c5 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -34,7 +34,8 @@ system-security-plan System Security Plan Universally Unique Identifier - A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -190,7 +191,8 @@ Information Type Universally Unique Identifier - A globally unique identifier that can be used to reference this information type entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -220,7 +222,8 @@ Information Type Systematized Identifier - An identifier qualified by the given identification system used, such as NIST SP 800-60. + + A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. id @@ -409,7 +412,8 @@ A graphic that provides a visual representation the system, or some aspect of it. Diagram ID - The identifier for this diagram. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -539,7 +543,8 @@ Leveraged Authorization Universally Unique Identifier - A globally unique identifier that can be used to reference this leveraged authorization entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -554,7 +559,8 @@ party-uuid field - A reference to the party that manages the leveraged system. + + A machine-oriented identifier reference to the party that manages the leveraged system. @@ -683,7 +689,8 @@ Describes how the system satisfies an individual control. Control Requirement Universally Unique Identifier - A globally unique identifier that can be used to reference this control requirement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -773,7 +780,8 @@ Control Statement Reference Universally Unique Identifier - A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -815,11 +823,13 @@ Defines how the referenced component implements a set of controls. Component Universally Unique Identifier Reference - A reference to the component that is implementing a given control or control statement. + + A machine-oriented identifier reference to the component that is implemeting a given control. By-Component Universally Unique Identifier - A globally unique identifier that can be used to reference this by-component entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -862,7 +872,8 @@ Provided Universally Unique Identifier - A globally unique identifier that can be used to reference this provided entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -896,7 +907,8 @@ Responsibility Universally Unique Identifier - A globally unique identifier that can be used to reference this responsibility entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -947,7 +959,8 @@ Inherited Universally Unique Identifier - A globally unique identifier that can be used to reference this inherited entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -982,7 +995,8 @@ Satisfied Universally Unique Identifier - A globally unique identifier that can be used to reference this satisfied entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1033,11 +1047,13 @@ Provided UUID - Identifies a 'provided' assembly associated with this assembly. + + A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system. - Provided UUID - Identifies a 'provided' assembly associated with this assembly. + Responsibility UUID + + A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system. From 5fa55c7915c4af25c6a60894d89d4c450d6c56b9 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 25 Jan 2022 17:09:51 -0500 Subject: [PATCH 12/35] Update Path for Schematron Validation of Metaschema Models (#1108) * Update xml-model PI with updated @href for Schematron validation. * Per feedback from Dave uncomment PI for complete schema --- src/metaschema/oscal_assessment-results_metaschema.xml | 2 +- src/metaschema/oscal_catalog_metaschema.xml | 2 +- src/metaschema/oscal_complete_metaschema.xml | 2 +- src/metaschema/oscal_component_metaschema.xml | 2 +- src/metaschema/oscal_control-common_metaschema.xml | 2 +- src/metaschema/oscal_implementation-common_metaschema.xml | 2 +- src/metaschema/oscal_metadata_metaschema.xml | 2 +- src/metaschema/oscal_poam_metaschema.xml | 2 +- src/metaschema/oscal_profile_metaschema.xml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/metaschema/oscal_assessment-results_metaschema.xml b/src/metaschema/oscal_assessment-results_metaschema.xml index 28ef12b224..d2736f8ed3 100644 --- a/src/metaschema/oscal_assessment-results_metaschema.xml +++ b/src/metaschema/oscal_assessment-results_metaschema.xml @@ -1,5 +1,5 @@ - + OSCAL Assessment Results Model diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index b89d40e74b..cc875fba33 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -1,5 +1,5 @@ - + - + - + diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 931dddae7d..fc0d333ff9 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -1,5 +1,5 @@ - + - + diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 2487f072a9..82be6988bd 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -1,5 +1,5 @@ - + - + OSCAL Plan of Action and Milestones (POA&M) Model diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 18e2aad3ce..211d6d204a 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -1,5 +1,5 @@ - + ]> From 4b58d00ca34339cda94344470a5374e15cebc989 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 25 Jan 2022 17:54:05 -0500 Subject: [PATCH 13/35] Local Dev Web Server Enhancements (#1103) * Local web dev container improvements. * Update docs/run-server.sh * Default hugo args tweaks and run gen model doc script. * Merge in @bradh's recommendation. * Merge in some feedback from @dave-waltermire-nist about this PR regarding the default arguments for `hugo` and adding the other important pipeline step for generating both spec and model docs before running the website build. Co-authored-by: Brad Hards --- docs/docker-compose.yml | 6 +++--- docs/run-server.sh | 23 ++++++++++++++++++++--- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/docs/docker-compose.yml b/docs/docker-compose.yml index c724880e89..86815adc9d 100644 --- a/docs/docker-compose.yml +++ b/docs/docker-compose.yml @@ -2,11 +2,11 @@ version: "3.7" services: docs: + environment: + - OSCAL_WORKING_PATH=/oscal extends: file: ../build/docker-compose.yml service: cli ports: - "1313:1313" - volumes: - - "./:/docs" - entrypoint: /docs/run-server.sh + entrypoint: /oscal/docs/run-server.sh diff --git a/docs/run-server.sh b/docs/run-server.sh index 61afda69ba..82467dc651 100644 --- a/docs/run-server.sh +++ b/docs/run-server.sh @@ -1,5 +1,22 @@ #!/bin/bash -/oscal/build/ci-cd/generate-specification-documentation.sh -cd /docs -hugo server --enableGitInfo=false -v --debug --minify --bind 0.0.0.0 \ No newline at end of file +export HUGO_ARGS="--enableGitInfo=false --verbose --minify --bind 0.0.0.0" +export OSCAL_WORKING_PATH="${OSCAL_WORKING_PATH:-/oscal}" + +"${OSCAL_WORKING_PATH}/build/ci-cd/generate-model-documentation.sh" -w "${OSCAL_WORKING_PATH}" + +if [ $retval -gt 0 ]; then + echo "Generating model docs failed with error ${retval}, not running test site, review logs" + exit 1 +fi + +"${OSCAL_WORKING_PATH}/build/ci-cd/generate-specification-documentation.sh" -w "${OSCAL_WORKING_PATH}" + +retval=$? + +if [ $retval -gt 0 ]; then + echo "Generating spec docs failed with error ${retval}, not running test site, review logs" + exit 1 +fi + +(cd "${OSCAL_WORKING_PATH}/docs" && hugo server $HUGO_ARGS) From de69d27381b1af5a9fa7d1d368db0a711db1bff9 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 7 Sep 2021 10:03:15 -0400 Subject: [PATCH 14/35] Adding missing structuring directive from Profile resolution. --- src/metaschema/oscal_profile_metaschema.xml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 211d6d204a..e4efce81f3 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -114,9 +114,13 @@ - + + Flat + Use the flat structuring method. + + As-Is Structuring Directive - An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. This method has been deprecated and should not be used. The `source` structuring directive syntax should be used instead. + An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. Custom grouping From 85031633866a4f7cf70fa20fab987c64c67b9b46 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 10:35:50 -0500 Subject: [PATCH 15/35] Exposing ports in docker compose config. --- build/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 0a8104b412..feab12a357 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -12,6 +12,8 @@ services: calabashversion: 1.2.5-100 volumes: - "../:/oscal" + ports: + - "1313:1313" # environment: # - SAXON_VERSION=9.9.1-3 # - JSON_CLI_VERSION=0.0.1-SNAPSHOT From 4a3cadf6eab2de92880ac76af7cb39052ed06828 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 10:41:18 -0500 Subject: [PATCH 16/35] Updating profile resolution example tests to align with the current profile resolution specification. --- .../catalogs/abc-full_catalog.xml | 44 ++-- .../catalogs/abc-simple_catalog.xml | 22 +- .../include-all-test_profile.xml | 3 + .../merge-keep-resources_profile.xml | 4 +- .../base-test_profile_RESOLVED.xml | 50 ++--- .../base2-test_profile_RESOLVED.xml | 14 +- .../broken_profile_RESOLVED.xml | 3 +- .../circular_profile_RESOLVED.xml | 3 +- .../exclude-call-test_profile_RESOLVED.xml | 50 ++--- .../full-test_profile_RESOLVED.xml | 30 ++- .../output-expected/home_profile_RESOLVED.xml | 3 +- .../import-twice_profile_RESOLVED.xml | 20 +- ...-all-no-children-test_profile_RESOLVED.xml | 83 ++++--- .../include-all-test_profile_RESOLVED.xml | 210 ++++++++++-------- ...ll-with-children-test_profile_RESOLVED.xml | 57 ++--- ...lude-loose-param-test_profile_RESOLVED.xml | 22 +- .../include-match-test_profile_RESOLVED.xml | 3 +- .../merge-implicit-keep_profile_RESOLVED.xml | 17 +- .../merge-keep-resources_profile_RESOLVED.xml | 47 +++- .../merge-keep_profile_RESOLVED.xml | 3 +- .../modify-adds_profile_RESOLVED.xml | 3 +- 21 files changed, 406 insertions(+), 285 deletions(-) diff --git a/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-full_catalog.xml b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-full_catalog.xml index 522d779ebf..c0ffe9ce3d 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-full_catalog.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-full_catalog.xml @@ -30,19 +30,16 @@ a1.a value - +

