Conditional parameter insertion for CM-06 in FedRAMP Profiles #288
Assignees
Labels
Scope: Content
Development of OSCAL content and examples.
User Story
Waiting for Action
Waiting for an external action to be taken
Milestone
Comments
david-waltermire
added
the
Scope: Modeling
|
I think this could be (more simply) a (Note the actual choice is between A and B-and-C; there are not three choices.) However I also think that new requirements might be added to the control as an amendment (alteration) in the profile -- and that at higher levels (SSP etc) there will have to be language addressing these, to satisfy the control as FedRAMP defines it. This is the simple solution ("it can be done by hand"). We could go further modeling the interdependencies but I think that probably needs to wait till we look more closely at the possibilities with |
|
@anweiss Do you think that @wendellpiez suggestion above would suffice? If not, let's address this in M2. |
|
@wendellpiez is it possible to delineate between "sub-choices" in this case? as in, can we tag "B" and "C" as "sub-choices" so it can be more clearly denoted? |
|
@anweiss not as currently modeled, no. There are also further ways to work around, which we could discuss. |
|
Thanks @wendellpiez. Maybe something to think about for M2, but otherwise, not a priority at the moment IMO. |
david-waltermire
added
Scope: Content
|
Will update profiles to reflect additional constraints. May need to seek approval since this deviates from the published baselines. |
|
@brianrufgsa Ok. We can put this issue on hold until the necessary approvals are completed. |
david-waltermire
added
the
Waiting for Action
|
This is being worked in PR #471. Need to confirm this has been completed before closing. |
|
Sprint 23 Progress Sep 5 @brianrufgsa could you please update on current status, in regard to CM-6 and in general? I believe our current models are adequate, but the acid test is in the FedRAMP data. |
|
This should have all been addressed in the latest FedRAMP profiles. @brianrufgsa to verify. |
4 tasks
wendellpiez
added a commit
to wendellpiez/OSCAL
that referenced
this issue
Sep 30, 2019
…v#288); release notes towards M2
wendellpiez
added a commit
to wendellpiez/OSCAL
that referenced
this issue
Sep 30, 2019
…v#288); release notes towards M2
wendellpiez
added a commit
to wendellpiez/OSCAL
that referenced
this issue
Sep 30, 2019
…v#288); release notes towards M2
david-waltermire
pushed a commit
to david-waltermire/OSCAL
that referenced
this issue
Sep 30, 2019
…v#288); release notes towards M2
david-waltermire
pushed a commit
to david-waltermire/OSCAL
that referenced
this issue
Oct 1, 2019
…v#288); release notes towards M2
david-waltermire
added a commit
that referenced
this issue
Oct 1, 2019
* Removed unnecessary metaschema check on json-value-key * Now implementing in-xml="with-wrapper | unwrapped" on markup multiline fields, with default `with-wrapper` and corresponding changes to catalog and profile metaschemas. * Updating catalog and profile schemas for (prose) unwrapping behavior * Renamed 'json-behavior' in Metaschema to 'in-json' for consistency with 'in-xml'. * Updating syntax in metaschemas 'in-json' for 'json-behavior' * Updating json converter generator to provide in-xml behavior 'GROUPED' * Refining json converter production from Metaschema * Repairing egregious syntax error * Rectify bug introduced with new feature * Adding support for 'date' and 'dateTime' datatypes, with no time zones (#480), including unit tests * Improvements and corrections to datatypes docs * More small repairs on datatypes descriptions (table markup) * Built out validations of allowed (enumerated) values, including Metaschema validation checks on whether given allowed values conform to their nominal type. * Straightening kinks in datatype metaschema meta-validation * More special handling of recalcitrant datatypes, this time 'NMTOKENS' and 'IDREFS' * Addressing #463, adding `id`, `class` and `title` to `group` in profiles. * Schematron improvements; documentation revisions (removing references to subcontrols) * New Schematron for SP800-53-style catalogs * Removed using in implementation to new metaschema for storage. Started on example, which is still invalid * More work on an example, which is still not valid * refactored schematron processing * more work on SSP example * Refactored generate-schema.sh to allow a metaschema to be provided on the CLI * refactored SSP model to be more flat, while