From 51da1833bbe60b4eb3c74d6ff3b3593f2069bd92 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 9 Dec 2021 08:39:33 -0500 Subject: [PATCH 1/5] Release 1.0 metaschema adjustments (#1065) * Many fixes to the constraints in the OSCAL metaschemas to repair broken Metapaths. * fixing defects in metaschema constraints * Updating to latest Metaschema toolchain. Removed use of the "require" constraint. * updating readme with current links --- src/metaschema/oscal_control-common_metaschema.xml | 9 +++++++++ src/metaschema/oscal_profile_metaschema.xml | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 8b6a857fe8..47df693e7f 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -73,6 +73,15 @@ &allowed-values-control-group-property-name; + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 0be13bae06..d6ffb3835e 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -122,7 +122,7 @@ As-Is Structuring Directive An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. - + Custom grouping A Custom element frames a structure for embedding represented controls in resolution. From bfaa6d0a1db8ce245134b09fb727f1c75c85ab2a Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Fri, 28 Jan 2022 11:21:08 -0500 Subject: [PATCH 2/5] Add basic shape of update rule construct. --- .../oscal_assessment-common_metaschema.xml | 242 ---------------- src/metaschema/oscal_component_metaschema.xml | 3 + .../oscal_control-common_metaschema.xml | 259 ++++++++++++++++++ 3 files changed, 262 insertions(+), 242 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index 509a6beb08..d5f0902098 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -98,112 +98,6 @@ - - - - - Activity - Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. - - Assessment Activity Universally Unique Identifier - - A machine-oriented, globally unique> identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. - - - - Included Activity Title - The title for this included activity. - - - Included Activity Description - A human-readable description of this included activity. - - - - - - - - - Step - Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure. - - - Step Universally Unique Identifier - - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. - - - - Step Title - The title for this step. - - - Step Description - A human-readable description of this step. - - - - - - - - - -

This can be optionally used to define the set of controls and control objectives that are assessed by this step.

- - - - - -

Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.

- - - - - - - - -

Since multiple party-uuid entries can be provided, each role-id must be referenced only once.

- - - - - - related-controls - -

This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.

- - - - - -

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- - - - - - - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - - - - -

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- - - - - Task Represents a scheduled event or milestone, which may be associated with a series of assessment actions. @@ -368,136 +262,6 @@ - - - Reviewed Controls and Control Objectives - Identifies the controls being assessed and their control objectives. - - - Control Objective Description - A human-readable description of control objectives. - - - - - - - - - - Assessed Controls - Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan. - - - - Assessed Controls Description - A human-readable description of in-scope controls specified for assessment. - - - - - - - - - - All - A key word to indicate all. - - - include-control - - -

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

- - - - - exclude-control - - -

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

- - - - - -

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

-

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

- - - - - Referenced Control Objectives - Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan. - - - - Control Objectives Description - A human-readable description of this collection of control objectives. - - - - - - - - - - All - A key word to indicate all. - - - include-objective - - -

Used to select a control objective for inclusion by the control objective's identifier.

- - - - - exclude-objective - - -

Used to select a control objective for exclusion by the control objective's identifier.

- - - - - -

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

-

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

- - - - - -

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

-

When resolving the selection of controls and control objectives, the following processing will occur:

-

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

-

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

- - - - - Select Control - Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope. - - - - Include Specific Statements - Used to constrain the selection to only specificity identified statements. - - - - - - - Select Objective - Used to select a control objective for inclusion/exclusion based on the control objective's identifier. - - - Assessment Subject Placeholder @@ -1638,12 +1402,6 @@ - - - Objective ID - Points to an assessment objective. - - Assessment Part diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index 4bdb6a6ec5..b1e3e6df00 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -38,6 +38,9 @@ + + + diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 47df693e7f..8c4a18c9e4 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -228,6 +228,265 @@ + + + + + Activity + Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. + + Assessment Activity Universally Unique Identifier + + A machine-oriented, globally unique> identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Included Activity Title + The title for this included activity. + + + Included Activity Description + A human-readable description of this included activity. + + + + + + + + + Step + Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure. + + + Step Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Step Title + The title for this step. + + + Step Description + A human-readable description of this step. + + + + + + + + + +

This can be optionally used to define the set of controls and control objectives that are assessed by this step.

