Design example system for new tutorials #1892

Closed
3 tasks
aj-stein-nist opened this issue Aug 17, 2023 · 8 comments
Labels
enhancement Scope: Documentation This issue relates to OSCAL documentation. User Story

Comments

@aj-stein-nist
Contributor

User Story

As a developer or system engineer writing software using OSCAL for security automation, I would like a simple, example system used throughout tutorials to represent different features and use cases of OSCAL.

In this issue, we will design an architecture of a simple web application as the example system that hosts static pages, with an example hosting service, with no dynamic server backend or database for persistence. It will only host a website.

(NOTE: This issue is part of a value stream for tutorial improvements.)

Goals

  1. Let's model systems and relate to controls.
  2. Let's focus on use cases for a simplified lifecycle.
  3. We will commit to 1 and 2, but not dogmatically. (We will make tutorials for specific data, tools, methodologies as the need comes up, but that comes up later as advanced material.)
  4. Design the tutorials and simplified lifecycle around OSCAL models' features.

Non-goals

  1. Building a complex, real-world example system.
  2. Designing tutorials around an actual control framework or technical stack (see Goal 3).
  3. Building contextual examples into our reference model docs (great idea, separate from this).

(NOTE: This issue is part of a value stream for tutorial improvements, these goals and non-goals apply to the value stream overall, not just this issue. It has been copy-pasted for convenience.)

Dependencies

No response

Acceptance Criteria

  • A design document in HackMD with minimally viable details for the system.
  • Socialization with the NIST OSCAL Team.
  • Presentation of this design in a sprint review for the sprint in which this work is allocated.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

@Compton-US
Contributor

Compton-US commented Oct 19, 2023

I'm going to self-assign this as a contributor, but not necessarily the lead. I need to do quite a bit of example work for the mapping and responsibility modeling efforts, and I can probably check some of these items off along the way. I can outline a couple of systems based on my past experiences. (In the context of more simplified goals, and not trying to be "real-world").

@Compton-US Compton-US self-assigned this Oct 19, 2023
@aj-stein-nist aj-stein-nist moved this from Todo to In Progress in NIST OSCAL Work Board Oct 30, 2023
@Compton-US
Contributor

Compton-US commented Oct 30, 2023

I'll take lead and close this out based on the discussion with @iMichaela and @nikitawootten-nist last week.

  • General theme: Static Website as a simple start that can be layered upon in the future.

@aj-stein-nist
Contributor Author

Work on this issue is ongoing but incomplete. It will be needed to move onto the next sprint.

@Compton-US
Contributor

I put this in a repo so we could look at it and potentially adjust. Would also need to find a permanent home somewhere in our repositories. For input: https://github.com/Compton-NIST/oscal-systems/blob/main/simple/README.md

@Compton-US Compton-US moved this from In Progress to Under Review in NIST OSCAL Work Board Nov 2, 2023
@wendellpiez
Contributor

Looking nice so far.

Is it on the list to clarify what is not in the system? For example, in the plainest-vanilla system, no consideration is given to how the HTML to be served is created, validated or defended against (since not all HTML is equally safe) -- the risks here are simply passed upstream, presumably to the content creator/uploader.

I guess asking this shows that even the simplest system description can provoke useful questions ... so far, so good.

@iMichaela
Contributor

iMichaela commented Nov 7, 2023

@Compton-NIST - the system is simple enough to be understood. It is a great start. Thank you.
Have you decided on the 3-5 controls we should use, or will the controls be decided later?

@Compton-US
Contributor

Will move this under oscal-content in a feature branch.

@Compton-US Compton-US moved this from Under Review to Done in NIST OSCAL Work Board Nov 13, 2023
@Compton-US
Contributor

Published to: https://github.com/usnistgov/oscal-content/tree/feature-simple-network/systems/simple

This is a feature branch that we can merge once we achieve consensus.
