set-parameter in the context of an SSP is ambiguously defined #1206

Closed
GaryGapinski opened this issue Apr 15, 2022 · 1 comment · Fixed by #1234
@GaryGapinski

Describe the bug

The "correct" use of set-parameter is inadequately defined.

Who is the bug affecting?

OSCAL implementation authors.

What is affected by this bug?

Ambiguity has an adverse effect on the fidelity of OSCAL implementations.

When does this occur?

As of the time of this issue creation, it is a contemporary affliction.

How do we replicate the issue?

By use of examples.

If applicable, add screenshots to help explain your problem.

Expected behavior (i.e. solution)

Apodictic certitude regarding interpretation of set-parameter.

Other Comments

Examples will follow.


GaryGapinski commented Apr 15, 2022

Simple example:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.2/xml/schema/oscal_complete_schema.xsd" ?>
<system-security-plan
    uuid="9c81479b-1704-492f-ad51-27a2428fd249"
    xmlns="http://csrc.nist.gov/ns/oscal/1.0">
    <metadata>
        <title>Example</title>
        <last-modified>2022-04-15T04:47:32Z</last-modified>
        <version>latest</version>
        <oscal-version>1.0.2</oscal-version>
    </metadata>
    <import-profile
        href="#" />
    <system-characteristics>
        <system-id>Example</system-id>
        <system-name>Example</system-name>
        <description>
            <p>Example</p>
        </description>
        <security-sensitivity-level>triple secret</security-sensitivity-level>
        <system-information>
            <information-type>
                <title />
                <description />
                <confidentiality-impact>
                    <base>trivial</base>
                </confidentiality-impact>
                <integrity-impact>
                    <base>worrysome</base>
                </integrity-impact>
                <availability-impact>
                    <base>grave</base>
                </availability-impact>
            </information-type>
        </system-information>
        <security-impact-level>
            <security-objective-confidentiality>caution</security-objective-confidentiality>
            <security-objective-integrity>deliberation</security-objective-integrity>
            <security-objective-availability>obfuscation</security-objective-availability>
        </security-impact-level>
        <status
            state="nascent" />
        <authorization-boundary>
            <description />
        </authorization-boundary>
    </system-characteristics>
    <system-implementation>
        <user
            uuid="754b76e2-9ef7-4a17-8357-0ae819d8dd6a" />
        <component
            type="component"
            uuid="ccf5986f-89f8-4427-8492-a794f614c1e1">
            <title />
            <description />
            <status
                state="comfortable" />
        </component>
    </system-implementation>
    <control-implementation>
        <!-- 
            https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/xml-reference/#/system-security-plan/control-implementation/set-parameter
            does not levy any constraints on set-parameter
        -->
        <description />
        <set-parameter
            param-id="one">
            <value>V1</value>
        </set-parameter>
        <implemented-requirement
            control-id="C1"
            uuid="3903fcca-e3a8-4141-bc37-7a014d82cb20">
            <!-- 
                https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/xml-reference/#/system-security-plan/control-implementation/implemented-requirement
                asserts "for set-parameter: any target value must be unique (i.e., occur only once)"
                without specifying the scope of uniqueness
                i.e., 
                implemented-requirement, 
                implemented-requirement/descendant:set-parameter, 
                /system-security-plan/control-implementation/implemented-requirement/set-parameter, 
                /system-security-plan/control-implementation/implemented-requirement/statement/by-component/set-parameter,
                etc.
            -->
            <set-parameter
                param-id="one">
                <value>V1</value>
            </set-parameter>
            <statement
                statement-id="S1"
                uuid="a6ca6c29-ae75-4071-aa7b-0fd3fa652d81">
                <by-component
                    component-uuid="ccf5986f-89f8-4427-8492-a794f614c1e1"
                    uuid="4200da40-5af1-468e-b186-37eef596d834">
                    <description />
                    <!-- 
                        https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/xml-reference/#/system-security-plan/control-implementation/implemented-requirement/by-component/set-parameter
                        does not levy any constraints on set-parameter
                    -->
                    <set-parameter
                        param-id="one">
                        <value>V1</value>
                    </set-parameter>
                </by-component>
            </statement>
        </implemented-requirement>
    </control-implementation>
</system-security-plan>
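
The three `set-parameter` sites in the example above pass or fail the "must be unique" constraint depending on which scope it is read against. The following check is an added illustration, not part of the original issue or of any OSCAL tooling; the scope names and the trimmed sample document are assumptions constructed here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample: the issue's control-implementation, trimmed to the
# three places where set-parameter appears with param-id="one".
SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control-implementation>
    <set-parameter param-id="one"><value>V1</value></set-parameter>
    <implemented-requirement control-id="C1">
      <set-parameter param-id="one"><value>V1</value></set-parameter>
      <statement statement-id="S1">
        <by-component>
          <set-parameter param-id="one"><value>V1</value></set-parameter>
        </by-component>
      </statement>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>"""

# Candidate readings of the uniqueness scope (hypothetical names):
# (XPath of the context element, XPath of set-parameter relative to it)
SCOPES = {
    "children of each implemented-requirement":
        (".//o:implemented-requirement", "o:set-parameter"),
    "descendants of each implemented-requirement":
        (".//o:implemented-requirement", ".//o:set-parameter"),
    "whole control-implementation":
        (".//o:control-implementation", ".//o:set-parameter"),
}

def duplicates(root, context_path, target_path):
    """Return param-ids that occur more than once inside any one context."""
    dups = set()
    for ctx in root.findall(context_path, NS):
        counts = Counter(sp.get("param-id") for sp in ctx.findall(target_path, NS))
        dups.update(pid for pid, n in counts.items() if n > 1)
    return sorted(dups)

def evaluate(xml_text):
    """Map each candidate scope to the param-ids that violate uniqueness."""
    root = ET.fromstring(xml_text)
    return {name: duplicates(root, c, t) for name, (c, t) in SCOPES.items()}

if __name__ == "__main__":
    for name, dups in evaluate(SSP).items():
        print(f"{name}: {'VIOLATION ' + str(dups) if dups else 'ok'}")
```

The same document is valid under the narrowest reading and invalid under the other two, so two conforming implementations can disagree about whether it is acceptable.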

@david-waltermire david-waltermire added this to the OSCAL 1.0.3 milestone May 4, 2022
@david-waltermire david-waltermire self-assigned this May 4, 2022
david-waltermire added a commit to david-waltermire/OSCAL that referenced this issue May 5, 2022
david-waltermire added a commit to david-waltermire/OSCAL that referenced this issue May 5, 2022