From 8d9ffc9ca181e2f70d1c1c53e4740c160ac0b9bb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Sep 2023 20:42:53 +0000
Subject: [PATCH 01/51] Bump actions/checkout from 3.6.0 to 4.0.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/f43a0e5ff2bd294095638e18286ca9a3d1956744...3df4ab11eba7bda6032a0b82a6bb43b11571feac)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/release.yml  | 2 +-
 .github/workflows/status.yml   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index 245d51b3dc..331e46863f 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -12,7 +12,7 @@ jobs:
       # Needed to post comments and issues
       issues: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           submodules: recursive
       - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3164f3acb8..cc9478b616 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ jobs:
     name: Package Release
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           submodules: recursive
       - uses: actions/setup-java@v3
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index f5f1c13ec5..ab3ee57d42 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -18,7 +18,7 @@ jobs:
     name: Status Checks
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           submodules: recursive
       - uses: actions/setup-java@v3

From 96d658b79bd91d73b30d6023b39e13bbed41c087 Mon Sep 17 00:00:00 2001
From: Arminta <Arminta.Jenkins@nist.gov>
Date: Fri, 15 Sep 2023 11:33:39 -0400
Subject: [PATCH 02/51] Updated link for profile resolution

---
 src/specifications/profile-resolution/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/specifications/profile-resolution/readme.md b/src/specifications/profile-resolution/readme.md
index f844d9ca2e..6e877e6c65 100644
--- a/src/specifications/profile-resolution/readme.md
+++ b/src/specifications/profile-resolution/readme.md
@@ -23,7 +23,7 @@ need a process for this - also Github Issues?
 
 ## Providing feedback on this specification
 
-The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/) on the OSCAL web site.
+The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/resources/concepts/processing/profile-resolution/) on the OSCAL web site.
 
 Please post Issues in Github or questions to the OSCAL mailing list, or ask about them on our [Gitter channel](https://gitter.im/usnistgov-OSCAL/Lobby). (See https://pages.nist.gov/OSCAL/contact/ for links.)
 

From 31e1664c7b15cf032d9048c3e005b28d15df6f85 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Sep 2023 04:03:57 +0000
Subject: [PATCH 03/51] Bump actions/checkout from 4.0.0 to 4.1.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/release.yml  | 2 +-
 .github/workflows/status.yml   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index 331e46863f..f67f869d15 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -12,7 +12,7 @@ jobs:
       # Needed to post comments and issues
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: recursive
       - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cc9478b616..c4628fee2a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ jobs:
     name: Package Release
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: recursive
       - uses: actions/setup-java@v3
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index ab3ee57d42..31ac78ebca 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -18,7 +18,7 @@ jobs:
     name: Status Checks
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: recursive
       - uses: actions/setup-java@v3

From 928ac271bcd033f1bb07e05541d504c2af601604 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Sep 2023 04:04:30 +0000
Subject: [PATCH 04/51] Bump build/metaschema-xslt from `034e92b` to `bd4359a`

Bumps [build/metaschema-xslt](https://github.com/usnistgov/metaschema-xslt) from `034e92b` to `bd4359a`.
- [Commits](https://github.com/usnistgov/metaschema-xslt/compare/034e92b3d3dd4140ab2682d509a0c1812254f597...bd4359a0354d3a9452633a8ed915ec9e915d5431)

---
updated-dependencies:
- dependency-name: build/metaschema-xslt
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 build/metaschema-xslt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/metaschema-xslt b/build/metaschema-xslt
index 034e92b3d3..bd4359a035 160000
--- a/build/metaschema-xslt
+++ b/build/metaschema-xslt
@@ -1 +1 @@
-Subproject commit 034e92b3d3dd4140ab2682d509a0c1812254f597
+Subproject commit bd4359a0354d3a9452633a8ed915ec9e915d5431

From d831a3d3b4955382551fbf22676aa4dcd96be247 Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Sun, 20 Nov 2022 13:53:36 -0500
Subject: [PATCH 05/51] Fix expected content of resolving
 merge-keep_profile.xml

Based on the content of the catalog whose controls are being
imported, the prop names should be "label" instead of "place"
and the a1 statement paragraph should include <insert>.

Also, remove a debugging message.
---
 .../output-expected/merge-keep_profile_RESOLVED.xml  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml
index 232cef0234..7c90573a82 100644
--- a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml
+++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/merge-keep_profile_RESOLVED.xml
@@ -14,14 +14,14 @@
       <param id="a1_prm1">
          <label>A1 Parameter 1</label>
       </param>
-      <prop name="place" value="first"/>
+      <prop name="label" value="first"/>
       <part name="statement" id="a1-stmt">
-         <p>A1 aaaaa aaaaaaaaaa</p>
+         <p>A1 aaaaa <insert type="param" id-ref="a1_prm1"/> aaaaaaaaaa</p>
       </part>
    </control>
    <control id="b1">
       <title>Control B1</title>
-      <prop name="place" value="fourth"/>
+      <prop name="label" value="fourth"/>
       <part name="statement" id="b1-stmt">
          <p>B1 bbbb bbbbbbb.</p>
       </part>
@@ -31,14 +31,14 @@
       <param id="a1_prm1">
          <label>A1 Parameter 1</label>
       </param>
-      <prop name="place" value="first"/>
+      <prop name="label" value="first"/>
       <part name="statement" id="a1-stmt">
-         <p>A1 aaaaa aaaaaaaaaa</p>
+         <p>A1 aaaaa <insert type="param" id-ref="a1_prm1"/> aaaaaaaaaa</p>
       </part>
    </control>
    <control id="b1">
       <title>Control B1</title>
-      <prop name="place" value="fourth"/>
+      <prop name="label" value="fourth"/>
       <part name="statement" id="b1-stmt">
          <p>B1 bbbb bbbbbbb.</p>
       </part>

From 651deef7f042dd4fa5fa95217a1e8e5e3aaab144 Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Mon, 26 Dec 2022 16:48:51 -0500
Subject: [PATCH 06/51] Bug fix for selected children of unselected parent

Unselected parent could have multiple children that
are selected, so data type of template must accommodate
multiple elements.
---
 .../abc-multiple-children_catalog.xml         | 42 +++++++++++++++++++
 .../without-parent_profile_RESOLVED.xml       | 33 +++++++++++++++
 .../without-parent_profile.xml                | 18 ++++++++
 .../select-or-custom-merge.xsl                | 15 +++----
 .../testing/1_selected/select.xspec           | 14 +++++++
 5 files changed, 115 insertions(+), 7 deletions(-)
 create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-multiple-children_catalog.xml
 create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/output-expected/without-parent_profile_RESOLVED.xml
 create mode 100644 src/specifications/profile-resolution/profile-resolution-examples/without-parent_profile.xml

diff --git a/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-multiple-children_catalog.xml b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-multiple-children_catalog.xml
new file mode 100644
index 0000000000..1617367a4e
--- /dev/null
+++ b/src/specifications/profile-resolution/profile-resolution-examples/catalogs/abc-multiple-children_catalog.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="../../example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<!-- Modified by conversion XSLT 2021-04-05T11:12:31.584-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         uuid="6c5149e8-f3a6-437c-8035-025e9b5fc0bf"
+         xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../../../xml/schema/oscal_catalog_schema.xsd">
+   <metadata>
+      <title>Alphabet Catalog</title>
+      <last-modified>2020-05-30T14:51:41.185-04:00</last-modified>
+      <version>1.0</version>
+      <oscal-version>1.0.0-rc2</oscal-version>
+   </metadata>
+   <control id="a1">
+      <title>Control A1</title>
+      <prop name="label" value="first"/>
+      <part name="statement" id="a1-stmt">
+         <p>A1 ccccc cccccccccccccc.</p>
+      </part>
+      <control id="a1.a">
+         <title>Control A1-A</title>
+         <prop name="label" value="second"/>
+         <part name="statement" id="a1.a-stmt">
+            <p>A1 A ccccc cccccccccccccc.</p>
+         </part>
+      </control>
+      <control id="a1.b">
+         <title>Control A1-B</title>
+         <prop name="label" value="third"/>
+         <part name="statement" id="a1.b-stmt">
+            <p>A1 B ccccc cccccccccccccc.</p>
+         </part>
+      </control>
+      <control id="a1.c">
+         <title>Control A1-C</title>
+         <prop name="label" value="fourth"/>
+         <part name="statement" id="a1.c-stmt">
+            <p>A1 C ccccc cccccccccccccc.</p>
+         </part>
+      </control>
+   </control>
+</catalog>
diff --git a/src/specifications/profile-resolution/profile-resolution-examples/output-expected/without-parent_profile_RESOLVED.xml b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/without-parent_profile_RESOLVED.xml
new file mode 100644
index 0000000000..b67d38d3c2
--- /dev/null
+++ b/src/specifications/profile-resolution/profile-resolution-examples/output-expected/without-parent_profile_RESOLVED.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+         uuid="00000000-0000-4000-B000-000000000000">
+   <metadata>
+      <title>Test Profile</title>
+      <last-modified>2022-12-26T16:13:57.7747599-05:00</last-modified>
+      <version>1.0</version>
+      <oscal-version>1.0.0</oscal-version>
+      <prop name="resolution-tool" value="some value"/>
+      <link rel="source-profile" href="../without-parent_profile.xml"/>
+   </metadata>
+   <control id="a1">
+      <title>Control A1</title>
+      <prop name="label" value="first"/>
+      <part name="statement" id="a1-stmt">
+         <p>A1 ccccc cccccccccccccc.</p>
+      </part>
+   </control>
+   <control id="a1.a">
+      <title>Control A1-A</title>
+      <prop name="label" value="second"/>
+      <part name="statement" id="a1.a-stmt">
+         <p>A1 A ccccc cccccccccccccc.</p>
+      </part>
+   </control>
+   <control id="a1.c">
+      <title>Control A1-C</title>
+      <prop name="label" value="fourth"/>
+      <part name="statement" id="a1.c-stmt">
+         <p>A1 C ccccc cccccccccccccc.</p>
+      </part>
+   </control>
+</catalog>
diff --git a/src/specifications/profile-resolution/profile-resolution-examples/without-parent_profile.xml b/src/specifications/profile-resolution/profile-resolution-examples/without-parent_profile.xml
new file mode 100644
index 0000000000..08fb969048
--- /dev/null
+++ b/src/specifications/profile-resolution/profile-resolution-examples/without-parent_profile.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="../example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<!-- Modified by conversion XSLT 2021-04-05T11:22:07.701-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
+<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+         uuid="cb1ec926-3441-458f-8cce-ea11308c9d37">
+   <metadata>
+      <title>Test Profile</title>
+      <last-modified>2020-05-30T14:39:35.84-04:00</last-modified>
+      <version>1.0</version>
+      <oscal-version>1.0.0</oscal-version>
+   </metadata>
+   <import href="catalogs/abc-multiple-children_catalog.xml">
+      <include-controls  with-parent-controls="no">
+         <with-id>a1.a</with-id>
+         <with-id>a1.c</with-id>
+      </include-controls>
+   </import>
+</profile>
diff --git a/src/utils/resolver-pipeline/select-or-custom-merge.xsl b/src/utils/resolver-pipeline/select-or-custom-merge.xsl
index b7f9c003cc..200ef9b92f 100644
--- a/src/utils/resolver-pipeline/select-or-custom-merge.xsl
+++ b/src/utils/resolver-pipeline/select-or-custom-merge.xsl
@@ -11,8 +11,9 @@
 
     <xsl:include href="oscal-profile-resolve-functions.xsl"/>
 
-    <!-- A control is included if it is selected by the provided import instruction -->
-    <xsl:template match="control" mode="o:select" as="element(o:control)?">
+    <!-- A control is included if it is selected by the provided import instruction. -->
+    <!-- Also, for a nonselected control, this template can return selected children. -->
+    <xsl:template match="control" mode="o:select" as="element(o:control)*">
         <xsl:param name="import-instruction" tunnel="yes" required="yes"/>
         <xsl:choose>
             <xsl:when test="o:selects($import-instruction,.)">
@@ -20,12 +21,12 @@
                     <xsl:call-template name="add-process-id"/>
                     <xsl:apply-templates mode="#current" select="node() | @*"/>
                 </xsl:copy>
-           </xsl:when>
-           <xsl:otherwise>
-               <!-- Visit child controls in case they are selected using
+            </xsl:when>
+            <xsl:otherwise>
+                <!-- Visit child controls in case they are selected using
                    with-parent-controls="no". -->
-               <xsl:apply-templates mode="#current" select="control"/>
-           </xsl:otherwise>
+                <xsl:apply-templates mode="#current" select="control"/>
+            </xsl:otherwise>
         </xsl:choose>
     </xsl:template>
 
diff --git a/src/utils/resolver-pipeline/testing/1_selected/select.xspec b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
index 6b49655f13..c6c5c503cc 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/select.xspec
+++ b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
@@ -700,6 +700,20 @@
             </x:context>
             <x:expect label="Nothing" select="()"/>
         </x:scenario>
+        <x:scenario label="Control is not selected but its child controls are selected">
+            <!--Below, $import-instruction is an <import> element that
+                selects children a1.a and a1.c of the control with id="a1",
+                and the context node has id="a1". -->
+            <x:context mode="o:select"
+                select="doc($ov:filedir || '/catalogs/abc-multiple-children_catalog.xml')//o:control[@id='a1']">
+                <x:param name="import-instruction" tunnel="yes"
+                    select="(doc($ov:filedir || '/without-parent_profile.xml')//o:import)[1]"/>
+            </x:context>
+            <x:expect label="Copy of selected child control elements with opr:id inserted">
+                <control id="a1.a" opr:id="...">...</control>
+                <control id="a1.c" opr:id="...">...</control>
+            </x:expect>
+        </x:scenario>
     </x:scenario>
 
     <x:scenario label="Tests for match='param' mode='o:select' template">

From 534b12dca5da4223615b72677159528022aa344a Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Thu, 28 Sep 2023 16:02:43 -0400
Subject: [PATCH 07/51] Make schema paths react to directory restructuring

---
 .../testing/1_selected/resource-media-type.xml                | 2 +-
 .../testing/1_selected/resource-multiple-rlinks.xml           | 2 +-
 src/utils/resolver-pipeline/testing/pathological-profile.xml  | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/utils/resolver-pipeline/testing/1_selected/resource-media-type.xml b/src/utils/resolver-pipeline/testing/1_selected/resource-media-type.xml
index 5db7281637..243a5e4a29 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/resource-media-type.xml
+++ b/src/utils/resolver-pipeline/testing/1_selected/resource-media-type.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<?xml-model href="../../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<?xml-model href="../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
 <!-- Modified by conversion XSLT 2021-04-05T11:22:08.131-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
          uuid="427f8c54-c3af-4ca3-a92c-f6abaa015ba5">
diff --git a/src/utils/resolver-pipeline/testing/1_selected/resource-multiple-rlinks.xml b/src/utils/resolver-pipeline/testing/1_selected/resource-multiple-rlinks.xml
index 1f41a36168..060b2ee160 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/resource-multiple-rlinks.xml
+++ b/src/utils/resolver-pipeline/testing/1_selected/resource-multiple-rlinks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<?xml-model href="../../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<?xml-model href="../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
 <!-- Modified by conversion XSLT 2021-04-05T11:22:08.131-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
          uuid="427f8c54-c3af-4ca3-a92c-f6abaa015ba5">
diff --git a/src/utils/resolver-pipeline/testing/pathological-profile.xml b/src/utils/resolver-pipeline/testing/pathological-profile.xml
index d40c5cdbd3..657bff4ae9 100644
--- a/src/utils/resolver-pipeline/testing/pathological-profile.xml
+++ b/src/utils/resolver-pipeline/testing/pathological-profile.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-stylesheet type="text/css" href="../../author/CSS/oscal-author.css" title="Authoring" alternate="no"?>
-<?xml-model href="../../../schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<?xml-model href="../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<?xml-model href="../../schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<?xml-model href="../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="pathological-profile">
     <metadata>
         <title>Pathological Profile</title>

From 1c0d6ae95699a83a2e70f532ccc865459619af86 Mon Sep 17 00:00:00 2001
From: JustKuzya <dmitry.cousin@nist.gov>
Date: Thu, 12 Oct 2023 12:32:59 -0400
Subject: [PATCH 08/51] Added hybrid cloud

---
 src/metaschema/oscal_ssp_metaschema.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index af496e1e5a..4a9f903b2f 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -156,6 +156,8 @@
         </enum>
         <enum value="community-cloud">The community cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
         </enum>
+        <enum value="hybrid-cloud"> The hybrid cloud deployment model, as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>, can be supported by selecting two or more of the existing deployment models.
+        </enum>
         <!-- TODO: consider generalizing this in a way that applies to other usage contexts. -->
         <enum value="government-only-cloud">A specific type of community-cloud for use only by government services.</enum>
         <enum value="other">Any other type of cloud deployment model that is exclusive to the other choices.</enum>

From 9840b466f69de2ba04afc362688fa83f526ad5a3 Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <alexander.stein@nist.gov>
Date: Fri, 13 Oct 2023 18:50:50 -0400
Subject: [PATCH 09/51] Integrate PR feedback and merge updated enum value.

