Added responsibility assembly to component def, corrected group-as name and added sr-uuid flag.
iMichaela committed Mar 25, 2024
1 parent 45f6712 commit 4bd5bb5
Showing 5 changed files with 94 additions and 13 deletions.
79 changes: 73 additions & 6 deletions src/metaschema/oscal_component_metaschema.xml
Expand Up @@ -26,8 +26,9 @@
<p>The root of the OSCAL Implementation Layer Component Definition model is <code>component-definition</code>.</p>
</remarks>

<import href="oscal_implementation-common_metaschema.xml"/>
<import href="oscal_responsibility-common_metaschema.xml"/>
<!-- IMPORTS -->
<import href="oscal_implementation-common_metaschema.xml"/>
<!-- <import href="oscal_responsibility-common_metaschema.xml"/> -->

<define-assembly name="component-definition">
<formal-name>Component Definition</formal-name>
Expand Down Expand Up @@ -134,7 +135,6 @@
<p>Used for <code>service</code> components to define the protocols supported by the service.</p>
</remarks>
</assembly>

<assembly ref="control-implementation" max-occurs="unbounded">
<group-as name="control-implementations" in-json="ARRAY"/>
</assembly>
Expand Down Expand Up @@ -312,6 +312,7 @@
<!-- Feature Request: add constraint ensuring a capability's incorporates-component references //component-definition/component/@uuid in the same component definition instance or an imported instance-->
</constraint>
</define-assembly>

<define-assembly name="incorporates-component">
<formal-name>Incorporates Component</formal-name>
<!-- TODO: needs a description -->
Expand All @@ -329,6 +330,67 @@
</model>
</define-assembly>

<define-assembly name="responsibility" scope="local">
<formal-name>Control Implementation Responsibility</formal-name>
<description>Describes a control implementation responsibility imposed on a leveraging system.</description>
<!-- <group-as name="responsibilities" in-json="ARRAY"/> -->
<define-flag name="uuid" as-type="uuid" required="yes">
<formal-name>Responsibility Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
machine-oriented</a>, <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
unique</a> identifier with <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
scope that can be used to reference this responsibility elsewhere in <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>responsibility</code>
can be used to reference the data item locally or globally (e.g., in an imported OSCAL
instance). This UUID should be assigned <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
which means it should be consistently used to identify the same subject across revisions of
the document.</description>
</define-flag>
<!-- The following flags make no sense in teh context of a CDef.
<flag ref="provided-uuid" required="no" />
<flag ref="implemented-by" required="no" />
-->
<flag ref="exportable" />
<model>
<define-field name="description" as-type="markup-multiline" min-occurs="1"
in-xml="WITH_WRAPPER">
<formal-name>Control Implementation Responsibility Description</formal-name>
<description>An implementation statement that describes the aspects of the control or
control statement implementation that a customer must implement to satisfy the
control provided by the component.</description>
</define-field>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY" />
</assembly>
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY" />
<!-- TODO: Model specific link relationships -->
</assembly>
<assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
<group-as name="responsible-roles" in-json="ARRAY" />
<remarks>
<p>A role defined at the by-component level takes precedence over the same role defined on
the parent implemented-requirement or on the referenced component. </p>
</remarks>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" />
</model>
<constraint>
<is-unique id="unique-responsibility-responsible-role" target="responsible-role">
<key-field target="@role-id" />
<remarks>
<p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
with a single <code>role-id</code>, each role-id must be referenced only once.</p>
</remarks>
</is-unique>
</constraint>
</define-assembly>

<define-assembly name="control-implementation" scope="local">
<formal-name>Control Implementation Set</formal-name>
<description>Defines how the component or capability supports a set of controls.</description>
Expand Down Expand Up @@ -412,11 +474,14 @@
<assembly ref="set-parameter" max-occurs="unbounded">
<group-as name="set-parameters" in-json="ARRAY"/>
</assembly>
<assembly ref="responsibility" max-occurs="unbounded">
<group-as name="responsibilities" in-json="ARRAY"/>
</assembly>
<assembly ref="responsible-role" max-occurs="unbounded">
<group-as name="responsible-roles" in-json="ARRAY"/>
</assembly>

<!-- ADDED for CRM/SSRM: Implementation Status and Shared Responsibility Assembly -->
<!-- ADDED for SRM: Implementation Status and Shared Responsibility Assembly -->
<!-- <assembly ref="implementation-status">
<remarks>
<p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
Expand All @@ -427,15 +492,14 @@
<group-as name="provided" in-json="ARRAY"/>
</assembly>
<assembly ref="responsibility">
<group-as name="responsibility" in-json="ARRAY"/>
<group-as name="responsibilities" in-json="ARRAY"/>
</assembly>
<assembly ref="inherited">
<group-as name="inherited" in-json="ARRAY"/>
</assembly>
<assembly ref="satisfied">
<group-as name="satisfied" in-json="ARRAY"/>
</assembly>
<assembly ref="export" max-occurs="1">
<remarks>
<p>TODO: Documentation</p>
Expand Down Expand Up @@ -497,6 +561,9 @@
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<assembly ref="responsibility" max-occurs="unbounded">
<group-as name="responsibilities" in-json="ARRAY"/>
</assembly>
<assembly ref="responsible-role" max-occurs="unbounded">
<group-as name="responsible-roles" in-json="ARRAY"/>
</assembly>
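Review bot: The remarks on the responsible-role assembly inside the new `responsibility` definition (the `<p>A role defined at the by-component level takes precedence …` paragraph) read as copied from the by-component assembly: a responsibility nested in control-implementation has no by-component level and no parent implemented-requirement, so the precedence statement does not describe this location. Suggest rewording to something like `<p>A role defined on a responsibility takes precedence over the same role defined on the enclosing control-implementation or on the component.</p>`, or dropping the remark if no precedence rule is intended here. Two smaller points in the same hunk: the comment `The following flags make no sense in teh context of a CDef.` has a typo (`the`), and the local definition named `responsibility` (scope="local") shares its name and the constraint id `unique-responsibility-responsible-role` with the assembly in oscal_responsibility-common_metaschema.xml, whose import is now commented out; if that import is ever restored the two definitions would presumably clash, so a one-line comment stating that the local definition is the CDef-specific replacement would help the next editor.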
2 changes: 1 addition & 1 deletion src/metaschema/oscal_implementation-common_metaschema.xml
Expand Up @@ -1002,7 +1002,7 @@

<define-flag name="exportable" as-type="boolean">
<formal-name>Exportable</formal-name>
<description>Indicates that the implmentation status is exportable for external
<description>Indicates that the information is exportable for external
consumption, such as with leveraged organizations, customer responsibility
documentation, and shared security responsibility documentation.</description>
</define-flag>
19 changes: 16 additions & 3 deletions src/metaschema/oscal_responsibility-common_metaschema.xml
Expand Up @@ -30,8 +30,8 @@
<formal-name>Source SSP</formal-name>
<description>The leveraged System Security Plan (SSP) that documents the components implementing
inheritable controls.</description>
<!-- While it is desirable the SSP of an SP to be in OSCAL, legacy systems might not have one,
and the SR would serve as the first step towards digitalization. In OSCAL v2.0 maybe we can require the ssp-uuid -->
<!-- While it is desirable for the SSP of the system to be in OSCAL, legacy systems might not have one,
and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be required -->
<define-flag name="ssp-uuid" as-type="uuid" >
<formal-name>SSP Universally Unique Identifier</formal-name>
<description>A <a
Expand All @@ -45,6 +45,19 @@
instances</a>.</description>
</define-flag>

<define-flag name="sr-uuid" as-type="uuid" >
<formal-name>SR Universally Unique Identifier</formal-name>
<description>A <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
machine-oriented</a>, <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
unique</a> identifier with <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
scope that can be used to reference the Shared Responsibility leveraged in <a
href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
instances</a>.</description>
</define-flag>

<model>
<define-field name="title" as-type="markup-line">
<formal-name>Source Title</formal-name>
Expand Down Expand Up @@ -348,7 +361,7 @@
<group-as name="provided" in-json="ARRAY" />
</assembly>
<assembly ref="responsibility" max-occurs="unbounded">
<group-as name="responsibility" in-json="ARRAY" />
<group-as name="responsibilities" in-json="ARRAY" />
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" />
</model>
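Review bot: The new `sr-uuid` flag and the existing `ssp-uuid` flag are both optional (neither carries `required`, and the comment above ssp-uuid says it will not be required), so the enclosing assembly (its header is above the hunk; the formal-name shown is Source SSP) can be instantiated with neither identifier or with both. If the intent is that a source references exactly one of an SSP or a Shared Responsibility document, an `expect` constraint on the assembly (a test that `@ssp-uuid` or `@sr-uuid` is present) would state that; otherwise a sentence in each flag's description saying the other flag may be used instead would at least document the choice. The `sr-uuid` description also links to the `#scope` anchor, whereas the comparable uuid descriptions in the other files of this commit use `#ssp-identifiers`; worth confirming that anchor exists on the identifier-use page.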
2 changes: 1 addition & 1 deletion src/metaschema/oscal_shared-responsibility_metaschema.xml
Expand Up @@ -325,7 +325,7 @@
<group-as name="provided" in-json="ARRAY" />
</assembly>
<assembly ref="responsibility" max-occurs="unbounded">
<group-as name="responsibility" in-json="ARRAY" />
<group-as name="responsibilities" in-json="ARRAY" />
</assembly>
<assembly ref="inherited" max-occurs="unbounded">
<group-as name="inherited" in-json="ARRAY" />
5 changes: 3 additions & 2 deletions src/metaschema/oscal_ssp_metaschema.xml
Expand Up @@ -554,7 +554,8 @@
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this leveraged authorization elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged authorization</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<flag ref="ssp-uuid" />
<flag ref="ssp-uuid" required="no"/>
<flag ref="sr-uuid" required="no"/>
<model>
<define-field name="title" as-type="markup-line" min-occurs="1">
<formal-name>title field</formal-name>
Expand Down Expand Up @@ -862,7 +863,7 @@
<group-as name="provided" in-json="ARRAY"/>
</assembly>
<assembly ref="responsibility" max-occurs="unbounded">
<group-as name="responsibility" in-json="ARRAY"/>
<group-as name="responsibilities" in-json="ARRAY"/>
</assembly>
<assembly ref="inherited" max-occurs="unbounded">
<group-as name="inherited" in-json="ARRAY"/>
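Review bot: `<flag ref="ssp-uuid" required="no"/>` and `<flag ref="sr-uuid" required="no"/>` make both identifiers optional on the leveraged authorization, so an entry can name neither the leveraged SSP nor the Shared Responsibility document, or both, and nothing in the hunk says which combination is valid. If exactly one is expected, an `expect` constraint on the assembly (a test that `@ssp-uuid` or `@sr-uuid` is present) or at least a remark stating the rule would help consumers; the enclosing define-assembly starts above the hunk. `required="no"` is the default for a flag reference in Metaschema, so the explicit attribute on both lines is redundant unless the file uses it deliberately for readability. The `sr-uuid` flag is defined in oscal_responsibility-common_metaschema.xml, so this file has to import that metaschema; the import section is outside the hunk and I cannot confirm it here.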
