Skip to content
This repository has been archived by the owner on Dec 12, 2023. It is now read-only.

Add Post-OSCAL Still Conventional Attachments #106

Closed
wants to merge 9 commits into from

Conversation

GaryGapinski
Copy link
Collaborator

  • additionally add Privacy-related constraints

- additionally add Privacy-related constraints
@github-actions

This comment has been minimized.

-change "lacks" to "has"
- remove comments from consolidation
@github-actions

This comment has been minimized.

- SP 800-60v2r1 checks are separate
@github-actions

This comment has been minimized.

Copy link

@ohsh6o ohsh6o left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick review because you brought it up in stand-up, but it is still not on the board and marked draft. Some quick thoughts in either case.

resources/validations/src/ssp-additions.sch Outdated Show resolved Hide resolved
Comment on lines +51 to +52
<sch:value-of
select="$path" /> has no reference within the document</sch:assert>
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: This should have more positive language, correct?

Suggested change
<sch:value-of
select="$path" /> has no reference within the document</sch:assert>
<sch:value-of
select="$path" /> SHOULD optionally have a reference within the document (but does not)</sch:assert>

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion.

resources/validations/src/ssp-additions.sch Show resolved Hide resolved
resources/validations/src/ssp-additions.sch Outdated Show resolved Hide resolved
<sch:title>A FedRAMP SSP must incorporate one policy document and one procedure document for each of the 17 NIST SP 800-54r4 control
families</sch:title>

<!-- TODO: handle attachments declared by component (see implemented-requirement ac-1 for an example) -->
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

B: So is this still correct and the componentized attachments are not supported?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The consensus with the OSCAL developers appeared (twice) to be that inventory-items should hold the related attributes and that "inheritance" should not be used. This did not have certitude, so we could restore inheritance were that to be the final resolution.

Copy link

@ohsh6o ohsh6o Jun 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was confused because, in our last NIST sync meeting, you acknowledged their advice. Then you said something along the lines subsequently in different later meeting between you, Dan, and I that you would keep it anyway, since you saw it as unwise to throw it out. I was surprised, but you suggested it was not such a big deal since the code was implemented and there was no reason to roll it back.

Am I mistaken?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think you are mistaken. I will overlay component inheritance on the system inventory after a get a clean unit test on system-inventory-less-component-inheritance.

I do not think there is any other way to reduce the complexity+redundancy of inventory properties other than to use component inheritance. However, that will be a novel type of system inventory representation to FedRAMP reviewers. I presume, that a transform from OSCAL to traditional FedRAMP system inventory will be desired if not necessary.

resources/validations/src/ssp-additions.sch Show resolved Hide resolved
@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

- tweak base64 content validation
@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions
Copy link

XSpec Test Results

  1 files  ±0    2 suites  ±0   0s ⏱️ ±0s
59 tests ±0  47 ✔️ ±0  12 💤 ±0  0 ❌ ±0 

Results for commit f99e433. ± Comparison against base commit c729539.

@GaryGapinski GaryGapinski self-assigned this Jul 1, 2021
@GaryGapinski GaryGapinski marked this pull request as ready for review July 1, 2021 03:44
@GaryGapinski
Copy link
Collaborator Author

This is closed (obviated) by #108.

ohsh6o added a commit that referenced this pull request Jul 2, 2021
* Update submodule and configuration for submodule.

The usnistgov/OSCAL repo has a `main` branch, `master has been
deprecated and removed.

* Updated content with content-upgrade transforms.

* Check Fix SSP errors fixed.

* Update prop with `-ref` suffixes to `by-` prefixes.

* Add explicit XSD validation checking with xm-model PI.

* Update `CORE` and `response-point` props. Other fixes.

* More fixes.

* Switch from @id-ref to @target-id.

* Adjust status/state to status/@State.

* Logical content touchups, lots of target additions.

* Mixed up status/@State enum value.

Made a small slip in `/assessment-results//target/status/@state`.

* Base on resolution and current NIST SP800-53 catalog.

Fix errors like this:

```
/oscal/baselines/rev4/xml/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.xml:4175: element select: Schemas validity error : Element '{http://csrc.nist.gov/ns/oscal/1.0}select', attribute 'how-many': [facet 'pattern'] The value 'one or more' is not accepted by the pattern '[\i-[:𐀀-󯿿]][Resolved profile '/oscal/baselines/rev4/xml/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.xml' is not a valid OSCAL catalog.
```
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants