OSCAL SSP schema review against an actual SSP Template #498
Comments
|
@JJediny First of all, thank you for this review. This is extremely helpful. I'd like to address your summary feedback.
I have also included some detailed comments below marked [daw:]. |
Note: I use field/attribute/element interchangeably below to represent an object in the schema...
Understood, my comment was meant to make this ^ the later helps the user understand what is unique vs what are the common attributes
I think the current fields but under a nested
Interconnections on the second review; seem appropriate, but they are missing the following attributes:
That said
~ The separation of the SSP from control implementation is the cleanest IMHO. Adding those mixed concepts at the SSP layer only complicates things and makes the schema more complex to implement the same thing at two schema layers.
^
^ This is a great ask of the FEDRAMP team to santize real-world examples of what is traditional cataloged for these and match attributes in the schema for them.
It seems costly to ask users to duplicate defining them (as a mapping/matching check?); when the user is defining them and establishing them under
^
^ agree to dismiss
👍
See the first bullet, in response, has to do with the additive information types being reviewed to intially determine the system fip profile. There could be 50/8/6/5 types of "information types" reviewed individually/independently; if one of them is L/M/L then the system could be determined to be
If it is only being referenced by id the field should just be calling back to a single But ^ is more appropriately managed as a
|
david-waltermire
added
Scope: Content
david-waltermire
modified the milestones:
OSCAL 1.0 (Full Release),
OSCAL 1.0 Milestone 3
30-Jan-2020 StatusWill review this in detail in an upcoming working session. Possibly next week. |
|
This is partially addressed by PR #619 which added version histories. |
|
PR #643 represents further work on addressing this issue.
|
david-waltermire
changed the title
Migrated definition of a system interconnection and service into components. The "service" and "interconnection" component types are now used to define these. (usnistgov#498) Flattened party -> org/person to be just party. Party now has a type which identifies if the party is a person or organization. Added SHA-3 algorithms to the hash algorithm list. (usnistgov#632)
* Renamed group-as names to make them more consistent. * Moved levergaed-authorizations to system-implementation. Made system-implementation and control-implementation required. * Added metadata and fixed other front matter in content * Updated examples with AU-5 mock-up data * Filled in missing titles and descriptions. Added role/user. * Updates to examples. Tweak to SSP Metaschema * Adding metaschema support for UUIDs. Implemented uuids addressing issue #676. * Fixed broken schema and schematron paths. * Fixed content to use new uuid-based flags. * Profile resolution test set update to M3 models * Updating profile resolver; renaming uuid support XSLT (#42) * Removed SSL certificate check for wget to deal with broken SSL cert on apache archive site. * Updated OSCAL version in metaschema files. * Migrated definition of a system interconnection and service into components. The "service" and "interconnection" component types are now used to define these. (#498) * Flattened party -> org/person to be just party. Party now has a type which identifies if the party is a person or organization. * Added SHA-3 algorithms to the hash algorithm list. (#632) * Fixed Docker container to run scripts that require in-place editing. * Fixed SSP elements that reference a component UUID, but lacked the correct type. * Added a location title. * Updating metaschema support to fix bug (usnistgov/metaschema#56). * Added "homepage" link relation. * Fixed message error in round-trip validation which indicated the wrong type of conversion as compared to what was actually happening. Fixed remaining round-trip issues. * Updated Assessment Metaschemas * Updated FedRAMP Profiles * WIP - UUID transition prep * WIP assessment * Finished UUID Transition * Significant assessment metaschema updates * Assessment metaschema changes * Assessment metaschema changes * party assembly tweaks * Assessment Metaschema Updates * Updated FedRAMP Profiles * additional assessment model tweaks * SAR and POA&M Model Adjustments * Metaschema gymnastics * Fixed invalid content. * SSP Example - Remove Schema Line * Baselines with relative path to catalog * Baseline path tweaks Co-authored-by: David Waltermire <david.waltermire@nist.gov> Co-authored-by: Wendell Piez <wendell.piez@nist.gov> Co-authored-by: Wendell Piez <wapiez@wendellpiez.com>