---
 src/metaschema/oscal_ssp_metaschema.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 4a9f903b2f..2cfb9df3c3 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -156,7 +156,7 @@
         </enum>
         <enum value="community-cloud">The community cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
         </enum>
-        <enum value="hybrid-cloud"> The hybrid cloud deployment model, as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>, can be supported by selecting two or more of the existing deployment models.
+        <enum value="hybrid-cloud">The hybrid cloud deployment model as defined by as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
         </enum>
         <!-- TODO: consider generalizing this in a way that applies to other usage contexts. -->
         <enum value="government-only-cloud">A specific type of community-cloud for use only by government services.</enum>

From dde71c39226f1094bbb12ee1b9e3db4babc4f4c6 Mon Sep 17 00:00:00 2001
From: Nikita Wootten <nikita.wootten@nist.gov>
Date: Wed, 25 Oct 2023 12:57:12 -0400
Subject: [PATCH 10/51] Implementation Agnostic Testing (#1946)

* Deleted duplicate `metaschema_datatypes` file
* Added spec test adr and prototype spec test file
* Spec test harness and minimal example
---
 .../0007-implementation-agnostic-tests.md     |  80 +++
 .../metaschema-datatypes.xsd                  | 241 ---------
 ...ofile-resolution-specml-requirements.xspec |   2 +-
 .../profile-resolution-specml.xml             |   4 +-
 .../profile-resolution-unit-tests.xml         |   2 +-
 .../profile-resolution/resolution-testing.xml |   2 +-
 .../profile-resolution/spec-tester.py         | 472 ++++++++++++++++++
 .../profile-resolution/spec-tests.json        |  17 +
 .../profile-resolution/unit-tests.xsd         |   2 +-
 9 files changed, 575 insertions(+), 247 deletions(-)
 create mode 100644 decisions/0007-implementation-agnostic-tests.md
 delete mode 100644 src/specifications/profile-resolution/metaschema-datatypes.xsd
 create mode 100755 src/specifications/profile-resolution/spec-tester.py
 create mode 100644 src/specifications/profile-resolution/spec-tests.json

diff --git a/decisions/0007-implementation-agnostic-tests.md b/decisions/0007-implementation-agnostic-tests.md
new file mode 100644
index 0000000000..c56793b4bd
--- /dev/null
+++ b/decisions/0007-implementation-agnostic-tests.md
@@ -0,0 +1,80 @@
+# Implementation-agnostic Testing and Test Harness
+
+Date: 10/06/2023
+
+## Status
+
+Proposed
+
+## Context
+
+In order to support the development of OSCAL tooling, it was decided prototype a unified tool responsible for validating OSCAL implementations against specification requirements.
+
+Currently, only profile resolution has been [formalized into a draft specification](../src/specifications/profile-resolution/profile-resolution-specml.xml).
+
+### Existing Infrastructure
+
+The profile resolver specification currently leverages an in-house XML format known as SpecML, which breaks down a specification into a collection of **sections**, which contain in turn a collection of **requirements**.
+Each `<section/>` and `<requirement/>` has a unique `@id` attribute.
+
+The sections and requirements are mirrored in the XSLT implementation's profile resolution unit tests.
+Although crucial to the XSLT implementation, these tests are not portable and it would not be simple to use the tests in their current state to validate other implementations.
+
+### Specification Tests
+
+Some specifications such as [CommonMark](https://commonmark.org/) include a [test suite and testing harness](https://github.com/commonmark/commonmark-spec/tree/master/test) to make it possible for implementors to "score" their implementation's conformance to the specification.
+
+## Decision
+
+### SpecML
+
+The specification format will remain unchanged for now.
+There is an argument for the format to be replaced or simplified in the future, but the use of `@id` attributes for sections and requirements make linking a test to a example simple.
+
+### Test Suite Data Format
+
+The test suite will be described using a JSON file with a simple data format.
+
+This file will contain a collection of objects that map to a given spec requirement via `section_id` and `requirement_id` fields.
+These objects will further contain a collection of "scenario" objects, each of which containing a `description`, `source_profile_path`, `expected_catalog_path`, and a collection of `selection_expressions`.
+
+For a given scenario, a test runner would be expected to perform profile resolution with the `source_profile_path` and compare selections of the resulting document with the `expected_catalog_path`.
+The `selection_expressions` are XPath expressions, though the [test harness](#test-harness) may further constrain the XPath expression's capabilities.
+
+Here is an example test suite made up of one requirement:
+
+```json
+[
+    {
+        "section_id": "import",
+        "requirement_id": "req-uri-resolve",
+        "scenarios": [
+            {
+                "description": "Check that group and control titles match, signalling that URIs have been resolved",
+                "source_profile_path": "requirement-tests/req-include-all-asis.xml",
+                "expected_catalog_path": "requirement-tests/output-expected/req-include-all-asis_RESOLVED.xml",
+                "selection_expressions": [
+                    "./oscal:group/oscal:title",
+                    "./oscal:group/oscal:control/oscal:title"
+                ]
+            }
+        ]
+    }
+]
+```
+
+The development of a JSON schema for this format is left as future work.
+
+### Test Harness
+
+A prototype testing harness has been developed, with the capability to report a given profile resolver's compliance to a specification given a [test suite JSON file](#test-suite-data-format).
+
+The prototype harness is built to be as simple as possible, avoiding external libraries.
+Python's native XPath capabilities are limited, further constraining the capabilities of the test suite.
+
+## Consequences
+
+Writing specification tests for profile resolution will require significant resources, but will make profile resolution more approachable for implementors and will make changes to the specification more maintainable.
+
+Due to the "requirement based" approach of the specification test suite, new tests can be added gradually.
+Test coverage can be determined by determining which requirements do not have tests.
diff --git a/src/specifications/profile-resolution/metaschema-datatypes.xsd b/src/specifications/profile-resolution/metaschema-datatypes.xsd
deleted file mode 100644
index a1f8e099ae..0000000000
--- a/src/specifications/profile-resolution/metaschema-datatypes.xsd
+++ /dev/null
@@ -1,241 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
-	elementFormDefault="qualified">
-
-	<xs:simpleType name="Base64Datatype">
-		<xs:restriction base="xs:base64Binary">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="BooleanDatatype">
-		<xs:restriction base="xs:boolean">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="DateDatatype">
-		<xs:restriction base="xs:date">
-			<xs:pattern value="(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|[+-][0-9]{2}:[0-9]{2})?"/>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="DateWithTimezoneDatatype">
-		<xs:annotation>
-			<xs:documentation>The xs:date with a required timezone.</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="DateDatatype">
-			<xs:pattern value="(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|[+-][0-9]{2}:[0-9]{2})"/>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="DateTimeDatatype">
-		<xs:restriction base="xs:dateTime">
-			<xs:pattern value="(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T((2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?)(Z|[+-][0-9]{2}:[0-9]{2})?"/>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="DateTimeWithTimezoneDatatype">
-		<xs:annotation>
-			<xs:documentation>The xs:dateTime with a required timezone.</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="DateTimeDatatype">
-			<xs:pattern value="(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T((2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?)(Z|[+-][0-9]{2}:[0-9]{2})"/>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="DayTimeDurationDatatype">
-		<xs:restriction base="xs:duration">
-			<xs:pattern value="[-+]?P([-+]?[0-9]+D)?(T([-+]?[0-9]+H)?([-+]?[0-9]+M)?([-+]?[0-9]+([.,][0-9]{0,9})?S)?)?"/>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="DecimalDatatype">
-		<xs:restriction base="xs:decimal">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="EmailAddressDatatype">
-		<xs:annotation>
-			<xs:documentation>An email address</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="StringDatatype">
-			<xs:pattern value="\S.*@.*\S">
-				<xs:annotation>
-					<xs:documentation>Need a better pattern.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="HostnameDatatype">
-		<xs:annotation>
-			<xs:documentation>A host name</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="StringDatatype">
-			<!-- TODO: Need a good hostname pattern -->
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="IntegerDatatype">
-		<xs:restriction base="xs:integer">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="IPV4AddressDatatype">
-		<xs:annotation>
-			<xs:documentation>The ip-v4-address type specifies an IPv4 address in
-				dot decimal notation.</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="StringDatatype">
-			<xs:pattern value="((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])" />
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="IPV6AddressDatatype">
-		<xs:annotation>
-			<xs:documentation>The ip-v6-address type specifies an IPv6 address
-				represented in 8 hextets separated by colons.</xs:documentation>
-			<xs:documentation>This is based on the pattern provided here:
-				https://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
-				with some customizations.</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="xs:string">
-			<xs:whiteSpace value="collapse" />
-			<xs:pattern
-				value="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|[fF][eE]80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::([fF]{4}(:0{1,4}){0,1}:){0,1}((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]))" />
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="NonNegativeIntegerDatatype">
-		<xs:restriction base="xs:nonNegativeInteger">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="PositiveIntegerDatatype">
-		<xs:restriction base="xs:positiveInteger">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="StringDatatype">
-		<xs:annotation>
-			<xs:documentation>A string, but not empty and not whitespace-only
-				(whitespace is U+9, U+10, U+32 or [ \n\t]+ )</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="xs:string">
-			<xs:annotation>
-				<xs:documentation>The OSCAL 'string' datatype restricts the XSD type by prohibiting leading 
-					and trailing whitespace, and something (not only whitespace) is required.</xs:documentation>
-			</xs:annotation>
-			<xs:whiteSpace value="preserve" />
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed string, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-	
-	<xs:simpleType name="TokenDatatype">
-		<xs:annotation>
-			<!--<xs:documentation>Matching XSD NCName, except whitespace is not collapsed.</xs:documentation> -->
-			<xs:documentation>A string token following the rules of XML "no
-				colon" names, with no whitespace. (XML names are single alphabetic
-				characters followed by alphanumeric characters, periods, underscores or dashes.)
-			</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="StringDatatype">
-<!-- 			value="(\p{L}|_)(\p{L}|\p{N}|[.\-_]|\xb7|[#x0300-#x036F#x203F-#x2040])*">-->
-			<xs:pattern
-				value="(\p{L}|_)(\p{L}|\p{N}|[.\-_])*">
-				<xs:annotation>
-					<!--<xs:documentation>An XML initial character (but not colon), followed 
-						by any XML name character (but not colon).</xs:documentation> -->
-					<xs:documentation>A single token may not contain whitespace.
-					</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="URIDatatype">
-		<xs:annotation>
-			<xs:documentation>A URI</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="xs:anyURI">
-			<xs:pattern value="[a-zA-Z][a-zA-Z0-9+\-.]+:.*\S">
-				<xs:annotation>
-					<xs:documentation>Requires a scheme with colon per RFC 3986.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="URIReferenceDatatype">
-		<xs:annotation>
-			<xs:documentation>A URI reference, such as a relative URL
-			</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="xs:anyURI">
-			<xs:pattern value="\S(.*\S)?">
-				<xs:annotation>
-					<xs:documentation>A trimmed URI, at least one character with no
-						leading or trailing whitespace.</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:simpleType name="UUIDDatatype">
-		<xs:annotation>
-			<xs:documentation>A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC
-				4122.</xs:documentation>
-		</xs:annotation>
-		<xs:restriction base="StringDatatype">
-			<xs:pattern
-				value="[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}">
-				<xs:annotation>
-					<xs:documentation>A sequence of 8-4-4-4-12 hex digits, with extra
-						constraints in the 13th and 17-18th places for version 4 and 5
-					</xs:documentation>
-				</xs:annotation>
-			</xs:pattern>
-		</xs:restriction>
-	</xs:simpleType>
-</xs:schema>
-
diff --git a/src/specifications/profile-resolution/profile-resolution-specml-requirements.xspec b/src/specifications/profile-resolution/profile-resolution-specml-requirements.xspec
index 379efd8c03..af0474aaa3 100644
--- a/src/specifications/profile-resolution/profile-resolution-specml-requirements.xspec
+++ b/src/specifications/profile-resolution/profile-resolution-specml-requirements.xspec
@@ -132,7 +132,7 @@
    </x:scenario>
    <x:scenario label="6.1.5 Multiple imports | Note that this occurs even if the same catalog is imported multiple times: each distinct import collects controls into a separate selection">
       <x:scenario label="Example req-chained-deepA.xml - PENDING&#xA;              chained profiles"
-                  pending="chained profiles"><?requirement rq-mulitple-imports ?>
+                  pending="chained profiles"><?requirement rq-multiple-imports ?>
          <x:context href="requirement-tests/req-chained-deepA.xml"/>
          <x:expect label="Resolution of req-chained-deepA.xml"
                    select="opr:scrub(.)"
diff --git a/src/specifications/profile-resolution/profile-resolution-specml.xml b/src/specifications/profile-resolution/profile-resolution-specml.xml
index 993e0ee8d8..466a542f00 100644
--- a/src/specifications/profile-resolution/profile-resolution-specml.xml
+++ b/src/specifications/profile-resolution/profile-resolution-specml.xml
@@ -412,7 +412,7 @@ profile:
       <section id="URI-multiple">
         <head>Multiple imports</head>
         <p>Each import directive is processed to produce a set of controls. <req
-            id="rq-mulitple-imports">Note that this occurs even if the same catalog is imported
+            id="rq-multiple-imports" level="must">Note that this occurs even if the same catalog is imported
             multiple times: each distinct import collects controls into a separate
               <int>selection</int></req>: </p>
         <tagging whose="source_profile">
@@ -445,7 +445,7 @@ intermediate:
           - ac-3
           - ac-4 
         </tagging>
-        <p><req id="rq-multiple-merge">The control inclusions are combined and collapsed in the next
+        <p><req id="rq-multiple-merge" level="must">The control inclusions are combined and collapsed in the next
             phase of processing</req>, <term>merge</term>(see <xref rid="merge-phase"/>) . </p>
         <p>Multiple imports against the same resource are allowed, and would most commonly occur when the profile author is using <xref rid="mapping"/> to create very specific output. 
           Multiple imports may result in outputs with clashing control IDs if mapping or the merge directive is not set correctly.</p>
diff --git a/src/specifications/profile-resolution/profile-resolution-unit-tests.xml b/src/specifications/profile-resolution/profile-resolution-unit-tests.xml
index e8161ff96c..8ccf9b4e5c 100644
--- a/src/specifications/profile-resolution/profile-resolution-unit-tests.xml
+++ b/src/specifications/profile-resolution/profile-resolution-unit-tests.xml
@@ -87,7 +87,7 @@
          <addresses-requirement requirement-id="req-resolve-profile">When a profile imports a profile,
             the subordinate profile SHOULD be resolved first into a catalog using this
             specification, before it is imported. </addresses-requirement>
-         <addresses-requirement requirement-id="rq-mulitple-imports">Note that this occurs even if the same catalog is imported
+         <addresses-requirement requirement-id="rq-multiple-imports">Note that this occurs even if the same catalog is imported
             multiple times: each distinct import collects controls into a separate
               selection</addresses-requirement>
          <addresses-requirement requirement-id="rq-multiple-merge">The control inclusions are combined and collapsed in the next
diff --git a/src/specifications/profile-resolution/resolution-testing.xml b/src/specifications/profile-resolution/resolution-testing.xml
index 72a7013638..2f67d31ac5 100644
--- a/src/specifications/profile-resolution/resolution-testing.xml
+++ b/src/specifications/profile-resolution/resolution-testing.xml
@@ -67,7 +67,7 @@
       <statement>If a processor encounters a circular import as described above (self-imports are inherently circular), the processor MUST cease processing and generate an error. </statement>
       <test file="requirement-tests/req-circular_import.xml" status="pending">PENDING circular import detection</test>
    </requirement>
-   <requirement id="rq-mulitple-imports">
+   <requirement id="rq-multiple-imports">
       <statement>Note that this occurs even if the same catalog is imported multiple times: each distinct import collects controls into a separate selection</statement>
       <test file="requirement-tests/req-chained-deepA.xml" status="pending">PENDING chained profiles</test>
    </requirement>
diff --git a/src/specifications/profile-resolution/spec-tester.py b/src/specifications/profile-resolution/spec-tester.py
new file mode 100755
index 0000000000..7e9c2616c8
--- /dev/null
+++ b/src/specifications/profile-resolution/spec-tester.py
@@ -0,0 +1,472 @@
+#!/usr/bin/env python3
+
+"""
+A simple CLI application that tests profile resolver implementations against the adjacent
+specification.
+
+Caveats:
+- XPath functionality will depend on the version of Python being used (newer is better).
+- On some versions of Python, absolute selections (/root/item) are broken and will result in a
+    warning, use relative selections instead (./item).
+- Comparisons of multiple elements are not "smart". Unlike the OSCAL Deep Diff, this tool does not
+    attempt to match items together. Selections should be written with this in mind (e.g. select a
+    specific oscal:param instead of comparing all of them when order is not explicitly specified).
+
+Future Improvements:
+- TODO: Cache results of profile resolution in Driver class for commonly re-used sources
+- TODO: Make failure condition more granular (e.g. add parameter to prevent failure on "should" levels)
+"""
+
+import argparse
+import sys
+import os.path
+import subprocess
+import tempfile
+import shutil
+import json
+import logging
+import time
+from itertools import zip_longest
+from xml.etree import ElementTree as ET
+
+from typing import TypedDict, List, Dict, Set, Tuple, Optional
+
+
+class Colors:
+    """
+    ANSI color codes
+
+    Via https://gist.github.com/rene-d/9e584a7dd2935d0f461904b9f2950007
+    """
+    BLACK = "\033[0;30m"
+    RED = "\033[0;31m"
+    GREEN = "\033[0;32m"
+    BROWN = "\033[0;33m"
+    BLUE = "\033[0;34m"
+    PURPLE = "\033[0;35m"
+    CYAN = "\033[0;36m"
+    LIGHT_GRAY = "\033[0;37m"
+    DARK_GRAY = "\033[1;30m"
+    LIGHT_RED = "\033[1;31m"
+    LIGHT_GREEN = "\033[1;32m"
+    YELLOW = "\033[1;33m"
+    LIGHT_BLUE = "\033[1;34m"
+    LIGHT_PURPLE = "\033[1;35m"
+    LIGHT_CYAN = "\033[1;36m"
+    LIGHT_WHITE = "\033[1;37m"
+    BOLD = "\033[1m"
+    FAINT = "\033[2m"
+    ITALIC = "\033[3m"
+    UNDERLINE = "\033[4m"
+    BLINK = "\033[5m"
+    NEGATIVE = "\033[7m"
+    CROSSED = "\033[9m"
+    END = "\033[0m"
+    # cancel SGR codes if we don't write to a terminal
+    if not __import__("sys").stdout.isatty():
+        for _ in dir():
+            if isinstance(_, str) and _[0] != "_":
+                locals()[_] = ""
+    else:
+        # set Windows console in VT mode
+        if __import__("platform").system() == "Windows":
+            kernel32 = __import__("ctypes").windll.kernel32
+            kernel32.SetConsoleMode(kernel32.GetStdHandle(-11), 7)
+            del kernel32
+
+
+class TestScenario(TypedDict):
+    """A source profile along with the expected resulting profile and match expressions"""
+    description: str
+    source_profile_path: str
+    expected_catalog_path: str
+    selection_expressions: List[str]
+
+
+class TestRequirement(TypedDict):
+    """A single requirement composed of multiple test scenarios"""
+    section_id: str
+    requirement_id: str
+    scenarios: List[TestScenario]
+
+
+DRIVER_SOURCE_TOKEN = "{src}"
+DRIVER_DESTINATION_TOKEN = "{dest}"
+
+
+INDENT_TEXT = "  "
+
+
+class Driver(object):
+    """Handles running the profile resolver given a source file and destination path"""
+
+    def __init__(self, command: str, workdir: Optional[str] = None,
+                 logger: Optional[logging.Logger] = None) -> None:
+        """
+        Note: Creates a temporary directory as a side effect, consumer must call .cleanup() to remove
+        """
+        if not DRIVER_SOURCE_TOKEN in command:
+            raise Exception(
+                f"Command `{command}` does not contain source token '{DRIVER_SOURCE_TOKEN}'")
+        if not DRIVER_DESTINATION_TOKEN in command:
+            raise Exception(
+                f"Command `{command}` does not contain source token '{DRIVER_DESTINATION_TOKEN}'")
+
+        self.logger = logger if logger is not None else logging.getLogger(
+            __name__)
+        self.command = command
+        self.workdir = workdir
+        self.out_directory = tempfile.mkdtemp("oscal-pr-test-out")
+
+        self.logger.debug(
+            f"Created temporary output directory '{self.out_directory}'")
+
+    def run(self, src_path, indent=0) -> ET.ElementTree:
+        """
+        Run the command specified by `self.command`, substituting `DRIVER_SOURCE_TOKEN` and
+        `DRIVER_DESTINATION_TOKEN` with `src_path` and a generated output path respectively.
+
+        Note: Places output files in a temporary directory, consumer must call .cleanup() to remove
+        """
+        src_name = os.path.basename(src_path)
+        # some-profile.xml => some-profile_RESOLVED_$TIMESTAMP.xml
+        dest_name = os.path.splitext(
+            src_name)[0] + f"_RESOLVED_{time.strftime('%Y%m%d-%H%M%S')}.xml"
+        dest_path = os.path.join(self.out_directory, dest_name)
+
+        command = self.command\
+            .replace(DRIVER_SOURCE_TOKEN, f"'{src_path}'")\
+            .replace(DRIVER_DESTINATION_TOKEN, f"'{dest_path}'")
+
+        self.logger.debug(f"{INDENT_TEXT*indent}Running command `{command}`")
+
+        # Notice: this code does not protect against shell injection of any kind,
+        # `self.command` and `src_path` must be trusted.
+        ret = subprocess.run(command, shell=True,
+                             capture_output=True, cwd=self.workdir)
+        # TODO handle command failure
+
+        if ret.returncode != 0:
+            raise Exception(
+                f"Process returned non-zero exit code, stderr:\n\n{ret.stderr}")
+
+        return ET.parse(dest_path)
+
+    def cleanup(self):
+        """Delete temporary directory"""
+        self.logger.debug(
+            f"Removing temporary output directory '{self.out_directory}'")
+        shutil.rmtree(self.out_directory)
+
+
+def compare_elements(e1: Optional[ET.ElementTree], e2: Optional[ET.ElementTree], path=".",
+                     e1Name="left", e2Name="right") -> Tuple[bool, List[str]]:
+    """
+    Compare two element trees returning if they are the same, and a list of changes in the form of
+    XPath-like selections.
+
+    Warning: This comparison function will likely fail on mixed content (e.g. markup) and in cases
+    where the order of child elements is different.
+
+    Note: comments added to some difference paths using XPath 2.0 (: comment syntax :)
+    """
+
+    differences: List[str] = []
+
+    if e1 is None:
+        differences.append(
+            f"{path}/ (: tag mismatch: {e1Name}=None {e2Name}='{e2.tag}' :)")
+    elif e2 is None:
+        differences.append(
+            f"{path}/ (: tag mismatch: {e1Name}='{e1.tag}' {e2Name}=None :)")
+    else:
+        if e1.tag != e2.tag:
+            # Fail early if tags are mismatched, no point in comparing tag contents
+            differences.append(
+                f"{path}/ (: tag mismatch: {e1Name}='{e1.tag}', {e2Name}='{e2.tag}' :)")
+        else:
+            e1Text = (e1.text if e1.text is not None else "").strip()
+            e2Text = (e2.text if e2.text is not None else "").strip()
+
+            # TODO compare on mixed content?
+            if e1Text != e2Text:
+                differences.append(path + "/text()")
+
+            e1AttribSet = set(e1.attrib.keys())
+            e2AttribSet = set(e2.attrib.keys())
+
+            for key in e1AttribSet.intersection(e2AttribSet):
+                if e1.attrib[key] != e2.attrib[key]:
+                    # Attribute value mismatch
+                    differences.append(
+                        f"{path}/@{key} (: attribute value mismatch: {e1Name}='{e1.attrib[key]}', {e2Name}='{e2.attrib[key]}' :)")
+
+            # Attribute not present in one or the other
+            for key in e1AttribSet.difference(e2AttribSet):
+                differences.append(
+                    f"{path}/@{key} (: attribute value mismatch: {e1Name}='{e1.attrib[key]}', {e2Name}=None :")
+            for key in e2AttribSet.difference(e1AttribSet):
+                differences.append(
+                    f"{path}/@{key} (: attribute value mismatch: in {e1Name}=None, {e2Name}='{e2.attrib[key]}' :")
+
+            for i, (c1, c2) in enumerate(zip_longest(e1, e2)):
+                # zip_longest returns None for extra items of the shorter iterator
+                # XPath starts lists with 1
+                _, child_differences = compare_elements(
+                    c1, c2, path=f"{path}/*[{i + 1}]", e1Name=e1Name, e2Name=e2Name)
+                differences += child_differences
+
+    return len(differences) == 0, differences
+
+
+SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
+DEFAULT_TESTS_PATH = os.path.join(SCRIPT_DIR, "spec-tests.json")
+DEFAULT_SPEC_PATH = os.path.join(SCRIPT_DIR, "profile-resolution-specml.xml")
+
+QUERY_NS = {
+    "specml": "http://csrc.nist.gov/ns/oscal/specml",
+    "oscal": "http://csrc.nist.gov/ns/oscal/1.0"
+}
+
+
+class RequirementTests(object):
+    def __init__(self, spec_path=DEFAULT_SPEC_PATH, tests_path=DEFAULT_TESTS_PATH,
+                 logger: Optional[logging.Logger] = None) -> None:
+        self.spec_path = spec_path
+        self.tests_path = tests_path
+
+        self.spec = ET.parse(self.spec_path)
+
+        self.logger = logger if logger is not None else logging.getLogger(
+            __name__)
+
+        with open(self.tests_path) as tests_file:
+            tests_json = json.loads(tests_file.read())
+            # TODO any sort of input validation, this is currently at best a type hint
+            self.tests: List[TestRequirement] = tests_json
+
+        # used to resolve files relative to the spec file
+        self.tests_workdir = os.path.dirname(self.tests_path)
+
+        # K,V of section ids -> section titles
+        self.section_heads: Dict[str, str] = {}
+        # K,V of section ids -> requirement id -> requirement level
+        # TODO parse out requirement text and store alongside level?
+        self.section_requirements: Dict[str, Dict[str, str]] = {}
+
+        # process spec file
+        for section in self.spec.findall("specml:section", QUERY_NS):
+            section_id = section.attrib['id']
+            section_head = section.find("specml:head", QUERY_NS).text
+
+            self.section_heads[section_id] = section_head
+            self.section_requirements[section_id] = {}
+
+            for requirement in section.findall(".//specml:req", QUERY_NS):
+                requirement_id = requirement.attrib['id']
+                requirement_level = requirement.attrib['level']
+
+                self.section_requirements[section_id][requirement_id] = requirement_level
+
+    def print_coverage(self):
+        """
+        Utility method that prints the test coverage against the spec
+        """
+        covered_tests: Dict[str, Set[str]] = {}
+
+        for test in self.tests:
+            if test["section_id"] not in covered_tests:
+                covered_tests[test["section_id"]] = set()
+            covered_tests[test["section_id"]].add(test["requirement_id"])
+
+        for section_id, section_head in self.section_heads.items():
+            requirements = set(self.section_requirements[section_id].keys())
+            tested_requirements = covered_tests.get(section_id, set())
+            covered_requirements = tested_requirements.intersection(
+                requirements)
+            uncovered_requirements = requirements.difference(
+                tested_requirements)
+            unknown_requirements = tested_requirements.difference(requirements)
+
+            section_color = Colors.GREEN
+            if len(requirements) == 0:
+                section_color = Colors.DARK_GRAY
+            elif len(tested_requirements) == 0:
+                section_color = Colors.RED
+            elif len(uncovered_requirements) > 0:
+                section_color = Colors.YELLOW
+
+            # Provide the user with information about extraneous requirements
+            extra_warning = f"{Colors.RED}+{len(unknown_requirements)}" if len(
+                unknown_requirements) > 0 else ""
+
+            self.logger.info(
+                f"{Colors.BOLD}{section_color}{section_head} ({section_id}): {len(covered_requirements)}/{len(requirements)} {extra_warning}{Colors.END}")
+
+            for requirement_id, level in self.section_requirements[section_id].items():
+                requirement_color = Colors.GREEN if requirement_id in tested_requirements else Colors.RED
+                self.logger.info(
+                    f"{INDENT_TEXT}{requirement_color}{section_id}/{requirement_id} - {level}{Colors.END}")
+
+            # Warn the user of extraneous requirements in the section
+            for requirement_id in unknown_requirements:
+                self.logger.warning(
+                    f"{INDENT_TEXT}{Colors.YELLOW}Unknown requirement id {requirement_id}{Colors.END}")
+
+        # Warn the user of extraneous sections in the tests
+        for section_id in set(covered_tests.keys()).difference(set(self.section_heads.keys())):
+            self.logger.warning(
+                f"{Colors.YELLOW}Unknown section id {section_id} containing {len(covered_tests[section_id])} requirements{Colors.END}")
+
+    def run(self, command, do_cleanup=True) -> bool:
+        driver = Driver(command, self.tests_workdir, logger=self.logger)
+
+        suite_pass = True
+
+        try:
+            for test in self.tests:
+                test_info = f"requirement({test['section_id']}/{test['requirement_id']})"
+                self.logger.info(f"{Colors.BOLD}{test_info}{Colors.END}")
+                if self._run_test(driver, test, indent=1):
+                    self.logger.info(
+                        f"{Colors.BOLD}{Colors.GREEN}{test_info}... PASS{Colors.END}")
+                else:
+                    self.logger.error(
+                        f"{Colors.BOLD}{Colors.RED}{test_info}... FAIL{Colors.END}")
+                    suite_pass = False
+        finally:
+            if do_cleanup:
+                driver.cleanup()
+
+        if suite_pass:
+            self.logger.info(
+                f"{Colors.GREEN}Spec suite {self.tests_path}... PASS{Colors.END}")
+        else:
+            self.logger.error(
+                f"{Colors.RED}Spec suite {self.tests_path}... FAIL{Colors.END}")
+
+        return suite_pass
+
+    def _run_test(self, driver: Driver, requirement: TestRequirement, indent=0) -> bool:
+        test_pass = True
+
+        for scenario in requirement["scenarios"]:
+            scenario_info = f"{INDENT_TEXT * indent}scenario(source='{scenario['source_profile_path']}', expected='{scenario['expected_catalog_path']}')"
+
+            self.logger.info(f"{Colors.BOLD}{scenario_info}{Colors.END}")
+
+            scenario_pass = self._run_test_scenario(
+                driver, scenario, indent=indent + 1)
+
+            if scenario_pass:
+                self.logger.info(
+                    f"{Colors.BOLD}{Colors.GREEN}{scenario_info}... PASS{Colors.END}")
+            else:
+                # TODO: param to fail if the level is not "must"
+                self.logger.error(
+                    f"{Colors.BOLD}{Colors.RED}{scenario_info}... FAIL{Colors.END}")
+                test_pass = False
+
+        return test_pass
+
+    def _run_test_scenario(self, driver: Driver, scenario: TestScenario, indent=0) -> bool:
+        """
+        Runs a given test scenario, returning True if all selection expressions pass
+        """
+
+        self.logger.info(
+            f"{Colors.BLUE}{INDENT_TEXT * indent}Description: {scenario['description']}{Colors.END}")
+
+        # Correct for path relative to spec tests file
+        expected_path = scenario["expected_catalog_path"]
+        if not os.path.isabs(expected_path):
+            expected_path = os.path.join(self.tests_workdir, expected_path)
+        # TODO user friendly error if catalog path cannot be found
+        expected = ET.parse(expected_path)
+
+        # Driver already uses the spec tests file's parent dir as the cwd, no path correction needed
+        result = driver.run(scenario["source_profile_path"], indent=indent + 1)
+
+        # if no selection expressions exist, test still successfully produced an output
+        scenario_pass = True
+        for selection_expression in scenario["selection_expressions"]:
+            result_selection = result.findall(selection_expression, QUERY_NS)
+            expected_selection = expected.findall(
+                selection_expression, QUERY_NS)
+
+            for i, (result_elem, expected_elem) in enumerate(zip(result_selection, expected_selection)):
+                # XPath starts lists with 1
+                selection_expression_indexed = f"{selection_expression}{f'[{i + 1}]' if len(result_selection) > 1 or len(expected_selection) > 1 else ''}"
+                same, differences = compare_elements(result_elem, expected_elem,
+                                                     # XPath selection used for debugging. Only specify position predicate if necessary
+                                                     selection_expression_indexed, e1Name="result", e2Name="expected")
+                if same:
+                    self.logger.debug(
+                        f"{Colors.GREEN}{INDENT_TEXT * (indent + 1)}selection `{selection_expression_indexed}` result matched{Colors.END}")
+                else:
+                    scenario_pass = False
+                    self.logger.error(
+                        f"{Colors.RED}{INDENT_TEXT * indent}selection `{selection_expression_indexed}` result mismatch:{Colors.END}")
+                    for difference in differences:
+                        # Clean up tags in comments to use namespaces
+                        difference = difference.replace(
+                            f"{{{QUERY_NS['oscal']}}}", "oscal:")
+
+                        self.logger.error(
+                            f"{Colors.RED}{INDENT_TEXT * (indent + 1)}{difference}{Colors.END}")
+
+            if len(result_selection) != len(expected_selection):
+                self.logger.error(
+                    f"{Colors.RED}{INDENT_TEXT * (indent + 1)}selection `{selection_expression}` result size mismatch (result={len(result_selection)}, expected={len(expected_selection)}){Colors.END}")
+                scenario_pass = False
+
+        return scenario_pass
+
+
+if __name__ == '__main__':
+    example_text = f"example: spec-tester.py run 'oscal-cli profile resolve --to=XML {DRIVER_SOURCE_TOKEN} {DRIVER_DESTINATION_TOKEN}'"
+
+    parser = argparse.ArgumentParser(
+        description='OSCAL profile-resolution testing harness', epilog=example_text)
+    parser.add_argument(
+        "--tests_path", default=DEFAULT_TESTS_PATH, help="Override the tests file")
+    parser.add_argument(
+        "--spec_path", default=DEFAULT_SPEC_PATH, help="Override the spec file")
+    parser.add_argument("-v", "--verbose",
+                        help="display debug information", action="store_true")
+
+    subparsers = parser.add_subparsers(
+        required=True, dest="action", description="valid subcommands")
+
+    # "run" subcommand
+    parser_run = subparsers.add_parser(
+        'run', description='Run the spec tests', epilog=example_text)
+    parser_run.add_argument(
+        "command", help="The program to call, with the input profile and output path"
+        f" replaced with {DRIVER_SOURCE_TOKEN} and {DRIVER_DESTINATION_TOKEN} respectively")
+
+    parser.add_argument("-k", "--keep",
+                        help="keep output directory", action="store_true")
+    # "coverage" subcommand
+    parser_coverage = subparsers.add_parser(
+        'coverage', description='Report the coverage of the given tests file against the spec')
+
+    args = parser.parse_args()
+
+    # truncate log levels for prettier console formatting
+    logging.addLevelName(logging.DEBUG, 'DEBG')
+    logging.addLevelName(logging.INFO, 'INFO')
+    logging.addLevelName(logging.WARNING, 'WARN')
+    logging.addLevelName(logging.ERROR, 'ERRR')
+    logging.addLevelName(logging.CRITICAL, 'CRIT')
+    logging.basicConfig(format='%(levelname)s: %(message)s',
+                        level=logging.DEBUG if args.verbose else logging.INFO)
+
+    harness = RequirementTests(args.spec_path, args.tests_path)
+
+    if args.action == "run":
+        suite_pass = harness.run(args.command, do_cleanup=not args.keep)
+        if not suite_pass:
+            sys.exit(1)
+    elif args.action == "coverage":
+        harness.print_coverage()
diff --git a/src/specifications/profile-resolution/spec-tests.json b/src/specifications/profile-resolution/spec-tests.json
new file mode 100644
index 0000000000..329df9284b
--- /dev/null
+++ b/src/specifications/profile-resolution/spec-tests.json
@@ -0,0 +1,17 @@
+[
+    {
+        "section_id": "import",
+        "requirement_id": "req-uri-resolve",
+        "scenarios": [
+            {
+                "description": "Check that group and control titles match, signalling that URIs have been resolved",
+                "source_profile_path": "requirement-tests/req-include-all-asis.xml",
+                "expected_catalog_path": "requirement-tests/output-expected/req-include-all-asis_RESOLVED.xml",
+                "selection_expressions": [
+                    "./oscal:group/oscal:title",
+                    "./oscal:group/oscal:control/oscal:title"
+                ]
+            }
+        ]
+    }
+]
\ No newline at end of file
diff --git a/src/specifications/profile-resolution/unit-tests.xsd b/src/specifications/profile-resolution/unit-tests.xsd
index c746b134a0..8f80870a64 100644
--- a/src/specifications/profile-resolution/unit-tests.xsd
+++ b/src/specifications/profile-resolution/unit-tests.xsd
@@ -2,7 +2,7 @@
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns="http://csrc.nist.gov/ns/metaschema/test-suite/1.0"
     targetNamespace="http://csrc.nist.gov/ns/metaschema/test-suite/1.0" elementFormDefault="qualified">
-  <xs:include schemaLocation="metaschema-datatypes.xsd"/>
+  <xs:include schemaLocation="../../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema-datatypes.xsd"/>
   
