Augemnting reference and added implementation-status to component-def…

… per issue 1300.
usnistgov · Mar 28, 2024 · 054c0b7 · 054c0b7
1 parent 7a5098c
commit 054c0b7
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 28 deletions.
diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
@@ -475,39 +475,20 @@
       <assembly ref="set-parameter" max-occurs="unbounded">
         <group-as name="set-parameters" in-json="ARRAY"/>
       </assembly>
-      <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibilities" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
-      </assembly>
-
-      <!-- ADDED for SRM: Implementation Status and Shared Responsibility Assembly -->
-      <!-- <assembly ref="implementation-status">
+      <assembly ref="implementation-status">
         <remarks>
-          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
         </remarks>
       </assembly>
-      
-      <assembly ref="provided">
-        <group-as name="provided" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="responsibility">
+      <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibilities" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="inherited">
-        <group-as name="inherited" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="satisfied">
-        <group-as name="satisfied" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="export" max-occurs="1">
         <remarks>
-          <p>TODO: Documentation</p>
+          <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and it is expected to provide the declared <code>implementation-status</code> of the <code>implemented-requirement</code>.</p>
         </remarks>
-      </assembly> -->
-      <!-- END ADDED -->
-
+      </assembly>
+      <assembly ref="responsible-role" max-occurs="unbounded">
+        <group-as name="responsible-roles" in-json="ARRAY"/>
+      </assembly>
       <assembly ref="statement" max-occurs="unbounded">
         <group-as name="statements" in-json="ARRAY"/>
       </assembly>
@@ -562,8 +543,16 @@
       <assembly ref="link" max-occurs="unbounded">
         <group-as name="links" in-json="ARRAY"/>
       </assembly>
+      <assembly ref="implementation-status">
+        <remarks>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the statement of a control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
+        </remarks>
+      </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibilities" in-json="ARRAY"/>
+        <remarks>
+          <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and is expected to provide the declared <code>implementation-status</code> of the <code>statement</code>.</p>
+        </remarks>
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
         <group-as name="responsible-roles" in-json="ARRAY"/>

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
@@ -695,7 +695,13 @@
         <formal-name>Leveraged Authorization</formal-name>
         <description>A description of another authorized system from which this system inherits
           capabilities that satisfy security requirements. Another term for this concept is a <em>common
-          control provider</em>.</description>
+          control provider</em>.The information regarding the inheritable capabilities can be retrieved 
+        directly from the leveraging system's SSP (when available) and can be noted in the <code>ssp-uuid</code> flag, 
+        or from a <code>shared-responsibility</code> instance of the system, when the leveraging system's SSP  
+        is not available (docuemnted in this case by the <code>sr-uuid</code> flag). 
+        Additionally, when the leveraging system's SSP is available in OSCAL, the 
+        <em>UUID</em> of the leveraged system's SSP will be availabe in the <code>source-ssp</code> of 
+        the <code>shared-responsibility</code> instance, provided by the <code>ssp-uuid</code> flag.</description>
         <group-as name="leveraged-authorizations" in-json="ARRAY" />
         <define-flag name="uuid" as-type="uuid" required="yes">
           <formal-name>Leveraged Authorization Universally Unique Identifier</formal-name>