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: -

-

Parameter a1.a is set: -

-

Also, we refer to a citation.

+

Parameter A.a is set:

+

Parameter a1.a is set:

Control A2 - +

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

Parameter A.b is set: @@ -51,7 +48,7 @@ Control A3 - +

A3 aaaaa aaaaaaaaaa

 @@ -61,21 +58,23 @@ Group B of C Control B1 - +

B1 bbbb bbbbbbb.

 Control B2 - + +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

+

Also, we refer to a citation.

 Control B3 - +

B3 bbbb bbbbbbb bbbb.

 @@ -85,15 +84,15 @@ Group C of C Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

-

We cite a document with an anchor: ... citation ....

+

We cite a document with an anchor: ... citation ....

 Control C2 - +

C2 cccccccc ccccccccccccccccc.

@@ -101,19 +100,19 @@ Control C3 - +

C3 ccccc cccccccccccccc.

 Control C3-A - +

C3 A ccccc cccccccccccccc.

 Control C3-A-1 - +

C3 A-1 ccccc cccccccccccccc.

 @@ -122,10 +121,21 @@ + + + A citation to an out of line document. + + A citation to an out of line document. + + + + A citation to an out of line document. + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-simple_catalog.xml b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-simple_catalog.xml index b41aef92db..b838be9ad0 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-simple_catalog.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-simple_catalog.xml @@ -18,14 +18,14 @@ - +

A1 aaaaa aaaaaaaaaa

 Control A2 - +

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

 @@ -35,7 +35,7 @@ - +

A3 aaaaa aaaaaaaaaa

 @@ -45,21 +45,21 @@ Group B of C Control B1 - +

B1 bbbb bbbbbbb.

 Control B2 - +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

 Control B3 - +

B3 bbbb bbbbbbb bbbb.

 @@ -69,33 +69,33 @@ Group C of C Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C2 - +

C2 cccccccc ccccccccccccccccc.

 Control C3 - +

C3 ccccc cccccccccccccc.

 Control C3-A - +

C3 A ccccc cccccccccccccc.

 Control C3-A-1 - +

C3 A-1 ccccc cccccccccccccc.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml index 10c801ae2c..c6c699df9d 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/include-all-test_profile.xml @@ -12,4 +12,7 @@ + + true + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml index b062ac37ec..358f84f829 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/merge-keep-resources_profile.xml @@ -12,12 +12,12 @@ a1 - b1 + b2 - + Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml index be7795892a..ba4c5907ae 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base-test_profile_RESOLVED.xml @@ -6,57 +6,55 @@ 2021-04-06T15:00:48.692-04:00 1.0 1.0.0 - + + Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C3 -

C3 ccccc cccccccccccccc.

 - - Control C3-A - - -

C3 A ccccc cccccccccccccc.

- - - Control C3-A-1 - - -

C3 A-1 ccccc cccccccccccccc.

- - - + + + Control C3-A + + +

C3 A ccccc cccccccccccccc.

+ + + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml index 8e5e6948f4..282ff94354 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/base2-test_profile_RESOLVED.xml @@ -6,35 +6,33 @@ 2021-04-06T15:00:49.259-04:00 1.0 1.0.0 - + + Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C3 - +

C3 ccccc cccccccccccccc.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml index df127be426..012fe3972b 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/broken_profile_RESOLVED.xml @@ -6,6 +6,7 @@ 2021-04-06T15:00:49.676-04:00 1.0 1.0.0 - + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml index 87db19e179..c6c08e2fe1 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/circular_profile_RESOLVED.xml @@ -6,6 +6,7 @@ 2021-04-06T15:00:49.96-04:00 1.0 1.0.0 - + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml index 6a9e9c0917..14b60e834b 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/exclude-call-test_profile_RESOLVED.xml @@ -6,79 +6,77 @@ 2021-04-06T15:00:50.316-04:00 1.0 1.0.0 - + + Control A2 - +

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

 Control A3 - - - - +

A3 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control B2 - +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

 Control B3 - +

B3 bbbb bbbbbbb bbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C2 - +

C2 cccccccc ccccccccccccccccc.

 Control C3 - +

C3 ccccc cccccccccccccc.

 - - Control C3-A - - -

C3 A ccccc cccccccccccccc.

- - - Control C3-A-1 - - -

C3 A-1 ccccc cccccccccccccc.

- - - + + + Control C3-A + + +

C3 A ccccc cccccccccccccc.

+ + + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml index 12f9ea4553..e05bbe6443 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/full-test_profile_RESOLVED.xml @@ -6,42 +6,54 @@ 2021-04-06T15:00:50.63-04:00 1.0 1.0.0 - + + + + + A.a value + Control A1 a1.a value - +

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: ...

-

Parameter a1.a is set: ...

-

Also, we refer to a citation.

+

Parameter A.a is set:

+

Parameter a1.a is set:

Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

-

We cite a document with an anchor: ... citation ....

+

We cite a document with an anchor: ... citation ....

 Control C3 - +

C3 ccccc cccccccccccccc.

 + + + + + A citation to an out of line document. + + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml index 14d6ffe505..db8d94f3b4 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/home_profile_RESOLVED.xml @@ -6,6 +6,7 @@ 2021-04-06T15:00:50.936-04:00 1.0 1.0.0 - + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml index cae4377852..ba2af7bf12 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/import-twice_profile_RESOLVED.xml @@ -6,56 +6,54 @@ 2021-04-06T15:00:51.268-04:00 1.0 1.0.0 - + + Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C3 - +

C3 ccccc cccccccccccccc.

 Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C3 - +

C3 ccccc cccccccccccccc.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml index 94f72f228a..ed4ab1ea9d 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-no-children-test_profile_RESOLVED.xml @@ -6,69 +6,83 @@ 2021-04-06T15:00:51.584-04:00 1.0 1.0.0 - + + + + + A.a value + + + + Control A1 a1.a value - +

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: ...

-

Parameter a1.a is set: ...

-

Also, we refer to a citation.

+

Parameter A.a is set:

+

Parameter a1.a is set:

Control A2 - +

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

-

Parameter A.b is set: ...

+

Parameter A.b is set: +

Control A3 - +

A3 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control B2 - + +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

+

Also, we refer to a citation.

 Control B3 - +

B3 bbbb bbbbbbb bbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

-

We cite a document with an anchor: ... citation ....

+

We cite a document with an anchor: ... citation ....

 Control C2 - +

C2 cccccccc ccccccccccccccccc.

@@ -76,30 +90,41 @@ Control C3 - +

C3 ccccc cccccccccccccc.

 - - Control C3-A - - -

C3 A ccccc cccccccccccccc.

- - - Control C3-A-1 - - -

C3 A-1 ccccc cccccccccccccc.

- - - + + + Control C3-A + + +

C3 A ccccc cccccccccccccc.

+ + + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ + + + A citation to an out of line document. + + A citation to an out of line document. + + + + A citation to an out of line document. + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml index 45a907be3c..1467b2616e 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-all-test_profile_RESOLVED.xml @@ -6,100 +6,134 @@ 2021-04-06T15:00:51.847-04:00 1.0 1.0.0 - + + - - Control A1 - - - a1.a value - - - -

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: ...

-

Parameter a1.a is set: ...

-

Also, we refer to a citation.

- - - - Control A2 - - -

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

-

Parameter A.b is set: ...

- - - - Control A3 - - -

A3 aaaaa aaaaaaaaaa

- - - - Control B1 - - -

B1 bbbb bbbbbbb.

- - - - Control B2 - - -

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

- - - - Control B3 - - -

B3 bbbb bbbbbbb bbbb.

- - - - Control C1 - - -

C1 ccccc ccc ccccccccccccccccc.

-

We cite a document with an anchor: ... citation ....

- - - - Control C2 - - - -

C2 cccccccc ccccccccccccccccc.

- - - - Control C3 - - -

C3 ccccc cccccccccccccc.

- - - Control C3-A - - -

C3 A ccccc cccccccccccccc.

- - - Control C3-A-1 - - -

C3 A-1 ccccc cccccccccccccc.

- - - - + + Group A of C + + + A.a value + + + + + + Control A1 + + + a1.a value + + + +

A1 aaaaa aaaaaaaaaa

+

Parameter A.a is set:

+

Parameter a1.a is set:

+ + + + Control A2 + + +

A2 aaa aaaaaaaaaa aaaaaaaaaaaaa

+

Parameter A.b is set: +

+ + + + Control A3 + + +

A3 aaaaa aaaaaaaaaa

+ + + + + Group B of C + + Control B1 + + +

B1 bbbb bbbbbbb.

+ + + + Control B2 + + + +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

+

Also, we refer to a citation.

+ + + + Control B3 + + +

B3 bbbb bbbbbbb bbbb.

+ + + + + Group C of C + + Control C1 + + +

C1 ccccc ccc ccccccccccccccccc.

+

We cite a document with an anchor: ... citation ....

+ + + + Control C2 + + + +

C2 cccccccc ccccccccccccccccc.

+ + + + Control C3 + + +

C3 ccccc cccccccccccccc.

+ + + Control C3-A + + +

C3 A ccccc cccccccccccccc.

+ + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ + + + + + + + A citation to an out of line document. + + A citation to an out of line document. + + + + A citation to an out of line document. + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml index 850a35c9ff..f07802e74a 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-call-with-children-test_profile_RESOLVED.xml @@ -1,57 +1,60 @@ + uuid="4e44c016-f69e-4ef0-9041-7c3afc2c6ae7"> Test Profile - 2021-04-06T15:00:52.172-04:00 + 2021-04-06T15:00:48.692-04:00 1.0 1.0.0 - + + Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control C1 - +

C1 ccccc ccc ccccccccccccccccc.

 Control C3 - - + +

C3 ccccc cccccccccccccc.

 - - Control C3-A - - -

C3 A ccccc cccccccccccccc.

- - - Control C3-A-1 - - -

C3 A-1 ccccc cccccccccccccc.

- - - - + + Control C3-A + + +

C3 A ccccc cccccccccccccc.

+ + + + Control C3-A-1 + + +

C3 A-1 ccccc cccccccccccccc.

+ + + \ No newline at end of file diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml index a20ef91888..2051d3a49f 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-loose-param-test_profile_RESOLVED.xml @@ -6,20 +6,32 @@ 2021-04-06T15:00:52.401-04:00 1.0 1.0.0 - + + + + + A.a value + Control A1 a1.a value - +

A1 aaaaa aaaaaaaaaa

-

Parameter A.a is set: ...

-

Parameter a1.a is set: ...

-

Also, we refer to a citation.

+

Parameter A.a is set:

+

Parameter a1.a is set:

+ + + + + A citation to an out of line document. + + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml index cf2af06b5c..f21d77cf83 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/include-match-test_profile_RESOLVED.xml @@ -6,6 +6,7 @@ 2021-04-06T15:00:52.649-04:00 1.0 1.0.0 - + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml index c60632f323..d4816f91ed 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-implicit-keep_profile_RESOLVED.xml @@ -6,38 +6,33 @@ 2021-04-06T15:00:52.97-04:00 1.0 1.0.0 - + + Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 Control A1 - - - - +

A1 aaaaa aaaaaaaaaa

 Control B1 - +

B1 bbbb bbbbbbb.

 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml index 7ac3c90d65..0444e5edd6 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep-resources_profile_RESOLVED.xml @@ -6,23 +6,52 @@ 2021-04-06T15:00:53.229-04:00 1.0 1.0.0 - + + + + + A.a value + Control A1 - - + + + a1.a value - +

A1 aaaaa aaaaaaaaaa

+

Parameter A.a is set:

+

Parameter a1.a is set:

- - Control B1 - - -

B1 bbbb bbbbbbb.

+ + Control B2 + + + +

B2 bbb bbbbbbbbbbb bbbbbbbbbbbb.

+

Also, we refer to a citation.

 + + + + A citation to an out of line document. + + + + + + A citation to an out of line document. + + + + Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy + + ...doi... + + + diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml index f2c4327c0d..232cef0234 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml @@ -6,7 +6,8 @@ 2021-04-06T15:00:53.459-04:00 1.0 1.0.0 - + + Control A1 diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml index 10f629276b..c331b3d7c4 100644 --- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml +++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/modify-adds_profile_RESOLVED.xml @@ -6,7 +6,8 @@ 2021-04-06T15:00:53.695-04:00 1.2 1.0.0 - + + Group A of C From cc25334700d507b02fc5facd4fdbd32d854e9da9 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 10:52:56 -0500 Subject: [PATCH 17/35] Fix to allow provider directory to be specified in the environment. --- build/ci-cd/include/init-oscal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/ci-cd/include/init-oscal.sh b/build/ci-cd/include/init-oscal.sh index ee3e8e5efa..800ccff240 100755 --- a/build/ci-cd/include/init-oscal.sh +++ b/build/ci-cd/include/init-oscal.sh @@ -6,7 +6,7 @@ if [ -z ${OSCAL_SCRIPT_INIT+x} ]; then # Get location of this script and set the OSCAL directory as a relative path OSCALDIR="$(cd "$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)/../../.."; pwd)" WORKING_DIR="${OSCALDIR}" - export PROVIDER_DIR="${OSCALDIR}/build/metaschema/toolchains/xslt-M4" +# export PROVIDER_DIR="${OSCALDIR}/build/metaschema/toolchains/xslt-M4" source "$OSCALDIR/build/metaschema/scripts/include/common-environment.sh" From cdd21a1677ec9dae3659aa2dedbcd319eae821e4 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 10:55:13 -0500 Subject: [PATCH 18/35] Added missing metadata props and links in the catalog Metaschema that are specified in the profile resolution specification. --- build/metaschema | 2 +- src/metaschema/oscal_catalog_metaschema.xml | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/build/metaschema b/build/metaschema index 9c884726d9..25a56e7810 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 9c884726d926dba8f2a3c7ce6c3f1e89d5bab6a4 +Subproject commit 25a56e7810d3f4602ddd09c7feac528d4c6326de diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index cc875fba33..40c922ef99 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -45,6 +45,14 @@ + + + The tool used to produce a resolved profile. + + + The tool used to produce a resolved profile. + +

Catalogs may use one or more group objects to subdivide the control contents of a catalog.

An OSCAL catalog model provides a structured representation of control information.

@@ -168,7 +176,7 @@ - + &allowed-values-control-group-property-name; The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. From 53dc983b1ce62466e131401b94420c78c197fe21 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 10:57:25 -0500 Subject: [PATCH 19/35] Converted some cardinality constraints to expect constraints, since these are actually conditional expectations. The cardinalities were causing false positives. --- src/metaschema/oscal_control-common_metaschema.xml | 2 +- src/metaschema/oscal_metadata_metaschema.xml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index fc0d333ff9..52dad739b8 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -88,7 +88,7 @@ The assessment method to use. This typically appears on parts with the name "assessment". - + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 82be6988bd..91993799ee 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -555,11 +555,11 @@

- +

A title is required when a citation is provided.

 - +

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

From a183fab4c5d771924ccf4c6f030b3fe2e8b59503 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 11:00:49 -0500 Subject: [PATCH 20/35] Relocated the "by-component-export-provided-uuid" index to eliminate a duplicate index error. --- src/metaschema/oscal_ssp_metaschema.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index cb5a6a65c5..b140ff9407 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -679,6 +679,9 @@

Since multiple set-parameter entries can be provided, each parameter must be set only once.

 + + +

Use of set-parameter in this context, sets the parameter for all related controls referenced in an implemented-requirement. If the same parameter is also set in a specific implemented-requirement, then the new value will override this value.