* Renamed group-as names to make them more consistent. * Moved levergaed-authorizations to system-implementation. Made system-implementation and control-implementation required. * Added metadata and fixed other front matter in content * Updated examples with AU-5 mock-up data * Filled in missing titles and descriptions. Added role/user. * Updates to examples. Tweak to SSP Metaschema * Adding metaschema support for UUIDs. Implemented uuids addressing issue usnistgov#676. * Fixed broken schema and schematron paths. * Fixed content to use new uuid-based flags. * Profile resolution test set update to M3 models * Updating profile resolver; renaming uuid support XSLT (#42) * Removed SSL certificate check for wget to deal with broken SSL cert on apache archive site. * Updated OSCAL version in metaschema files. * Migrated definition of a system interconnection and service into components. The "service" and "interconnection" component types are now used to define these. (usnistgov#498) * Flattened party -> org/person to be just party. Party now has a type which identifies if the party is a person or organization. * Added SHA-3 algorithms to the hash algorithm list. (usnistgov#632) * Fixed Docker container to run scripts that require in-place editing. * Fixed SSP elements that reference a component UUID, but lacked the correct type. * Added a location title. * Updating metaschema support to fix bug (usnistgov/metaschema#56). * Added "homepage" link relation. * Fixed message error in round-trip validation which indicated the wrong type of conversion as compared to what was actually happening. Fixed remaining round-trip issues. * Updated Assessment Metaschemas * Updated FedRAMP Profiles * WIP - UUID transition prep * WIP assessment * Finished UUID Transition * Significant assessment metaschema updates * Assessment metaschema changes * Assessment metaschema changes * party assembly tweaks * Assessment Metaschema Updates * Updated FedRAMP Profiles * additional assessment model tweaks * SAR and POA&M Model Adjustments * Metaschema gymnastics * Fixed invalid content. * SSP Example - Remove Schema Line * Baselines with relative path to catalog * Baseline path tweaks Co-authored-by: David Waltermire <david.waltermire@nist.gov> Co-authored-by: Wendell Piez <wendell.piez@nist.gov> Co-authored-by: Wendell Piez <wapiez@wendellpiez.com>
User Story:
As an OSCAL stakeholder, I want to make sure there is a balance between the flexibility/expandability of the System Security Plan (SSP) schema; between its practical use in templating an SSP.
Goals:
We conducted a raw mapping of the current draft of the
oscal-sspschema (as of today), using a converted markdown format of the FEDRAMP Tailored SSP template. Work is DRAFT here: http://fedramp-ssp.netlify.com/fedramp-tailoredThe review showed the truly great value/potential in this; but also the need to improve and reduce the footprint of the SSP schema, to make it intuitive as a simple presentation layer for an SSP.
Acceptance Criteria
commondata elements, based on a mapping to the FEDRAMP tailored appendix B SSP template the following elements we're seldom used but at the same time common across multiple levels of the hierarchy. It seems appropriate to establish acommonschema and reuse it throughout.system-security-plan.metadata.versionexists. Suggest this is turned into a nested property inversions:Address the use of and the ideally the removal and consolidation of
servicesintocomponentsandinterconnectionsintoleveraged-authorizations. There are currently the following overlapping concepts:componentsservicesssp-interconnectionsservices.ssp-protocolsservices.protocolscomponentsshould just hrefcontrol-implementations&implemented-component, those last two elements should not be at the ssp layer.The current schema should do away with any implementation/inheritance of controls and delegate all of that into the control implementation layer of the schema and only ref the component by
id. However, at that same time components SHOULD at the SSP layer have declared ports/protocols/interconnections as child elements for rendering into the SSP (instead of usingservices/ssp-interconnections). Suggest removingcontrol-implementation&implemented-componentfrom ssp layer of the schema altogether and move all ports/protocol information intocomponents.interconnections- doesn't have the needed attributes to fill in the required fields for the FEDRAMPed tailored SSP table.Currently, there is no ability to list the full set of "Inventory" lists with the schema.
All Comments contained in YAML here from the exercise:
The text was updated successfully, but these errors were encountered: