From 6882d51f8bcbefe0334d63d3928484bc37c4cf74 Mon Sep 17 00:00:00 2001 From: Wendell Piez Date: Fri, 9 Sep 2022 12:05:51 -0400 Subject: [PATCH] Responding to #1066: metaschema edits; CSS enhancement (#56) * Responding to #1066: metaschema edits; CSS enhancement * Whitespace cleanup in metadata metaschema * Apply suggestions from code review Co-authored-by: David Waltermire --- src/metaschema/metaschema-author.css | 65 ++++++++-- src/metaschema/oscal_catalog_metaschema.xml | 122 ++++++++++++------ .../oscal_control-common_metaschema.xml | 23 ++-- src/metaschema/oscal_metadata_metaschema.xml | 73 ++++++----- src/metaschema/oscal_profile_metaschema.xml | 71 ++++++---- 5 files changed, 234 insertions(+), 120 deletions(-) diff --git a/src/metaschema/metaschema-author.css b/src/metaschema/metaschema-author.css index 333e9fb9e0..064a793e46 100644 --- a/src/metaschema/metaschema-author.css +++ b/src/metaschema/metaschema-author.css @@ -1,4 +1,4 @@ -METASCHEMA { font-family: Georgia, serif } +METASCHEMA { font-family: Calibri, Verdana, sans-serif } * { display: block } @@ -10,6 +10,11 @@ METASCHEMA { } title { } +import:before + { content: 'import module ' oxy_urlChooser(edit, '@href', columns 60) } + + + define-assembly, define-field, define-flag { margin-top: 1ex; margin-bottom: 1ex; border: thin inset black; padding: 0.5em } @@ -23,6 +28,15 @@ define-flag:before oxy_textfield(edit, '@name', columns, 12) } +root-name:before { content: "Root name: " } + + +prop:before + { content: 'property ' + oxy_textfield(edit, '@name', columns, 25) + oxy_textfield(edit, '@value', columns, 30) + } + define-assembly[group-as]:before, define-field[group-as]:before, @@ -36,12 +50,6 @@ define-flag * { margin: 0em } define-assembly > * { margin-top: 1em } -allowed-values:before { content: "Allowed values" } -allowed-values { border: thin solid black; padding: 1em } - -enum:before { display: list-item } -enum:before { content: "enum" } - pre { padding: 0.5em; background-color: gainsboro } define-assembly { } @@ -79,6 +87,8 @@ example *:after { content: ''; font-family: monospace; font-siz model { padding-left: 0.5em; border-left: medium solid blue; font-size: 80%; padding-right: 2em } +model model { font-size: 100%; } + flag:before { content: oxy_name() ' ref: ' oxy_textfield(edit, '@ref', columns, 12) @@ -105,10 +115,45 @@ prose:before { font-weight: bold; content: choice > * { margin-left: 2em } -enum { display: block; font-size: 90%; padding-left: 1em } -enum:before { content: oxy_textfield(edit, '@value', columns, 24); } - a { display: inline; color: blue } a:before { content: oxy_urlChooser( edit, "@href", columns 42); } + + +/* CONSTRAINTS */ + +constraint > * { border: thin solid black; padding: 0.6em } + +allowed-values:before { content: "Allowed values" + ' level: ' oxy_combobox(edit, '@level', editable, false, values, "ERROR, WARNING" ) } + +enum { margin-left: 2em; display: list-item; + font-size: 90%; padding-left: 1em } +enum:before { content: oxy_textfield(edit, '@value', columns, 24); } + +index { } +index:before { content: "Index: " + ' name: ' oxy_textfield(edit, '@name', columns, 24) + ' target: ' oxy_textfield(edit, '@target', columns, 52) + ' level: ' oxy_combobox(edit, '@level', editable, false, values, "ERROR, WARNING" ); } + +key-field { margin-left: 2em } +key-field:before { content: "Key field " + ' target: ' oxy_textfield(edit, '@target', columns, 52) + ' level: ' oxy_combobox(edit, '@level', editable, false, values, "ERROR, WARNING" ); } + +expect { } +expect:before { content: "Expect " + ' target: ' oxy_textfield(edit, '@target', columns, 52) + ' test: ' oxy_textfield(edit, '@test', columns, 36) + ' level: ' oxy_combobox(edit, '@level', editable, false, values, "ERROR, WARNING" ); } + +index-has-key { } + +index-has-key:before { content: "Index has key: " + ' name: ' oxy_textfield(edit, '@name', columns, 24) + ' target: ' oxy_textfield(edit, '@target', columns, 52) + ' level: ' oxy_combobox(edit, '@level', editable, false, values, "ERROR, WARNING" ); } + + diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index dc22f29652..ef63cef286 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -5,9 +5,8 @@ ]> - + + OSCAL Control Catalog Model 1.0.4 oscal-catalog @@ -93,10 +92,10 @@ Control Group A group of controls, or of groups of controls. - + Group Identifier - Identifies the group for the purpose of cross-linking within the defining instance or other instances that reference the catalog. + Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog. @@ -163,12 +162,16 @@ Control - A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information. Each security or privacy control within the catalog is defined by a distinct control instance. + A structured object representing a requirement or guideline, which when + implemented will reduce an aspect of risk related to an information system and its + information. Control Identifier - Identifies a control such that it can be referenced in the defining catalog and other OSCAL instances (e.g., profiles). + Identifies a control such that it can be referenced in the defining + catalog and other OSCAL instances (e.g., profiles). @@ -177,16 +180,21 @@ Control Class - A textual label that provides a sub-type or characterization of the control. + A textual label that provides a sub-type or characterization of the + control. -

A class can be used in validation rules to express extra constraints over named items of a specific class value.

-

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

+

A class can be used in validation rules to express extra + constraints over named items of a specific class + value.

+

A class can also be used in an OSCAL profile as a means to + target an alteration to control content.

Control Title - A name given to the control, which may be used by a tool for display and navigation. + A name given to the control, which may be used by a tool for + display and navigation. @@ -203,7 +211,8 @@ Mapping - A mapping between the containing control and another resource. + A mapping between the containing control and another + resource. Mapping Identifier The unique identifier for the mapping. @@ -224,70 +233,97 @@ - - - &allowed-values-control-group-property-name; - The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. + + + &allowed-values-control-group-property-name; + The status of a control. For example, a + value of 'withdrawn' can indicate that the control has + been withdrawn and should no longer be used. - + The control is no longer used. - **(deprecated)*** Use 'withdrawn' instead. + **(deprecated)*** Use 'withdrawn' + instead. - The link cites an external resource related to this control. - The link identifies another control with bearing to this control. - The link identifies another control that must be present if this control is present. - The link identifies other control content where this control content is now addressed. - The containing control definition was moved to the referenced control. + The link cites an external resource related to this + control. + The link identifies another control with bearing to + this control. + The link identifies another control that must be + present if this control is present. + The link identifies other control content + where this control content is now addressed. + The containing control definition was moved to the + referenced control. - + - - An introduction to a control or a group of controls. + + An introduction to a control or a group of + controls. A set of control implementation requirements. - Additional information to consider when selecting, implementing, assessing, and monitoring a control. - **(deprecated)** Use 'assessment-method' instead. - The part describes a method-based assessment over a set of assessment objects. + Additional information to consider when selecting, + implementing, assessing, and monitoring a control. + **(deprecated)** Use + 'assessment-method' instead. + The part describes a method-based assessment + over a set of assessment objects. - + An individual item within a control statement.

Nested statement parts are "item" parts.

- - **(deprecated)** Use 'assessment-objective' instead. - The part describes a set of assessment objectives. + + **(deprecated)** Use + 'assessment-objective' instead. + The part describes a set of assessment + objectives.

Objectives can be nested.

- - **(deprecated)** Use 'assessment-objects' instead. - Provides a listing of assessment objects. + + **(deprecated)** Use + 'assessment-objects' instead. + Provides a listing of assessment + objects.

Assessment objects appear on assessment methods.

- - + **(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment-method". - - The assessment method to use. This typically appears on parts with the name "assessment-method". + + The assessment method to use. This typically appears on + parts with the name "assessment-method". - + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
-

Controls may be grouped using group, and controls may be partitioned using part or further enhanced (extended) using control.

-

A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.