@@ -944,9 +947,6 @@ - - - From 1697757d6e498eaa5384e352173bf7f7bbbe2e9c Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 11:03:45 -0500 Subject: [PATCH 21/35] Updated the profile resolution test helper to allow for directly calling it and to normalize a few additional fields that are mutable between the expected and actual examples. --- .../oscal-profile-test-helper.xsl | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/utils/util/resolver-pipeline/oscal-profile-test-helper.xsl b/src/utils/util/resolver-pipeline/oscal-profile-test-helper.xsl index 27fa5d48b2..a423068823 100644 --- a/src/utils/util/resolver-pipeline/oscal-profile-test-helper.xsl +++ b/src/utils/util/resolver-pipeline/oscal-profile-test-helper.xsl @@ -15,8 +15,8 @@ --> - - + + @@ -32,7 +32,13 @@ --> - + + + + + + + @@ -54,7 +60,15 @@ - + + + ... + + + + ... + + ... From 51a66bbb2a5f9cef2370c9d02d7f04453acfeb46 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 26 Jan 2022 11:31:15 -0500 Subject: [PATCH 22/35] repairing missing formal-name --- build/metaschema | 2 +- src/metaschema/oscal_metadata_metaschema.xml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index 25a56e7810..9c884726d9 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 25a56e7810d3f4602ddd09c7feac528d4c6326de +Subproject commit 9c884726d926dba8f2a3c7ce6c3f1e89d5bab6a4 diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 91993799ee..6e51da7c72 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -363,6 +363,7 @@ + Role Identifier A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. From f40b56bd75f5cc4dee741813c424659a5fb4a296 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Wed, 26 Jan 2022 15:21:33 -0500 Subject: [PATCH 23/35] Fix enum typos from inteneral->internal, closes #1067. (#1110) --- src/metaschema/oscal_component_metaschema.xml | 2 +- src/metaschema/oscal_implementation-common_metaschema.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index db374e0b12..4bdb6a6ec5 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -182,7 +182,7 @@ - The component is implemented within the system boundary. + The component is implemented within the system boundary. The component is implemented outside the system boundary. diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index a58e4af062..aed1c18a38 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -139,7 +139,7 @@ - The component is implemented within the system boundary. + The component is implemented within the system boundary. The component is implemented outside the system boundary. From c2848eb226d133018451f6b3e7fbf6c715fcb3b0 Mon Sep 17 00:00:00 2001 From: Guy Zylberberg Date: Wed, 26 Jan 2022 22:39:56 +0200 Subject: [PATCH 24/35] Add support for yaml OSCAL files validation (#1091) * Add support for yaml OSCAL files validation * Replace pyyaml library with ruamel.yaml This was done to address the concern raised in the PR - https://github.com/usnistgov/OSCAL/pull/1091#discussion_r787153710 * Pin specific versions of PyPI packages. Co-authored-by: Alexander Stein --- src/utils/util/oscal-content-validator.py | 9 ++++++++- src/utils/util/requirements.txt | 5 +++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/utils/util/oscal-content-validator.py b/src/utils/util/oscal-content-validator.py index 2e1fbe83a6..3c6bc9328a 100755 --- a/src/utils/util/oscal-content-validator.py +++ b/src/utils/util/oscal-content-validator.py @@ -6,6 +6,7 @@ import argparse from jsonschema import validate import xmlschema +from ruamel.yaml import YAML def _get_oscal_file_type(filename): @@ -13,6 +14,8 @@ def _get_oscal_file_type(filename): return "json" elif filename.endswith("xml") or filename.endswith("xsd"): return "xml" + elif filename.endswith("yaml") or filename.endswith("yml"): + return "yaml" else: raise("Not a valid OSCAL file.") @@ -21,6 +24,9 @@ def read_file(filename, ftype): with io.open(filename, 'r', encoding="utf-8") as f: if ftype == "json": filedata = json.load(f) + if ftype == "yaml": + yaml = YAML() + filedata = yaml.load(f) else: filedata = f.read() return filedata, ftype @@ -41,7 +47,8 @@ def oscal_validator(oscal_schema, oscal_data): schema, stype = read_file(oscal_schema, _get_oscal_file_type(oscal_schema)) data, ftype = read_file(oscal_data, _get_oscal_file_type(oscal_data)) - if ftype == 'json': + if ftype == 'json' or ftype == 'yaml': + # Yaml files are validated using the json schema validate(data, schema) if ftype == 'xml': xmlschema.validate(data, schema) diff --git a/src/utils/util/requirements.txt b/src/utils/util/requirements.txt index 5d85005ef4..fc585b61e1 100644 --- a/src/utils/util/requirements.txt +++ b/src/utils/util/requirements.txt @@ -1,2 +1,3 @@ -jsonschema -xmlschema +jsonschema==4.4.0 +ruamel.yaml==0.17.10 +xmlschema==1.9.2 \ No newline at end of file From 2c1fd5f19e9c0cd8d41df543622e7dcf354e4143 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Wed, 26 Jan 2022 17:03:12 -0500 Subject: [PATCH 25/35] Make @control-id for alter statements in profile required. (#1111) Resolves #1053. Discussed with the team and agreed that this is in fact a bug that requires a backward-breaking compatibility change to fix. --- src/metaschema/oscal_profile_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index e4efce81f3..69b8f2cae5 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -335,7 +335,7 @@ Alteration An Alter element specifies changes to be made to an included control when a profile is resolved. - + From f610a1b31c9c8720daecc3efc4dd98bb897ec89b Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Wed, 26 Jan 2022 17:07:00 -0500 Subject: [PATCH 26/35] Clarify data types docs for param insert. Closes #1037. (#1112) --- docs/content/reference/datatypes.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/reference/datatypes.md b/docs/content/reference/datatypes.md index adef933283..5123fd2975 100644 --- a/docs/content/reference/datatypes.md +++ b/docs/content/reference/datatypes.md @@ -362,16 +362,16 @@ Note: Markdown does not have an equivalent of the HTML <i> and <b> t The OSCAL catalog, profile, and implementation layer models allow for control parameters to be defined and injected into prose text. -Parameter injection is handled in OSCAL as follows using the <insert> tag: +Parameter injection is handled in OSCAL as follows using the <insert> tag, where you must provide its type and the identifier reference with id-ref: ```html -Reviews and updates the risk management strategy or as required, to address organizational changes. +This implements as required to address organizational changes. ``` The same string in Markdown is represented as follows: ```markdown -Reviews and updates the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. +This implements {{ insert: param, pm-9_prm_1 }} as required to address organizational changes. ``` #### Specialized Character Mapping From 76eec06b5b2b30f9a587d95d10c9199b59ebebcb Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Fri, 28 Jan 2022 08:12:25 -0500 Subject: [PATCH 27/35] Adding missing prop, link, and part names used in the SP 800-53 catalog that were missing in the OSCAL Metaschemas. Added additional constraints to support new and existing uses of prop, link, and part names. Removed allow-other="yes" from prop and part names in the OSCAL namespace to avoid namespace squatting on the official OSCAL namespace. Organizations using their own props will now be forced to use their own namespace, which was the original intention. --- .../oscal_assessment-common_metaschema.xml | 16 +++--- src/metaschema/oscal_catalog_metaschema.xml | 53 +++++++++++++++++-- .../oscal_control-common_metaschema.xml | 32 ++++------- src/metaschema/oscal_metadata_metaschema.xml | 11 ++-- ...wed-values-control-group-property-name.ent | 3 +- 5 files changed, 78 insertions(+), 37 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index 84b3912c75..7b1656ddea 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -62,14 +62,16 @@ - - - + + (deprecated) Use 'assessment-objective' instead. + (deprecated) Use 'assessment-method' instead + The part defines an assessment objective. + The part defines an assessment method. - - - - + + + + diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 40c922ef99..ab368f2ee1 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -46,7 +46,7 @@ - + The tool used to produce a resolved profile. @@ -115,9 +115,12 @@ - + &allowed-values-control-group-property-name; + + An introduction to a control or a group of controls. +

