[WIP] Metaschema Enhancements Needed for Rule Construct in Component Definition

src/metaschema/oscal_assessment-common_metaschema.xml

@@ -98,112 +98,6 @@
       </model>
    </define-assembly>
 
-   <!-- ===============================  -->
-   <!-- ========= NEW CONTENT =========  -->
-   <!-- ===============================  -->
-   <define-assembly name="activity">
-      <formal-name>Activity</formal-name>
-      <description>Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.</description>
-      <define-flag name="uuid" required="yes" as-type="uuid">
-         <formal-name>Assessment Activity Universally Unique Identifier</formal-name>
-         <!-- Identifier Declaration -->
-         <description>A <a href="/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="/concepts/identifier-use/#globally-unique">globally unique</a>> identifier with <a href="/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this assessment activity elsewhere in <a href="/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>activity</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
-      </define-flag>
-      <model>
-         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
-            <formal-name>Included Activity Title</formal-name>
-            <description>The title for this included activity.</description>
-         </define-field>
-         <define-field name="description" min-occurs="1" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
-            <formal-name>Included Activity Description</formal-name>
-            <description>A human-readable description of this included activity.</description>
-         </define-field>
-         <assembly ref="property" max-occurs="unbounded">
-            <group-as name="props" in-json="ARRAY"/>
-         </assembly>
-         <assembly ref="link" max-occurs="unbounded">
-            <group-as name="links" in-json="ARRAY"/>
-         </assembly>
-         <define-assembly name="step" min-occurs="0" max-occurs="unbounded">
-            <formal-name>Step</formal-name>
-            <description>Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.</description>
-            <group-as name="steps" in-json="ARRAY"/>
-            <define-flag name="uuid" required="yes" as-type="uuid">
-               <formal-name>Step Universally Unique Identifier</formal-name>
-               <!-- Identifier Declaration -->
-               <description>A <a href="/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this step elsewhere in <a href="/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>step</code> (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
-            </define-flag>
-            <model>
-               <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
-                  <formal-name>Step Title</formal-name>
-                  <description>The title for this step.</description>
-               </define-field>
-               <define-field name="description" min-occurs="1" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
-                  <formal-name>Step Description</formal-name>
-                  <description>A human-readable description of this step.</description>
-               </define-field>
-               <assembly ref="property" max-occurs="unbounded">
-                  <group-as name="props" in-json="ARRAY"/>
-               </assembly>
-               <assembly ref="link" max-occurs="unbounded">
-                  <group-as name="links" in-json="ARRAY"/>
-               </assembly>
-               <assembly ref="reviewed-controls">
-                  <remarks>
-                     <p>This can be optionally used to define the set of controls and control objectives that are assessed by this step.</p>
-                  </remarks>
-               </assembly>
-               <assembly ref="responsible-role" max-occurs="unbounded">
-                  <group-as name="responsible-roles" in-json="ARRAY"/>
-                  <remarks>
-                     <p>Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.</p>
-                  </remarks>
-               </assembly>
-               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
-            </model>
-            <constraint>
-               <is-unique id="unique-step-responsible-role" target="responsible-role">
-                  <key-field target="@role-id"/>
-                  <remarks>
-                     <p>Since multiple <code>party-uuid</code> entries can be provided, each role-id must be referenced only once.</p>
-                  </remarks>
-               </is-unique>
-            </constraint>
-         </define-assembly>
-         <assembly ref="reviewed-controls">
-            <use-name>related-controls</use-name>
-            <remarks>
-               <p>This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.</p>
-            </remarks>
-         </assembly>
-         <assembly ref="responsible-role" max-occurs="unbounded">
-            <group-as name="responsible-roles" in-json="ARRAY"/>
-            <remarks>
-               <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
-            </remarks>
-         </assembly>
-         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
-      </model>
-      <constraint>
-         <!-- TODO: Dave to double-check constraints here -->
-         <allowed-values target="prop/@name" allow-other="yes">
-            <enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
-         </allowed-values>
-         <has-cardinality target="prop[@name='method']" min-occurs="1"/>
-         <allowed-values target="prop[@name='method']/@value">
-            <enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
-            <enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
-            <enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
-         </allowed-values>
-         <is-unique id="unique-activity-responsible-role" target="responsible-role">
-            <key-field target="@role-id"/>
-            <remarks>
-               <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
-            </remarks>
-         </is-unique>
-      </constraint>
-   </define-assembly>
-
    <define-assembly name="task">
       <formal-name>Task</formal-name>
       <description>Represents a scheduled event or milestone, which may be associated with a series of assessment actions.</description>
@@ -368,136 +262,6 @@
    <!-- = END NEW = -->
    <!-- =========== -->
 