   <xs:element name="test-suite">
     <xs:complexType>

From e309dd5f9208ba55a29af08ab3288a92bc329691 Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <alexander.stein@nist.gov>
Date: Thu, 12 Oct 2023 09:50:37 -0400
Subject: [PATCH 11/51] [skip ci] Add ADR-0008 for usnistgov/oscal-content#116.

---
 decisions/0008-oscal-content-management.md | 65 ++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 decisions/0008-oscal-content-management.md

diff --git a/decisions/0008-oscal-content-management.md b/decisions/0008-oscal-content-management.md
new file mode 100644
index 0000000000..58daee373b
--- /dev/null
+++ b/decisions/0008-oscal-content-management.md
@@ -0,0 +1,65 @@
+# OSCAL Content Data Governance and Release Management
+
+Date: 10/13/2023
+
+## Status
+
+Proposed
+
+## Context
+
+Since 2016, the OSCAL project has iterated on methods and locations for managing example content and published catalogs. It is time that we decide whether to continue as-is or make a meaningful change to how project's OSCAL content is developed, published, and maintained.
+
+### Key Takeaways
+
+1. Almost all changes to OSCAL representations of the published SP 800-53A and 800-53B catalogs do not diverge from the official publication. Clear data management and governance guidelines are needed to identify which changes are acceptable OSCAL Team leadership to approve for release, and which specific changes need review and approval by the Security Engineering and Risk Management maintainers of the official SP 800-53 content.
+1. By the nature of OSCAL models and relationships of document instances, the team must continue to manage published catalogs and examples that cite them together.
+1. It is important that final integration testing of all OSCAL content occur with the latest pending release of OSCAL as a final integration test, even if the content is backwards compatible with an older minor or patch release for the same version.
+
+### Background
+
+[In September 2020](https://github.com/usnistgov/OSCAL/commit/01c0aa9b45667b25e8105160119da011471c77cb), the NIST OSCAL Team migrated SP 800-53 Revision 4, SP 800-53 Revision 5, and example content from [the core OSCAL repository](https://github.com/usnistgov/OSCAL) to the [new oscal-content repository](https://github.com/usnistgov/oscal-content). Presumably, this migration allowed the development team to manage published catalog content, and to a lesser extent examples, in a more flexible way, independent from the established release process and practices for the core OSCAL models, schemas, and supporting tooling. (However, even by that time examples reflected the real-world cross-document relationships OSCAL models support. Examples inherently reference adjacent published catalogs of the NIST SP 800-53B controls.) The NIST OSCAL Team coordinated with the [Security Engineering and Risk Management Team](https://csrc.nist.gov/Groups/Computer-Security-Division/Security-Engineering-and-Risk-Management), maintainers of NIST SP 800-53A and SP 800-53B, to publish representations of the assessment methods and respective controls in conjunction with their official publication (in PDF and alternate formats). Team members employed semi-automatic techniques for content-generation and data quality checks to coordinate finalized release of the 5.0 and 5.1 versions of the official documents with the OSCAL representation (e.g. releasing to the `main` branch in the GitHub repository). Their publication schedule is more infrequent than the OSCAL development cycle. This is an important takeaway that lead to data governance, testing, and release challenges.
+
+### Data Management and Governance Challenges
+
+As enhancements and bug fixes for OSCAL increased, separate of the content, in between official upstream releases of SP 800-53A and SP 800-53B, staff and community members [identified bugs and enhancements to the OSCAL representations](). In most cases, these work items would not or did not diverge from the content in the official publication version. These data quality and OSCAL-specific enhancements would or did improve the ability of technical staff using the OSCAL representation to create or improve catalog and profile automation. There has been no clear guidance on how to accept these changes, publish them, and how to identify their versions upon release. These governance questions led to an accumulation of work items that delayed publication (at this time, read: merged into the `main` branch).
+
+### OSCAL Dependency Upgrades, Integration, and Regression Test Challenges
+
+Due to infrequent publications of the catalogs, managed together with examples, the OSCAL submodule to provide models, generated schema, and tooling support. At the time of writing this ADR draft, [the oscal-content main branch at `a53f261`](https://github.com/usnistgov/oscal-content/tree/a53f261a946c52811c507deb4d8385d9e4794a6f) uses a version of the OSCAL models and tooling that is ostensibly from December 2022, [`51d5de2`](https://github.com/usnistgov/OSCAL/commit/51d5de22c181477e3f9cf08789c4399fff013f14), a stable commit between v1.0.4 and v1.0.5. Several attempts to smoothly upgrade this with subsequent releases of OSCAL models and supporting tooling were rolled back or never completed. Automated content conversion and schema validation failed. The team confirmed bugs in dependencies to OSCAL. Fixing these issues required months of development work. Below is a non-exhaustive list with two examples.
+
+- [usnistgov/metaschema#235](https://github.com/usnistgov/metaschema/issues/235)
+- [usnistgov/metaschema#240](https://github.com/usnistgov/metaschema/issues/240)
+
+These bugs, and those like them, impacted conversion and validation of the examples, the published catalogs, or in some cases both. So in all cases, they stopped final publication into the oscal-content `main` branch, even as new OSCAL models were released. Specifically, fixing issues in an implementation of the Metaschema Information Modeling Framework used by OSCAL for schema generation, validation, and conversion need to not only be tested in their upstream projects, but then frequently regression tested across models with complex content present in the oscal-content repo. This manual follow-on work was a necessity to test all edge cases. It was exacerbated by the lack of frequent releases, or such problems would be caught sooner and fixed more frequently. This is a key takeaway that Metaschema and OSCAL Team's developers acknowledge, but not yet put into practice. This last line of defense is important to minimizing toil for the team.
+
+## Decision
+
+Moving forward, the team must commit to the following.
+
+1. A data management and governance procedure will be added [to the OSCAL Team Wiki](https://github.com/usnistgov/OSCAL/wiki/NIST-SP-800%E2%80%9053-OSCAL-Content-Data-Governance).
+1. The oscal-content repository will move to a `Makefile`-based approach for [usnistgov/oscal-content#116](https://github.com/usnistgov/oscal-content/issues/116) when [usnistgov/oscal-content#204](https://github.com/usnistgov/oscal-content/pull/204) is merged to match the same approach for the core repository enacted in [ADR 5](./0005-repository-reorganization.md). For consistency and simplicity of this new workflow, all examples, profiles, and catalogs will be developed in the [src directory](https://github.com/usnistgov/oscal-content/tree/7a079afed39b1a36a091c8d4ac939d096d42c76b/src) in OSCAL XML format only and converted later. This approach will simplify the architecture and improve efficiency of development cycles.
+1. Every OSCAL model release must coincide with an oscal-content release. At a minimum, even if examples or catalogs to be published do not change any content, the team must do the following.
+    - Update the OSCAL submodule to the latest tagged release.
+    - All source catalogs and profiles must have their `oscal-version` and `version` incremented. Their `last-modified` and `published` timestamps must be updated.
+    - All `xml-model` instructions at the top of every example, profile, and catalog instance must be updated to the complete OSCAL XML schema artifact for the release that matches the `oscal-version`.
+1. The team will tag the commit with generated artifacts and mimic [the core repository's versioning, branching, and release guidelines](https://github.com/usnistgov/OSCAL/blob/f159b28948cb0034370fb819a45bfdaeaef5192a/versioning-and-branching.md), following [SemVer requirements](https://semver.org/).
+1. Releases of content will be created alongside the core OSCAL repository.
+1. In ADR 5, the team cited risk with the ongoing use of auto-commit automation with GitHub Actions for core OSCAL models and generated artifacts. To evaluate the best option and allow time for coordination with the community, the team will continue with auto-committing content to `main` as a publication mechanism only for the near-term future. The team will revisit this decision and potentially propose an alternative method that is more suitable in a subsequent spike and approved ADR.
+1. OSCAL Team leadership will review resources and the feasibility of ongoing maintenance of the catalogs and alternative courses of action for long-term publication of NIST SP 800-53 Revision 5 catalogs.
+
+## Consequences
+
+Below are the consequences of the different approaches.
+
+### Do Nothing
+
+In the short-term, doing nothing would mean to stop publication of the content immediately. This solution would be detrimental to the community without effective analysis for alternative courses of action and approaches for usage of existing content.
+
+### Change Nothing
+
+If the team continues as-is by publishing content to `main` after bugs and build tooling improvements are complete, the challenges above will still sustain unnecessary risk without changes to process and tooling to support the team and its goals. Development of example content, not just publication of catalogs, will stall due to edge cases and accumulated changes in tooling that lead to many minor changes in content that must be reviewed and analyzed.
+
+### Clarify Governance and Require Upgrades for Testing
+
+Clear governance and frequent updates will require more periodic work for the NIST OSCAL Team, but ensure the challenges above will be less frequent and less significant.

From fd2ff39f61669afcd5934aa71ac50b3b147770ef Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <alexander.stein@nist.gov>
Date: Fri, 13 Oct 2023 16:23:54 -0400
Subject: [PATCH 12/51] [skip ci] Add missing link to oscal-content per review
 feedback.

Thanks for catching this, @nikitawootten-nist.
---
 decisions/0008-oscal-content-management.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/decisions/0008-oscal-content-management.md b/decisions/0008-oscal-content-management.md
index 58daee373b..65a56b0392 100644
--- a/decisions/0008-oscal-content-management.md
+++ b/decisions/0008-oscal-content-management.md
@@ -22,7 +22,7 @@ Since 2016, the OSCAL project has iterated on methods and locations for managing
 
 ### Data Management and Governance Challenges
 
-As enhancements and bug fixes for OSCAL increased, separate of the content, in between official upstream releases of SP 800-53A and SP 800-53B, staff and community members [identified bugs and enhancements to the OSCAL representations](). In most cases, these work items would not or did not diverge from the content in the official publication version. These data quality and OSCAL-specific enhancements would or did improve the ability of technical staff using the OSCAL representation to create or improve catalog and profile automation. There has been no clear guidance on how to accept these changes, publish them, and how to identify their versions upon release. These governance questions led to an accumulation of work items that delayed publication (at this time, read: merged into the `main` branch).
+As enhancements and bug fixes for OSCAL increased, separate of the content, in between official upstream releases of SP 800-53A and SP 800-53B, staff and community members [identified bugs and enhancements to the OSCAL representations](https://github.com/usnistgov/oscal-content/issues). In most cases, these work items would not or did not diverge from the content in the official publication version. These data quality and OSCAL-specific enhancements would or did improve the ability of technical staff using the OSCAL representation to create or improve catalog and profile automation. There has been no clear guidance on how to accept these changes, publish them, and how to identify their versions upon release. These governance questions led to an accumulation of work items that delayed publication (at this time, read: merged into the `main` branch).
 
 ### OSCAL Dependency Upgrades, Integration, and Regression Test Challenges
 

From 1d8a9a01ba89d21973908046532dded85b5944ef Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <alexander.stein@nist.gov>
Date: Thu, 9 Nov 2023 23:29:41 +0100
Subject: [PATCH 13/51] [skip ci] Update status, date before merge. Clarify
 content is still backwards compatible.

---
 decisions/0008-oscal-content-management.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/decisions/0008-oscal-content-management.md b/decisions/0008-oscal-content-management.md
index 65a56b0392..25bd12c95e 100644
--- a/decisions/0008-oscal-content-management.md
+++ b/decisions/0008-oscal-content-management.md
@@ -1,10 +1,10 @@
 # OSCAL Content Data Governance and Release Management
 
-Date: 10/13/2023
+Date: 11/09/2023
 
 ## Status
 
-Proposed
+Approved
 
 ## Context
 
@@ -41,7 +41,7 @@ Moving forward, the team must commit to the following.
 1. The oscal-content repository will move to a `Makefile`-based approach for [usnistgov/oscal-content#116](https://github.com/usnistgov/oscal-content/issues/116) when [usnistgov/oscal-content#204](https://github.com/usnistgov/oscal-content/pull/204) is merged to match the same approach for the core repository enacted in [ADR 5](./0005-repository-reorganization.md). For consistency and simplicity of this new workflow, all examples, profiles, and catalogs will be developed in the [src directory](https://github.com/usnistgov/oscal-content/tree/7a079afed39b1a36a091c8d4ac939d096d42c76b/src) in OSCAL XML format only and converted later. This approach will simplify the architecture and improve efficiency of development cycles.
 1. Every OSCAL model release must coincide with an oscal-content release. At a minimum, even if examples or catalogs to be published do not change any content, the team must do the following.
     - Update the OSCAL submodule to the latest tagged release.
-    - All source catalogs and profiles must have their `oscal-version` and `version` incremented. Their `last-modified` and `published` timestamps must be updated.
+    - All source catalogs and profiles must have their `oscal-version` and `version` incremented. Their `last-modified` and `published` timestamps must be updated, even if the updated content in that release is backwards compatible with previous major, minor, and/or patch versions.
     - All `xml-model` instructions at the top of every example, profile, and catalog instance must be updated to the complete OSCAL XML schema artifact for the release that matches the `oscal-version`.
 1. The team will tag the commit with generated artifacts and mimic [the core repository's versioning, branching, and release guidelines](https://github.com/usnistgov/OSCAL/blob/f159b28948cb0034370fb819a45bfdaeaef5192a/versioning-and-branching.md), following [SemVer requirements](https://semver.org/).
 1. Releases of content will be created alongside the core OSCAL repository.

From 1d48aeeb7c9ea24d1fe8a5d4cb92e4997a946c0b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 18:33:09 -0500
Subject: [PATCH 14/51] Bump actions/github-script from 6.4.1 to 7.0.1 (#1961)

Bumps [actions/github-script](https://github.com/actions/github-script) from 6.4.1 to 7.0.1.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/d7906e4ad0b1822421a7e6a35d5ca353c962f410...60a0d83039c74a4aee543508d2ffcb1c3799cdea)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/periodic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index f67f869d15..bd9afec633 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -26,7 +26,7 @@ jobs:
         working-directory: build
       - name: Create an issue or comment if bad links are detected
         if: failure()
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           script: |
             // Read the markdown linkcheck report

From 70816d7f33df07a2c780d8d3432707e6e5682829 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 18:34:16 -0500
Subject: [PATCH 15/51] Bump actions/setup-node from 3.8.1 to 4.0.0 (#1954)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.8.1 to 4.0.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d...8f152de45cc393bb48ce5d89d36b731f54556e65)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/status.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index bd9afec633..97d65d27a7 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: recursive
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index 31ac78ebca..d4b02a1750 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           distribution: "temurin"
           java-version: "17"
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

From b13eeb2705cc823705035bf6ec0807717e0ee8ae Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 18:42:58 -0500
Subject: [PATCH 16/51] Bump org.apache.maven.plugins:maven-dependency-plugin
 in /build (#1953)

Bumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.6.0 to 3.6.1.
- [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.6.0...maven-dependency-plugin-3.6.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/pom.xml b/build/pom.xml
index 2f04d26516..3532b87e4d 100644
--- a/build/pom.xml
+++ b/build/pom.xml
@@ -48,7 +48,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-dependency-plugin</artifactId>
-                <version>3.6.0</version>
+                <version>3.6.1</version>
                 <executions>
                     <execution>
                         <id>copy-dependencies</id>

From 90089bfcb8a90effc853ebf62540f096c307d517 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 18:43:38 -0500
Subject: [PATCH 17/51] Bump actions/checkout from 4.1.0 to 4.1.1 (#1950)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/release.yml  | 2 +-
 .github/workflows/status.yml   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index 97d65d27a7..e1130dd4ee 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -12,7 +12,7 @@ jobs:
       # Needed to post comments and issues
       issues: write
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
       - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c4628fee2a..a4f844acc0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ jobs:
     name: Package Release
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
       - uses: actions/setup-java@v3
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index d4b02a1750..cf461b828a 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -18,7 +18,7 @@ jobs:
     name: Status Checks
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
       - uses: actions/setup-java@v3

From b9e6a2d6b437f53aca2a469a3fabbd1f5d13a411 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Nov 2023 19:08:27 -0500
Subject: [PATCH 18/51] Bump build/metaschema-xslt from `bd4359a` to `7d9fbfa`
 (#1955)

Bumps [build/metaschema-xslt](https://github.com/usnistgov/metaschema-xslt) from `bd4359a` to `7d9fbfa`.
- [Commits](https://github.com/usnistgov/metaschema-xslt/compare/bd4359a0354d3a9452633a8ed915ec9e915d5431...7d9fbfa84e78e4ba4dd950ad39c65738b7b66697)

---
updated-dependencies:
- dependency-name: build/metaschema-xslt
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build/metaschema-xslt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/metaschema-xslt b/build/metaschema-xslt
index bd4359a035..7d9fbfa84e 160000
--- a/build/metaschema-xslt
+++ b/build/metaschema-xslt
@@ -1 +1 @@
-Subproject commit bd4359a0354d3a9452633a8ed915ec9e915d5431
+Subproject commit 7d9fbfa84e78e4ba4dd950ad39c65738b7b66697

From 085af23bd3f6b70bbbd421b9341587326d98abd6 Mon Sep 17 00:00:00 2001
From: Nikita Wootten <nikita.wootten@nist.gov>
Date: Tue, 21 Nov 2023 19:12:28 -0500
Subject: [PATCH 19/51] Add tutorials system lifecycle ADR (#1959)

This ADR documents the team's decision regarding the simplified system lifecycle to be used in the tutorials.
---
 decisions/0009-tutorials-system-lifecycle.md | 46 ++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 decisions/0009-tutorials-system-lifecycle.md

diff --git a/decisions/0009-tutorials-system-lifecycle.md b/decisions/0009-tutorials-system-lifecycle.md
new file mode 100644
index 0000000000..e881617f9c
--- /dev/null
+++ b/decisions/0009-tutorials-system-lifecycle.md
@@ -0,0 +1,46 @@
+# : Design simplified system lifecycle for example system in tutorials
+
+Date: 10/31/2023
+
+## Status
+
+Proposed
+
+## Context
+
+We wish to reduce friction encountered by community members learning security automation with OSCAL through tutorials produced by the OSCAL team.
+A series of OSCAL security automation tutorials would need to be centered around and driven by some system lifecycle, such as the implied lifecycle in NIST 800-37 Risk Management Framework or ISO/IEC 27005.
+However, adopting a complex real-world lifecycle in the tutorials would have several disadvantages:
+
+- Complex system lifecycles add overhead that may not be relevant to the tutorial at hand.
+- Endorsing a particular lifecycle may incorrectly signal to the reader that OSCAL can only be used with that lifecycle.
+- The use of a real-world lifecycle could invite disagreement over the particulars of the lifecycle that are not relevant to the tutorials.
+
+Summarized, the lifecycle should serve the tutorials and not the other way around.
+
+*Note: this ADR was created as part of a work item for [OSCAL#1893](https://github.com/usnistgov/OSCAL/issues/1893).*
+
+## Decision
+
+The NIST OSCAL team should use a simplified lifecycle in its tutorials.
+The lifecycle will focus on the security automation.
+
+This document will only contain minimally-viable details of the lifecycle.
+
+### Proposed Lifecycle
+
+The proposed lifcycle will be evocative of a stripped-down RMF or ISO 27005 SDLC, discarding and simplifying steps that are not immediately relevant to a tutorial.
+
+The individual tutorials may include asides on how a given process maps to other processes such as RMF.
+
+|RISK MGMT | Select | Implement | Assess |
+| --- | --- | --- | --- |
+| DEVELOPMENT |	Design | Develop | Test |
+
+The proposed lifecycle collapses "prepare", "categorize", and "select" into ***design***, renames "implement" into ***develop***, collapses "assess" and "authorize" into ***test***, and removes "monitor".
+
+The steps of the RMF are all important and deserve individual consideration, but are not the subject of the tutorials.
+
+## Consequences
+
+This decision will affect tutorials written in the future, particularly tutorials surrounding the fictional [example system](https://github.com/usnistgov/OSCAL/issues/1892).

