Initiated spiral 3 for issue #5 #8

Draft of Spiral 3
Compton-US committed Apr 5, 2023
commit e75f4ef6850348e81941c2a8d65b445d0df5870c
56 changes: 28 additions & 28 deletions research-2023/effort-responsibility-sharing/2023-03-08.003.md
@@ -24,7 +24,7 @@ As an OSCAL model developer, I need examples of the an SSP that contain content

## Requirements

- Produce an example based on the common fields that were identified in OSCAL Issue [1336](https://github.com/usnistgov/OSCAL/issues/1336).
- Produce an example based on the common fields that were identified in OSCAL Issue [1336](https://github.com/usnistgov/OSCAL/issues/1336) and recorded in [Spiral 1](2022-07-05.001.md).
- Produce an example that demonstrates a potential approach that does not require modification to the existing SSP model. (or requires minimal modification).

## Approach
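Review bot: The Spiral 1 link added to the first requirement is a bare relative path, `2022-07-05.001.md`, so it only resolves if that file sits beside this one in research-2023/effort-responsibility-sharing/; the 2022 date in the filename makes that worth confirming before merge. While this list is being touched, the trailing "(or requires minimal modification)." after the full stop in the second requirement could be folded into its sentence.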
@@ -42,15 +42,24 @@ As an OSCAL model developer, I need examples of the an SSP that contain content

## Determination

`Content Here`
The goal of this spiral was to produce examples of exports, one question did arise that if all exportable content was not located under the export assembly, is there still a need to explicitly define which content is exportable?

Two potential options:

- The export assembly defines the exported fields.
- An attribute, such as `exportable`, could be added to content to be exported.

The content of this spiral should be reviewed with those that are interested in meeting on this topic.

## Constraints and Assumptions

`Content Here`
- We are working with a limited set of controls, so more complex systems with hundreds or thousands exports may have unique needs that are not fully understood in this spiral.
- We only focus on the format of the export, and do not fully explore a shared responsibility scenario. This may need to be considered in a future spiral.

## Existing Benchmarks, Practices and Prior Art

`Content Here`
- For OSCAL, a responsibility model, is new.
- Current practices use spreadsheets, and this was reviewed as a part of [Spiral 1](2022-07-05.001.md).

## Analysis
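Review bot: Determination now records an open question and two options rather than a determination, and neither option says what happens to content that is neither under the export assembly nor marked `exportable`. Stating that such content is not exported by default would make the two options comparable and close the gap the question points at. Wording in the same hunk: the opening sentence is a comma splice ("...examples of exports, one question did arise that if..."), "hundreds or thousands exports" is missing "of", and "For OSCAL, a responsibility model, is new." has stray commas.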

@@ -215,49 +224,40 @@ An example using existing fields and assemblies, requiring no SSP model modifica

## Outcome

The goal of this spiral was to produce examples of exports, one question did arise that if all exportable content was not located under the export assembly, is there still a need to explicitly define which content is exportable?

Two potential options:
The examples have been completed based on a single, fully inheritable control, and a set of controls prepared for another project as synthetic data.

- The export assembly defines the exported fields.
- An attribute, such as `exportable`, could be added to content to be exported.
The shared responsibility use case was not prepared for this spiral, so that we could attempt to prepare an SSP using synthetic controls.

# Interpretation

## Feasibility

`Content Here`
It appears feasible to use the existing SSP assemblies, but to fully address the common fields, props may be needed. This would assume that implementation-status:state is the only element of the SSP that is exported outside of the export assembly.

## Risks

`Content Here`

## Workarounds

`Content Here`
- Without a method to communicate exportable information from the SSP, it is very difficult to share information without exposing the contents of an entire SSP.
- Information could be exposed if content is exported from assemblies that are not specifically marked for export. This could be an issue in a large volume of

## Resources Required

`Content Here`
- Community Feedback

## Action

`Content Here`

# Validation

`Content Here`
- Recommended: The content of this spiral should be reviewed with those that are interested in meeting on this topic. I believe we have three or four individuals that have expressed an interest in participating in a draft for a responsibility model.
- Recommended: The next spiral should be an initial exploration of a potential model for the exported content that is shared with others (e.g., customers).

# Executive

`Content Here`
TBD

| Element | Response |
| --------------------------- | ------------------- |
| Disposition | `Content Here` |
| Concurrence Recorded | `Content Here` |
| Next Spiral Sequence Number | `Content LINK Here` |
| Element | Response |
| --------------------------- | -------- |
| Disposition | TBD |
| Concurrence Recorded | TBD |
| Next Spiral Sequence Number | TBD |

# References

`Content Here`
No references.
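Review bot: The bullet beginning "Information could be exposed if content is exported from assemblies that are not specifically marked for export" stops mid-sentence at "in a large volume of", so the risk is incomplete as committed; finish the sentence or drop the trailing clause. The two exposure bullets read as risks, so check that they sit under Risks and not under Workarounds, and likewise that the two "Recommended:" bullets sit under Action rather than Validation. Feasibility depends on the assumption that `implementation-status:state` is the only element exported outside the export assembly; repeating that under Constraints and Assumptions would keep it visible to later spirals.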