Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenControl mappings and schema merger #72

Closed
anweiss opened this issue Nov 29, 2017 · 6 comments
Closed

OpenControl mappings and schema merger #72

anweiss opened this issue Nov 29, 2017 · 6 comments
Assignees
@anweiss @akarmel
Labels
Discussion Needed This issues needs to be reviewed by the OSCAL development team.

Comments

@anweiss
Copy link
Contributor

anweiss commented Nov 29, 2017
edited
Loading

Issue for tracking current OpenControl schema and mappings and how best to merge OSCAL in to that community.

Initial discussion items below (moved from #68) ... CC @gregelin:

  • OpenControl schema to OSCAL schema mappings:

    OSCAL component OpenControl type
    catalog standard
    profile certification
    Implementation
    Assessment
    Assessment Results    		 component

  • As of today, the OSCAL "catalog" and "profile" are far more robust than the equivalent OpenControl "standard" and "certification" types

    • OpenControl's "standard" type merely consists of maps of strings to represent a control catalog (e.g. 800-53) -> example
    • OpenControl's "certification" type is just a map of maps whose keys represent each of the controls included within a baseline (e.g. FedRAMP Moderate, etc) and whose values are empty -> example
    • OpenControl's "component" type does already incorporate elements that are assumed to also be defined in the equivalent OSCAL "implementation", "assessment" and "assessment results" once developed

  • OpenControl does have the advantage of being strictly YAML-based which offers for pure human readability (vs. JSON and XML whose priorities are not for human readability)

    • What one sacrifices in terms of modeling and domain-driven capabilities of XML, one gains in human readability of YAML

  • YAML is a superset of JSON

  • Since JSON is merely a subset of YAML, changing the OpenControl schema to utilize equilvalent JSON-formatted OSCAL terminology and tags is very straightforward ... and at that point, replacement of the equivalent OpenControl schema with OSCAL could be feasible

  • Where things could get interesting is that we could take advantage of the nature of YAML's human readable format to create "lightweight" OSCAL components where we strip out what doesn't map well from XML/JSON

    • OpenControl could then house the "lightweight" OSCAL and shift its focus towards tooling for the consumption of OSCAL, generation of SSPs, etc ... and become more of a community of practice for authorization, security and audit professionals for ATO best practices, FISMA, etc

  • YAML anchors, references and extend types enable re-use and better meshing of elements than what JSON can do ... quick overview of these features here

  • Sample OSCAL YAML for comparison can be found in [do not merge] yaml examples #69

  • 11/15 OpenControl community discussion highlights:

    • the focus was much less on the existing OpenControl schema and instead how the OpenControl umbrella could be used to address challenges orgs are facing with RMF, authorization processes/boundaries, reciprocity, and defining a common framework for automating compliance
    • At the current time, the OpenControl schema is by no means formalized nor an end-all-be-all, and IMHO can be replaced by OSCAL. With that being said, there are a few vendors that have embraced the OpenControl YAML format and would need to make engineering changes to adopt OSCAL. As such, OSCAL should be easily adoptable in those scenarios
@anweiss anweiss mentioned this issue Nov 30, 2017
Closed
david-waltermire added a commit that referenced this issue Apr 3, 2018
@david-waltermire
# This is a combination of 29 commits.
5b13d9d 
# The first commit's message is:

# This is a combination of 54 commits.
# The first commit's message is:

# This is a combination of 4 commits.
# The first commit's message is:

# This is a combination of 2 commits.
# The first commit's message is:

# This is a combination of 2 commits.
# The first commit's message is:

# This is a combination of 6 commits.
# The first commit's message is:

# This is a combination of 3 commits.
# The first commit's message is:

# This is a combination of 111 commits.
# The first commit's message is:

Initial commit of docs branch.

# This is the commit message #2:

Create CONTRIBUTING.md
# This is the commit message #3:

Create ROADMAP.md
# This is the commit message #4:

Update README.md
# This is the commit message #5:

Create README.md
# This is the commit message #6:

Update README.md
# This is the commit message #7:

Update README.md
# This is the commit message #8:

Create OSCAL-PRODUCERS.md
# This is the commit message #9:

Create OSCAL-CONSUMERS.md
# This is the commit message #10:

Update and rename OSCAL-CONSUMERS.md to USERS.md
# This is the commit message #11:

Update and rename OSCAL-PRODUCERS.md to IMPLEMENTERS.md
# This is the commit message #12:

Rename CONTRIBUTING.md to CONTRIBUTORS.md
# This is the commit message #13:

Update README.md
# This is the commit message #14:

Update README.md
# This is the commit message #15:

Update USERS.md
# This is the commit message #16:

Update README.md
# This is the commit message #17:

Update IMPLEMENTERS.md
# This is the commit message #18:

Update README.md
# This is the commit message #19:

Update ROADMAP.md
# This is the commit message #20:

Update USERS.md
# This is the commit message #21:

Update CONTRIBUTORS.md
# This is the commit message #22:

Update README.md
# This is the commit message #23:

Update README.md
# This is the commit message #24:

Update IMPLEMENTERS.md
# This is the commit message #25:

Update IMPLEMENTERS.md
# This is the commit message #26:

Rename CONTRIBUTORS.md to CONTRIBUTING.md
# This is the commit message #27:

Create control.md
# This is the commit message #28:

Update control.md
# This is the commit message #29:

Update control.md
# This is the commit message #30:

Update control.md
# This is the commit message #31:

Update control.md
# This is the commit message #32:

Add files via upload
# This is the commit message #33:

Update control.md
# This is the commit message #34:

Create temp.md
# This is the commit message #35:

Delete NIST-SP-800-53-Rev4-AC1.png
# This is the commit message #36:

Add files via upload
# This is the commit message #37:

Delete temp.md
# This is the commit message #38:

Add files via upload
# This is the commit message #39:

Update control.md
# This is the commit message #40:

Add files via upload
# This is the commit message #41:

Add files via upload
# This is the commit message #42:

Update control.md
# This is the commit message #43:

Update CONTRIBUTING.md
# This is the commit message #44:

Update CONTRIBUTING.md
# This is the commit message #45:

Update USERS.md
# This is the commit message #46:

Update CONTRIBUTING.md
# This is the commit message #47:

Delete CONTRIBUTING.md
# This is the commit message #48:

Delete USERS.md
# This is the commit message #49:

Add files via upload
# This is the commit message #50:

Delete CSA-CCM-IAM02.png
# This is the commit message #51:

Update control.md
# This is the commit message #52:

Update control.md
# This is the commit message #53:

Update control.md
# This is the commit message #54:

Update control.md
# This is the commit message #55:

Update control.md
# This is the commit message #56:

Update control.md
# This is the commit message #57:

Update control.md
# This is the commit message #58:

Update control.md
# This is the commit message #59:

Update control.md
# This is the commit message #60:

Update control.md
# This is the commit message #61:

Delete NIST-SP-800-53-AC1-in-OSCAL-XML.png
# This is the commit message #62:

Update README.md
# This is the commit message #63:

Update control.md
# This is the commit message #64:

Update control.md
# This is the commit message #65:

Add files via upload
# This is the commit message #66:

Delete ISO-27001-Control-A9.png
# This is the commit message #67:

Update control.md
# This is the commit message #68:

Add files via upload
# This is the commit message #69:

Add files via upload
# This is the commit message #70:

Delete ISO-27002-Control-9.1.1-part1.png
# This is the commit message #71:

Delete ISO-27002-Control-9.1.1-part2.png
# This is the commit message #72:

Update control.md
# This is the commit message #73:

Update control.md
# This is the commit message #74:

Update control.md
# This is the commit message #75:

Update control.md
# This is the commit message #76:

Update control.md
# This is the commit message #77:

Update README.md
# This is the commit message #78:

Update IMPLEMENTERS.md
# This is the commit message #79:

Add files via upload
# This is the commit message #80:

Delete oscal-layers.png
# This is the commit message #81:

Add files via upload
# This is the commit message #82:

Delete oscal-layers.png
# This is the commit message #83:

Add files via upload
# This is the commit message #84:

Update IMPLEMENTERS.md
# This is the commit message #85:

Update control.md
# This is the commit message #86:

Update IMPLEMENTERS.md
# This is the commit message #87:

Update control.md
# This is the commit message #88:

Rename IMPLEMENTERS.md to docs/prose/IMPLEMENTERS.md
# This is the commit message #89:

Rename IMPLEMENTERS.md to implementers.md
# This is the commit message #90:

Rearranged and outlined catalog documentation based on the conversation with karen and Wendell.

# This is the commit message #91:

Create catalog-xml.md
# This is the commit message #92:

Rename control.md to catalog.md
# This is the commit message #93:

Update catalog.md
# This is the commit message #94:

Update catalog.md
# This is the commit message #95:

Update catalog.md
# This is the commit message #96:

Update catalog-xml.md
# This is the commit message #97:

Update catalog-xml.md
# This is the commit message #98:

Update catalog-xml.md
# This is the commit message #99:

Update catalog-xml.md
# This is the commit message #100:

Update catalog-xml.md
# This is the commit message #101:

Update catalog-xml.md
# This is the commit message #102:

Update catalog-xml.md
# This is the commit message #103:

Update catalog-xml.md
# This is the commit message #104:

Update catalog-xml.md
# This is the commit message #105:

Update catalog-xml.md
# This is the commit message #106:

Docset migration to Slate

# This is the commit message #107:

Removing unused file.

# This is the commit message #108:

Update README.md

Corrected a typo
# This is the commit message #109:

Add files via upload

Graphical representation of OSCAL schemas aligned with Risk Management Framework steps and tasks.
# This is the commit message #110:

Create CONTRIBUTING.md
# This is the commit message #111:

Create ROADMAP.md
# This is the commit message #2:

Create README.md
# This is the commit message #3:

Update README.md
# This is the commit message #2:

Create OSCAL-PRODUCERS.md
# This is the commit message #3:

Create OSCAL-CONSUMERS.md
# This is the commit message #4:

Update and rename OSCAL-CONSUMERS.md to USERS.md
# This is the commit message #5:

Update and rename OSCAL-PRODUCERS.md to IMPLEMENTERS.md
# This is the commit message #6:

Rename CONTRIBUTING.md to CONTRIBUTORS.md
# This is the commit message #2:

Update USERS.md
# This is the commit message #2:

Update IMPLEMENTERS.md
# This is the commit message #2:

Update ROADMAP.md
# This is the commit message #3:

Update USERS.md
# This is the commit message #4:

Update CONTRIBUTORS.md
# This is the commit message #2:

Update IMPLEMENTERS.md
# This is the commit message #3:

Update IMPLEMENTERS.md
# This is the commit message #4:

Rename CONTRIBUTORS.md to CONTRIBUTING.md
# This is the commit message #5:

Create control.md
# This is the commit message #6:

Update control.md
# This is the commit message #7:

Update control.md
# This is the commit message #8:

Update control.md
# This is the commit message #9:

Update control.md
# This is the commit message #10:

Add files via upload
# This is the commit message #11:

Update control.md
# This is the commit message #12:

Create temp.md
# This is the commit message #13:

Delete NIST-SP-800-53-Rev4-AC1.png
# This is the commit message #14:

Add files via upload
# This is the commit message #15:

Delete temp.md
# This is the commit message #16:

Add files via upload
# This is the commit message #17:

Update control.md
# This is the commit message #18:

Add files via upload
# This is the commit message #19:

Add files via upload
# This is the commit message #20:

Update control.md
# This is the commit message #21:

Update CONTRIBUTING.md
# This is the commit message #22:

Update CONTRIBUTING.md
# This is the commit message #23:

Update USERS.md
# This is the commit message #24:

Update CONTRIBUTING.md
# This is the commit message #25:

Delete CONTRIBUTING.md
# This is the commit message #26:

Delete USERS.md
# This is the commit message #27:

Add files via upload
# This is the commit message #28:

Delete CSA-CCM-IAM02.png
# This is the commit message #29:

Update control.md
# This is the commit message #30:

Update control.md
# This is the commit message #31:

Update control.md
# This is the commit message #32:

Update control.md
# This is the commit message #33:

Update control.md
# This is the commit message #34:

Update control.md
# This is the commit message #35:

Update control.md
# This is the commit message #36:

Update control.md
# This is the commit message #37:

Update control.md
# This is the commit message #38:

Update control.md
# This is the commit message #39:

Delete NIST-SP-800-53-AC1-in-OSCAL-XML.png
# This is the commit message #40:

Update README.md
# This is the commit message #41:

Update control.md
# This is the commit message #42:

Update control.md
# This is the commit message #43:

Add files via upload
# This is the commit message #44:

Delete ISO-27001-Control-A9.png
# This is the commit message #45:

Update control.md
# This is the commit message #46:

Add files via upload
# This is the commit message #47:

Add files via upload
# This is the commit message #48:

Delete ISO-27002-Control-9.1.1-part1.png
# This is the commit message #49:

Delete ISO-27002-Control-9.1.1-part2.png
# This is the commit message #50:

Update control.md
# This is the commit message #51:

Update control.md
# This is the commit message #52:

Update control.md
# This is the commit message #53:

Update control.md
# This is the commit message #54:

Update control.md
# This is the commit message #2:

Update IMPLEMENTERS.md
# This is the commit message #3:

Add files via upload
# This is the commit message #4:

Delete oscal-layers.png
# This is the commit message #5:

Add files via upload
# This is the commit message #6:

Delete oscal-layers.png
# This is the commit message #7:

Add files via upload
# This is the commit message #8:

Update IMPLEMENTERS.md
# This is the commit message #9:

Update control.md
# This is the commit message #10:

Update IMPLEMENTERS.md
# This is the commit message #11:

Update control.md
# This is the commit message #12:

Rename IMPLEMENTERS.md to docs/prose/IMPLEMENTERS.md
# This is the commit message #13:

Rename IMPLEMENTERS.md to implementers.md
# This is the commit message #14:

Rearranged and outlined catalog documentation based on the conversation with karen and Wendell.

# This is the commit message #15:

Create catalog-xml.md
# This is the commit message #16:

Rename control.md to catalog.md
# This is the commit message #17:

Update catalog.md
# This is the commit message #18:

Update catalog.md
# This is the commit message #19:

Update catalog.md
# This is the commit message #20:

Update catalog-xml.md
# This is the commit message #21:

Update catalog-xml.md
# This is the commit message #22:

Update catalog-xml.md
# This is the commit message #23:

Update catalog-xml.md
# This is the commit message #24:

Update catalog-xml.md
# This is the commit message #25:

Update catalog-xml.md
# This is the commit message #26:

Update catalog-xml.md
# This is the commit message #27:

Update catalog-xml.md
# This is the commit message #28:

Update catalog-xml.md
# This is the commit message #29:

Fixed typos, updated repo documentation, and migrated documentation for use in Slate.

Corrected a typo (+4 squashed commit)

Squashed commit:

[6ada57f] Removing unused file.

[503ad71] Docset migration to Slate

[351257e] Update catalog-xml.md

[aae1e8b] Add files via upload

Graphical representation of OSCAL schemas aligned with Risk Management Framework steps and tasks.
@david-waltermire david-waltermire added the Discussion Needed This issues needs to be reviewed by the OSCAL development team. label Apr 5, 2018
@david-waltermire
Copy link
Contributor

We need to figure out what needs to be done to close this issue.

@david-waltermire david-waltermire modified the milestone: OSCAL 1.0 M2 Apr 6, 2018
@gregelin
Copy link

gregelin commented Apr 8, 2018

@david-waltermire-nist Could you please elaborate or list what needs to be figured out?

@david-waltermire
Copy link
Contributor

FYI, YAML files generated from OSCAL JSON files can now be found in the repository.

@afeld
Copy link
Contributor

afeld commented Nov 15, 2019

opencontrol/schemas#87

@david-waltermire
Copy link
Contributor

@gregelin I'd like to revisit this issue. On the 3/26/2020 Lunch with the Devs, the idea of driving some convergence between the OSCAL and OpenControl projects was brought up. Given that the OSCAL Catalog, Profile, and SSP models are maturing, and we are starting on the assessment layers, this might be a good time to strategize some on how to drive more convergance between these projects.

It might be good to have a call to discuss what we can achieve this year on this front. Any interest?

@david-waltermire david-waltermire added this to the Tools and Utilities milestone Mar 27, 2020
@david-waltermire
Copy link
Contributor

I am going to close this issue, since there has been no reported activity. We can reopen it if there is a need to do so.

@aj-stein-nist aj-stein-nist removed this from the Tools and Utilities milestone Jul 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anweiss anweiss

@akarmel akarmel

Labels
Discussion Needed This issues needs to be reviewed by the OSCAL development team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@gregelin @afeld @anweiss @david-waltermire @akarmel @aj-stein-nist