Feature 800 53 updates #221
Conversation
* For consistency providing link bindings, making three corrections by hand on label properties (prop[@name='label']: - 'AC-20a.1' becomes 'AC-20a.01' - 'AC-20a.2' becomes 'AC-20a.02' - 'PE-03(01)02]' becomes 'PE-03(01)[02]' * Adding enhancement XSLT with preliminary result * Cleanup: updating content, removing preliminary result * Correcting validation error
* Update param AC-07(02)_ODP[02] to use and, not or. * Param AC-24_ODP[01] to require only one choice. * Add parens to param CA_02(03)_ODP[01] pluralization * Limit param CA-08(03)_ODP[02] to 1, not >=1 select * Change PM-31_ODP[02] and PM-31_ODP[03] param plurals * Add control IA-13 to catalog. * Add control enhancement IA-13.1 to catalog. * Add control enhancement IA-13.2 to catalog. * IA-13 control and enhancements refs must link back. * Implementation level and assurance tag for new controls. * Add FIPS 196 and FIPS 198-1 for IA-13.3 references to back-matter. * Add IA-13.3, align final edits from RMF Team, and version metadata. * Fix bad copy-paste on FIPS-196 UUID anchor for IA-13.3 refs Re-running Schematron one last time indicated the final digit was missing from this UUID. * Fix revisions, errant link/@rel, and resource title
|
When this has been reviewed for other potential issues, we need to do the following to complete the changes:
|
|
Any estimate on when this will get a full release? FedRAMP wants to align the baselines with 5.1.1, but we need this content to do so. Can we do anything to help? |
@david-waltermire-nist - I provided this information/answer in the chat of the FedRAMP bites today. We are just one step away from finishing it (there are some missing links between assessment-objectives to their control statements that need to go in). We will finish them and review them this week (tomorrow) and release early next week (Monday is my hope, if we do not get any issue with the resolved profiles to capture the text changes for some controls). I also mentioned in the chat that there is only one extra control IA-13 which is not part of any NIST baselines but it might be of interest to FedRAMP to bring it into scope for some use cases since is dealing with identity federation. If the decision is made this is not the case, then the rest of the updates are minimal (text clarifications). |
|
I'll be investigating the cardinality warning today |
|
Happy to see the relationships between the assessment-method and the statement. This is a move in a good direction. For the assessment-method links that point to the statement, I am not sure |
I had a similar thought with @david-waltermire-nist when I reviewed @wendellpiez 's PR we incorporated, but believed that was discussed with the RMF team (participants: @aj-stein-nist and @wendellpiez ). I wanted to suggest |
|
Using The problem with being too general is you run into semantic "clashes". Say for example we have the need to both describe the associated statement, and a dependency on another assessment method. If all we have is |
There was a problem hiding this comment.
As a cross-check I suggest running Schematrons over edited content, after touching it. There appear to be two possible test sets (Schematron files) in the repo, either of which might be useful.
Attempting to apply these to modified content, the worst case scenario is the Schematron is broken or reports false errors. Assuming it runs, however, the functionality can easily be tested interactively and its usefulness assessed, if not improved.
The testing checks for certain regularities not expressed in constraints in the (meta)schema, such as names and order of labels, correspondences between labels and @id values, and other things that had better be in order.
IIRC one of these at least also reports info-level messages of potential interest.
|
Also noting - the advantage of keeping the included updating XSLT here is we can do a global change if wanted, by running this XSLT again (with any mods needed). The proposed change however is simple enough I would suggest a small refactoring operation in a capable editor (I can demo if called on). |
I see the point you are making. The links are linking an A highly specific type is valuable only to humans that understand it when processing the information. A tool will not know what to do with the relation unless it is coded to understand it. So a GRC tool developer will have to guess all possible values if the relation is important to be processed or will just ignore it if the value is not understood by the tool. This was the reason behind the proposed generalization - the reuse. In the example you provide above, the "identity" ( I'll bring this discussion tomorrow to our team and let them decide but the community's input is highly desired. The PR can not stay open for too long since FedRAMP needs the 800-53 rev 5.1.1. This link relation type can be updated at any time in the future should it be proven to not satisfy the GRC tool developers' expectations. |
Indeed. Sorry about that. I somehow switched this around. I'm glad you understood what I was saying.
I am not looking for a highly specific type, just one that is aligned well to the semantics of the relationship. IMHO, something like This link needs to be suitable for machine consumption, which is why having a codepoint, i.e. the link "rel", that aligns with the given semantics is important.
I believe the
Indeed. As a member of the OSCAL community and the FedRAMP OSCAL lead, I'm providing input here in this thread. This relationship is something we want to use at FedRAMP for validation and in our GRC solution. Updating it in the future, would require we change all things downstream that depend on it. This is why I am concerned about getting this right now. We want to rely on this, so we would like it to be stable for long-term use. |
I'll ask the team to consider the importance to FedRAMP of the The catalog does not provide any links from the The schema allows for locally defined values, and I would not recommend including any other values besides the existing |
|
Let's make the improvements - I like the |
Great! Thank you.
While this would be helpful, I am happy if any additional work on this is deferred to a future update to move the OSCAL 5.1.1 catalog forward with a release ASAP.
Ok. Thanks. |
|
@david-waltermire-nist - All links were updated per FedRAMP's request to |
* Adding links from assessment objectives to statement items (#147) * For consistency providing link bindings, making three corrections by hand on label properties (prop[@name='label']: - 'AC-20a.1' becomes 'AC-20a.01' - 'AC-20a.2' becomes 'AC-20a.02' - 'PE-03(01)02]' becomes 'PE-03(01)[02]' * Adding enhancement XSLT with preliminary result * Cleanup: updating content, removing preliminary result * Correcting validation error * Publish Updated NIST SP 800-53 Revision 5.1.1 Controls (#220) * Update param AC-07(02)_ODP[02] to use and, not or. * Param AC-24_ODP[01] to require only one choice. * Add parens to param CA_02(03)_ODP[01] pluralization * Limit param CA-08(03)_ODP[02] to 1, not >=1 select * Change PM-31_ODP[02] and PM-31_ODP[03] param plurals * Add control IA-13 to catalog. * Add control enhancement IA-13.1 to catalog. * Add control enhancement IA-13.2 to catalog. * IA-13 control and enhancements refs must link back. * Implementation level and assurance tag for new controls. * Add FIPS 196 and FIPS 198-1 for IA-13.3 references to back-matter. * Add IA-13.3, align final edits from RMF Team, and version metadata. * Fix bad copy-paste on FIPS-196 UUID anchor for IA-13.3 refs Re-running Schematron one last time indicated the final digit was missing from this UUID. * Fix revisions, errant link/@rel, and resource title * Add missing ia-13 links. * added links for assessment objectives * contrpl ia-13.3 error fixed * Per reviewer's comment, replaced depends-on with related-to. * Updated last-modified and version * updated rel value to assessment-for per FedRAMP's request * updated profiles' metadata * updated profiles' root uuid --------- Co-authored-by: Wendell Piez <[email protected]> Co-authored-by: A.J. Stein <[email protected]> Co-authored-by: Iorga <[email protected]> Co-authored-by: Iorga <[email protected]>
* Feature 800 53 updates (#221) * Adding links from assessment objectives to statement items (#147) * For consistency providing link bindings, making three corrections by hand on label properties (prop[@name='label']: - 'AC-20a.1' becomes 'AC-20a.01' - 'AC-20a.2' becomes 'AC-20a.02' - 'PE-03(01)02]' becomes 'PE-03(01)[02]' * Adding enhancement XSLT with preliminary result * Cleanup: updating content, removing preliminary result * Correcting validation error * Publish Updated NIST SP 800-53 Revision 5.1.1 Controls (#220) * Update param AC-07(02)_ODP[02] to use and, not or. * Param AC-24_ODP[01] to require only one choice. * Add parens to param CA_02(03)_ODP[01] pluralization * Limit param CA-08(03)_ODP[02] to 1, not >=1 select * Change PM-31_ODP[02] and PM-31_ODP[03] param plurals * Add control IA-13 to catalog. * Add control enhancement IA-13.1 to catalog. * Add control enhancement IA-13.2 to catalog. * IA-13 control and enhancements refs must link back. * Implementation level and assurance tag for new controls. * Add FIPS 196 and FIPS 198-1 for IA-13.3 references to back-matter. * Add IA-13.3, align final edits from RMF Team, and version metadata. * Fix bad copy-paste on FIPS-196 UUID anchor for IA-13.3 refs Re-running Schematron one last time indicated the final digit was missing from this UUID. * Fix revisions, errant link/@rel, and resource title * Add missing ia-13 links. * added links for assessment objectives * contrpl ia-13.3 error fixed * Per reviewer's comment, replaced depends-on with related-to. * Updated last-modified and version * updated rel value to assessment-for per FedRAMP's request * updated profiles' metadata * updated profiles' root uuid --------- Co-authored-by: Wendell Piez <[email protected]> Co-authored-by: A.J. Stein <[email protected]> Co-authored-by: Iorga <[email protected]> Co-authored-by: Iorga <[email protected]> * Adjust home repository to oscal-content --------- Co-authored-by: Wendell Piez <[email protected]> Co-authored-by: A.J. Stein <[email protected]> Co-authored-by: Iorga <[email protected]> Co-authored-by: Iorga <[email protected]>
Committer Notes
This incorporates the following PRs:
It also corrects a few content issues.
All Submissions:
Changes to Core Features: