Approval Status and Date for OSCAL Document Instance

[ohsh6o]

User Story:

As an OSCAL tool developer, in order to allow my tools to show that different stakeholders from the organization authoring the information system's security documentation (SSP, SAP, SAR, and/or POA&M), I want to add metadata to show the responsible parties for approval and dates of these approvals.

Goals:

@david-waltermire-nist and I had found a way to effectively encode only the responsible party for these approvals, but current use of additional props, existing OSCAL generic metadata structures, and/or specific structures for particular OSCAL models cannot effectively encode and map an approval date for each responsible party. There is a strong likelihood there will be more than one approval party and approval date in most cases.

• Develop a concrete example based on the Metaschema in PR Add actions assembly to encode an action (i.e. approval) and its role, party, and approval date. #1052.
• Socialize this during an OSCAL model review. [RFC] Adding Actions to the OSCAL Metadata Assembly #1429
• Collect feedback, and identify any follow-on work if needed.

See GSA/fedramp-automation#162 for more context.

Dependencies:

N/A

Acceptance Criteria

• All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

[ohsh6o]

Per conversation today with Dave and Wendell, I am going to make a recommended architecture design a new assembly. It will look something like this.

• An approvals assembly
  • With 0 to unbounded instances of an approval. Each approval will have:
    • party
    • role
    • date
    • remarks
    • links
    • prop

Will draft a PR with proposed changes to the Metaschema for review, hopefully for tomorrow's model review meeting.

[xee5ch]

As @ohsh6o is inactive, I will try and pick this up. I was talking to @wendellpiez and think, given feedback from the model meeting and his recommendation, I will try to update this PR and convert approvals and approval to actions and action.

[aj-stein-nist]

Whew, this guy! Per discussion with Dave, I like the previously implemented assembly designs, I still want to talk over potential naming collisions and other stuff prior to merging this, given Dave and team's approval.

Meeting invite sent for next week.

[aj-stein-nist]

OK the contributed PR is ready for review and should be good to go for Dave. Sliding this to Under Review.

[david-waltermire]

PR #1052 is ready to merge. Need community review.

[david-waltermire]

Going to merge #1429 since there has been no additional community feedback.