From fe3931859af1737630e86aa7090708687fcbf4b3 Mon Sep 17 00:00:00 2001
From: Nikita Wootten <nikita.wootten@nist.gov>
Date: Wed, 29 Nov 2023 13:15:57 -0500
Subject: [PATCH 20/51] Flatten codeowners (#1962)

* Flatten codeowners

* Update CODEOWNERS with feedback from the team
---
 .github/CODEOWNERS | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fd30d4ccab..598a0eb4bc 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,12 +1,8 @@
-# directory specific owners
-/.github/               @usnistgov/itl-oscal-maintainers
-/build/                 @usnistgov/itl-oscal-maintainers
-/content/               @aj-stein-nist
-/docs/                  @aj-stein-nist
-/docs/content           @aj-stein-nist @iMichaela
-/json/                  
-/xml/                   
-/src/                   @usnistgov/itl-oscal-maintainers
-/src/metaschema         @aj-stein-nist
-/src/specifications/profile-resolution  @david-waltermire-nist @wendellpiez
-/src/utils              @wendellpiez
+# The OSCAL Admins team governs critical directories
+.github/workflows/      @usnistgov/itl-oscal-admins
+build/Makefile          @usnistgov/itl-oscal-admins
+# The OSCAL Maintainers team governs source and build directories
+src/                    @usnistgov/itl-oscal-maintainers
+build/                  @usnistgov/itl-oscal-maintainers
+# Otherwise governed by the OSCAL Team
+*                       @usnistgov/itl-oscal

From 290bc843fd221b736d84e97ea5c0a2c30774eb71 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Wed, 29 Nov 2023 13:47:12 -0500
Subject: [PATCH 21/51] Catalog constraints added in
 oscal_catalog_metaschema.xml - see issue #1949  (#1952)

* Two additional allowed values for catalog/group/part/@name and catalog/group/control/part/@name

* aligned the description of group/part@name='statement' and control/part@name='statement'

* Fixed typo in the oscal_ssp_metaschema and updated controversial constraint for group/part in oscal_catalog_metaschema

* Update src/metaschema/oscal_catalog_metaschema.xml

Fixed grammar.

Co-authored-by: Chris Compton <daniel.compton@nist.gov>

---------

Co-authored-by: Iorga <miorga@pn129618.campus.nist.gov>
Co-authored-by: Chris Compton <daniel.compton@nist.gov>
---
 src/metaschema/oscal_catalog_metaschema.xml | 4 +++-
 src/metaschema/oscal_ssp_metaschema.xml     | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml
index 5a2a9b52fa..cf6498f580 100644
--- a/src/metaschema/oscal_catalog_metaschema.xml
+++ b/src/metaschema/oscal_catalog_metaschema.xml
@@ -146,6 +146,7 @@
                   </allowed-values>
                   <allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <enum value="overview">An introduction to a control or a group of controls.</enum>
+                        <enum value="instruction">Information providing directions for a control or a group of controls.</enum>
                   </allowed-values>
             </constraint>
             <remarks>
@@ -254,9 +255,10 @@
                         target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <enum value="overview">An introduction to a control or a group of
                               controls.</enum>
-                        <enum value="statement">A set of control implementation requirements.</enum>
+                        <enum value="statement">A set of implementation requirements or recommendations.</enum>
                         <enum value="guidance">Additional information to consider when selecting,
                               implementing, assessing, and monitoring a control.</enum>
+                        <enum value="example">An example of an implemented requirement or control statement.</enum>
                         <enum value="assessment" deprecated="1.0.1">**(deprecated)** Use
                               'assessment-method' instead.</enum>
                         <enum value="assessment-method">The part describes a method-based assessment
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 2cfb9df3c3..2f0d1c613c 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -156,7 +156,7 @@
         </enum>
         <enum value="community-cloud">The community cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
         </enum>
-        <enum value="hybrid-cloud">The hybrid cloud deployment model as defined by as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="hybrid-cloud">The hybrid cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
         </enum>
         <!-- TODO: consider generalizing this in a way that applies to other usage contexts. -->
         <enum value="government-only-cloud">A specific type of community-cloud for use only by government services.</enum>

From f72e27ecad71f51eaae7b01b02209d4c2bd7906a Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Wed, 6 Dec 2023 10:58:34 -0500
Subject: [PATCH 22/51] Updated version in the release a patch guidance (#1964)

---
 versioning-and-branching.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/versioning-and-branching.md b/versioning-and-branching.md
index 27a60adc92..40e97d186a 100644
--- a/versioning-and-branching.md
+++ b/versioning-and-branching.md
@@ -113,7 +113,7 @@ Once a patch release is ready, the release can be made using the following Git c
 ```
 git checkout main
 git merge --no-ff release-1.2
-git tag -a 1.2.1
+git tag -a v1.2.1
 git push --follow-tags
 ```
 

From ee77ab66dd869ebca91959d7a868dfd3696dd786 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 6 Dec 2023 09:59:11 -0600
Subject: [PATCH 23/51] Bump actions/setup-java from 3 to 4 (#1963)

Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3 to 4.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/status.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a4f844acc0..e7690d64d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: "17"
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index cf461b828a..0c6dfd68b1 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: "17"

From c4a99cc3f18582794ea3a492ec63aa4a127bea59 Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <alexander.stein@nist.gov>
Date: Wed, 6 Dec 2023 11:25:57 -0500
Subject: [PATCH 24/51] Remove with-parent-controls from implementation (#1843)

* Remove with-parent-controls from XSLT profile resolver for #1816.

* Remove profile resolver with-parent-controls tests for #1816.
---
 .../select-or-custom-merge.xsl                |  13 --
 .../testing/1_selected/select.xspec           | 200 ------------------
 2 files changed, 213 deletions(-)

diff --git a/src/utils/resolver-pipeline/select-or-custom-merge.xsl b/src/utils/resolver-pipeline/select-or-custom-merge.xsl
index 200ef9b92f..fed17e0b7f 100644
--- a/src/utils/resolver-pipeline/select-or-custom-merge.xsl
+++ b/src/utils/resolver-pipeline/select-or-custom-merge.xsl
@@ -51,28 +51,20 @@
             <xsl:sequence select="exists($importing/include-all)"/>
             <xsl:sequence select="some $c in ($importing/include-controls/with-id)
                 satisfies ($c = $candidate/@id)"/>
-            <xsl:sequence select="some $c in ($importing/include-controls[o:calls-parents(.)]/with-id)
-                satisfies ($c = $candidate/descendant::control/@id)"/>
             <xsl:sequence select="some $c in ($importing/include-controls[o:calls-children(.)]/with-id)
                 satisfies ($c = $candidate/ancestor::control/@id)"/>
             <xsl:sequence select="some $m in ($importing/include-controls/matching[@pattern != ''])
                 satisfies (matches($candidate/@id,$m/@pattern/o:glob-as-regex(string(.)) ))"/>
-            <xsl:sequence select="some $m in ($importing/include-controls[o:calls-parents(.)]/matching[@pattern != '']), $a in $candidate/descendant::control 
-                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
             <xsl:sequence select="some $m in ($importing/include-controls[o:calls-children(.)]/matching[@pattern != '']), $a in $candidate/ancestor::control 
                 satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
         </xsl:variable>
         <xsl:variable name="exclude-reasons" as="xs:boolean+">
             <xsl:sequence select="exists($candidate/parent::control) and $importing/include-all/@with-child-controls='no'"/>
             <xsl:sequence select="some $c in ($importing/exclude-controls/with-id) satisfies ($c = $candidate/@id)"/>
-            <xsl:sequence select="some $c in ($importing/exclude-controls[o:calls-parents(.)]/with-id)
-                satisfies ($c = $candidate/descendant::control/@id)"/>
             <xsl:sequence select="some $c in ($importing/exclude-controls[o:calls-children(.)]/with-id)
                 satisfies ($c = $candidate/ancestor::control/@id)"/>
             <xsl:sequence select="some $m in ($importing/exclude-controls/matching[@pattern != ''])
                 satisfies (matches($candidate/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
-            <xsl:sequence select="some $m in ($importing/exclude-controls[o:calls-parents(.)]/matching[@pattern != '']), $a in $candidate/descendant::control
-                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
             <xsl:sequence select="some $m in ($importing/exclude-controls[o:calls-children(.)]/matching[@pattern != '']), $a in $candidate/ancestor::control
                 satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
         </xsl:variable>
@@ -84,11 +76,6 @@
         <xsl:param name="caller" as="element()"/>
         <xsl:sequence select="$caller/@with-child-controls='yes'"/>
     </xsl:function>
-    
-    <xsl:function name="o:calls-parents" as="xs:boolean">
-        <xsl:param name="caller" as="element()"/>
-        <xsl:sequence select="not($caller/@with-parent-controls='no')"/>
-    </xsl:function>
 
     <xsl:function name="opr:catalog-identifier" as="xs:string">
         <xsl:param name="catalog" as="element(o:catalog)"/>
diff --git a/src/utils/resolver-pipeline/testing/1_selected/select.xspec b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
index c6c5c503cc..f05ee727cb 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/select.xspec
+++ b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
@@ -292,40 +292,6 @@
                 </profile>
             </x:expect>
         </x:scenario>
-    
-        <x:scenario label="Default value of 'with-parent-controls' (yes)">
-            <x:context>
-                <profile>
-                    <import href="{$ov:filedir}/catalogs/xyz-tiny_catalog.xml">
-                        <include-controls with-parent-controls="yes">
-                            <with-id>z3.a-1</with-id>
-                        </include-controls>
-                    </import>
-                </profile>
-            </x:context>
-            
-            <x:expect label="Control Z3-A-1 and all its ancestors">
-                <profile>
-                    <selection uuid="..." opr:src="...">
-                        <metadata>...</metadata>
-                        <group opr:id="...">
-                            <title>Group X of XYZ</title>
-                        </group>
-                        <group opr:id="...">
-                            <title>Group Y of XYZ</title>
-                        </group>
-                        <group opr:id="...">
-                            <title>Group Z of XYZ</title>
-                            <control id="z3" opr:id="..."><title>Control Z3</title>
-                                <control id="z3.a" opr:id="..."><title>Control Z3-A</title>
-                                    <control id="z3.a-1" opr:id="..."><title>Control Z3-A-1</title></control>
-                                </control>
-                            </control>
-                        </group>
-                    </selection>
-                </profile>
-            </x:expect>
-        </x:scenario>
 
         <x:scenario label="Nondefault value of 'with-parent-controls' (no)">
             <x:context>
@@ -800,32 +766,6 @@
                 </x:call>
                 <x:expect label="false" select="false()"/>
             </x:scenario>
-            <x:scenario label="Select descendant ID, omitting with-parent-controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-controls>
-                                <with-id>level-four</with-id>
-                            </include-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true (with-parent-controls defaults to yes)" select="true()"/>
-            </x:scenario>
-            <x:scenario label="Select descendant ID, and explicitly include parent controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-controls with-parent-controls="yes">
-                                <with-id>level-four</with-id>
-                            </include-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true" select="true()"/>
-            </x:scenario>
             <x:scenario label="Select descendant ID and do not include parent controls.">
                 <x:call function="o:selects">
                     <x:param name="importing">
@@ -938,32 +878,6 @@
                 </x:call>
                 <x:expect label="false" select="false()"/>
             </x:scenario>
-            <x:scenario label="Match descendant ID, omitting with-parent-controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-controls>
-                                <matching pattern="*-four"/>
-                            </include-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true (with-parent-controls defaults to yes)" select="true()"/>
-            </x:scenario>
-            <x:scenario label="Match descendant ID, with parent controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-controls with-parent-controls="yes">
-                                <matching pattern="*-four"/>
-                            </include-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true" select="true()"/>
-            </x:scenario>
             <x:scenario label="Match descendant ID, without parent controls.">
                 <x:call function="o:selects">
                     <x:param name="importing">
@@ -1016,23 +930,6 @@
                 </x:call>
                 <x:expect label="false" select="false()"/>
             </x:scenario>
-            <x:scenario label="Include grandchild with parent controls, and include child without parent controls">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-controls with-parent-controls="yes">
-                                <with-id>level-four</with-id>
-                            </include-controls>
-                            <include-controls with-parent-controls="no">
-                                <with-id>level-three</with-id>
-                            </include-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate"
-                        select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true" select="true()"/>
-            </x:scenario>
             <x:scenario label="Include grandparent with child controls, and include parent without child controls">
                 <x:call function="o:selects">
                     <x:param name="importing">
@@ -1095,48 +992,6 @@
                 </x:call>
                 <x:expect label="true" select="true()"/>
             </x:scenario>
-            <x:scenario label="Exclude descendant ID, omitting with-parent-controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-all/>
-                            <exclude-controls>
-                                <with-id>level-four</with-id>
-                            </exclude-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="false (with-parent-controls defaults to yes)" select="false()"/>
-            </x:scenario>
-            <x:scenario label="Exclude descendant ID with parent controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-all/>
-                            <exclude-controls with-parent-controls="yes">
-                                <with-id>level-four</with-id>
-                            </exclude-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="false" select="false()"/>
-            </x:scenario>
-            <x:scenario label="Exclude descendant ID without parent controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-all/>
-                            <exclude-controls with-parent-controls="no">
-                                <with-id>level-four</with-id>
-                            </exclude-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="true" select="true()"/>
-            </x:scenario>
             <x:scenario label="Exclude ancestor ID, omitting with-child-controls.">
                 <x:call function="o:selects">
                     <x:param name="importing">
@@ -1277,34 +1132,6 @@
                 </x:call>
                 <x:expect label="true" select="true()"/>
             </x:scenario>
-            <x:scenario label="Match descendant ID, omitting with-parent-controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-all/>
-                            <exclude-controls>
-                                <matching pattern="*-four"/>
-                            </exclude-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="false (with-parent-controls defaults to yes)" select="false()"/>
-            </x:scenario>
-            <x:scenario label="Match descendant ID, with parent controls.">
-                <x:call function="o:selects">
-                    <x:param name="importing">
-                        <import>
-                            <include-all/>
-                            <exclude-controls with-parent-controls="yes">
-                                <matching pattern="*-four"/>
-                            </exclude-controls>
-                        </import>
-                    </x:param>
-                    <x:param name="candidate" select="$ov:control-hierarchy//o:control[@id='level-two']"/>
-                </x:call>
-                <x:expect label="false" select="false()"/>
-            </x:scenario>
             <x:scenario label="Match descendant ID, without parent controls.">
                 <x:call function="o:selects">
                     <x:param name="importing">
@@ -1468,33 +1295,6 @@
         </x:scenario>
     </x:scenario>
 
-    <x:scenario label="Tests for o:calls-parents function">
-        <x:scenario label="with-parent-controls attribute is 'yes'">
-            <x:call function="o:calls-parents">
-                <x:param>
-                    <elem with-parent-controls="yes"/>
-                </x:param>
-            </x:call>
-            <x:expect label="true" select="true()"/>
-        </x:scenario>
-        <x:scenario label="with-parent-controls attribute is 'no'">
-            <x:call function="o:calls-parents">
-                <x:param>
-                    <elem with-parent-controls="no"/>
-                </x:param>
-            </x:call>
-            <x:expect label="false" select="false()"/>
-        </x:scenario>
-        <x:scenario label="with-parent-controls attribute is omitted">
-            <x:call function="o:calls-parents">
-                <x:param>
-                    <elem/>
-                </x:param>
-            </x:call>
-            <x:expect label="true" select="true()"/>
-        </x:scenario>
-    </x:scenario>
-
     <x:scenario label="Tests for o:resource-or-error function">
         <x:scenario label="Document is available">
             <x:call function="o:resource-or-error">

From 97a71c16a3dabd5ec356ae9c5a1a456c5cadec10 Mon Sep 17 00:00:00 2001
From: Chris Compton <daniel.compton@nist.gov>
Date: Wed, 6 Dec 2023 11:21:30 -0600
Subject: [PATCH 25/51] Update oscal metaschema source to version 1.1.2

