Made ssp-uuid not required to support SR from non OSCAL SSP and inclu…

…ded it also in the leveraged-autorization assembly to support OSCAL SSPs for leveraged systems
usnistgov · Mar 23, 2024 · 45f6712 · 45f6712
1 parent 9fe6524
commit 45f6712
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -1,10 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<!DOCTYPE METASCHEMA [
+<!-- <!DOCTYPE METASCHEMA [
   <!ENTITY allowed-values-responsible-roles-system SYSTEM "./shared-constraints/allowed-values-responsible-roles-system.ent">
   <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
   <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
+-->
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
   xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd"
@@ -29,8 +30,9 @@
     <formal-name>Source SSP</formal-name>
     <description>The leveraged System Security Plan (SSP) that documents the components implementing
       inheritable controls.</description>
-
-    <define-flag name="ssp-uuid" as-type="uuid" required="yes">
+<!-- While it is desirable the SSP of an SP to be in OSCAL, legacy systems might not have one, 
+  and the SR would serve as the first step towards digitalization. In OSCAL v2.0 maybe we can require the ssp-uuid -->
+    <define-flag name="ssp-uuid" as-type="uuid" >
       <formal-name>SSP Universally Unique Identifier</formal-name>
       <description>A <a
           href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
@@ -318,7 +320,7 @@
     </constraint>
   </define-assembly>
 
-  <define-assembly name="export" deprecated="1.1.2">
+  <define-assembly name="export" deprecated="1.1.0">
     <formal-name>Shared Responsibility</formal-name>
     <description>Identifies content intended for external consumption, such as with leveraged
       organizations, customer responsibility documentation, and shared security responsibility

diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -22,8 +22,9 @@
   </remarks>
 
   <!-- IMPORT STATEMENTS -->
+  <!-- Already imported in oscal_responsibility-common_metaschema.xml
   <import href="oscal_metadata_metaschema.xml" />
-  <import href="oscal_implementation-common_metaschema.xml" />
+  <import href="oscal_implementation-common_metaschema.xml" /> -->
   <import href="oscal_responsibility-common_metaschema.xml" />
 
   <define-assembly name="shared-responsibility">

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
@@ -381,10 +381,12 @@
       <p>If 'other' is selected, a remark must be included to describe the current state.</p>
     </remarks>
   </define-assembly>
+  <!-- Moved to oscal_implementation-commong_metaschema.xml to use it in SR and CDef
   <define-field name="date-authorized" as-type="date" scope="local">
     <formal-name>System Authorization Date</formal-name>
     <description>The date the system received its authorization.</description>
   </define-field>
+  -->
   <define-assembly name="authorization-boundary">
     <formal-name>Authorization Boundary</formal-name>
     <description>A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.</description>
@@ -552,6 +554,7 @@
           <!-- Identifier Declaration -->
           <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this leveraged authorization elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged authorization</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
         </define-flag>
+        <flag ref="ssp-uuid" />
         <model>
           <define-field name="title" as-type="markup-line" min-occurs="1">
             <formal-name>title field</formal-name>