-   <!-- ********** OBJECTIVES Assembly ********** -->
-   <define-assembly name="reviewed-controls">
-      <formal-name>Reviewed Controls and Control Objectives</formal-name>
-      <description>Identifies the controls being assessed and their control objectives.</description>
-      <model>
-         <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
-            <formal-name>Control Objective Description</formal-name>
-            <description>A human-readable description of control objectives.</description>
-         </define-field>
-         <assembly ref="property" max-occurs="unbounded">
-            <group-as name="props" in-json="ARRAY"/>
-         </assembly>
-         <assembly ref="link" max-occurs="unbounded">
-            <group-as name="links" in-json="ARRAY"/>
-         </assembly>
-
-         <define-assembly name="control-selection" min-occurs="1" max-occurs="unbounded">
-            <formal-name>Assessed Controls</formal-name>
-            <description>Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.</description>
-            <group-as name="control-selections" in-json="ARRAY"/>
-            <model>
-               <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
-                  <formal-name>Assessed Controls Description</formal-name>
-                  <description>A human-readable description of in-scope controls specified for assessment.</description>
-               </define-field>
-               <assembly ref="property" max-occurs="unbounded">
-                  <group-as name="props" in-json="ARRAY"/>
-               </assembly>
-               <assembly ref="link" max-occurs="unbounded">
-                  <group-as name="links" in-json="ARRAY"/>
-               </assembly>
-               <choice>
-                  <define-assembly name="include-all" min-occurs="1">
-                     <formal-name>All</formal-name>
-                     <description>A key word to indicate all.</description>
-                  </define-assembly>
-                  <assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded">
-                     <use-name>include-control</use-name>
-                     <group-as name="include-controls" in-json="ARRAY"/>
-                     <remarks>
-                        <p>Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.</p>
-                     </remarks>
-                  </assembly>
-               </choice>
-               <assembly ref="select-control-by-id" max-occurs="unbounded">
-                  <use-name>exclude-control</use-name>
-                  <group-as name="exclude-controls" in-json="ARRAY"/>
-                  <remarks>
-                     <p>Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.</p>
-                  </remarks>
-               </assembly>
-               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
-            </model>
-            <remarks>
-               <p>The <code>include-all</code>, specifies all control identified in the <strong>baseline</strong> are included in the scope if this assessment, as specified by the <code>include-profile</code> statement within the linked SSP.</p>
-               <p>Any control specified within <code>exclude-controls</code> must first be within a range of explicitly included controls, via <code>include-controls</code> or <code>include-all</code>.</p>
-            </remarks>
-         </define-assembly>
-
-         <define-assembly name="control-objective-selection" min-occurs="0" max-occurs="unbounded">
-            <formal-name>Referenced Control Objectives</formal-name>
-            <description>Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.</description>
-            <group-as name="control-objective-selections" in-json="ARRAY"/>
-            <model>
-               <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
-                  <formal-name>Control Objectives Description</formal-name>
-                  <description>A human-readable description of this collection of control objectives.</description>
-               </define-field>
-               <assembly ref="property" max-occurs="unbounded">
-                  <group-as name="props" in-json="ARRAY"/>
-               </assembly>
-               <assembly ref="link" max-occurs="unbounded">
-                  <group-as name="links" in-json="ARRAY"/>
-               </assembly>