---
 src/metaschema/oscal_assessment-common_metaschema.xml     | 2 +-
 src/metaschema/oscal_assessment-plan_metaschema.xml       | 2 +-
 src/metaschema/oscal_assessment-results_metaschema.xml    | 2 +-
 src/metaschema/oscal_catalog_metaschema.xml               | 2 +-
 src/metaschema/oscal_complete_metaschema.xml              | 2 +-
 src/metaschema/oscal_component_metaschema.xml             | 2 +-
 src/metaschema/oscal_implementation-common_metaschema.xml | 2 +-
 src/metaschema/oscal_metadata_metaschema.xml              | 2 +-
 src/metaschema/oscal_poam_metaschema.xml                  | 2 +-
 src/metaschema/oscal_profile_metaschema.xml               | 2 +-
 src/metaschema/oscal_ssp_metaschema.xml                   | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml
index f26093a83e..92fcced389 100644
--- a/src/metaschema/oscal_assessment-common_metaschema.xml
+++ b/src/metaschema/oscal_assessment-common_metaschema.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes">
    <schema-name>OSCAL Assessment Layer Format -- Common Modules</schema-name>
-   <schema-version>1.1.1</schema-version>
+   <schema-version>1.1.2</schema-version>
    <short-name>oscal-assessment-common</short-name>
    <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
    <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_assessment-plan_metaschema.xml b/src/metaschema/oscal_assessment-plan_metaschema.xml
index 72d3f7c842..93c66ddfaf 100644
--- a/src/metaschema/oscal_assessment-plan_metaschema.xml
+++ b/src/metaschema/oscal_assessment-plan_metaschema.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
     <schema-name>OSCAL Assessment Plan Model</schema-name>
-    <schema-version>1.1.1</schema-version>
+    <schema-version>1.1.2</schema-version>
     <short-name>oscal-ap</short-name>
     <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
     <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_assessment-results_metaschema.xml b/src/metaschema/oscal_assessment-results_metaschema.xml
index 820282fba7..405f4594b9 100644
--- a/src/metaschema/oscal_assessment-results_metaschema.xml
+++ b/src/metaschema/oscal_assessment-results_metaschema.xml
@@ -3,7 +3,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
   <schema-name>OSCAL Assessment Results Model</schema-name>
-  <schema-version>1.1.1</schema-version>
+  <schema-version>1.1.2</schema-version>
   <short-name>oscal-ar</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml
index cf6498f580..a5bcd6fd02 100644
--- a/src/metaschema/oscal_catalog_metaschema.xml
+++ b/src/metaschema/oscal_catalog_metaschema.xml
@@ -8,7 +8,7 @@
 <?xml-stylesheet type="text/css" href="metaschema-author.css"?>
 <METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
       <schema-name>OSCAL Control Catalog Model</schema-name>
-      <schema-version>1.1.1</schema-version>
+      <schema-version>1.1.2</schema-version>
       <short-name>oscal-catalog</short-name>
       <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
       <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_complete_metaschema.xml b/src/metaschema/oscal_complete_metaschema.xml
index ed88e5116b..0e919c4f19 100644
--- a/src/metaschema/oscal_complete_metaschema.xml
+++ b/src/metaschema/oscal_complete_metaschema.xml
@@ -7,7 +7,7 @@
 ]>
 <METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
       <schema-name>OSCAL Unified Model of Models</schema-name>
-      <schema-version>1.1.1</schema-version>
+      <schema-version>1.1.2</schema-version>
       <short-name>oscal-complete</short-name>
       <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
       <json-base-uri>http://csrc.nist.gov/ns/oscal/1.0</json-base-uri>
diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
index 68ebd4bc68..ac09a01c42 100644
--- a/src/metaschema/oscal_component_metaschema.xml
+++ b/src/metaschema/oscal_component_metaschema.xml
@@ -14,7 +14,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
   <schema-name>OSCAL Component Definition Model</schema-name>
-  <schema-version>1.1.1</schema-version>
+  <schema-version>1.1.2</schema-version>
   <short-name>oscal-component-definition</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index 6c584ff947..60138cbf4b 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -14,7 +14,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd" abstract="yes">
       <schema-name>OSCAL Implementation Common Information</schema-name>
-      <schema-version>1.1.1</schema-version>
+      <schema-version>1.1.2</schema-version>
       <short-name>oscal-implementation-common</short-name>
       <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
       <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml
index 97566d8e66..473327d327 100644
--- a/src/metaschema/oscal_metadata_metaschema.xml
+++ b/src/metaschema/oscal_metadata_metaschema.xml
@@ -6,7 +6,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes">
     <schema-name>OSCAL Document Metadata Description</schema-name>
-    <schema-version>1.1.1</schema-version>
+    <schema-version>1.1.2</schema-version>
     <short-name>oscal-metadata</short-name>
     <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
     <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_poam_metaschema.xml b/src/metaschema/oscal_poam_metaschema.xml
index 21b9ef7a7e..8d7223bff2 100644
--- a/src/metaschema/oscal_poam_metaschema.xml
+++ b/src/metaschema/oscal_poam_metaschema.xml
@@ -3,7 +3,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
     <schema-name>OSCAL Plan of Action and Milestones (POA&amp;M) Model</schema-name>
-    <schema-version>1.1.1</schema-version>
+    <schema-version>1.1.2</schema-version>
     <short-name>oscal-poam</short-name>
     <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
     <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
index 0c28af80e4..010ff96f48 100644
--- a/src/metaschema/oscal_profile_metaschema.xml
+++ b/src/metaschema/oscal_profile_metaschema.xml
@@ -7,7 +7,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
       <schema-name>OSCAL Profile Model</schema-name>
-      <schema-version>1.1.1</schema-version>
+      <schema-version>1.1.2</schema-version>
       <short-name>oscal-profile</short-name>
       <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
       <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 2f0d1c613c..f7ac668666 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -13,7 +13,7 @@
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
   <schema-name>OSCAL System Security Plan (SSP) Model</schema-name>
-  <schema-version>1.1.1</schema-version>
+  <schema-version>1.1.2</schema-version>
   <short-name>oscal-ssp</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>

From 45c1fc41e3dd04b98cb7ccd8d4b23d81c738ccb4 Mon Sep 17 00:00:00 2001
From: Wendell Piez <wendell.piez@nist.gov>
Date: Tue, 23 Jan 2024 13:13:01 -0500
Subject: [PATCH 26/51] New XSLT emulates resolve-entities.xsl, except using
 3.0 features, with XSpec

---
 build/resolve-entities.xspec | 78 ++++++++++++++++++++++++++++++++++++
 build/resolve-entities3.xsl  | 33 +++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 build/resolve-entities.xspec
 create mode 100644 build/resolve-entities3.xsl

diff --git a/build/resolve-entities.xspec b/build/resolve-entities.xspec
new file mode 100644
index 0000000000..b583bfaeeb
--- /dev/null
+++ b/build/resolve-entities.xspec
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<x:description xmlns:x="http://www.jenitennison.com/xslt/xspec"
+   stylesheet="resolve-entities3.xsl"
+   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
+   
+   <x:scenario label="Everything copies:">
+      <x:scenario label="A bare metaschema">
+         <x:context>
+            <METASCHEMA/>
+         </x:context>
+         <x:expect label="copies" select="$x:context"/>
+      </x:scenario>
+      <x:scenario label="With random PIs">
+         <x:context>
+            <?xml-stylesheet href="some.css"?>
+            <METASCHEMA>
+               <title>A test</title>
+               <?random?>
+            </METASCHEMA>
+      </x:context>
+         <x:expect label="copies" select="$x:context"/>
+      </x:scenario>
+      <x:scenario label="A comment" pending="dev"/>
+   </x:scenario>
+   
+   <x:scenario label="import/@href is modified:">
+      <x:scenario label="providing a suffix to the base name">
+         <x:context>
+            <METASCHEMA>
+               <import href="some.other.metaschema.xml"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other.metaschema_RESOLVED.xml"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="even when the suffix is not 'xml'">
+         <x:context>
+            <METASCHEMA>
+               <import href="some.other.metaschema"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other_RESOLVED.metaschema"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="or it is missing entirely">
+         <x:context>
+            <METASCHEMA>
+               <import href="some_metaschema"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some_metaschema_RESOLVED"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="providing a suffix to the base name">
+         <x:context>
+            <x:param name="splice">_NEW</x:param>
+            <METASCHEMA>
+               <import href="some.other.metaschema.xml"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other.metaschema_NEW.xml"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+   </x:scenario>
+   
+</x:description>
diff --git a/build/resolve-entities3.xsl b/build/resolve-entities3.xsl
new file mode 100644
index 0000000000..8ffeb07367
--- /dev/null
+++ b/build/resolve-entities3.xsl
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+   xmlns:xs="http://www.w3.org/2001/XMLSchema"
+   xmlns:math="http://www.w3.org/2005/xpath-functions/math"
+   xpath-default-namespace="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+   exclude-result-prefixes="xs math"
+   version="3.0">
+   
+<!-- This XSLT provides the same outputs as resolve-entities.xsl for 'normal' inputs
+     i.e. when import/@href ends in '.xml'.
+   
+     For extraordinary inputs it does a little differently.
+     
+     See the XSpec resolve-entities.xspec for functional testing, including the edge cases.
+     
+   -->
+   <!-- since whitespace is retained from input, it provides indenting
+        - if (schema-based) strip-space is operative, switch @indent to 'yes'-->
+   <xsl:output omit-xml-declaration="no" indent="no" encoding="ASCII"/>
+   
+   <xsl:param name="importHrefSuffix" select="'RESOLVED'"/>
+   
+   <!-- copying everything through -->
+   <xsl:mode on-no-match="shallow-copy"/>
+   
+   <xsl:template match="import/@href">
+      <xsl:param     name="splice"   select="'_' || $importHrefSuffix"/>
+      
+      <xsl:variable  name="basename" select="replace(.,'\.[^.]*$','')"/>
+      <xsl:attribute name="href"     select="$basename || $splice || substring-after(.,$basename)"/>
+   </xsl:template>
+   
+</xsl:stylesheet>
\ No newline at end of file

From f69c55e569573b4f11462bdeb7c7f44706ede4a8 Mon Sep 17 00:00:00 2001
From: Wendell Piez <wendell.piez@nist.gov>
Date: Tue, 30 Jan 2024 11:14:23 -0500
Subject: [PATCH 27/51] Improved initial comment on XSLT

---
 build/resolve-entities3.xsl | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/build/resolve-entities3.xsl b/build/resolve-entities3.xsl
index 8ffeb07367..ce66f2f78c 100644
--- a/build/resolve-entities3.xsl
+++ b/build/resolve-entities3.xsl
@@ -6,14 +6,27 @@
    exclude-result-prefixes="xs math"
    version="3.0">
    
-<!-- This XSLT provides the same outputs as resolve-entities.xsl for 'normal' inputs
-     i.e. when import/@href ends in '.xml'.
+<!--
+     Purpose: Process XML files through a parsing/serialization that resolves internal parsed entities.
+
+     Also renames file references in METASCHEMA/import/@href
+     using $importHrefSuffix to suffix the base name
+       so for $importHrefSuffix='NEW'
+       import href="a_metaschema_module.xml" becomes href="a_metaschema_module_NEW.xml"
+     
+     Otherwise this is an identity transform, so a diff over source and results should show only stated changes.
+     
+     Parameter: $importHrefSuffix is 'RESOLVED' by default
+  
+     XSpec: See the XSpec resolve-entities.xspec for functional testing, including the edge cases.
+
+     Compared to old resolve-entities.xsl: This XSLT provides the same outputs
+     for 'normal' inputs i.e. when import/@href ends in '.xml'.
    
      For extraordinary inputs it does a little differently.
      
-     See the XSpec resolve-entities.xspec for functional testing, including the edge cases.
-     
    -->
+   
    <!-- since whitespace is retained from input, it provides indenting
         - if (schema-based) strip-space is operative, switch @indent to 'yes'-->
    <xsl:output omit-xml-declaration="no" indent="no" encoding="ASCII"/>

From f2465307aa13857f0308c5cfb1e194d3931feef1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 08:05:55 +0000
Subject: [PATCH 28/51] Bump actions/setup-node from 4.0.0 to 4.0.1

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/8f152de45cc393bb48ce5d89d36b731f54556e65...b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/status.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index e1130dd4ee..e20e5fce80 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index 0c6dfd68b1..e0bbdbe9e4 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           distribution: "temurin"
           java-version: "17"
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

From 553bbc2cc66bf12cd563e0e55cb6d86d318c678e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 7 Feb 2024 08:09:27 +0000
Subject: [PATCH 29/51] Bump actions/setup-node from 4.0.1 to 4.0.2

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8...60edb5dd545a775178f52524783378180af0d1f8)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/periodic.yml | 2 +-
 .github/workflows/status.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index e20e5fce80..0ac75b728c 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"
diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
index e0bbdbe9e4..566a3b416f 100644
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           distribution: "temurin"
           java-version: "17"
-      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

From 28f801d2772a95cfb4ff1d3904071d8155f6e90c Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Tue, 20 Feb 2024 12:19:12 -0500
Subject: [PATCH 30/51] skipping the linkcheck for OSCAL site on csrc due to
 very tardy site response.

---
 build/markdown-link-check.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/build/markdown-link-check.json b/build/markdown-link-check.json
index a0b086073d..9b46aad128 100644
--- a/build/markdown-link-check.json
+++ b/build/markdown-link-check.json
@@ -11,7 +11,10 @@
         },
         {
             "pattern": "https://linux.die.net/man/1/xmllint/"
-        }        
+        },
+        {
+            "pattern": "https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language"
+        }       
     ],
     "replacementPatterns": [
         {

From 674d65effb5bd39362f5f19d8b61065c06a35b0a Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Thu, 22 Feb 2024 08:27:58 -0500
Subject: [PATCH 31/51] Updates to accommodate CI/CD

Imitate changes in xslt3-functions PR#7.

- CI/CD puts compiled XSpec file somewhere else, so define
  ov:service variable more robustly so that uuid-value.txt
  will be found regardless of where compiled XSpec file is.

- Java UUID class is not found in CI/CD, so conditionalize
  tests that use it. Running XSpec in Oxygen finds the class
  and verifies its results (same as before this change).
---
 .../2_metadata/uuid-method-choice.xspec       | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec b/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec
index f1a5f6b8e3..0c409a7ade 100644
--- a/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec
+++ b/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <x:description xmlns:x="http://www.jenitennison.com/xslt/xspec"
+    xmlns:javaUUID="java.util.UUID"
     xmlns:ov="http://csrc.nist.gov/ns/oscal/xspec/variable"
     xmlns:u="http://csrc.nist.gov/ns/uuid"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
@@ -8,7 +9,7 @@
     <x:scenario label="Tests for u:determine-uuid template">
         <x:variable name="ov:fixed" as="xs:string" select="'00000000-0000-4000-B000-000000000000'"/>
         <x:variable name="ov:specified" as="xs:string" select="'f0ad1e6c-5de5-44cd-b92e-a4c507805f0f'"/>
-        <x:variable name="ov:service" as="xs:string" select="resolve-uri('../uuid-value.txt')"/>
+        <x:variable name="ov:service" as="xs:string" select="resolve-uri('uuid-value.txt',$x:xspec-uri)"/>
         <x:scenario label="Valid user-provided UUID">
             <x:call template="u:determine-uuid">
                 <x:param name="top-uuid" select="$ov:specified"/>
@@ -37,16 +38,22 @@
             <x:expect label="UUID is neither fixed one nor specified one"
                 test="$x:result ne $ov:specified and $x:result ne $ov:fixed"/>
         </x:scenario>
-        <x:scenario label="Random UUID using Java">
+        <x:scenario label="Random UUID using Java (Note: Not available in CI/CD)">
             <x:call template="u:determine-uuid">
                 <x:param name="top-uuid" select="$ov:specified"/>
                 <x:param name="uuid-method" select="'random-java'"/>
             </x:call>
-            <x:expect label="Nonempty string"
-                test="$x:result instance of xs:string and $x:result != ''"/>
+            <x:variable name="ov:java-fcn-available" as="xs:boolean"
+                select="function-available('javaUUID:randomUUID')"/>
+            <x:expect label="Nonempty"
+                test="if ($ov:java-fcn-available)
+                then (string($x:result) != '')
+                else true()"/>
             <x:expect label="UUID is neither fixed one nor specified one"
-                test="$x:result ne $ov:specified and $x:result ne $ov:fixed"/>
-        </x:scenario>
+                test="if ($ov:java-fcn-available)
+                then (string($x:result) ne $ov:specified and string($x:result) ne $ov:fixed)
+                else true()"/>
+            </x:scenario>
         <!-- FYI: Because the transform relies on use-when, which is evaluated at
             compile time, the same test invocation cannot check both
             when the XSLT and Java random number generators are available

From f421eac7497e8fbce8399abbeff7484631388875 Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Fri, 23 Feb 2024 08:45:13 -0500
Subject: [PATCH 32/51] CI/CD-friendly URIs to new location

- 2nd argument of resolve-uri makes the path relative to the original XSpec file instead of the compiled one, whose location can vary depending on how the test is run

- Remove one ../ from URI to resolve (similar to #1945) because of directory reorg
---
 .../testing/1_selected/select-mapping-controls.xspec          | 4 ++--
 .../resolver-pipeline/testing/1_selected/select-rlink.xspec   | 4 ++--
 src/utils/resolver-pipeline/testing/1_selected/select.xspec   | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec b/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec
index 950e4a241f..b46425d0b0 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec
+++ b/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec
@@ -23,8 +23,8 @@
         https://github.com/usnistgov/OSCAL/discussions/1114
         When this is determined, tests can be added for those sections. -->
 
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:scenario label="Import controls using ID mapping">
         <x:scenario label="Basic case" pending="Mapping is not implemented yet">
diff --git a/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec b/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec
index cb70e55295..7569f39e35 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec
+++ b/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec
@@ -6,8 +6,8 @@
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     stylesheet="../../oscal-profile-resolve-select.xsl">
     
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:scenario label="Direct import by file href">
         <x:context>
diff --git a/src/utils/resolver-pipeline/testing/1_selected/select.xspec b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
index f05ee727cb..46c015c689 100644
--- a/src/utils/resolver-pipeline/testing/1_selected/select.xspec
+++ b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
@@ -8,8 +8,8 @@
     stylesheet="../../oscal-profile-resolve-select.xsl"
     xslt-version="3.0">
 
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:variable name="ov:unique" as="function(*)"
         select="function($seq as xs:string*) as xs:boolean {

From fe22cb1e70a230f842fc092e8bf9656ae070ab06 Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Fri, 23 Feb 2024 08:49:58 -0500
Subject: [PATCH 33/51] Mark include-controls w/ parent scenario pending

Temporary change until it's clear whether this feature
is supported and what its expected result should be.
---
 .../resolver-pipeline/testing/3_merged/merge-custom.xspec      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec b/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec
index 4cf7ba997a..54e1179211 100644
--- a/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec
+++ b/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec
@@ -574,7 +574,8 @@
                 </control>
             </x:expect>
         </x:scenario>
-        <x:scenario label="include-controls with parent controls (default choice)">
+        <x:scenario label="include-controls with parent controls (default choice)"
+          pending="Needs confirmation about latest expected result">
             <x:context mode="o:custom-merge" select="//o:include-controls">
                 <catalog uuid="xyz-tiny_catalog">
                     <selection>

From c8b7b54f9d94eef8b6d0cc7dab9f3a6e48a490df Mon Sep 17 00:00:00 2001
From: galtm <40716346+galtm@users.noreply.github.com>
Date: Fri, 23 Feb 2024 08:49:06 -0500
Subject: [PATCH 34/51] Rewrite id() usage

`select="id('a1-stmt')"` works in Oxygen but not xspec.bat or CI/CD. Expressing that select attribute a different way.

