[RFC] Adding Actions to the OSCAL Metadata Assembly

[aj-stein-nist]

Committer Notes

This is a PR for the community to review the inclusion of actions to the metadata assembly of OSCAL, thereby allowing actions in any OSCAL model document instance. Please provide feedback before or during the upcoming model review meeting on 2 September 2022.

Closes #1033.

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers
  "?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Do all automated CI/CD checks pass?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

Changes to Core Features:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
• Have you included examples of how to use your new feature(s)?

[aj-stein-nist]

As discussed in today's model meeting, below is a sample SSP with an approval action. Feedback welcome!

<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../../OSCAL/xml/schema/oscal_complete_schema.xsd" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292">
    <metadata>
        <title>Example System SSP with Actions</title>
        <last-modified>2022-09-02T00:00:00.000000001-04:00</last-modified>
        <version>0.0.1-alpha</version>
        <oscal-version>1.1.0</oscal-version>
        <role id="legal-officer">
            <title>IT Security and Compliance Division Legal Officer</title>
            <short-name>Counsel</short-name>
         </role>
         <party uuid="166befca-8f70-4170-8848-2af978990772" type="organization">
            <name>ExampleCorp Office of the Counsel</name>
            <short-name>ExampleCorp Legal</short-name>
            <link href="https://example.com" rel="homepage"/>
            <email-address>[email protected]</email-address>
            <address type="work">
               <addr-line>100 Main Street NW</addr-line>
               <city>Washington</city>
               <state>DC</state>
               <postal-code>20000</postal-code>
               <country>US</country>
            </address>
         </party>
        <action uuid="bc90bc6b-8d06-4422-8bbb-63fd525f62f6" date="2022-08-23T00:00:00.000000001-04:00" type="approval">
            <responsible-party role-id="legal-officer">
                <party-uuid>166befca-8f70-4170-8848-2af978990772</party-uuid>
            </responsible-party>
        </action>
    </metadata>
    <import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/>
    <system-characteristics>
        <system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id>
        <system-name>Example System</system-name>
        <description>
            <p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p>
        </description>
        <date-authorized>2022-08-23</date-authorized>
        <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
        <system-information>
            <information-type>
                <title>Summary of System Development Information in Example System</title>
                <description>
                    <p>This application contains system development data.</p>
                </description>
                <confidentiality-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </confidentiality-impact>
                <integrity-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </integrity-impact>
                <availability-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </availability-impact>
            </information-type>
        </system-information>
        <security-impact-level>
            <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
            <security-objective-integrity>fips-199-moderate</security-objective-integrity>
            <security-objective-availability>fips-199-moderate</security-objective-availability>
        </security-impact-level>
        <status state="under-development"/>
        <authorization-boundary>
            <description>
                <p>There is no authorization boundary for the application.</p>
            </description>
            <remarks>
                <p>This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.</p>
            </remarks>
        </authorization-boundary>
    </system-characteristics>
    <system-implementation>
        <user uuid="3260c490-ad55-4c99-a3d4-09a6b6f6fb17">
            <authorized-privilege>
                <title>System Developer Privilege</title>
                <function-performed>add functionality</function-performed>
                <function-performed>modify functionality</function-performed>
                <function-performed>maintain deploy system in environment</function-performed>
            </authorized-privilege>
        </user>
        <component uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" type="this-system">
            <title>The Example System Core Component</title>
            <description>
                <p></p>
            </description>
            <status state="under-development"/>
            <remarks>
                <p>This is an example system with notional examples, the system and this document will never be complete, regardless of the intention of implicated by <code>action</code> examples.</p></remarks>
        </component>
    </system-implementation>
    <control-implementation>
        <description>
            <p></p>
        </description>
        <implemented-requirement uuid="e7d0fd18-0bc6-4583-9eb2-66e77956a96d" control-id=""></implemented-requirement>
    </control-implementation>
    <back-matter>
        <resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f">
            <rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml"/>
        </resource>
    </back-matter>
</system-security-plan>

For now, I removed the JSON and YAML examples because the conversion tool had a minor bug, reported in usnistgov/metaschema-java#131. Will have to convert JSON/YAML examples by hand or wait out the bug, sorry for those following it.

[david-waltermire]

This looks good.