+ + + + + +

Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.

+ + + + + + + + +

Since multiple party-uuid entries can be provided, each role-id must be referenced only once.

+ + + + + + related-controls + +

This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.

+ + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+ + + + + + + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+ + + + + + + + Reviewed Controls and Control Objectives + Identifies the controls being assessed and their control objectives. + + + Control Objective Description + A human-readable description of control objectives. + + + + + + + + + + Assessed Controls + Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan. + + + + Assessed Controls Description + A human-readable description of in-scope controls specified for assessment. + + + + + + + + + + All + A key word to indicate all. + + + include-control + + +

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

+ + + + + exclude-control + + +

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

+ + + + + +

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

+

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

+ + + + + Referenced Control Objectives + Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan. + + + + Control Objectives Description + A human-readable description of this collection of control objectives. + + + + + + + + + + All + A key word to indicate all. + + + include-objective + + +

Used to select a control objective for inclusion by the control objective's identifier.

+ + + + + exclude-objective + + +

Used to select a control objective for exclusion by the control objective's identifier.

+ + + + + +

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

+

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

+ + + + + +

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

+

When resolving the selection of controls and control objectives, the following processing will occur:

+

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

+

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

+ + + + + Select Control + Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope. + + + + Include Specific Statements + Used to constrain the selection to only specificity identified statements. + + + + + + + Select Objective + Used to select a control objective for inclusion/exclusion based on the control objective's identifier. + + + + + + Objective ID + Points to an assessment objective. + + + + + Rule + An expression of a security evaluation or testing procedure. + + The formal name to identify the rule + A human-oriented identifier for the rule instance. + + + Rule UUID + A machine-oriented identifier for the rule instance. + + + + + + Parameter Value From 5c0626ebbb5b5206f99a195823db2231deac67ba Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Fri, 28 Jan 2022 15:36:17 -0500 Subject: [PATCH 3/5] Make rule's activity an optional scalar list, 0 to many. --- .../oscal_control-common_metaschema.xml | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 8c4a18c9e4..5f2a57aa6f 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -479,11 +479,25 @@ A human-oriented identifier for the rule instance. - Rule UUID - A machine-oriented identifier for the rule instance. + Rule Universally Unique Identifier + A unique identifiermachine-oriented identifier for the rule instance. - + + Rule Title + The title for this rule. + + + Rule Description + A human-readable description of this rule. + + + Rule Condition + The state of the system subject to test and evaluation of the rule as supporting evidence of factual assertions for other OSCAL data. + + + + From d6ed244a208b54431b07231930a96fcf10a99548 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Fri, 28 Jan 2022 18:38:41 -0500 Subject: [PATCH 4/5] Alias activity->condition evaluator with a use-name directive. --- src/metaschema/oscal_control-common_metaschema.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 5f2a57aa6f..8d2b3306d4 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -495,8 +495,9 @@ Rule Condition The state of the system subject to test and evaluation of the rule as supporting evidence of factual assertions for other OSCAL data. - - + + condition-evaluator + From 4c31de27ec433271d5dd652dbc550a7c5ea753af Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 31 Jan 2022 14:26:59 -0500 Subject: [PATCH 5/5] Switch from condition-evaluator(s)->condition-test(s). --- src/metaschema/oscal_control-common_metaschema.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 8d2b3306d4..dbc49e5663 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -496,8 +496,8 @@ The state of the system subject to test and evaluation of the rule as supporting evidence of factual assertions for other OSCAL data. - condition-evaluator - + condition-test +