Also, I fixed a select attribute where the namespace prefix
was missing. The omission caused the test to pass for the wrong
reason (empty context).
---
 src/utils/resolver-pipeline/testing/4_modified/modify.xspec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/utils/resolver-pipeline/testing/4_modified/modify.xspec b/src/utils/resolver-pipeline/testing/4_modified/modify.xspec
index 40eb7e3026..5a0546a739 100644
--- a/src/utils/resolver-pipeline/testing/4_modified/modify.xspec
+++ b/src/utils/resolver-pipeline/testing/4_modified/modify.xspec
@@ -300,7 +300,7 @@
         
     <x:scenario label="Tests for match=set-parameter template">
         <x:scenario label="set-param child does not match anything">
-            <x:context select="//set-parameter">
+            <x:context select="//o:set-parameter">
                 <catalog id="abc">
                     <param id="p1">
                         <label>Parameter #1</label>
@@ -1158,7 +1158,7 @@
         </x:scenario>
         <x:scenario label="Edge case: Empty $modifications param">
             <x:call function="oscal:patches-to-id-targeting-ancestor">
-                <x:param name="here" select="id('a1-stmt')">
+                <x:param name="here" select="//*[@id='a1-stmt']">
                     <catalog id="abc">
                         <control id="a1">
                             <title>Control A</title>

From f358425e95ab5a5e300c58df4774ebfb2e999ef3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 27 Feb 2024 08:39:39 +0000
Subject: [PATCH 35/51] Bump actions/add-to-project from 0.5.0 to 0.6.0

Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](https://github.com/actions/add-to-project/compare/31b3f3ccdc584546fc445612dec3f38ff5edb41c...0609a2702eefb44781da00f8e04901d6e5cd2b92)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/issue-triage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index 0dc03fe811..d4b2553731 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -12,7 +12,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c
+      - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92
         with:
           project-url: https://github.com/orgs/usnistgov/projects/25
           github-token: ${{ secrets.COMMIT_TOKEN }}

From c909b22017aaf8a55254fd897f825bd1df54328b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 01:22:59 +0000
Subject: [PATCH 36/51] Bump softprops/action-gh-release from 1 to 2

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e7690d64d0..9cfcd228b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
           make -j2 artifacts archives RELEASE=${GITHUB_REF_NAME:1}
         working-directory: build
       - name: Create release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.COMMIT_TOKEN }}
           draft: true

From e8c00f07c450e43dc21fe1f7367ecb416fc0f25a Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Tue, 12 Mar 2024 21:54:46 -0400
Subject: [PATCH 37/51] Addressing issue 1958 by updating the description of
 the property.

---
 src/metaschema/oscal_metadata_metaschema.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml
index 473327d327..36d8bfa04f 100644
--- a/src/metaschema/oscal_metadata_metaschema.xml
+++ b/src/metaschema/oscal_metadata_metaschema.xml
@@ -679,7 +679,7 @@
         <use-name>prop</use-name>
         <define-flag name="name" as-type="token" required="yes">
             <formal-name>Property Name</formal-name>
-            <description>A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.</description>
+            <description>A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.</description>
         </define-flag>
         <define-flag name="uuid" as-type="uuid">
             <formal-name>Property Universally Unique Identifier</formal-name>

From 366d1550cea17cd9ac1410805abe7a57dfd699bf Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Tue, 12 Mar 2024 22:12:58 -0400
Subject: [PATCH 38/51] Updated the PR template to point to the OSCAL website
 repos.

---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index b5c3debd9c..b6690ccda3 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,4 +19,4 @@ By submitting a pull request, you are agreeing to provide this contribution unde
 - [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
 - [ ] Have you written new tests for your core changes, as applicable?
 - [ ] Have you included examples of how to use your new feature(s)?
-- [ ] Have you updated all [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
+- [ ] Have you updated the [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the [OSCAL-Pages](https://github.com/usnistgov/OSCAL-Pages) and [OSCAL_Reference](https://github.com/usnistgov/OSCAL-Reference) repositories.

From dd6e1a3fa79ac08176b5a23f7a56f6820f8ba65e Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Fri, 22 Mar 2024 02:24:06 -0400
Subject: [PATCH 39/51] Fixed validation errors in
 oscal_responsibility-common_metaschema.xml definition file.

---
 ...oscal_responsibility-common_metaschema.xml | 312 +++++++++++-------
 1 file changed, 196 insertions(+), 116 deletions(-)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 9d5183dc01..7a0868ec08 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -1,121 +1,158 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<!-- <!DOCTYPE METASCHEMA [
+<!DOCTYPE METASCHEMA [
   <!ENTITY allowed-values-responsible-roles-system SYSTEM "./shared-constraints/allowed-values-responsible-roles-system.ent">
   <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
   <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
-]> -->
-<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes">
-   <schema-name>OSCAL Shared Responsibility Format -- Common Modules</schema-name>
-   <schema-version>1.1.0</schema-version>
-   <short-name>oscal-responsibility-common</short-name>
-   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
-   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
-   <remarks>
-      <p>This contains all modules common to shared responsibility in the ssp and component definition models. </p>
-   </remarks>
-
-   <!-- IMPORT STATEMENTS -->
-   <import href="oscal_metadata_metaschema.xml"/>
-   <import href="oscal_implementation-common_metaschema.xml"/>
+]>
+<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+  xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd"
+  abstract="yes">
+  <schema-name>OSCAL Shared Responsibility Format -- Common Modules</schema-name>
+  <schema-version>1.1.2</schema-version>
+  <short-name>oscal-responsibility-common</short-name>
+  <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
+  <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
+  <remarks>
+    <p>This contains all modules common to shared responsibility in the ssp and component definition
+      models. </p>
+  </remarks>
+
+  <!-- IMPORT STATEMENTS -->
+  <import href="oscal_metadata_metaschema.xml" />
+  <import href="oscal_implementation-common_metaschema.xml" />
 
   <!-- Shared Responsibility Assemblies -->
-   
-   <define-assembly name="source-ssp" max-occurs="1">
+
+  <define-assembly name="source-ssp">
     <formal-name>Source SSP</formal-name>
-    <description>This has not been described in the prototype.</description>
+    <description>The leveraged System Security Plan (SSP) that documents the components implementing
+      inheritable controls.</description>
 
     <define-flag name="ssp-uuid" as-type="uuid" required="yes">
       <formal-name>SSP Universally Unique Identifier</formal-name>
-      <description>This has not been described in the prototype.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference the sourced SSP in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
+        instances</a>.</description>
     </define-flag>
 
     <model>
       <define-field name="title" as-type="markup-line">
         <formal-name>Source Title</formal-name>
-        <description>This has not been described in the prototype.</description>
+        <description>The title of sourced leveraged SSP.</description>
       </define-field>
 
       <define-field name="published" as-type="dateTime-with-timezone">
         <formal-name>Publication Timestamp</formal-name>
-        <description>This has not been described in the prototype.</description>
+        <description>The time and date of leveraged SSP initial publication.</description>
       </define-field>
 
       <define-field name="last-modified" as-type="dateTime-with-timezone">
         <formal-name>Last Modified Timestamp</formal-name>
-        <description>This has not been described in the prototype.</description>
+        <description>The time and date of leveraged SSP last modification.</description>
       </define-field>
 
       <define-field name="version">
         <formal-name>Document Version</formal-name>
-        <description>This has not been described in the prototype.</description>
+        <description>The version of the leveraged SSP.</description>
       </define-field>
 
-      <assembly ref="referenced-profile"/>
+      <field ref="date-authorized" />
+      <field ref="party-uuid" min-occurs="1" />
+      
+      <assembly ref="referenced-profile" max-occurs="1"/>
 
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
-    
+
       <assembly ref="link" max-occurs="unbounded">
-          <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
 
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
 
   </define-assembly>
 
-  <define-assembly name="referenced-profile" max-occurs="1">
+  <define-assembly name="referenced-profile">
     <formal-name>Referenced Profile</formal-name>
-    <description>This has not been described in the prototype.</description>
+    <description>The OSCAL profile imported by the leveraged SSP.</description>
     <define-flag name="href" as-type="uri-reference" required="yes">
       <formal-name>Hyperlink Reference</formal-name>
-      <description>A link to a resource that defines a set of components and/or capabilities to import into this collection.</description>
+      <description>A link to a resource that defines a set of components and/or capabilities to
+        import into this collection.</description>
       <remarks>
         <p>This value may be one of:</p>
         <ol>
-          <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
-          <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
-          <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
+          <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a>
+            that points to a network resolvable resource,</li>
+          <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative
+            reference</a> pointing to a network resolvable resource whose base URI is the URI of the
+            containing document, or</li>
+          <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in
+            this or an imported document (see <a
+              href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking
+            to another OSCAL object</a>).</li>
         </ol>
       </remarks>
     </define-flag>
   </define-assembly>
 
-  <define-assembly name="provided" max-occurs="unbounded">
+  <define-assembly name="provided">
     <formal-name>Provided Control Implementation</formal-name>
     <description>Describes a capability which may be inherited by a leveraging system.</description>
     <!-- CHANGED: "provided-group" to "provided" -->
-    <group-as name="provided" in-json="ARRAY"/>
+    <!-- <group-as name="provided" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Provided Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this provided entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>provided</code> entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this provided entry elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>provided</code> entry
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
-    <flag ref="satisfied-uuid" required="no" />
-    <model>
-      <flag ref="exportable" />
+    <flag ref="implemented-by" required="no" />
+    <flag ref="exportable" />
 
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+    <model>
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Provided Control Implementation Description</formal-name>
         <description>An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-provided-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
           <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
@@ -123,189 +160,232 @@
     </constraint>
   </define-assembly>
 
-  <define-assembly name="responsibility" max-occurs="unbounded">
+  <define-assembly name="responsibility" >
     <formal-name>Control Implementation Responsibility</formal-name>
     <description>Describes a control implementation responsibility imposed on a leveraging system.</description>
-    <group-as name="responsibilities" in-json="ARRAY"/>
+    <!-- <group-as name="responsibilities" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Responsibility Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this responsibility elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>responsibility</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this responsibility elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>responsibility</code>
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <flag ref="provided-uuid" required="no" />
-    <flag ref="satisfied-uuid" required="no" />
+    <flag ref="implemented-by" required="no" />
+    <flag ref="exportable" />
     <model>
-      <flag ref="exportable" />
-
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Responsibility Description</formal-name>
-        <description>An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.</description>
+        <description>An implementation statement that describes the aspects of the control or
+          control statement implementation that a leveraging system must implement to satisfy the
+          control provided by a leveraged system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
         <remarks>
-          <p>A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component. </p>
+          <p>A role defined at the by-component level takes precedence over the same role defined on
+            the parent implemented-requirement or on the referenced component. </p>
         </remarks>
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-responsibility-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
     </constraint>
-  </define-assembly>  
+  </define-assembly>
 
-  <define-assembly name="inherited" max-occurs="unbounded">
+  <define-assembly name="inherited" >
     <formal-name>Inherited Control Implementation</formal-name>
     <description>Describes a control implementation inherited by a leveraging system.</description>
     <!-- CHANGED: "inherited-group" to "inherited" -->
-    <group-as name="inherited" in-json="ARRAY"/>
+    <!-- <group-as name="inherited" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Inherited Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this inherited entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>inherited control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this inherited entry elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>inherited control
+        implementation</code> can be used to reference the data item locally or globally (e.g., in
+        an imported OSCAL instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <flag ref="provided-uuid" required="no" />
-    <flag ref="satisfied-uuid" required="no" />
-    <model>
-      <flag ref="exportable" />
+    <flag ref="implemented-by" required="no" />
+    <flag ref="exportable" />
 
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+    <model>
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Inherited Control Implementation Description</formal-name>
-        <description>An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.</description>
+        <description>An implementation statement that describes the aspects of a control or control
+          statement implementation that a leveraging system is inheriting from a leveraged system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
     </model>
     <constraint>
       <is-unique id="unique-inherited-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
     </constraint>
   </define-assembly>
 
-
-  <define-assembly name="satisfied" max-occurs="unbounded">
+  <define-assembly name="satisfied">
     <formal-name>Satisfied Control Implementation Responsibility</formal-name>
     <description>Describes how this system satisfies a responsibility imposed by a leveraged system.</description>
     <!-- CHANGED: "satisfied-group" to "satisfied" -->
-    <group-as name="satisfied" in-json="ARRAY"/>
+    <!-- <group-as name="satisfied" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Satisfied Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this satisfied control implementation entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented"> machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this satisfied control implementation entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
     </define-flag>
     <flag ref="responsibility-uuid" required="no" />
+    <flag ref="exportable" />
     <model>
-      <flag ref="exportable" />
-
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Satisfied Control Implementation Responsibility Description</formal-name>
-        <description>An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.</description>
+        <description>An implementation statement that describes the aspects of a control or control
+          statement implementation that a leveraging system is implementing based on a requirement
+          from a leveraged system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-satisfied-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
     </constraint>
   </define-assembly>
 
-
-
-  
-  <define-assembly name="export" max-occurs="1" deprecated="1.1.0">
+  <define-assembly name="export" deprecated="1.1.2">
     <formal-name>Shared Responsibility</formal-name>
-    <description>Identifies content intended for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.</description>
+    <description>Identifies content intended for external consumption, such as with leveraged
+      organizations, customer responsibility documentation, and shared security responsibility
+      documentation.</description>
+      
     <model>
-      <flag ref="exportable" />
-
+      <!-- Not clear why exportable flag in an export assembly would be needed. It did not exist
+      anyway.
+        <flag ref="exportable" /> 
+      -->
       <define-field name="description" as-type="markup-multiline" in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Export Description</formal-name>
-        <description>An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.</description>
+        <description>An implementation statement that describes the aspects of the control or
+          control statement implementation that can be available to another system leveraging this
+          system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
-
-      <assembly ref="provided">
-        <group-as name="provided" in-json="ARRAY"/>
+      <assembly ref="provided" max-occurs="unbounded">
+        <group-as name="provided" in-json="ARRAY" />
       </assembly>
-      <assembly ref="responsibility">
-        <group-as name="responsibility" in-json="ARRAY"/>
+      <assembly ref="responsibility" max-occurs="unbounded">
+        <group-as name="responsibility" in-json="ARRAY" />
       </assembly>
-
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
-    <constraint>
-      <has-cardinality target="provided|responsibility" min-occurs="1"/>
 
+    <constraint>
+      <has-cardinality target="provided|responsibility" min-occurs="1" />
       <index name="shared-responsibility-provided-uuid" target="//shared-responsibility/provided">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
       </index>
 
       <index-has-key name="shared-responsibility-provided-uuid" target="responsibility">
-        <key-field target="@provided-uuid"/>
+        <key-field target="@provided-uuid" />
       </index-has-key>
     </constraint>
-  </define-assembly>  
+  </define-assembly>
 
   <define-flag name="provided-uuid" as-type="uuid" scope="local">
     <formal-name>Provided UUID</formal-name>
     <!-- Identifier Reference -->
-    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.</description>
+    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a> identifier reference to an inheritable control implementation that a
+      leveraging system may inherite from a leveraged system.</description>
   </define-flag>
 
-  <define-flag name="satisfied-uuid" as-type="uuid" scope="local">
-    <formal-name>Satisfied UUID</formal-name>
+  <define-flag name="implemented-by" as-type="uuid">
+    <formal-name>Implementer UUID</formal-name>
     <!-- Identifier Reference -->
-    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a satisfied control implementation.</description>
+    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a> identifier reference to the control implementation. An inheritable
+      control provided by a leveraged system can be inherited by a leveraging system and further
+      provid it to their customers, with or without associated responsibilities.</description>
   </define-flag>
 
   <define-flag name="responsibility-uuid" as-type="uuid" scope="local">
     <formal-name>Responsibility UUID</formal-name>
     <!-- Identifier Reference -->
-    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.</description>
+    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a> identifier reference to a control implementation that satisfies a
+      responsibility imposed by a leveraged system.</description>
   </define-flag>
 
 </METASCHEMA>
\ No newline at end of file

From b9bc8d12906c7767c8c950b1d4341d7f5fb11033 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Fri, 22 Mar 2024 02:27:05 -0400
Subject: [PATCH 40/51] Added reference documentation and other minor changes

---
 src/metaschema/oscal_ssp_metaschema.xml | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 389adca9de..9747c3bb7e 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -24,8 +24,11 @@
     <p>The root of the OSCAL System Security Plan (SSP) format is <code>system-security-plan</code>.</p>
   </remarks>
 
+  <!-- IMPORT STATEMENTS -->
+  <!-- The following are already imported into oscal_implementation-common_metaschema.xml
   <import href="oscal_metadata_metaschema.xml"/>
   <import href="oscal_implementation-common_metaschema.xml"/>
+  -->
   <import href="oscal_responsibility-common_metaschema.xml"/>
 
   <!-- ############################################## -->
@@ -560,11 +563,7 @@
           <assembly ref="link" max-occurs="unbounded">
             <group-as name="links" in-json="ARRAY"/>
           </assembly>
-          <define-field name="party-uuid" as-type="uuid" min-occurs="1">
-            <formal-name>party-uuid field</formal-name>
-            <!-- Identifier Reference -->
-            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the  <code>party</code> that manages the leveraged system.</description>
-          </define-field>
+          <field ref="party-uuid" min-occurs="1"/>
           <field ref="date-authorized" min-occurs="1"/>
           <field ref="remarks" in-xml="WITH_WRAPPER"/>
         </model>
@@ -855,17 +854,17 @@
         </remarks>
       </assembly>
 
-      <!-- CHANGED from Export for CRM/SSRM: Shared Responsibility Assembly -->
-      <assembly ref="provided">
+      <!-- CHANGED from Export for SRM: Shared Responsibility Assembly -->
+      <assembly ref="provided" max-occurs="unbounded">
         <group-as name="provided" in-json="ARRAY"/>
       </assembly>
-      <assembly ref="responsibility">
+      <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibility" in-json="ARRAY"/>
       </assembly>
-      <assembly ref="inherited">
+      <assembly ref="inherited" max-occurs="unbounded">
         <group-as name="inherited" in-json="ARRAY"/>
       </assembly>
-      <assembly ref="satisfied">
+      <assembly ref="satisfied" max-occurs="unbounded">
         <group-as name="satisfied" in-json="ARRAY"/>
       </assembly>
 

From 9fe6524e1d40bc4214288d995729f8fe75b197f4 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Fri, 22 Mar 2024 02:32:11 -0400
Subject: [PATCH 41/51] Re-aligned the SSP with the SR.

