
target examples in Profile Resolution selection and merge phase documentation #740

Closed
joshualubell opened this issue Aug 24, 2020 · 6 comments
Comments

@joshualubell
Member

joshualubell commented Aug 24, 2020

The OSCAL Profile Resolution page provides examples of source profiles and their resolved targets resulting from selection and merge phases. These targets have elements such as <profile> and <selection> that are not allowed in the OSCAL catalog model.

Example:

<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="merge-keep_profile">
    <metadata> … </metadata>
    <selection id="…">
      <control id="a1"> … </control>
      <control id="c1"> … </control>
    </selection>
    <selection id="…">
      <control id="b1"> … </control>
    </selection>
</profile>

Is this a mistake in the documentation, or am I missing something?

@david-waltermire
Contributor

@wendellpiez Can you answer this?

@wendellpiez
Contributor

What is probably not clear enough -- it is expressed in the documentation, but apparently not well enough -- is that the tagging there is merely nominal for representing an internal (transitional) state in profile resolution. So not part of the model of either catalog or profile, but a sort of hybrid.

The fact that this question comes up tells me that the docs should probably be rewritten (maybe with some sort of specialized notation?) to show that some of these tags, such as selection here, are only "virtual".

I propose we mark this for attention when we next make an editorial pass over the Profile Resolution spec.
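To make the distinction in the comment above concrete, here is an added example (not code from the OSCAL project or from any participant in this thread) that takes a constructed copy of the nominal intermediate tree from the issue and flattens it into a plain OSCAL catalog: the "virtual" selection wrappers are dropped and their controls are hoisted under a real catalog root. The sample ids, titles and the assumption that this profile uses "keep" merge semantics (duplicate control ids retained rather than collapsed) are constructed for illustration; the real resolver is the project's own tooling, not this script.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
ET.register_namespace("", OSCAL_NS)  # serialize with the OSCAL default namespace


def q(name: str) -> str:
    """Clark-notation tag name for an element in the OSCAL namespace."""
    return f"{{{OSCAL_NS}}}{name}"


# Constructed sample of the *intermediate* state sketched in the issue. The
# <selection> wrappers (and the <profile> root around resolved controls) are
# nominal notation only; they belong to neither the catalog nor the profile
# model. Ids and titles are made up for this example.
INTERMEDIATE = f"""<profile xmlns="{OSCAL_NS}" id="merge-keep_profile">
  <metadata><title>Hypothetical merged profile</title></metadata>
  <selection id="import-catalog-a">
    <control id="a1"><title>Control A1</title></control>
    <control id="c1"><title>Control C1 (from catalog A)</title></control>
  </selection>
  <selection id="import-catalog-b">
    <control id="b1"><title>Control B1</title></control>
    <control id="c1"><title>Control C1 (from catalog B)</title></control>
  </selection>
</profile>"""


def finalize_catalog(intermediate_xml: str, catalog_id: str) -> ET.Element:
    """Flatten the nominal intermediate tree into a plain OSCAL <catalog>.

    Every <control> under any <selection> is re-parented directly under the
    new <catalog>; the <selection> wrappers are discarded. "keep" merge
    semantics are assumed: controls with the same id arriving through
    different selections are all retained, not deduplicated.
    """
    root = ET.fromstring(intermediate_xml)
    catalog = ET.Element(q("catalog"), {"id": catalog_id})
    metadata = root.find(q("metadata"))
    if metadata is not None:
        catalog.append(metadata)
    for selection in root.findall(q("selection")):
        for control in selection.findall(q("control")):
            catalog.append(control)
    return catalog


def control_ids(catalog: ET.Element) -> list[str]:
    """Ids of the top-level controls in document order."""
    return [c.get("id", "") for c in catalog.findall(q("control"))]


def has_virtual_elements(tree: ET.Element) -> bool:
    """True if any notation-only element survived into the final tree."""
    virtual = {q("selection"), q("profile")}
    return any(el.tag in virtual for el in tree.iter())


if __name__ == "__main__":
    resolved = finalize_catalog(INTERMEDIATE, "merge-keep_catalog")
    print(ET.tostring(resolved, encoding="unicode"))
    print("controls:", control_ids(resolved))
    print("virtual elements left:", has_virtual_elements(resolved))
```

Running the script prints a `<catalog>` whose direct children are `<metadata>` followed by the four controls (`a1`, `c1`, `b1`, `c1`), which is the kind of tree a catalog-model validator would actually accept; the check at the end confirms that no `<selection>` or `<profile>` element survives the flattening.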

@david-waltermire david-waltermire added this to the OSCAL 1.1.0 milestone Nov 5, 2020
@iMichaela
Contributor

@joshualubell -- I looked at the resolved profiles (few of them) and I do not find any elements such as <profile> and <selection>. Could you please check again, maybe the resolved profiles no longer contain assemblies not allowed in a catalog. If not, could you please provide a link to the file? The documentation update remains an issue.

@wendellpiez
Contributor

wendellpiez commented Nov 12, 2020

@iMichaela the critique is not with catalog resolution but with its documentation, where I invented a notational convention that confuses the reader as to the model. (Josh took a nominal representation of an intermediate state to be a canonical representation of the final state.)

The document certainly needs work; in addition to this problem, the problem of specifying behaviors for "orphan" controls (enhancements without their parents, under different merge scenarios) needs to be specified fully, as @JustKuzya has pointed out.

I propose we flag this Issue as a work item for me to work on the Profile Resolution Specification (with advice from @david-waltermire-nist ).

@joshualubell
Member Author

joshualubell commented Nov 12, 2020

@wendellpiez is correct. I had confused his intermediate representation with the OSCAL representation of a resolved profile. BTW, kudos for taking on the profile resolution documentation issue. I believe this is really important - especially now that 800-53r5 and 800-53B have adopted OSCAL.

Looking at the OSCAL stakeholder categories (Assessors, Baseline Authors, Security Professionals, Tool Developers), my guess is that only Tool Developers might need to understand the interim steps of profile resolution.

@david-waltermire
Contributor

I believe this issue has been completed, since the inline examples in the spec have been updated. Closing this for now.

@joshualubell Can you review the current spec to make sure your concerns have been cleared up? If you have further concerns, please open a new issue.
