Patching control info at arbitrary granularity / addressability of control contents

[wendellpiez]

At time of writing, we can patch at the "statement" level by specifying the deletion of control contents (parts, properties) and by augmenting controls (and subcontrols) with arbitrary contents (including new parts and properties to replace or supplement the old ones). But we do not have the capability to patch at finer levels of granularity -- for example, by removing or adding a single item to an 'objective' hierarchy (see //part[@class='objective'] in SP800-53).

Goals

Extend the addressing capabilities of alter elements in profiles so elements at arbitrary levels of granularity can be patched (contents edited/overwritten) in catalogs or (resolved) profiles being called. Demonstrate the capability in profile resolution (and display) logic.

Dependency

Examples demonstrating use cases in scope. Patching a single item inside an 'objective' hierarchy could be one. A pathological example might have to be created for very narrow patches such as a single list item inside a list.

NB that when deleting ol/li, the remaining ol/li in a list will be renumbered in (dynamic) display, so no "hole" ("missing list item") is visible. Entire statements (part elements) with labels, when removed, will however show jumps in numbering (where numbers are actually properties of the OSCAL statements, not display-time). Examples should illustrate this distinction.

Acceptance Criteria

• New examples(s) are added to the mini-testing library demonstrating these capabilities. They are commented and documented appropriately.
• Both removal/deletion of (granular) elements from controls, and augmentation/adding (at the point of address) are demonstrated.
• The solution including any syntax rules is documented for implementors. This includes discussion of when "holes will be visible" (as when statements with labels or visible names are removed) or not, as described above.

Notes

It is tempting to think about a little addressing language (I have notes), and somewhat daunting to think about its implementation. (Even if here we need to address within the scope of a single control/subcontrol, not arbitrarily in document or global scope.)

A consideration is that for deletion, selecting multiple elements (contents) at once is a feature, but for augmenting -- can a single patch affect multiple locations? Evidently, we need to be able to address specific elements, i.e. things like item[2] or item[2] description. A bare-bones version could permit addressing by ID (#id) or index (item[2]). XPath 1.0 could also offer an escape hatch (albeit with a new dependency).

[wendellpiez]

Suggest postponing this as not essential for Milestone 1, pending further development of requirements. It is likely this issue will come up again as we test and develop support for tailoring in the profile model.

[david-waltermire]

@wendellpiez Can you summarize what still needs to be done on this issue?

[wendellpiez]

@david-waltermire-nist : this issue captures a what-if scenario, which we have not actually seen. It describes a hypothetical requirement given the present opacity of arbitrary-content-floating-in-prose. Eventually such requirements are likely to arise in the real world. But we do not know when, maybe not soon. Also there are workarounds.

Also, the design shortcoming this Issue addresses will only become an issue once we have profile resolution running dependably (it was in prototype when the Issue was composed), and can demonstrate and test patching, period.

In other words, this Issue has a dependency on another, namely "demonstrate profile resolution to show results of applying a profile to a catalog", which we could put in front of it.

[david-waltermire]

We should identify a new set of issues to complete to address this.

[wendellpiez]

Sprint 23 Progress Sep 3

We need to return to requirements definition for this, preferably with real-world examples or use cases in mind.

Looking at how well FedRAMP requirements are being met could be also be a start.

[wendellpiez]

Also note that addressing this implies we have catalog resolution working in which to test it ...

[brian-ruf]

Real-world example: AC-2 in FedRAMP Tailored for Low Impact (LI) SaaS (found [HERE] (https://www.fedramp.gov/assets/resources/templates/APPENDIX-B-FedRAMP-Tailored-LI-SaaS-Template.docx) in Section 14.1), which reads as follows:

The organization:
	(a)	Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
	(b)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(c)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(d)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(e)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(f)	Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
	(g)	Monitors the use of information system accounts; and
	(h)	Notifies account managers:
		(1)	When accounts are no longer required;
		(2)	When users are terminated or transferred; and
		(3)	When individual information system usage or need-to-know changes
	(i)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(j)	[Excluded from FedRAMP Tailored for LI-SaaS]
	(k)	[Excluded from FedRAMP Tailored for LI-SaaS]

We initially modeled it like this:

		<alter control-id="ac-2">
			<remove id-ref="ac-2_smt.b" />
			<remove id-ref="ac-2_smt.c" />
			<remove id-ref="ac-2_smt.d" />
			<remove id-ref="ac-2_smt.e" />
			<remove id-ref="ac-2_smt.i" />
			<remove id-ref="ac-2_smt.j" />
			<remove id-ref="ac-2_smt.k" />
			<add position="ending">
				<prop name='assess' class='tailored-designation' ns='fedramp' />
				<part id="ac-2_fr" name="item" ns="fedramp">
					<title>AC-2 Additional FedRAMP Requirements and Guidance</title>
					<part id="ac-2_fr_gdn.1" name="guidance">
						<prop name="label">Guidance:</prop>
						<p>Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.</p>
					</part>
				</part>
			</add>
		</alter>

This is likely "good enough"; however, I would have liked to have modified (b), (c), (d), (e), (i), (j), and (k) to each include the text "[Excluded from FedRAMP Tailored for LI-SaaS]".

The existing syntax would have allowed me to first remove the statement, then add back in the "[Excluded from FedRAMP Tailored for LI-SaaS]"; however, the presentation sequence would no longer be correct. I would have had to insert these at the begging or end, when I needed to insert some in between other statements.

It is possible that the sequencing syntax added as a result of Issue #463 could address this issue. Once it is fully approved/available, we can revisit its applicability to this presentation issue.

[wendellpiez]

One option here would be to provide for a replace clause in addition to add and remove. I think replacement will not be an infrequent requirement.

Another could be to support a value of "replace" on add/@position. This overloads "position" slightly but not in a way that breaks it (I don't think). Its semantics might be harder to make sense of -- we would have to stipulate that anything inside replaces something with the same id (wouldn't we?).

However, I also like the "good enough" approach, assuming users actually think it is good enough.

Finally, I note that the desired rendition (listing the removed items explicitly in the display as 'removed') could indeed be produced automatically by a process that had the original control along with the profile's alteration of it. One way of treating this issue is as a display requirement for profiles: show the places where things are removed.

[david-waltermire]

@wendellpiez Can you review this issue and note what work still needs to be done?

[wendellpiez]

I'd like to hear from @brianrufgsa looking at the AC-2 example cited above.

Specifically, how about the following? It is literalistic, but it captures the information does it not?

Alternatively - apart from this example - can we restate the functional gap being identified here, and current capabilities?

<alter control-id="ac-2">
    <remove id-ref="ac-2_smt.b" />
    <remove id-ref="ac-2_smt.c" />
    <remove id-ref="ac-2_smt.d" />
    <remove id-ref="ac-2_smt.e" />
    <remove id-ref="ac-2_smt.i" />
    <remove id-ref="ac-2_smt.j" />
    <remove id-ref="ac-2_smt.k" />
    <add id-ref="ac-2-_smt.b">
        <part id="ac-2_smt.b" name="item">
            <prop name="label">b.</prop>
            <p>[Excluded from FedRAMP Tailored for LI-SaaS]</p>
        </part>
    </add>
    <add id-ref="ac-2-_smt.c">
        <part id="ac-2_smt.c" name="item">
            <prop name="label">c.</prop>
            <p>[Excluded from FedRAMP Tailored for LI-SaaS]</p>
        </part>
    </add>
[ Etc ...]
</alter>

-- This would achieve the intended rendition. OTOH I kind of like your solution, which is lighter-weight.

[david-waltermire]

I think we should close this issue in favor of creating more specific issues that address specific, individual tailoring features that need to be added.