Catalogs can use a group to collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.

@@ -177,11 +180,11 @@ - + &allowed-values-control-group-property-name; The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. - + The control is no longer used. @@ -189,6 +192,48 @@ The link identifies another control with bearing to this control. The link identifies another control that must be present if this control is present. The link identifies other control content where this control content is now addressed. + The containing control definition was moved to the referenced control. + + + + An introduction to a control or a group of controls. + A set of control implementation requirements. + Additional information to consider when selecting, implementing, assessing, and monitoring a control. + (deprecated) Use 'assessment-method' instead. + The part describes a method-based assessment over a set of assessment objects. + + + An individual item within a control statement. + +

Nested statement parts are "item" parts.

+ + + + (deprecated) Use 'assessment-objective' instead. + The part describes a set of assessment objectives. + +

Objectives can be nested.

+ + + + (deprecated) Use 'assessment-objects' instead. + Provides a listing of assessment objects. + +

Assessment objects appear on assessment methods.

+ + + + + (deprecated) Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment". + + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 52dad739b8..19ff7efc0c 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -28,18 +28,6 @@ Part Name A textual label that uniquely identifies the part's semantic type. - - - - An introduction to a control or a group of controls. - A set of control implementation requirements. - An individual item within a control statement. - Additional information to consider when selecting, implementing, assessing, and monitoring a control. - Describes a set of assessment objectives. - Describes a method-based assessment over a set of assessment objects. - Provides a list of assessment objects. - - @@ -82,18 +70,9 @@ - + &allowed-values-control-group-property-name; - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. -

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

@@ -182,6 +161,15 @@ + + + &allowed-values-control-group-property-name; + An alternate to the value provided by the parameter's label. This will typically be qualified by a class. + + + The parent parameter provides an aggregation of 2 or more other parameters, each described by this property. + +

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 6e51da7c72..4b066f73ba 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -101,9 +101,14 @@ - Indicates the organization that created this content. + Indicates the organization that created this content. + Indicates the organization that prepared this content. Indicates the organization for which this content was created. Indicates the organization responsible for all content represented in the "document". + Indicates the organization to contact for questions or support related to this content. + + + The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications. The link identifies the authoritative location for this file. Defined by RFC 6596. @@ -511,7 +516,7 @@ For resources representing a published document, this represents the version number of that document. For resources representing a published document, this represents the publication date of that document. - + @@ -542,7 +547,7 @@ Indicates the resource is a report. Indicates the resource is a formal agreement between two or more parties. - + diff --git a/src/metaschema/shared-constraints/allowed-values-control-group-property-name.ent b/src/metaschema/shared-constraints/allowed-values-control-group-property-name.ent index c8f59dc6a3..a5191ce71f 100644 --- a/src/metaschema/shared-constraints/allowed-values-control-group-property-name.ent +++ b/src/metaschema/shared-constraints/allowed-values-control-group-property-name.ent @@ -1,2 +1,3 @@ -A human-readable label for the parent context. +A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. An alternative identifier, whose value is easily sortable among other such values in the document. +An alternate or aliased identifier for the parent context. From e9d1015d42526c4eb181d1050589e46ada87be80 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Fri, 28 Jan 2022 08:13:46 -0500 Subject: [PATCH 28/35] updating to latest Metaschema toolchain --- build/metaschema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index 9c884726d9..b48b76547f 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 9c884726d926dba8f2a3c7ce6c3f1e89d5bab6a4 +Subproject commit b48b76547fe3dcd2e3f6eef92ad68def4f398ed4 From 1081875b85d6daaf73ec4cea232dd5234d3e6127 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sat, 29 Jan 2022 13:57:53 -0500 Subject: [PATCH 29/35] updating to latest metaschema schema --- build/metaschema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index b48b76547f..750531c014 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit b48b76547fe3dcd2e3f6eef92ad68def4f398ed4 +Subproject commit 750531c014575b5f9be6aef577a507cc86a33b69 From 219fdfa6ea293176a5729812214c4c193ff4e040 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 08:37:14 -0500 Subject: [PATCH 30/35] picking up deprecated support from Metaschema --- build/metaschema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index 750531c014..78c3e0daa9 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 750531c014575b5f9be6aef577a507cc86a33b69 +Subproject commit 78c3e0daa9f115cbb4858eef44c1bf161c57305f From 5eb63530a534e664bce044932bfe5a02d881b91a Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 09:19:01 -0500 Subject: [PATCH 31/35] Updating submodule. --- build/metaschema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index 78c3e0daa9..63d258b67e 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 78c3e0daa9f115cbb4858eef44c1bf161c57305f +Subproject commit 63d258b67e1f014e5071a7bb6e5afebf325ce76b From 42bfb80e94f84c3cc02ee8d536cfc1d1e468ab44 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 09:53:34 -0500 Subject: [PATCH 32/35] Updating to latest metaschema schema. --- build/metaschema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/metaschema b/build/metaschema index 63d258b67e..54d1d8d24e 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 63d258b67e1f014e5071a7bb6e5afebf325ce76b +Subproject commit 54d1d8d24edb0f07fe0e8effd5ea476e890ecdb7 From 2d6d21086d0d4651ef9b6ebedba9a3c6d8d13778 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 10:12:41 -0500 Subject: [PATCH 33/35] Many adjustments to the OSCAL Metaschema models. - Added missing allowed values used in the OSCAL NIST catalogs and profiles for SP 800-53. - Added deprecation information for older allowed values for which their use should be discontinued. - Deprecated depends-on in parameter, since this construct only allows a single dependency. - In part deprecated and replaced the following names: objective->assessment-objective, assessment->assessment-method - Deprecated profile merge/combine/@merge since this behavior is not defined in the profile resolution specification. - Added warnings for non-required UUID flags per #1044. Resolves #1044. --- .../oscal_assessment-common_metaschema.xml | 4 ++-- src/metaschema/oscal_catalog_metaschema.xml | 11 ++++++----- src/metaschema/oscal_control-common_metaschema.xml | 13 +++++++------ .../oscal_implementation-common_metaschema.xml | 5 +++++ src/metaschema/oscal_poam_metaschema.xml | 7 ++++++- src/metaschema/oscal_profile_metaschema.xml | 7 +++++-- src/metaschema/oscal_ssp_metaschema.xml | 5 +++++ 7 files changed, 36 insertions(+), 16 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index 7b1656ddea..509a6beb08 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -63,8 +63,8 @@ - (deprecated) Use 'assessment-objective' instead. - (deprecated) Use 'assessment-method' instead + **(deprecated)** Use 'assessment-objective' instead. + **(deprecated)** Use 'assessment-method' instead The part defines an assessment objective. The part defines an assessment method. diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index ab368f2ee1..c4a025e950 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -6,6 +6,7 @@ ]> OSCAL Control Catalog Model 1.0.0 @@ -199,8 +200,8 @@ An introduction to a control or a group of controls. A set of control implementation requirements. Additional information to consider when selecting, implementing, assessing, and monitoring a control. - (deprecated) Use 'assessment-method' instead. - The part describes a method-based assessment over a set of assessment objects. + **(deprecated)** Use 'assessment-method' instead. + The part describes a method-based assessment over a set of assessment objects. An individual item within a control statement. @@ -209,14 +210,14 @@ - (deprecated) Use 'assessment-objective' instead. + **(deprecated)** Use 'assessment-objective' instead. The part describes a set of assessment objectives.

Objectives can be nested.

 - (deprecated) Use 'assessment-objects' instead. + **(deprecated)** Use 'assessment-objects' instead. Provides a listing of assessment objects.

Assessment objects appear on assessment methods.

@@ -224,7 +225,7 @@ - (deprecated) Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment". + **(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment". The assessment method to use. This typically appears on parts with the name "assessment". diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 19ff7efc0c..8b6a857fe8 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -113,7 +113,10 @@

A class can be used in validation rules to express extra constraints over named items of a specific class value.

 - + + Depends on + **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used. + @@ -169,6 +172,9 @@ The parent parameter provides an aggregation of 2 or more other parameters, each described by this property. + + depends-on is deprecated +

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

@@ -247,11 +253,6 @@

A set of parameter value choices, that may be picked from to set the parameter value.

 - - - Depends on - Another parameter invoking this one - Control Identifier Reference diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index aed1c18a38..c2b8e4f4c3 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -270,6 +270,11 @@ + + + It is a best practice to provide a UUID. + + Port Range diff --git a/src/metaschema/oscal_poam_metaschema.xml b/src/metaschema/oscal_poam_metaschema.xml index d8ca767fc6..851e352222 100644 --- a/src/metaschema/oscal_poam_metaschema.xml +++ b/src/metaschema/oscal_poam_metaschema.xml @@ -87,7 +87,7 @@ POA&M Item Describes an individual POA&M item. - + POA&M Item Universally Unique Identifier A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -152,5 +152,10 @@ + + + It is a best practice to provide a UUID. + + diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 69b8f2cae5..0be13bae06 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -100,7 +100,7 @@ Use the first definition - the first control with a given ID is used; subsequent ones are discarded - **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined + **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined Keep - controls with the same ID are kept, retaining the clash @@ -213,7 +213,10 @@

A class can be used in validation rules to express extra constraints over named items of a specific class value.