-               <choice>
-                  <define-assembly name="include-all" min-occurs="1">
-                     <formal-name>All</formal-name>
-                     <description>A key word to indicate all.</description>
-                  </define-assembly>
-                  <assembly ref="select-objective-by-id" min-occurs="1" max-occurs="unbounded">
-                     <use-name>include-objective</use-name>
-                     <group-as name="include-objectives" in-json="ARRAY"/>
-                     <remarks>
-                        <p>Used to select a control objective for inclusion by the control objective's identifier.</p>
-                     </remarks>
-                  </assembly>
-               </choice>
-               <assembly ref="select-objective-by-id" max-occurs="unbounded">
-                  <use-name>exclude-objective</use-name>
-                  <group-as name="exclude-objectives" in-json="ARRAY"/>
-                  <remarks>
-                     <p>Used to select a control objective for exclusion by the control objective's identifier.</p>
-                  </remarks>
-               </assembly>
-               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
-            </model>
-            <remarks>
-               <p>The <code>include-all</code> field, specifies all control objectives for any in-scope control. In-scope controls are defined in the <code>control-selection</code>.</p>
-               <p>Any control objective specified within <code>exclude-controls</code> must first be within a range of explicitly included control objectives, via <code>include-objectives</code> or <code>include-all</code>.</p>
-            </remarks>
-         </define-assembly>
-         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
-      </model>
-      <remarks>
-         <p>In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.</p>
-         <p>When resolving the selection of controls and control objectives, the following processing will occur:</p>
-         <p>1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.</p>
-         <p>2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.</p>
-      </remarks>
-   </define-assembly>
-
-   <define-assembly name="select-control-by-id" scope="local">
-      <formal-name>Select Control</formal-name>
-      <description>Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.</description>
-      <flag ref="control-id" required="yes"/>
-      <model>
-         <define-field name="statement-id" as-type="token" min-occurs="0" max-occurs="unbounded" >
-            <formal-name>Include Specific Statements</formal-name>
-            <description>Used to constrain the selection to only specificity identified statements.</description>
-            <group-as name="statement-ids" in-json="ARRAY"/>
-         </define-field>
-      </model>
-   </define-assembly>
-
-   <define-assembly name="select-objective-by-id">
-      <formal-name>Select Objective</formal-name>
-      <description>Used to select a control objective for inclusion/exclusion based on the control objective's identifier.</description>
-      <flag ref="objective-id" required="yes"/>
-   </define-assembly>
-
    <!-- ********** ASSESSMENT SUBJECT Assembly ********** -->
    <define-assembly name="assessment-subject-placeholder">
       <formal-name>Assessment Subject Placeholder</formal-name>
@@ -1638,12 +1402,6 @@
       </constraint>
    </define-assembly>
 
-   <define-flag name="objective-id" as-type="token" scope="local">
-      <!-- This is an id to sync with control syntax -->
-      <formal-name>Objective ID</formal-name>
-      <description>Points to an assessment objective.</description>
-   </define-flag>
-
    <define-assembly name="assessment-part"> <!--scope="local"-->
       <!-- QUESTION: Is it confusing to use part here, given the control meaning of part? -->
       <formal-name>Assessment Part</formal-name>

src/metaschema/oscal_component_metaschema.xml

@@ -38,6 +38,9 @@
     </define-flag>
     <model>
       <assembly ref="metadata" min-occurs="1"/>
+      <assembly ref="rule" min-occurs="0" max-occurs="unbounded">
+        <group-as name="rules" in-json="ARRAY"/>
+      </assembly>
       <assembly ref="import-component-definition" max-occurs="unbounded">
         <group-as name="import-component-definitions" in-json="ARRAY"/>
       </assembly>