SSP Tutorials - Planning

[iMichaela]

User Story:

As an OSCAL tutorial developer, I need to identify which features are most important to be explained in a tutorial, and in how many tutorials should the SSP explanation be split to make each tutorial simple enough to understand the issues, but comprehensive enough to be useful.

Goals:

A list of the tutorials necessary to explain the SSP model and how to create a system's OSCAL SSP and the features that need to be highlighted in each SSP tutorial.

Dependencies:

None

Acceptance Criteria

The list of tutorials and features is clear and complete.

[david-waltermire]

We need to create a strawman outline illustrating the quantity of tutorials and which SSP model features will be covered in each tutorial..

[iMichaela]

Below is an outline of a set of mini-tutorials:

Tutorial 1

• Importing the Profile (baseline)
• System Characteristics
  • System IDs
  • System Description
  • System Information, Impact Level
  • Authorization Boundary
  • Network Architecture and Data Flow

Tutorial 2

• Expressing the Roles, Parties, Responsibilities
• Responsible parties

Tutorial 3

• System Implementation
  • Users
  • Components (Services, etc) (Tutorial: SSP components #862)
  • Inventory

Tutorial 4

• Controls Implementation (Documentation Update: Control Representations in SSP #819)

Tutorial 5

• Interconnections
• Leveraged Authorizations

[david-waltermire]

@Rene2mt We should discuss the way forward on this issue which outlines a few tutorials. Once we have a solid outline, I'd like to have you start working on a tutorial in this series.

[Rene2mt]

SSP Tutorials Plan (Issue #654)

SSPs have a lot of content. We'll want to develop a series of tutorials that incrementally walks readers through the process of developing an SSP in OSCAL without overwhelming them. The following is a proposed series of SSP related tutorials (e.g., try to follow the Model Overview & Key Concepts.

Metadata Tutorial - Metadata syntax is identical and required in all OSCAL models. It includes information such as the document's title, publication version, publication date, and OSCAL version. Metadata is also used to define roles, parties (people, teams and organizations), and locations.

• NOTE: the metadata tutorial is already being addressed via issue Metadata Section Tutorial #909

Tutorial 1: System Characteristics: Represents attributes of the system, such as its name, description, models, and information processed. A lot to cover here so maybe split into several smaller chunks

• Tutorial 1 (Part 1) - (e.g., system-id, system-name & system-short-name, description, date-authorized, any SSP specific prop & link examples). This is probably a good place to cover roles, parties, responsibilities (see issue Tutorial: SSP System Characteristics - Part 1 of 3 #975).
• Tutorial 1 (Part 2) - (e.g., security-sensitivity-level, system-information, security-impact-level, status) (see issue Tutorial: SSP System Characteristics - Part 2 of 3 #976).
• Tutorial 1 (Part 3) - (e.g., authorization-boundary, network-architecture, data-flow) (see issue Tutorial: SSP System Characteristics - Part 3 of 3 #977).

Tutorial 2: System Implementation: Represents relevant information about the system's deployment, including user roles, interconnections, services, and system inventory.

• Tutorial 2 (Part 1) - leveraged-authorization, user (see issue system inventory. Tutorial: SSP System Implementation - Part 1 of 3 #978).
• Tutorial 2 (Part 2) - components. This tutorial could really help clarify the difference between component definition components, vs SSP components (see issues Tutorial: SSP components #862 & Tutorial: SSP System Implementation - Part 2 of 3 #979).
• Tutorial 2 (Part 3) - inventory (see issue Tutorial: SSP System Implementation - Part 3 of 3 #980).

Tutorial 3: Control Implementation: Describes how profiles are imported and how each control in the baseline is implemented within the system (see issues #819 & #981).

• Import baseline profile
• description, set-parameter, implemented-requirement
  • would this be the place to also show how component definitions are used in the SSP?

Back Matter Tutorial: Back matter syntax is identical in all OSCAL models. It is used for resources including attachments, citations, and embedded content such as graphics.

• NOTE: since back-matter is generic and its syntax is identical for all OSCAL models, it will be covered separately in its own tutorial (not part of the SSP tutorial series)

Overall, the SSP tutorial series would total of 7 relatively small tutorials.

[david-waltermire]

@Rene2mt Thanks for creating the new issues for this. Since these issues will be used for the tutorial development, I am going to close this issue.