 - + + Depends on + **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used. + diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index b140ff9407..d4bacafd58 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -281,6 +281,11 @@ + + + It is a best practice to provide a UUID. + + From 8541d41af706298369e430f22c2099fb86315c83 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 12:37:22 -0500 Subject: [PATCH 34/35] Updating release notes and readme documentation. --- docs/content/reference/release-notes.md | 48 +++++++++++++++++++++++++ src/release/README.txt | 3 +- src/release/release-notes.md | 2 +- 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/docs/content/reference/release-notes.md b/docs/content/reference/release-notes.md index b5b625606a..e39cd2541c 100644 --- a/docs/content/reference/release-notes.md +++ b/docs/content/reference/release-notes.md @@ -10,6 +10,54 @@ toc: headingselectors: "h2, h3, h4, h5, h6" --- +## OSCAL 1.0.1 Release + +The following changes were made in this patch release. + +- #635, #966 Cleaned up src/utils directory and added documentation (PR #970, #1014) @wendellpiez +- #956 Enhanced the schema production pipeline to ensure that high-order Unicode characters are properly escaped (PR usnistgov/ metaschema#165) @wendellpiez +- #958 Fixed an issue in the content upconverter used for updating OSCAL content from 1.0.0 RC2 to 1.0.0 (PR #960) @wendellpiez +- #983 Fix Dockerfile entrypoint using best practices for entrypoint. (PR #984) @ohsh60 +- #986 Updated dependency versions for Saxon and AJV in the Docker config. Added dependencies for yargs. (PR #987) @ohsh60 +- #1001 Fixed bad metapath. @david-waltermire-nist +- #1004 Refactored dockerfiles for the build and docs folders. Updated use documentation. Added missing dependency for calabash. (PR #1005) @david-waltermire-nist +- #1020 Updated documentation around using the content converters. (PR #1027, #1055) @wendellpiez +- #1025 Fixed SyntaxWarning for content validator oscal-content-validator.py (PR #1026) @bradh, @david-waltermire-nist +- #1037 Clarify data types docs for param insert (PR #1112) +- #1039, #1040, #1041, #1042, #1046 Updated the profile resolution specification (PR #1014, #1017) @stephenbanghart +- #1044 Added warnings for non-required UUID flags. @david-waltermire-nist +- #1053 Make @control-id for alter statements in profile required (PR #1111) @aj-stein-nist +- #1067 Fix enum typo from inteneral->internal (PR #1110) @aj-stein-nist +- #1102 Some Docker container improvements for local web development and testing for PRs (PR #1103) @aj-stein-nist +- #1107 Incorporating processing directives that support schematron validation of Metaschema-based models (#1108) @aj-stein-nist +- usnistgov/oscal-content/#59 Convert File Type for Files or Remote Hyperlinks in Continuous Deployment (PR #1010, 1070) @ohsh6o, @david-waltermire-nist +- Fixed broken branch configuration for the metaschema submodule (PR #991) @ohsh60 +- Fixed OSCAL constraints in Metaschemas. Fixing Metapath syntax errors. (PR #1012, #1065) @david-waltermire-nist +- Repaired a bug report on a missed control; adding test files (PR #1013) @wendellpiez +- Removed duplicate json import in oscal-content-validator.py (PR #1077) @flickerfly +- Improvements to XSLT-based profile resolver (PR #1071) @wendellpiez +- Added requirements.txt for oscal-content-validator.py (PR #1077) @guyzyl +- Add support for yaml OSCAL files validation (PR #1091) @guyzyl, @aj-stein-nist +- Updated contributing and pull request documentation for External Developers (#1094) @aj-stein-nist +- Bump addressable from 2.7.0 to 2.8.0 in /docs (PR #994) @dependabot +- Bump nokogiri from 1.11.5 to 1.12.5 in /docs (PR #1029) @dependabot +- Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python (PR #1096) @dependabot + +### Website changes + +- #739 Fixed 404 error when using the "Improve this page" link. (PR #995) @EasyDynamics, @david-waltermire-nist +- #854 Added a Component Tutorial to Website (PR #935, #1015) @Rene2mt, @david-waltermire-nist +- #860 Updated model reference documentation to better clarify the scope and uniqueness of identifiers used within the OSCAL models. (PR #941) @Rene2mt, @david-waltermire-nist, @aj-stein-nist +- #947 Fixed a number of typos (PR #955) @david-waltermire-nist +- #968 Fixed broken and stale links in model documentation. (PR #973) @david-waltermire-nist +- #993 Updating tools page to use a table. Added Compliance Tressle. @iMichaela, @david-waltermire-nist +- #996 Added blogs to website. @david-waltermire-nist +- #1049 Added control freak to the OSCAL tools page (PR #1104) @aj-stein-nist +- Fixed prop syntax in validation component tutorial. (PR #999) @ohsh60 +- Added link to EasyDynamics OSCAL tools (PR #1009) @afeld +- Adding link to XML Jelly Sandwich OSCAL demos (PR #1016) @wendellpiez +- Updated the Lunch with Devs meeting info and Tools page to include new meeting info (PR #1045) @iMichaela, @david-waltermire-nist + ## OSCAL 1.0.0 Release The following changes were made in OSCAL 1.0.0 since OSCAL 1.0.0 Release Candidate (RC) 2. diff --git a/src/release/README.txt b/src/release/README.txt index fdcb40d59c..994ce17510 100644 --- a/src/release/README.txt +++ b/src/release/README.txt @@ -1,8 +1,9 @@ # The Open Security Controls Assessment Language (OSCAL) -NIST is developing OSCAL as a set of machine-readable data exchange formats, referred to as "OSCAL models" (https://pages.nist.gov/OSCAL/documentation/schema/). These models enable organizations to express and exchange detailed, security and privacy control-related information in an implementation neutral way that spans the needs of multiple industries and compliance regimes. NIST is facilitating the creation and maintenance of the core OSCAL models. These models are provided in Extensible Markup Language (XML), JavaScript Object Notation (JSON), and YAML Ain't Markup Language (YAML) formats that are synchronized allowing them to represent the same information. OSCAL has been designed to be extended by other organizations to address industry-specific, compliance-specific, or organization-specific content. +NIST is developing OSCAL as a set of machine-readable data exchange formats, referred to as "OSCAL models" (https://pages.nist.gov/OSCAL/concepts/layer/). These models enable organizations to express and exchange detailed, security and privacy control-related information in an implementation neutral way that spans the needs of multiple industries and compliance regimes. NIST is facilitating the creation and maintenance of the core OSCAL models. These models are provided in Extensible Markup Language (XML), JavaScript Object Notation (JSON), and YAML Ain't Markup Language (YAML) formats that are synchronized allowing them to represent the same information. OSCAL has been designed to be extended by other organizations to address industry-specific, compliance-specific, or organization-specific content. More information about OSCAL can be found on the OSCAL Project Website: https://nist.gov/oscal. +Documentation for the OSCAL models can be found at: https://pages.nist.gov/OSCAL/reference/ # Release Contents diff --git a/src/release/release-notes.md b/src/release/release-notes.md index 6ae7409753..db8846a6e4 100644 --- a/src/release/release-notes.md +++ b/src/release/release-notes.md @@ -1,3 +1,3 @@ -# OSCAL 1.0.0 +# OSCAL 1.0.1 Full release notes can be found at: https://pages.nist.gov/OSCAL/reference/release-notes/ From ea55f5167608982b285967fdb2822613841fa158 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 30 Jan 2022 12:41:33 -0500 Subject: [PATCH 35/35] Adding release-* branched to artifact workflow. --- .github/workflows/metaschema-artifacts.yml | 1 + .github/workflows/validate-repo-markdown.yml | 2 ++ .github/workflows/website-artifacts.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/.github/workflows/metaschema-artifacts.yml b/.github/workflows/metaschema-artifacts.yml index 5e3f73ee6f..83c1b9f78f 100644 --- a/.github/workflows/metaschema-artifacts.yml +++ b/.github/workflows/metaschema-artifacts.yml @@ -2,6 +2,7 @@ on: push: branches: - main + - release-** paths: - 'src/metaschema/**' - '.github/workflows/metaschema-artifacts.yml' diff --git a/.github/workflows/validate-repo-markdown.yml b/.github/workflows/validate-repo-markdown.yml index df1cf4b6a2..e7a431732c 100644 --- a/.github/workflows/validate-repo-markdown.yml +++ b/.github/workflows/validate-repo-markdown.yml @@ -2,6 +2,8 @@ on: push: branches: - main + - develop + - release-** paths: - '!docs/**' - '**.md' diff --git a/.github/workflows/website-artifacts.yml b/.github/workflows/website-artifacts.yml index 7550a3c30f..db7ebe62a4 100644 --- a/.github/workflows/website-artifacts.yml +++ b/.github/workflows/website-artifacts.yml @@ -3,6 +3,7 @@ on: branches: - main - develop + - release-** tags: - "v*" paths: