# This is a combination of 60 commits.
# The first commit's message is:

Restructuring for new initiative

Moved everything into 'old' and added a new subdirectory for new
experiments.

More early iteration over names

More adjustments in names mostly

HTML page for Word import testing

Just touchups this time

Updates and misc improvements

Changed document element to 'catalog'

Improved and renamed mapping transformation

Adjustments to models, schema, Schematron

Managing gitignore

Same

Minor adjustments

First cut at 27K mapping into OSCAL

Renamed directories for consistency

Cleanup

Bit more cleanup

Adjustments to mapping

Same

Numerous enhancements, some reorg

Planning notes

Added starter FO XSLT

First cut at FO XSL

Minor improvements

Small adjustments

Many/much schema enhancements; proto XSD version

First cut at inline declarations with live validation

Implementing declarations; styling

Refinements and extensions; new assign, select, withdrawn elements

More support for parameters etc.

Now implementing parameters etc.

More touches

Misc improvements

Sundry adjustments

Many more small improvements

Much documentation

More touchups

Updates

Misc adjustments and notes

Significant rework following design session esp declarations

More improvements incl extending declarations to groups

More adjustments; now mapping SP800-53A also.

More polishing and maintenance

Much more including hierarchical number checking

Adjustments, extensions, corrections

Name changes in the model

More adjustments

Cleanup of obsolete artifacts

Minor alignment

Mostly CSS, also Schematron improvements

ISO27002 mapping document

Many enhancements; new COBIT 5 mappings

More on COBIT

Improvements to mapping docs

Adjustments to mappings incl HTML versions

Moved screenshot for documentation

More adjustments and docs

Mostly improvements to documentation

Refreshed 800-53 data with adjustments

More general improvements to models and mappings

Continuing refinements to validations in samples

Update README.md

Update README.md

Update README.md

Update README.md

Minor tweaks

Including initial cut at profiling (1st, rule-based control extraction) among other refinements and improvements

No longer extant

Added new control to COBIT5 example

Misc improvements including more COBIT5 support

File rename and further adjustments

Misc adjustment; SaxonJS demo files

Misc adjustments

Updated readme contents to reflect merge.

Fixed links.

Changed text to better reflect current state and to add more links.

Rearrangement and cleanup

Schematron and schema adjustment and refactoring

SP800-53 extraction improvement, enhancement, cleanup

Improvements and enhancements to ISO27002 extraction

OSCAL Documentation

COBIT5 example tweakage

Organizational notes

Adjustments

Removed old files directory.
Moved files from draft to root.

Updated README.md to reflect new pathing.

Updated readme to contain more documentation of the OSCAL layers.

Added documentation for the working directory.

Update README.md

Edited the text.

Update README.md

Edited the text.

Added Aug 10 tiger team slides with notes

Create a prose overview of OSCAL

Update OSCAL Overview.md

Update OSCAL Overview.md

Profile and catalog mapping: a trivial example

Replacing graphic with rescaled version

Update OSCAL Overview.md

Rescaled image

Update OSCAL Overview.md

Mods to oXygen project file

Removing 'demo' (till later)

Moved proprietary file

Refinements to ISO27002 mappings (new model)

Refining SP800-53 conversion/mappings

Updating lib support for new model

Top-level org

Draft readme docs

Further adjustment to directory readme.md

More adjustments to ISO 27002 and SP800-53 (new model etc.)

More cleanup to main sample subdirectories + readme tweakage

Mostly restructuring

More adjustments to extraction, parameter support

Includes more model refinements; draft implementation of parameter resolution

Adjustments for revised models

Adjustments to demos and conversion pipelines

Experimenting with profiles

Infrastructure adjustments

Schema modifications

# This is the commit message #2:

Minor correction to schema docs merge
# This is the commit message #3:

Updating XSD w/ docs
# This is the commit message #4:

More element renaming/adjustment
# This is the commit message #5:

Now a stable schema again? With SP800-53 extraction adjustments
# This is the commit message #6:

Profile-related mods

# This is the commit message #7:

Org stuff

# This is the commit message #8:

Moved mapping docs; added readme
# This is the commit message #9:

schema documentation
# This is the commit message #10:

Schema production and documentation pipeline
# This is the commit message #11:

More reorg; tweaked schema; more docs
# This is the commit message #12:

Improvements to tag library
# This is the commit message #13:

Another attempt at internal links in md
# This is the commit message #14:

trying again
# This is the commit message #15:

Gonna get this eventually
# This is the commit message #16:

More updates and tuneups
# This is the commit message #17:

More updates to schema and docs
# This is the commit message #18:

Lighter adjustments
# This is the commit message #19:

Similarly subtle adjustments
# This is the commit message #20:

Adjustments supporting parameter assignments
# This is the commit message #21:

More docs
# This is the commit message #22:

Enhancements to demo
# This is the commit message #23:

Moving distractions out of the way
# This is the commit message #24:

Slight readme tweakage
# This is the commit message #25:

Tag library tweaks
# This is the commit message #26:

More tag library adjustments
# This is the commit message #27:

New readme for Schematrons
# This is the commit message #28:

Adjustments to readme
# This is the commit message #29:

Adjustments to mapping documents
# This is the commit message #30:

Adjustments to readme
# This is the commit message #31:

More adjustments to mapping documents
# This is the commit message #32:

Updated punchlist
# This is the commit message #33:

Updates to mapping docs
# This is the commit message #34:


# This is the commit message #35:

CSS for local editing of OSCAL OSCAL
# This is the commit message #36:

Slight adjustments
# This is the commit message #37:

Light editing
# This is the commit message #38:

Light editing
# This is the commit message #39:

Light edits
# This is the commit message #40:

Light edits
# This is the commit message #41:

Light edits
# This is the commit message #42:

Light edits
# This is the commit message #43:

More work on profiles
# This is the commit message #44:

Revised directory descriptions
# This is the commit message #45:

Added an explanation of the demo directories
# This is the commit message #46:

More on profiling
# This is the commit message #47:

Editorial tweaks to oscal-oscal.xml
# This is the commit message #48:

Editorial tweaks to oscal-oscal.xml
# This is the commit message #49:

Edits to schema documentation
# This is the commit message #50:

More enhancements to tag library and its presentation
# This is the commit message #51:

Internal links?
# This is the commit message #52:

Slight adjustments
# This is the commit message #53:

Further touchups to schema docs and their HTML rendering
# This is the commit message #54:

Support for 'pre'
# This is the commit message #55:

Rearranged and touched up profile experiments
# This is the commit message #56:

More touchups to tag library (linking)
# This is the commit message #57:

More adjustments to copy
# This is the commit message #58:

More adjustments
# This is the commit message #59:

Correcting display bug failing to render chars in CSS
# This is the commit message #60:

Added a PDF with the notes.
wendellpiez authored and david-waltermire committed Apr 5, 2018
1 parent dcc0c4d commit 840961c
Showing 613 changed files with 435,291 additions and 102,057 deletions.
6 changes: 6 additions & 0 deletions .gitignore
@@ -1 +1,7 @@
.DS_Store

# Proprietary files not to be propagated
vault

*/working/**/*.pdf
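Review bot: the `vault` pattern is unanchored, so it ignores every file or directory named `vault` at any depth rather than only the top-level proprietary directory the comment describes; write it as `/vault/` if just that directory is meant. Likewise `*/working/**/*.pdf` only matches a `working` directory exactly one level below the repository root, so `**/working/**/*.pdf` would be needed to catch deeper copies. Ignore rules also do nothing for files that are already tracked or added with `git add -f`, so a `git ls-files vault` check before pushing is a cheap way to confirm the proprietary content is really absent from the index.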

2,280 changes: 2,280 additions & 0 deletions OSCAL-dev.xpr

Large diffs are not rendered by default.

57 changes: 30 additions & 27 deletions README.md
@@ -1,33 +1,36 @@
# OSCAL
Open Security Controls Assessment Language (OSCAL)
# Open Security Controls Assessment Language (OSCAL)

The Cloud First policy established by the U.S. Federal CIO in December 2010, mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. By 2012, a subsequent report to Congress showed that more than half of all federal agencies had adopted cloud computing for at least one application. The rapid adoption of cloud computing under this mandate is not voiding any of the agencies’ FISMA requirements for adequate security and privacy protection of data.

NIST is proposing the development of the Open Security Controls Assessment Language, or OSCAL, a hierarchical, formatted, XML-based (and JSON translation) schema that provides a standard for encoding different categories of information pertaining to the security controls’ implementation and assessment process.  
NIST is proposing the development of the Open Security Controls Assessment Language, or OSCAL, a hierarchical, formatted, XML-based (and JSON translation) schema that provides a standard for representing different categories of information pertaining to the publication, implementation, and assessment of security controls.

OSCAL aims to:
1. Standardize the description of a control based upon the standard used (NIST SP 800.53, ISO/IEC 27001/2, PCI, SOX, etc),
2. standardize the reporting format of a security control implementation for a particular ‘technology’ (cloud computing, cyber physical systems, mobile, etc.) – for an Overlay (see NIST SP 800-53 R4 for more details) - or for a particular ‘scope’ or 'purpose' for which the control is implemented (e.g. the control is implemented for physical access or logical access to a, b, c layers).
3. standardize the format of the documented assessment criteria,
4. standardize the format of the metrics and measurements for the continuous monitoring of the control, and
5. other custom information standardization.
1. Standardize control, implementation, and assessment information using open, machine-readable formats.
1. Normalize the semantics of controls and profiles/baselines/overlays across multiple control catalogs (e.g., NIST SP 800-53, ISO/IEC 27001/2, COBIT 5).
1. Provide interoperable formats to ensure that OSCAL information is used by tools in consistent ways.
1. Promote adoption of OSCAL by tool developers by ensuring that OSCAL information is easy to create, use, and customize.

OSCAL consists of a number of layers:

![OSCAL layers](docs/graphics/oscal-layers.png "OSCAL Layer Diagram")

Starting from the bottom on the left, the OSCAL layers are:
* __Catalog__: Defines a set of security controls (e.g., NIST SP 800-53 Appendix F); may also define objectives and methods for assessing the controls (e.g., NIST SP 800-53A).
* __Profile__: Defines a set of security requirements, where meeting each requirement necessitates implementing one or more security controls; also called a _baseline_ or _overlay_.
* __Implementation__: Defines how each profile item is implemented for a given system component (System Security Plan).
* __Assessment__: Describes how the system assessment is to be performed.
* __Assessment Results__: Records the findings of the assessment.

OSCAL will also integrate with:
* __Metrics__: Defines metrics and measurements for understanding the effectiveness of the system’s security.
* __Mechanism__: Describes methods used to monitor the system’s current security state (e.g., Security Content Automation Protocol (SCAP)).

--------------
General Notes, 20170313:
Most recent additions are example xml file and schema extensions for a system-implementation. (MI - ?)
The system-implementation example includes tags from FedRAMP template and links to another hypothetical document that contains an enumerated list of system components. (MI - ?)
The component list is included in "attachment 13" of the FedRAMP template; referred to as a component inventory. (MI - ??)
I am trying (for expedience) to (re)use structures already defined in the OSCAL-core schema. (MI - ?)
In system-implementation, statements defined for security control catalog are reused as statements for implementing the security controls. (MI - ?)

NOTES on schema:
OSCAL-core contains the information structures that are most highly developed
OSCAL-common contains link definitions and some additional structures to facilitate human readability (MI - ?)
OSCAL-extensions define information structures outside the core that are unique to specific catalogs or other specifications.

NOTES on processing of guidance information:
Since the function of profile (overlay) xml documents is to select, augment, and sometimes overwrite requirements/controls, schemas and XML examples require further development in terms of explicit methods for reconciling specific tags that come from multiple sources. The OSCAL-core schema document defines a RationaleChangeType information object that includes restrictions for augmenting, changing, or scoping-out (eliminating) text.

NOTES on (re)use of authorization bodies of evidence (MI - ?):
System implementation documents should include a method to capture links to pre-existing bodies of evidence (e.g. a component ID with links to a FedRAMP authorization number) referring that a system or system component has been assessed before. When accessible, such links are associated with increased levels of trust in the component. The scope of an assessment process may be greatly reduced by accepting pre-existing bodies of assessment evidence and focusing on assessment of new (untested) or modified components. Closely related, are component links or aliases to CPE names, SWID names, and other standardized identifiers; which may be associated with known vulnerabilities (e.g. CVEs).

This repository consists of the following directories pertaining to the OSCAL project:
* [docs](docs): Documentation graphics, prose, and presentation slides
* [working](working): Development artifacts (e.g., XML, XSLT, CSS, script, Markdown, and sample files, plus supporting files); additional documentation is posted under [working/doc](working/doc):
* [sources](sources): Resources used to produce OSCAL artifacts that are not maintained by the OSCAL project (e.g., a copy of the NIST SP 800-53 control data feed schema)

## Update August 10th, 2017

As the result of a new OSCAL initiative undertaken starting in mid-May, this repository has been updated. With this effort, we are stressing the agile development of a *minimal* format that is both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types.
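Review bot: the "General Notes, 20170313" block is kept with unresolved "(MI - ?)" and "(MI - ??)" reviewer markers on five of its lines; these should be answered or removed before the README is published, or the block moved under a clearly historical heading, since it now sits between the current layer description and the "Update August 10th, 2017" section and still refers to OSCAL-core, OSCAL-common and OSCAL-extensions schemas that the new directory list does not mention. Two smaller points: the `working` bullet ends in a colon ("...posted under [working/doc](working/doc):") where a period is intended, and the new goals list numbers every item `1.`, which renders correctly in GitHub Markdown but is harder to read in the raw file.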

101 changes: 0 additions & 101 deletions deprecated/src/main/resources/xml/nist/oscal/2.0/catalog_CSF.xml

This file was deleted.

67 changes: 0 additions & 67 deletions deprecated/src/main/resources/xml/nist/oscal/2.0/catalog_PCI.xml

This file was deleted.
