clarified the semantics of implemented-requirement in a component def…

…inition as only a suggestion of how to implement. Resolves usnistgov#1194.
david-waltermire · May 4, 2022 · 50c0945 · 50c0945
1 parent e6c89a4
commit 50c0945
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
@@ -358,7 +358,7 @@
     <model>
       <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Description</formal-name>
-        <description>A description of how the specified control is implemented for the containing component or capability.</description>
+        <description>A suggestion for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
         <group-as name="props" in-json="ARRAY"/>
@@ -397,6 +397,9 @@
         </remarks>
       </is-unique>
     </constraint>
+    <remarks>
+      <p>Implemented requirements within a component or capability in a component definition provide a means to suggest possible control implementation details, which may be used by a different party when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.</p>
+    </remarks>
   </define-assembly>
   <define-assembly name="statement" scope="local">
     <formal-name>Control Statement Implementation</formal-name>

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
@@ -690,7 +690,7 @@
   </define-assembly>
   <define-assembly name="implemented-requirement" scope="local">
     <formal-name>Control-based Requirement</formal-name>
-    <description>Describes how the system satisfies an individual control.</description>
+    <description>Describes how the system satisfies the requirements of an individual control.</description>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Control Requirement Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->