+

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

+

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index abf8ef8a39..0d1168698c 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -7,7 +7,7 @@ ]> + xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes"> OSCAL Control Catalog Format -- Common Models 1.0.4 oscal-control-common @@ -24,7 +24,7 @@ Part Identifier - Provides locally unique means to identify a given control part. + A unique identifier for the part. @@ -48,9 +48,9 @@
Part Class - An optional textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns. - + An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs. +

One use of this flag is to distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns (since even within a given namespace it can be useful to overload a name).

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

@@ -92,7 +92,7 @@

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

- Multiple Parts with Different Organization-Specific Names + Multiple Parts with Different Organization-Specific Names. A requirement specific to FedRAMP stakeholders. A requirement specific to the Department of Defense stakeholders. @@ -143,7 +143,8 @@ Parameter Usage Description - Describes the purpose and use of a parameter + Describes the purpose and use of a + parameter. constraint @@ -194,7 +195,7 @@ Constraint - A formal or informal expression of a constraint or test + A formal or informal expression of a constraint or test. Constraint Description @@ -207,7 +208,8 @@ Constraint test - A formal (executable) expression of a constraint + A formal (executable) expression of a + constraint. @@ -232,7 +234,7 @@ Selection - Presenting a choice among alternatives + Presenting a choice among alternatives. Parameter Cardinality Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted. @@ -246,7 +248,8 @@ Choice - A value selection among several such options + A value selection among several such + options. choice value diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index e1bf090e07..e4433a8746 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -2,8 +2,9 @@ + + xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes"> OSCAL Document Metadata Description 1.0.4 oscal-metadata @@ -76,10 +77,9 @@ Defines a function, which might be assigned to a party in a specific situation. - Role Identifier - Provides locally unique means to identify a given role. + A unique identifier for the role. @@ -162,7 +162,7 @@ Location Universally Unique Identifier - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + A unique ID for the location, for reference. @@ -231,8 +231,7 @@ Party Universally Unique Identifier - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. - Provides locally unique means to identify a given party. + A unique identifier for the party. @@ -261,7 +260,9 @@ Party External Identifier - An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID) + An identifier for a person or organization using a designated + scheme. e.g. an Open Researcher and Contributor ID + (ORCID). id @@ -306,8 +307,7 @@ Organizational Affiliation - A reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). - + A reference to another party by UUID, typically an organization, that this subject is associated with. @@ -319,6 +319,7 @@ +

Since the reference target of an organizational affiliation must be another party (whether further qualified as person or organization) as inidcated by its uuid. As a machine-oriented identifier with uniqueness across document and trans-document scope, this uuid value is sufficient to reference the data item locally or globally across related documents, e.g., in an imported OSCAL instance.

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

@@ -429,8 +430,7 @@ Location Universally Unique Identifier Reference - A reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). - + Reference to a location by UUID. @@ -446,8 +446,7 @@ Location Universally Unique Identifier Reference - A reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). - + Reference to a location by UUID. @@ -457,16 +456,12 @@ - -

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

-
Party Universally Unique Identifier Reference - A reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). - + Reference to a party by UUID. @@ -476,15 +471,12 @@ - -

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

-
Role Identifier Reference - A reference to roles served by the user. + Reference to a role by UUID. @@ -509,8 +501,8 @@ Resource Universally Unique Identifier + A unique identifier for a resource. - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -712,7 +704,7 @@ Property Universally Unique Identifier - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + A unique identifier for a property. Property Namespace @@ -728,10 +720,11 @@ Property Class - A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns. - + A textual label that provides a sub-type or characterization of the + property's name. -

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+

This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

+

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.

@@ -925,9 +918,13 @@ Media Type - A media type provides a label that indicates the nature of a resource. The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here. - + A label that indicates the nature of a resource, as a data serialization or + format. +

The Internet Assigned Numbers Authority (IANA) Media + Types Registry defines a standardized set of media types, which may be used + here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

@@ -984,8 +981,9 @@ Email Address - An email address as defined by RFC 5322 Section 3.4.1. - + An email address as defined by RFC 5322 Section + 3.4.1. @@ -1029,11 +1027,12 @@ State - State, province or analogous geographical region for mailing address + State, province or analogous geographical region for a mailing + address. Postal Code - Postal or ZIP code for mailing address + Postal or ZIP code for mailing address. Country Code @@ -1064,11 +1063,14 @@ Document Identifier - A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, the value of the "uuid" flag of the top-level root field can serve as a document identifier. + A document identifier qualified by an identifier + scheme. identifier Document Identification Scheme - Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters. + Qualifies the kind of document identifier using a URI. If the scheme is not + provided the value of the element will be interpreted as a string of + characters. A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record. @@ -1079,6 +1081,7 @@
+

A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index ca380e51bc..5d3ea80e06 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -5,17 +5,27 @@ ]> + xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"> OSCAL Profile Model 1.0.4 oscal-profile http://csrc.nist.gov/ns/oscal/1.0 http://csrc.nist.gov/ns/oscal -

In OSCAL a profile represents a baseline of selected controls from one or more control catalogs. An OSCAL profile is used in an OSCAL system security plan (SSP) to determine the baseline of controls that must be implemented by the information system. The effective set of controls is generated through profile resolution process.

-

In OSCAL a profile represents a set of selected controls from one or more control catalogs. Such a set of controls can be referenced by an OSCAL system security plan (SSP) to establish a control baseline. This effective set of controls is produced from an OSCAL profile using a deterministic, predictable process called profile resolution.

+

In OSCAL a profile represents a set of selected controls from one or more control catalogs. Such a set of controls can + be referenced by an OSCAL system security plan (SSP) to establish a control baseline. This effective set of controls is produced from an OSCAL + profile using a deterministic, predictable process called profile resolution.

A profile references one or more OSCAL catalogs or profiles to import controls for control selection and tailoring. A profile can also describe how a resulting catalog is structured. When the profile is resolved, these selections and modifications are processed to produce a resulting OSCAL catalog.

-

OSCAL profiles have uses beyond establishing a baseline, such as documentation generation or as reference tables for validations.

+

OSCAL profiles have uses beyond establishing control baselines, such as documentation + generation or as reference tables for validations.

@@ -23,7 +33,8 @@ Profile - Each OSCAL profile is defined by a profile element + Each OSCAL profile is defined by a profile + element. profile Profile Universally Unique Identifier @@ -104,11 +115,15 @@ A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID). Combination Method - Declare how clashing controls should be handled + Declare how clashing controls should be + handled. Use the first definition - the first control with a given ID is used; subsequent ones are discarded - **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined + **(deprecated)** **(unspecified)** + Merge - controls with the same ID are + combined Keep - controls with the same ID are kept, retaining the clash @@ -146,17 +161,20 @@ Control Group - A group of (selected) controls or of groups of controls + A group of (selected) controls or of groups of controls. - + Group Identifier - Provides locally unique means to identify a given control group. + Identifies the group. + +

This optional data element is available to support hyperlinking to formal groups or families as defined in control catalogs, among other operations.

+
Group Class @@ -198,17 +216,18 @@
Modify Controls - Set parameters or amend controls in resolution + Set parameters or amend controls in resolution. Parameter Setting - A parameter setting, to be propagated to points of insertion + A parameter setting, to be propagated to points of + insertion. Parameter ID - Provides locally unique means to identify a given paramater. + An identifier for the parameter. @@ -242,7 +261,8 @@
Parameter Usage Description - Describes the purpose and use of a parameter + Describes the purpose and use of a + parameter. constraint @@ -278,7 +298,8 @@ Reference by (assigned) name - Identify items to remove by matching their assigned name + Identify items remove by matching their + assigned name. Reference by class @@ -290,7 +311,10 @@ Item Name Reference - Identify items to remove by the name of the item's information element name, e.g. title or prop + Identify items to remove by the name of the + item's information object name, e.g. + title or + prop. A descendant parameter and all of its descendants. @@ -313,11 +337,14 @@
Addition - Specifies contents to be added into controls, in resolution + Specifies contents to be added into controls, in + resolution. Position - Where to add the new content with respect to the targeted element (beside it or inside it) + Where to add the new content with respect to + the targeted element (beside it or inside + it). Preceding the by-id target @@ -414,22 +441,22 @@ Select Control - Select a control or controls from an imported control set + Select a control or controls from an imported control set. Match Controls by Identifier - + Selecting a control by its ID given as a literal. Match Controls by Pattern - Select controls by (regular expression) match on ID + Selecting a set of controls by matching their IDs with a + wildcard pattern. -

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.