allowing component references * slight cleanup * old example * Fixed content generation * updated metaschema to new specs * fixed content errors * added metaschema examples * Updated metaschema example. * Adding 'prop' and 'part' to Profile Metaschema per #463 * Added 'param' to profile 'group' model * JSON converter now properly handling flags assigned to assemblies identified by json key * Added 'sort-id' property to controls in SP800-53 catalog * Added support for direct generation of schema and converters * Minor updates to SSP example and metaschema * Adding computer build metaschema examples * Extending allowed-values support to fields; unit tests: #437 * More work on allowed-values, now in XSD with unit tests for #437 * Repairing small datatyping bug thanks to regression testing * Further adjustment for allowed-values in docs * Renamed unit tests, now working * Adding allowed-values unit tests * Addressing #452: cleaned up character handling in XML-to-JSON conversion. Fixed the bug this exposed in markdown->HTML conversion. Added some light unit testing. * More adjustments in view of comments to #452 * Repairing more bugs in character handling in Markdown and plain text, with unit testing: #452 * Improvements to Schematron for SP800-53 #400 * For #452, modified copy-and-convert script to suppress character-level post-processing in generated JSON; added unit tests for URIs to detect issues with solidus characters '/' * Edited docs, including datatypes page per #452 (regarding character escapes). * Cleanup metaschema valdiation errors * changed use of the ID and IDREF datatype to NCName * Removed ID and IDREF datatypes * refactored components out of ssp metaschema * Updated SP800-53 catalog and NIST profiles to current model * Added name to information type. * Continued refinement of the SSP model * Updated metadata syntax * changing CM-6 constraint to guidance * continued work on SSP * refactored responsible party to metadata * fixed validation issues * Fixed overriding enumerated values * Fixed content validation errors based on latest metaschema changes * Completed full pass through ssp model * added prop to resource * Fixed broken links in Markdown files. Small adjustments to SSP example. * FDixed relapath error caused when the generated schema directory doesn't exist. Also attempting a fix for CircleCI colorized escape codes causing extra characters to appear. * Fixed validation issue with component metaschema * attempting to fix extra characters in CircleCI colorized messages * Updated enumerated values to remove values that should appear in a given context * quick reordering of elements * hardcode ascii color codes * Fixing broken links in readmes; file name update for consistency * added unit tests for bug * fixed color escaping in scripts * Removed bogus unit test and fixed a small cardinality issue in the SSP model * Improvements to docs generation * Added JSON value keys to fields with flags (that did not have them) * Bug reduction in XSD production mainly related to datatypes and allowed values * Fixing glitch in JSON converter generator * Adjustments repairing Metaschema issues * CSS tweak in docs (model maps to use USWDS font) * Adding to Milestone 2 release notes (in progress) * Change to parameter setting in profile model (#494, #288); release notes towards M2 * Small improvements to copy in release notes (draft) * Updating metaschemas to latest syntax, with improved Metaschema Schematron and unit test tweakage * Adjustments to flag unit test and release notes * SSP Metaschema review and update * cleanup of unused role-id field * reflactored role-id * updated documentation for release. * cleanup of IDs * Minor schema and metaschema improvements * M1 to M2 content converter * Merging local and upstream changes to json example * Relaxing rule over 'ID' flag to accept any string not only XML NCName * reorganizing content for release * more file moves * Fixed changed path * Updated FedRAMP profiles and catalog to current models * Bug fix to XML-to-JSON converter generator * Fixed copy script * Updated FedRAMP baselines and catalog to match new metaschema syntax * fixed merge error * fixed another merge error * fixed spelling issues * Fix from Wendell
bradh
pushed a commit
to bradh/OSCAL
that referenced
this issue
Dec 4, 2019
* Removed unnecessary metaschema check on json-value-key * Now implementing in-xml="with-wrapper | unwrapped" on markup multiline fields, with default `with-wrapper` and corresponding changes to catalog and profile metaschemas. * Updating catalog and profile schemas for (prose) unwrapping behavior * Renamed 'json-behavior' in Metaschema to 'in-json' for consistency with 'in-xml'. * Updating syntax in metaschemas 'in-json' for 'json-behavior' * Updating json converter generator to provide in-xml behavior 'GROUPED' * Refining json converter production from Metaschema * Repairing egregious syntax error * Rectify bug introduced with new feature * Adding support for 'date' and 'dateTime' datatypes, with no time zones (usnistgov#480), including unit tests * Improvements and corrections to datatypes docs * More small repairs on datatypes descriptions (table markup) * Built out validations of allowed (enumerated) values, including Metaschema validation checks on whether given allowed values conform to their nominal type. * Straightening kinks in datatype metaschema meta-validation * More special handling of recalcitrant datatypes, this time 'NMTOKENS' and 'IDREFS' * Addressing usnistgov#463, adding `id`, `class` and `title` to `group` in profiles. * Schematron improvements; documentation revisions (removing references to subcontrols) * New Schematron for SP800-53-style catalogs * Removed using in implementation to new metaschema for storage. Started on example, which is still invalid * More work on an example, which is still not valid * refactored schematron processing * more work on SSP example * Refactored generate-schema.sh to allow a metaschema to be provided on the CLI * refactored SSP model to be more flat, while allowing component references * slight cleanup * old example * Fixed content generation * updated metaschema to new specs * fixed content errors * added metaschema examples * Updated metaschema example. * Adding 'prop' and 'part' to Profile Metaschema per usnistgov#463 * Added 'param' to profile 'group' model * JSON converter now properly handling flags assigned to assemblies identified by json key * Added 'sort-id' property to controls in SP800-53 catalog * Added support for direct generation of schema and converters * Minor updates to SSP example and metaschema * Adding computer build metaschema examples * Extending allowed-values support to fields; unit tests: usnistgov#437 * More work on allowed-values, now in XSD with unit tests for usnistgov#437 * Repairing small datatyping bug thanks to regression testing * Further adjustment for allowed-values in docs * Renamed unit tests, now working * Adding allowed-values unit tests * Addressing usnistgov#452: cleaned up character handling in XML-to-JSON conversion. Fixed the bug this exposed in markdown->HTML conversion. Added some light unit testing. * More adjustments in view of comments to usnistgov#452 * Repairing more bugs in character handling in Markdown and plain text, with unit testing: usnistgov#452 * Improvements to Schematron for SP800-53 usnistgov#400 * For usnistgov#452, modified copy-and-convert script to suppress character-level post-processing in generated JSON; added unit tests for URIs to detect issues with solidus characters '/' * Edited docs, including datatypes page per usnistgov#452 (regarding character escapes). * Cleanup metaschema valdiation errors * changed use of the ID and IDREF datatype to NCName * Removed ID and IDREF datatypes * refactored components out of ssp metaschema * Updated SP800-53 catalog and NIST profiles to current model * Added name to information type. * Continued refinement of the SSP model * Updated metadata syntax * changing CM-6 constraint to guidance * continued work on SSP * refactored responsible party to metadata * fixed validation issues * Fixed overriding enumerated values * Fixed content validation errors based on latest metaschema changes * Completed full pass through ssp model * added prop to resource * Fixed broken links in Markdown files. Small adjustments to SSP example. * FDixed relapath error caused when the generated schema directory doesn't exist. Also attempting a fix for CircleCI colorized escape codes causing extra characters to appear. * Fixed validation issue with component metaschema * attempting to fix extra characters in CircleCI colorized messages * Updated enumerated values to remove values that should appear in a given context * quick reordering of elements * hardcode ascii color codes * Fixing broken links in readmes; file name update for consistency * added unit tests for bug * fixed color escaping in scripts * Removed bogus unit test and fixed a small cardinality issue in the SSP model * Improvements to docs generation * Added JSON value keys to fields with flags (that did not have them) * Bug reduction in XSD production mainly related to datatypes and allowed values * Fixing glitch in JSON converter generator * Adjustments repairing Metaschema issues * CSS tweak in docs (model maps to use USWDS font) * Adding to Milestone 2 release notes (in progress) * Change to parameter setting in profile model (usnistgov#494, usnistgov#288); release notes towards M2 * Small improvements to copy in release notes (draft) * Updating metaschemas to latest syntax, with improved Metaschema Schematron and unit test tweakage * Adjustments to flag unit test and release notes * SSP Metaschema review and update * cleanup of unused role-id field * reflactored role-id * updated documentation for release. * cleanup of IDs * Minor schema and metaschema improvements * M1 to M2 content converter * Merging local and upstream changes to json example * Relaxing rule over 'ID' flag to accept any string not only XML NCName * reorganizing content for release * more file moves * Fixed changed path * Updated FedRAMP profiles and catalog to current models * Bug fix to XML-to-JSON converter generator * Fixed copy script * Updated FedRAMP baselines and catalog to match new metaschema syntax * fixed merge error * fixed another merge error * fixed spelling issues * Fix from Wendell
aj-stein-nist
referenced
this issue
in aj-stein-nist/OSCAL-forked
Jan 25, 2023
* Removed unnecessary metaschema check on json-value-key * Now implementing in-xml="with-wrapper | unwrapped" on markup multiline fields, with default `with-wrapper` and corresponding changes to catalog and profile metaschemas. * Updating catalog and profile schemas for (prose) unwrapping behavior * Renamed 'json-behavior' in Metaschema to 'in-json' for consistency with 'in-xml'. * Updating syntax in metaschemas 'in-json' for 'json-behavior' * Updating json converter generator to provide in-xml behavior 'GROUPED' * Refining json converter production from Metaschema * Repairing egregious syntax error * Rectify bug introduced with new feature * Adding support for 'date' and 'dateTime' datatypes, with no time zones (usnistgov#480), including unit tests * Improvements and corrections to datatypes docs * More small repairs on datatypes descriptions (table markup) * Built out validations of allowed (enumerated) values, including Metaschema validation checks on whether given allowed values conform to their nominal type. * Straightening kinks in datatype metaschema meta-validation * More special handling of recalcitrant datatypes, this time 'NMTOKENS' and 'IDREFS' * Addressing usnistgov#463, adding `id`, `class` and `title` to `group` in profiles. * Schematron improvements; documentation revisions (removing references to subcontrols) * New Schematron for SP800-53-style catalogs * Removed using in implementation to new metaschema for storage. Started on example, which is still invalid * More work on an example, which is still not valid * refactored schematron processing * more work on SSP example * Refactored generate-schema.sh to allow a metaschema to be provided on the CLI * refactored SSP model to be more flat, while allowing component references * slight cleanup * old example * Fixed content generation * updated metaschema to new specs * fixed content errors * added metaschema examples * Updated metaschema example. * Adding 'prop' and 'part' to Profile Metaschema per usnistgov#463 * Added 'param' to profile 'group' model * JSON converter now properly handling flags assigned to assemblies identified by json key * Added 'sort-id' property to controls in SP800-53 catalog * Added support for direct generation of schema and converters * Minor updates to SSP example and metaschema * Adding computer build metaschema examples * Extending allowed-values support to fields; unit tests: usnistgov#437 * More work on allowed-values, now in XSD with unit tests for usnistgov#437 * Repairing small datatyping bug thanks to regression testing * Further adjustment for allowed-values in docs * Renamed unit tests, now working * Adding allowed-values unit tests * Addressing usnistgov#452: cleaned up character handling in XML-to-JSON conversion. Fixed the bug this exposed in markdown->HTML conversion. Added some light unit testing. * More adjustments in view of comments to usnistgov#452 * Repairing more bugs in character handling in Markdown and plain text, with unit testing: usnistgov#452 * Improvements to Schematron for SP800-53 #400 * For usnistgov#452, modified copy-and-convert script to suppress character-level post-processing in generated JSON; added unit tests for URIs to detect issues with solidus characters '/' * Edited docs, including datatypes page per usnistgov#452 (regarding character escapes). * Cleanup metaschema valdiation errors * changed use of the ID and IDREF datatype to NCName * Removed ID and IDREF datatypes * refactored components out of ssp metaschema * Updated SP800-53 catalog and NIST profiles to current model * Added name to information type. * Continued refinement of the SSP model * Updated metadata syntax * changing CM-6 constraint to guidance * continued work on SSP * refactored responsible party to metadata * fixed validation issues * Fixed overriding enumerated values * Fixed content validation errors based on latest metaschema changes * Completed full pass through ssp model * added prop to resource * Fixed broken links in Markdown files. Small adjustments to SSP example. * FDixed relapath error caused when the generated schema directory doesn't exist. Also attempting a fix for CircleCI colorized escape codes causing extra characters to appear. * Fixed validation issue with component metaschema * attempting to fix extra characters in CircleCI colorized messages * Updated enumerated values to remove values that should appear in a given context * quick reordering of elements * hardcode ascii color codes * Fixing broken links in readmes; file name update for consistency * added unit tests for bug * fixed color escaping in scripts * Removed bogus unit test and fixed a small cardinality issue in the SSP model * Improvements to docs generation * Added JSON value keys to fields with flags (that did not have them) * Bug reduction in XSD production mainly related to datatypes and allowed values * Fixing glitch in JSON converter generator * Adjustments repairing Metaschema issues * CSS tweak in docs (model maps to use USWDS font) * Adding to Milestone 2 release notes (in progress) * Change to parameter setting in profile model (usnistgov#494, #288); release notes towards M2 * Small improvements to copy in release notes (draft) * Updating metaschemas to latest syntax, with improved Metaschema Schematron and unit test tweakage * Adjustments to flag unit test and release notes * SSP Metaschema review and update * cleanup of unused role-id field * reflactored role-id * updated documentation for release. * cleanup of IDs * Minor schema and metaschema improvements * M1 to M2 content converter * Merging local and upstream changes to json example * Relaxing rule over 'ID' flag to accept any string not only XML NCName * reorganizing content for release * more file moves * Fixed changed path * Updated FedRAMP profiles and catalog to current models * Bug fix to XML-to-JSON converter generator * Fixed copy script * Updated FedRAMP baselines and catalog to match new metaschema syntax * fixed merge error * fixed another merge error * fixed spelling issues * Fix from Wendell
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User Story:
As an OSCAL profile maintainer, I have the ability to define dynamic parameters based on certain requirements. While not a common scenario, a specific example can be found with
cm-6_prm_1and the FedRAMP Profiles. The FedRAMP High and Moderate profiles simply define one value forcm-6_prm_1, which isUnited States Government Configuration Baseline (USGCB). However, the FedRAMP profiles also list two custom requirements forcm-6.abut that aren't defined as parameter values:These requirements (if met), can be interpreted as conditional (dynamic) values for parameter
cm-6_prm_1. However, there's no way to define any sort of conditional parameter value. Instead, the entirety of the text would have to be inserted intocm-6_prm_1and interpreted as something like the following:Some sort of multi-
constraintlogic would be helpful. This could likely be accomplished with the "declarations" model that allows one to apply attributes to theconstraintelements for defining any sort of custom logic defined by profile maintainers.Goals:
More granular parameter insertion logic can be defined and parsed.
Dependencies:
Related to #14, #106, #66.
Acceptance Criteria
Conditional logic can be applied to parameter insertions to allow for dynamic parameters.
The text was updated successfully, but these errors were encountered: