Add Post-OSCAL Still Conventional Attachments #106

GaryGapinski · 2021-06-18T18:01:58Z

additionally add Privacy-related constraints

- additionally add Privacy-related constraints

-change "lacks" to "has" - remove comments from consolidation

- SP 800-60v2r1 checks are separate

ohsh6o

Quick review because you brought it up in stand-up, but it is still not on the board and marked draft. Some quick thoughts in either case.

resources/validations/src/ssp-additions.sch

ohsh6o · 2021-06-21T15:50:50Z

resources/validations/src/ssp-additions.sch

+                <sch:value-of
+                    select="$path" /> has no reference within the document</sch:assert>


NB: This should have more positive language, correct?

Suggested change

<sch:value-of

select="$path" /> has no reference within the document</sch:assert>

<sch:value-of

select="$path" /> SHOULD optionally have a reference within the document (but does not)</sch:assert>

Good suggestion.

resources/validations/src/ssp-additions.sch

ohsh6o · 2021-06-21T15:59:34Z

resources/validations/src/ssp-additions.sch

+        <sch:title>A FedRAMP SSP must incorporate one policy document and one procedure document for each of the 17 NIST SP 800-54r4 control
+            families</sch:title>
+
+        <!-- TODO: handle attachments declared by component (see implemented-requirement ac-1 for an example) -->


B: So is this still correct and the componentized attachments are not supported?

The consensus with the OSCAL developers appeared (twice) to be that inventory-items should hold the related attributes and that "inheritance" should not be used. This did not have certitude, so we could restore inheritance were that to be the final resolution.

I was confused because, in our last NIST sync meeting, you acknowledged their advice. Then you said something along the lines subsequently in different later meeting between you, Dan, and I that you would keep it anyway, since you saw it as unwise to throw it out. I was surprised, but you suggested it was not such a big deal since the code was implemented and there was no reason to roll it back.

Am I mistaken?

I do not think you are mistaken. I will overlay component inheritance on the system inventory after a get a clean unit test on system-inventory-less-component-inheritance.

I do not think there is any other way to reduce the complexity+redundancy of inventory properties other than to use component inheritance. However, that will be a novel type of system inventory representation to FedRAMP reviewers. I presume, that a transform from OSCAL to traditional FedRAMP system inventory will be desired if not necessary.

resources/validations/src/ssp-additions.sch

Co-authored-by: Alexander Stein <61464190+ohsh6o@users.noreply.github.com>

…omation.git into composite-schematron

- tweak base64 content validation

github-actions · 2021-06-22T08:58:12Z

XSpec Test Results

  1 files ±0   2 suites ±0 0s ⏱️ ±0s
59 tests ±0 47 ✔️ ±0 12 💤 ±0 0 ❌ ±0

Results for commit f99e433. ± Comparison against base commit c729539.

GaryGapinski · 2021-07-01T03:44:58Z

This is closed (obviated) by #108.

@target-id

* Update submodule and configuration for submodule. The usnistgov/OSCAL repo has a `main` branch, `master has been deprecated and removed. * Updated content with content-upgrade transforms. * Check Fix SSP errors fixed. * Update prop with `-ref` suffixes to `by-` prefixes. * Add explicit XSD validation checking with xm-model PI. * Update `CORE` and `response-point` props. Other fixes. * More fixes. * Switch from @id-ref to @target-id. * Adjust status/state to status/@State. * Logical content touchups, lots of target additions. * Mixed up status/@State enum value. Made a small slip in `/assessment-results//target/status/@state`. * Base on resolution and current NIST SP800-53 catalog. Fix errors like this: ``` /oscal/baselines/rev4/xml/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.xml:4175: element select: Schemas validity error : Element '{http://csrc.nist.gov/ns/oscal/1.0}select', attribute 'how-many': [facet 'pattern'] The value 'one or more' is not accepted by the pattern '[\i-[:𐀀-ó¯¿¿]][Resolved profile '/oscal/baselines/rev4/xml/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.xml' is not a valid OSCAL catalog. ```

Add Post-OSCAL Still Conventional Attachments

c948670

- additionally add Privacy-related constraints