Skip to content

Commit

Permalink
Week 30 feedback on SSP model. (usnistgov#49)
Browse files Browse the repository at this point in the history
  • Loading branch information
aj-stein-nist authored and david-waltermire committed Aug 23, 2022
1 parent ac0382a commit 7e1649e
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 4 deletions.
7 changes: 7 additions & 0 deletions src/metaschema/oscal_implementation-common_metaschema.xml
Original file line number Diff line number Diff line change
Expand Up @@ -665,6 +665,13 @@
<!-- This is an id because the idenfier is assigned and managed by humans. -->
<formal-name>System Identification</formal-name>
<!-- Identifier Declaration -->
<!--
TODO: Given feedback, we need to update Metaschema with usnistgov/metaschema#222
with props like in https://github.com/david-waltermire-nist/OSCAL/commit/3aafc080b3dc5f488c15b763f707326e77a61f5d#diff-4176d3cf694dd36b02a94207426934306ec0fdaecc54d1bb96f50f52cd7ceae6R27-R32.
We need to determine if both identifier-type='machine-oriented' and identifier-type='human-oriented'.
Option 2 is identifier-type='unspecified'.
-->
<description>A <a href="/concepts/identifier-use/#human-oriented">human-oriented</a>, <a href="/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this system identification property elsewhere in <a href="/concepts/identifier-use/#scope">this or other OSCAL instances</a>. When referencing an externally defined <code>system identification</code>, the <code>system identification</code> must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned <a href="/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same system across revisions of the document.</description>
<json-value-key>id</json-value-key>
<define-flag name="identifier-type" as-type="uri">
Expand Down
16 changes: 12 additions & 4 deletions src/metaschema/oscal_ssp_metaschema.xml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@
<!-- TODO: Add a link to "within the scope of the containing OSCAL document" to point to documentation of identification scopes" -->
<p>If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified <code>resource</code> in the document's <code>back-matter</code> or another object that is within the scope of the containing OSCAL document. The identified resource will be used instead as the target resource.</p>
<p>If an internet resource is used, the <code>href</code> value will be an absolute or relative URI pointing to the location of the target resource. A relative URI will be resolved relative to the location of the document containing the link.</p>
<p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL [profile resolution specification](https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/) to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.</p>
<p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution specification</a> to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.</p>
<p>While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.</p>
</remarks>
</define-flag>
Expand All @@ -88,6 +88,9 @@
<define-field name="system-name-short" as-type="string">
<formal-name>System Name - Short</formal-name>
<description>A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.</description>
<remarks>
<p>Since <code>system-name-short</code> is optional, if the <code>system-name-short</code> is not provided, the <code>system-name</code> can be used as a substitute.</p>
</remarks>
</define-field>
<define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
<formal-name>System Description</formal-name>
Expand Down Expand Up @@ -304,6 +307,10 @@
<index-has-key name="index-back-matter-resource" target="link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]">
<key-field target="@href" pattern="#(.*)"/>
</index-has-key>
<!--
TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
add the path target to security-sensitivity-level as well.
-->
<matches target="link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]" datatype="uri"/>
<allowed-values target="information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)">
<enum value="fips-199-low">A 'low' sensitivity level as defined in <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.
Expand Down Expand Up @@ -334,18 +341,19 @@
<formal-name>Security Impact Level</formal-name>
<description>The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.</description>
<model>
<!--
TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
add the path target to security-impact-level as well for fips-199-low/mod/high.
-->
<define-field name="security-objective-confidentiality" as-type="string" min-occurs="1">
<!-- CHANGED: cardinality to min 1 -->
<formal-name>Security Objective: Confidentiality</formal-name>
<description>A target-level of confidentiality for the system, based on the sensitivity of information within the system.</description>
</define-field>
<define-field name="security-objective-integrity" as-type="string" min-occurs="1">
<!-- CHANGED: cardinality to min 1 -->
<formal-name>Security Objective: Integrity</formal-name>
<description>A target-level of integrity for the system, based on the sensitivity of information within the system.</description>
</define-field>
<define-field name="security-objective-availability" as-type="string" min-occurs="1">
<!-- CHANGED: cardinality to min 1 -->
<formal-name>Security Objective: Availability</formal-name>
<description>A target-level of availability for the system, based on the sensitivity of information within the system.</description>
</define-field>
Expand Down

0 comments on commit 7e1649e

Please sign in to comment.