Support additional control-origination props #784

[Compton-US]

Committer Notes

Based on the request in #784, extended the xpath to include control-origination props for:

implemented-requirement/prop
implemented-requirement/by-component/prop
implemented-requirement/statement/prop
implemented-requirement/statement/by-component/prop

The updated xpath selected the following paths from my test case:

" /system-security-plan[1]/control-implementation[1]/implemented-requirement[1]/prop[1]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[1]/prop[2]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[1]/prop[3]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[1]/statement[1]/prop[1]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[1]/statement[2]/by-component[1]/prop[1]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[2]/prop[1]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[2]/prop[2]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[2]/prop[3]/@name",
" /system-security-plan[1]/control-implementation[1]/implemented-requirement[2]/by-component[1]/prop[1]/@name",

A note was added that the child context will override the parent control-origination.

[aj-stein-nist]

Like #1456, I'm A.J. and I approve this message. :-)

[david-waltermire]

What is the value of a prop with name="control-origination"? We should do something to constrain the values.

[david-waltermire]

I think we need to think more about the value side of this new property.

[Compton-US]

What is the value of a prop with name="control-origination"? We should do something to constrain the values.

@david-waltermire-nist Are we wanting to review this list?

At 711:

      <allowed-values target="prop[@name='control-origination']/@value">
        <enum value="organization">The control is implemented by the organization owning the system, but is not specific to the system itself.</enum>
        <enum value="system-specific">The control is implemented specifically to this system.</enum>
        <enum value="customer-configured">The control is provided by the system, but must be configured by the customer.</enum>
        <enum value="customer-provided">The control must be implemented by the customer.</enum>
        <enum value="inherited">This control is inherited from an underlying system.</enum>
      </allowed-values>

[aj-stein-nist]

It appears I missed this bit, but Dave pointed it out and you merged it in, so now I can approve again with more confidence we met reqs. :-)

[aj-stein-nist]

OK, I am going to be that guy and retract my approval so we can discuss something? Let me know when you have time to discuss, Chris (and/or others maybe).

[aj-stein-nist]

Back to my previous state. Will approve this PR and table further conversation of follow-on work until #1502.

[david-waltermire]

LGTM. Thanks!