usnistgov · aj-stein-nist · Sep 20, 2022 · Sep 2, 2022 · Sep 2, 2022 · Sep 2, 2022
diff --git a/src/metaschema/examples/rules-component.xml b/src/metaschema/examples/rules-component.xml
@@ -1,11 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- This is a mapping example used for development. This file should be moved to the oscal-content repo when this feature is ready. -->
 <component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="3559d200-4849-41ac-a420-28b2ffa22c52">
     <metadata>
         <title>Example Component Definition for Openshift Container Platform v4, Rules, and Tests</title>
-        <last-modified>2022-08-23T00:00:00.000000000-04:00</last-modified>
+        <last-modified>2022-08-23T00:00:00.000000001-04:00</last-modified>
         <version>0.0.1-alpha</version>
         <oscal-version>1.2.0</oscal-version>
     </metadata>
@@ -117,11 +116,15 @@
                     <description>
                         <p>Configuration managers can use the product's functionality to establish and document configuration settings for OCP4 cluster(s) employed within the system. When not using system defaults, configuration managers can use <insert type="param" id-ref="cm-06_prm_1"/> that reflect the most restrictive mode consistent with operational requirements.</p>
                     </description>
+                    <rule-implementation uuid="9b49bb8b-7eb6-48a6-8dfa-08302f1af80c">
+                        <description>
+                            <p>This rule and test are evidence of how the use of properly configured OpenShift satisfies part of this requirement.</p>
+                        </description>
+                        <condition operator="and">
+                            <testing-scenario-reference testing-scenario-uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe"/>
+                        </condition>
+                    </rule-implementation>
                 </statement>
-                <condition operator="and">
-                    <!-- Bind testing scenario for static analysis test only. -->
-                    <testing-scenario-reference testing-scenario-uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe" />
-                </condition>
             </implemented-requirement>
         </control-implementation>
     </component>

diff --git a/src/metaschema/examples/rules-ssp.xml b/src/metaschema/examples/rules-ssp.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292">
+    <metadata>
+        <title>Example System Security Plan with Rules and Tests</title>
+        <last-modified>2022-08-23T00:00:00.000000001-04:00</last-modified>
+        <version>0.0.1-alpha</version>
+        <oscal-version>1.2.0</oscal-version>
+    </metadata>
+    <import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/>
+    <system-characteristics>
+        <system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id>
+        <system-name>Example System</system-name>
+        <description>
+            <p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p>
+        </description>
+        <date-authorized>2022-08-23</date-authorized>
+        <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
+        <system-information>
+            <information-type>
+                <title>Summary of System Development Information in Example System</title>
+                <description>
+                    <p>This application contains system development data.</p>
+                </description>
+                <confidentiality-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </confidentiality-impact>
+                <integrity-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </integrity-impact>
+                <availability-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </availability-impact>
+            </information-type>
+        </system-information>
+        <security-impact-level>
+            <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
+            <security-objective-integrity>fips-199-moderate</security-objective-integrity>
+            <security-objective-availability>fips-199-moderate</security-objective-availability>
+        </security-impact-level>
+        <status state="under-development"/>
+        <authorization-boundary>
+            <description>
+                <p>There is no authorization boundary for the application.</p>
+            </description>
+            <remarks>
+                <p>This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.</p>
+            </remarks>
+        </authorization-boundary>
+    </system-characteristics>
+    <system-implementation>
+        <user uuid="a2276e8d-f8f1-43c3-9e5a-4165ba37476e">
+            <authorized-privilege>
+                <title>System Developer Privilege</title>
+                <function-performed>add functionality</function-performed>
+                <function-performed>modify functionality</function-performed>
+                <function-performed>maintain deploy system in environment</function-performed>
+            </authorized-privilege>
+        </user>
+        <rule uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b">
+            <title>Monitoring System Logging for Indicators of Compromise Commands in Privileged Contacts</title>
+            <description>
+                <p>When threat actors want to confirm they have successfully performed privilege escalation, they will want to confirm they have elevated system privileges.</p>
+                <p>Responsible staff for a given role must monitor systems logs in a centralized logging system to confirm organizationally-recommended commands have not been run in a privileged context.</p>
+                <ul>
+                    <li>whoami</li>
+                    <li>id</li>
+                    <li>groups</li>
+                    <li>env</li>
+                </ul>
+            </description>
+            <prop name="ioc-command" class="query-parameter" value="whoami"/>
+            <prop name="ioc-command" class="query-parameter" value="id"/>
+            <prop name="ioc-command" class="query-parameter" value="groups"/>
+            <prop name="ioc-command" class="query-parameter" value="env"/>
+        </rule>
+        <test uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539">
+            <description>
+                <p>This test documents which Splunk commands you will run to look for commands associated with indicators of compromise.</p>
+            </description>
+            <remarks>
+                <p>The internal structure of structuring and passing parameters of the query is yet to be determined.</p>
+            </remarks>
+        </test>
+        <testing-scenario uuid="886adeea-8cb9-4a78-9ab6-b3562cbc9e9f" rule-uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b">
+            <test-reference test-uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539" />
+        </testing-scenario>
+        <component uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" type="this-system">
+            <title>Example System Core Component</title>
+            <description>
+                <p>This component documents Example System, an information system under development that makes use of automated system evaluation with rules.</p>
+            </description>
+            <status state="under-development"/>
+            <responsible-role role-id="system-engineer"/>
+            <remarks>
+                <p>This is an example system to demonstrate the use of rules for auditing requirements.</p>
+            </remarks>
+        </component>
+    </system-implementation>
+    <control-implementation>
+        <description>
+            <p>Example System follows the Risk Management Framework as defined in SP 800-37 and 800-53 for risk management, privacy, and security guidance.</p>
+        </description>
+        <implemented-requirement uuid="2060f510-e178-40ce-8e61-8cd1ec16c348" control-id="au-6.8">
+            <by-component component-uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" uuid="1bbea228-c161-410f-a70e-3e287b38460c">
+                <description>
+                    <p>This describes how Example System requires system operators to perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.</p>
+                </description>
+                <implementation-status state="implemented"/>
+
+            </by-component>
+        </implemented-requirement>
+    </control-implementation>
+    <back-matter>
+        <resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f">
+            <rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml"/>
+        </resource>
+    </back-matter>
+</system-security-plan>
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
@@ -801,6 +801,12 @@
       <assembly ref="by-component" max-occurs="unbounded">
         <group-as name="by-components" in-json="ARRAY"/>
       </assembly>
+      <assembly ref="rule-implementation" max-occurs="unbounded">
+        <group-as name="rule-implementations" in-json="ARRAY"/>
+        <remarks>
+          <p>Multiple rule implementations can be provided to describe alternative rule-based implementations used to evaluate the implementation and effectiveness of the containing control statement.</p>
+        </remarks>
+      </assembly>
       <field ref="remarks" in-xml="WITH_WRAPPER"/>
     </model>
     <constraint>
@@ -1031,6 +1037,12 @@
         <group-as name="responsible-roles" in-json="ARRAY"/>
       </assembly>
       <!-- CHANGED: removed "set-parameter" -->
+      <assembly ref="rule-implementation" max-occurs="unbounded">
+        <group-as name="rule-implementations" in-json="ARRAY"/>
+        <remarks>
+          <p>Multiple rule implementations can be provided to describe alternative approaches for using rules to evaluate the implementation and effectiveness of the containing control.</p>
+        </remarks>
+      </assembly>
       <field ref="remarks" in-xml="WITH_WRAPPER"/>
     </model>
     <constraint>