---
 ...oscal_implementation-common_metaschema.xml | 743 ++++++++++++------
 ...oscal_shared-responsibility_metaschema.xml | 290 ++++---
 2 files changed, 697 insertions(+), 336 deletions(-)

diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index b48ee4bf66..888cb3b39e 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -12,16 +12,18 @@
       <!ENTITY allowed-values-component-type SYSTEM "./shared-constraints/allowed-values-component-type.ent">
 ]>
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-      xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd" abstract="yes">
+      xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd"
+      abstract="yes">
       <schema-name>OSCAL Implementation Common Information</schema-name>
       <schema-version>1.1.2</schema-version>
       <short-name>oscal-implementation-common</short-name>
       <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
       <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
 
-      <import href="oscal_metadata_metaschema.xml"/>
-      <import href="oscal_control-common_metaschema.xml"/>
-      
+      <import href="oscal_metadata_metaschema.xml" />
+      <import href="oscal_control-common_metaschema.xml" />
+
       <!-- ################################################## -->
       <!-- # The System Component and supporting constructs # -->
       <!-- ################################################## -->
@@ -31,7 +33,21 @@
             <define-flag name="uuid" as-type="uuid" required="yes">
                   <formal-name>Component Identifier</formal-name>
                   <!-- Identifier Declaration -->
-                  <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this component elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>component</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+                  <description>A <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                        machine-oriented</a>, <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                        unique</a> identifier with <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                        cross-instance</a> scope that can be used to reference this component
+                        elsewhere in <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this
+                        or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>
+                        component</code> can be used to reference the data item locally or globally
+                        (e.g., in an imported OSCAL instance). This UUID should be assigned <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                        per-subject</a>, which means it should be consistently used to identify the
+                        same subject across revisions of the document.</description>
             </define-flag>
             <flag ref="system-component-type" required="yes">
                   <!-- CHANGED: "component-type" to "type" -->
@@ -42,19 +58,22 @@
                         <formal-name>Component Title</formal-name>
                         <description>A human readable name for the system component.</description>
                   </define-field>
-                  <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+                  <define-field name="description" as-type="markup-multiline" min-occurs="1"
+                        in-xml="WITH_WRAPPER">
                         <formal-name>Component Description</formal-name>
-                        <description>A description of the component, including information about its function.</description>
+                        <description>A description of the component, including information about its
+                              function.</description>
                   </define-field>
                   <define-field name="purpose" as-type="markup-line">
                         <formal-name>Purpose</formal-name>
-                        <description>A summary of the technological or business purpose of the component.</description>
+                        <description>A summary of the technological or business purpose of the
+                              component.</description>
                   </define-field>
                   <assembly ref="property" max-occurs="unbounded">
-                        <group-as name="props" in-json="ARRAY"/>
+                        <group-as name="props" in-json="ARRAY" />
                   </assembly>
                   <assembly ref="link" max-occurs="unbounded">
-                        <group-as name="links" in-json="ARRAY"/>
+                        <group-as name="links" in-json="ARRAY" />
                   </assembly>
                   <define-assembly name="status" min-occurs="1">
                         <formal-name>Status</formal-name>
@@ -64,184 +83,272 @@
                               <description>The operational status.</description>
                               <constraint>
                                     <allowed-values>
-                                          <enum value="under-development">The component is being designed, developed, or implemented.</enum>
-                                          <enum value="operational">The component is currently operational and is available for use in the system.</enum>
-                                          <enum value="disposition">The component is no longer operational.</enum>
+                                          <enum value="under-development">The component is being
+                                                designed, developed, or implemented.</enum>
+                                          <enum value="operational">The component is currently
+                                                operational and is available for use in the system.</enum>
+                                          <enum value="disposition">The component is no longer
+                                                operational.</enum>
                                           <enum value="other">Some other state.</enum>
                                     </allowed-values>
                               </constraint>
                         </define-flag>
                         <model>
-                              <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                              <field ref="remarks" in-xml="WITH_WRAPPER" />
                         </model>
                   </define-assembly>
                   <assembly ref="responsible-role" max-occurs="unbounded">
-                        <group-as name="responsible-roles" in-json="ARRAY"/>
+                        <group-as name="responsible-roles" in-json="ARRAY" />
                   </assembly>
                   <assembly ref="protocol" max-occurs="unbounded">
-                        <group-as name="protocols" in-json="ARRAY"/>
+                        <group-as name="protocols" in-json="ARRAY" />
                         <remarks>
-                              <p>Used for <code>service</code> components to define the protocols supported by the service.</p>
+                              <p>Used for <code>service</code> components to define the protocols
+                                    supported by the service.</p>
                         </remarks>
                   </assembly>
-                  <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                  <field ref="remarks" in-xml="WITH_WRAPPER" />
             </model>
             <constraint>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <!-- names related to inherited component -->
-                        <enum value="implementation-point">Relative placement of component ('internal' or 'external') to the system.</enum>
-                        <enum value="leveraged-authorization-uuid">UUID of the related leveraged-authorization assembly in this SSP.</enum>
-                        <enum value="inherited-uuid">UUID of the component as it was assigned in the leveraged system's SSP.</enum>
+                        <enum
+                              value="implementation-point">Relative placement of component
+                        ('internal' or 'external') to the system.</enum>
+                        <enum
+                              value="leveraged-authorization-uuid">UUID of the related
+                        leveraged-authorization assembly in this SSP.</enum>
+                        <enum
+                              value="inherited-uuid">UUID of the component as it was assigned in the
+                        leveraged system's SSP.</enum>
 
-                        <!-- ========================================================================================================== -->
-                        <!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
+                        <!--
+                        ========================================================================================================== -->
+                        <!-- = Changes to the following values need to be synced with component in
+                        the SSP and component metaschemas. = -->
                         <!-- CHANGED (BJR): Done -->
-                        <!-- ========================================================================================================== -->
+                        <!--
+                        ========================================================================================================== -->
                         &allowed-values-component_inventory-item_property-name;
-
-                        &allowed-values-component_component_property-name;
-                  </allowed-values>
+                        &allowed-values-component_component_property-name; </allowed-values>
 
                   <allowed-values target="link/@rel" allow-other="yes">
-                        <!-- ========================================================================================================== -->
-                        <!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
+                        <!--
+                        ========================================================================================================== -->
+                        <!-- = Changes to the following values need to be synced with component in
+                        the SSP and component metaschemas. = -->
                         <!-- CHANGED (BJR): Done -->
-                        <!-- ========================================================================================================== -->
-            &allowed-values-component_component_link-rel;
-                        <enum value="uses-network">This component uses the network provided by the identified network component.</enum>
-                        <enum value="imported-from">The hyperlink identifies a URI pointing to the <code>component</code> in a <code>component-definition</code> that originally defined the <code>component</code>.</enum>
+                        <!--
+                        ========================================================================================================== -->
+                        &allowed-values-component_component_link-rel; <enum value="uses-network">This
+                        component uses the network provided by the identified network component.</enum>
+                        <enum
+                              value="imported-from">The hyperlink identifies a URI pointing to the <code>
+                        component</code> in a <code>component-definition</code> that originally
+                        defined the <code>component</code>.</enum>
                   </allowed-values>
 
                   <allowed-values target="responsible-role/@role-id" allow-other="yes">
-                        <!-- ========================================================================================================== -->
-                        <!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
-                        <!-- ========================================================================================================== -->
-            &allowed-values-responsible-roles-operations;
-            &allowed-values-responsible-roles-component-production;
-                  </allowed-values>
+                        <!--
+                        ========================================================================================================== -->
+                        <!-- = Changes to the following values need to be synced with component in
+                        the SSP and component metaschemas. = -->
+                        <!--
+                        ========================================================================================================== -->
+                        &allowed-values-responsible-roles-operations;
+                        &allowed-values-responsible-roles-component-production; </allowed-values>
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value" allow-other="yes">
-            &allowed-values-property-name-asset-type-values;
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value"
+                        allow-other="yes">
+                        &allowed-values-property-name-asset-type-values;
                   </allowed-values>
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value">
                         <enum value="yes">The component allows an authenticated scan.</enum>
                         <enum value="no">The component does not allow an authenticated scan.</enum>
                   </allowed-values>
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value">
                         <enum value="yes">The component is publicly accessible.</enum>
                         <enum value="no">The component is not publicly accessible.</enum>
                   </allowed-values>
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value">
                         <enum value="yes">The component is virtualized.</enum>
                         <enum value="no">The component is not virtualized.</enum>
                   </allowed-values>
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value">
-                        <enum value="internal">The component is implemented within the system boundary.</enum>
-                        <enum value="external">The component is implemented outside the system boundary.</enum>
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value">
+                        <enum value="internal">The component is implemented within the system
+                              boundary.</enum>
+                        <enum value="external">The component is implemented outside the system
+                              boundary.</enum>
                   </allowed-values>
 
-                  <index-has-key name="index-metadata-location-uuid" target="prop[@name='physical-location']">
-                        <key-field target="@value"/>
+                  <index-has-key name="index-metadata-location-uuid"
+                        target="prop[@name='physical-location']">
+                        <key-field target="@value" />
                   </index-has-key>
 
-                  <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='inherited-uuid']/@value" datatype="uuid" />
-                  <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='release-date']/@value" datatype="date"/>
-
-                  <!-- ========================================================================================================== -->
-                  <!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
-                  <!-- ========================================================================================================== -->
-
-                  <allowed-values target="(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                  <matches
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='inherited-uuid']/@value"
+                        datatype="uuid" />
+                  <matches
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='release-date']/@value"
+                        datatype="date" />
+
+                  <!--
+                  ========================================================================================================== -->
+                  <!-- = Changes to the following values need to be synced with component in the SSP
+                  and component metaschemas. = -->
+                  <!--
+                  ========================================================================================================== -->
+
+                  <allowed-values
+                        target="(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <enum value="vendor-name">The name of the company or organization </enum>
                   </allowed-values>
 
                   <!-- TODO: Add ipv4-subnet property for type='network' - add pattern constraint -->
                   <!-- TODO: Add ipv6-subnet property for type='network' - add pattern constraint -->
 
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <!-- = VALIDATION: type='validation' constraints                        = -->
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <allowed-values target="(.)[@type='validation']/link/@rel" allow-other="yes">
-                        <enum value="validation-details">A link to an online information provided by the authorizing body.</enum>
+                        <enum value="validation-details">A link to an online information provided by
+                              the authorizing body.</enum>
                   </allowed-values>
 
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <!-- = SOFTWARE: type='software' constraints                        = -->
-                  <!-- ========================================================================================================== -->
-                  <allowed-values target="(.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-            &allowed-values-component_component_software;
+                  <!--
+                  ========================================================================================================== -->
+                  <allowed-values
+                        target="(.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                        &allowed-values-component_component_software;
                   </allowed-values>
 
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <!-- = SERVICE: type='service' constraints                        = -->
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <allowed-values target="(.)[@type='service']/link/@rel" allow-other="yes">
-            &allowed-values-component_component_service;
+                        &allowed-values-component_component_service;
                   </allowed-values>
 
-                  <expect target="." test="not(exists((.)[not(@type='service')]/protocol))"/>
+                  <expect target="." test="not(exists((.)[not(@type='service')]/protocol))" />
 
-                  <!-- ========================================================================================================== -->
+                  <!--
+                  ========================================================================================================== -->
                   <!-- = INTERCONNECTION: type='interconnection' constraints                        = -->
-                  <!-- ========================================================================================================== -->
-                  <allowed-values target="(.)[@type='interconnection']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-                        <enum value="isa-title">Title of the Interconnection Security Agreement (ISA).</enum>
+                  <!--
+                  ========================================================================================================== -->
+                  <allowed-values
+                        target="(.)[@type='interconnection']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                        <enum value="isa-title">Title of the Interconnection Security Agreement
+                              (ISA).</enum>
                         <enum value="isa-date">Date of the Interconnection Security Agreement (ISA).</enum>
-                        <enum value="isa-remote-system-name">The name of the remote interconnected system.</enum>
-                        <enum value="ipv4-address">An Internet Protocol Version 4 interconnection address</enum>
-                        <enum value="ipv6-address">An Internet Protocol Version 6 interconnection address</enum>
-                        <enum value="direction">An Internet Protocol Version 6 interconnection address</enum>
+                        <enum value="isa-remote-system-name">The name of the remote interconnected
+                              system.</enum>
+                        <enum value="ipv4-address">An Internet Protocol Version 4 interconnection
+                              address</enum>
+                        <enum value="ipv6-address">An Internet Protocol Version 6 interconnection
+                              address</enum>
+                        <enum value="direction">An Internet Protocol Version 6 interconnection
+                              address</enum>
                   </allowed-values>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('ipv4-address','ipv6-address')]/@class">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('ipv4-address','ipv6-address')]/@class">
                         <enum value="local">The identified IP address is for this system.</enum>
-                        <enum value="remote">The identified IP address is for the remote system to which this system is connected.</enum>
+                        <enum value="remote">The identified IP address is for the remote system to
+                              which this system is connected.</enum>
                   </allowed-values>
                   <allowed-values target="(.)[@type='interconnection']/link/@rel" allow-other="yes">
                         <!-- CHANGE: @name="agreement" changed to @name="isa-agreement" -->
                         <enum value="isa-agreement">A link to the system interconnection agreement.</enum>
                   </allowed-values>
-                  <allowed-values target="(.)[@type='interconnection']/responsible-role/@role-id" allow-other="yes">
-                        <enum value="isa-poc-local">Interconnection Security Agreement (ISA) point of contact (POC) for this system.</enum>
-                        <enum value="isa-poc-remote">Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.</enum>
-                        <enum value="isa-authorizing-official-local">Interconnection Security Agreement (ISA) authorizing official for this system.</enum>
-                        <enum value="isa-authorizing-official-remote">Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.</enum>
+                  <allowed-values target="(.)[@type='interconnection']/responsible-role/@role-id"
+                        allow-other="yes">
+                        <enum value="isa-poc-local">Interconnection Security Agreement (ISA) point
+                              of contact (POC) for this system.</enum>
+                        <enum value="isa-poc-remote">Interconnection Security Agreement (ISA) point
+                              of contact (POC) for the remote interconnected system.</enum>
+                        <enum value="isa-authorizing-official-local">Interconnection Security
+                              Agreement (ISA) authorizing official for this system.</enum>
+                        <enum value="isa-authorizing-official-remote">Interconnection Security
+                              Agreement (ISA) authorizing official for the remote interconnected
+                              system.</enum>
                   </allowed-values>
-                  <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='isa-date']/@value" datatype="dateTime"/>
-                  <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv4-address']/@value" datatype="ip-v4-address" />
-                  <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv6-address']/@value" datatype="ip-v6-address" />
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='direction']/@value">
+                  <matches
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='isa-date']/@value"
+                        datatype="dateTime" />
+                  <matches
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv4-address']/@value"
+                        datatype="ip-v4-address" />
+                  <matches
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv6-address']/@value"
+                        datatype="ip-v6-address" />
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='direction']/@value">
                         <enum value="incoming">Data from the remote system flows into this system.</enum>
                         <enum value="outgoing">Data from this system flows to the remote system.</enum>
                   </allowed-values>
                   <is-unique id="unique-system-component-responsible-role" target="responsible-role">
-                        <key-field target="@role-id"/>
+                        <key-field target="@role-id" />
                         <remarks>
-                              <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+                              <p>Since <code>responsible-role</code> associates multiple <code>
+                                    party-uuid</code> entries with a single <code>role-id</code>,
+                                    each role-id must be referenced only once.</p>
                         </remarks>
                   </is-unique>
             </constraint>
             <remarks>
-                  <p>Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.</p>
+                  <p>Components may be products, services, application programming interface (APIs),
+                        policies, processes, plans, guidance, standards, or other tangible items
+                        that enable security and/or privacy.</p>
                   <p>The <code>type</code> indicates which of these component types is represented.</p>
-                  <!-- <p>A group of components may be aggregated into a <code>capability</code>. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.</p>
+                  <!-- <p>A group of components may be aggregated into a <code>capability</code>.
+                  For example, an account management capability that consists of an account
+                  management process, and a Lightweight Directory Access Protocol (LDAP) software
+                  implementation.</p>
          <p>Capabilities are expressed by combining one or more components.</p>-->
-                  <p>When defining a <code>service</code> component where are relationship to other components is known, one or more <code>link</code> entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.</p>
+                  <p>When defining a <code>service</code> component where are relationship to other
+                        components is known, one or more <code>link</code> entries with rel values
+                        of provided-by and used-by can be used to link to the specific component
+                        identifier(s) that provide and use the service respectively.</p>
             </remarks>
       </define-assembly>
 
+      <define-field name="party-uuid" as-type="uuid">
+            <formal-name>party-uuid field</formal-name>
+            <!-- Identifier Reference -->
+            <description>A <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                  machine-oriented</a> identifier reference to the <code>party</code> that manages
+                  the leveraged system.</description>
+      </define-field>
+
       <define-flag name="system-component-type" as-type="string">
             <formal-name>Component Type</formal-name>
             <description>A category describing the purpose of the component.</description>
             <constraint>
                   <allowed-values allow-other="yes">
                         <enum value="this-system">The system as a whole.</enum>
-                        <enum value="system">An external system, which may be a leveraged system or the other side of an interconnection.</enum>
-                        &allowed-values-component-type;
-                        <enum value="network">A physical or virtual network.</enum>
+                        <enum value="system">An
+                        external system, which may be a leveraged system or the other side of an
+                        interconnection.</enum> &allowed-values-component-type; <enum
+                              value="network">A physical or virtual network.</enum>
                   </allowed-values>
             </constraint>
       </define-flag>
@@ -252,23 +359,40 @@
             <define-flag name="uuid" as-type="uuid">
                   <formal-name>Service Protocol Information Universally Unique Identifier</formal-name>
                   <!-- Identifier Declaration -->
-                  <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this service protocol information elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>service protocol</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+                  <description>A <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                        machine-oriented</a>, <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                        unique</a> identifier with <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                        cross-instance</a> scope that can be used to reference this service protocol
+                        information elsewhere in <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this
+                        or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>service
+                        protocol</code> can be used to reference the data item locally or globally
+                        (e.g., in an imported OSCAL instance). This UUID should be assigned <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                        per-subject</a>, which means it should be consistently used to identify the
+                        same subject across revisions of the document.</description>
             </define-flag>
             <define-flag name="name" required="yes">
                   <formal-name>Protocol Name</formal-name>
-                  <description>The common name of the protocol, which should be the appropriate "service name" from the <a href="https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml">IANA Service Name and Transport Protocol Port Number Registry</a>.
-                  </description>
+                  <description>The common name of the protocol, which should be the appropriate
+                        "service name" from the <a
+                              href="https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml">IANA
+                        Service Name and Transport Protocol Port Number Registry</a>. </description>
                   <remarks>
                         <p>The short name of the protocol (e.g., https).</p>
                   </remarks>
             </define-flag>
             <model>
                   <define-field name="title" as-type="markup-line">
-            <formal-name>Protocol Title</formal-name>
-                        <description>A human readable name for the protocol (e.g., Transport Layer Security).</description>
+                        <formal-name>Protocol Title</formal-name>
+                        <description>A human readable name for the protocol (e.g., Transport Layer
+                              Security).</description>
                   </define-field>
                   <assembly ref="port-range" max-occurs="unbounded">
-                        <group-as name="port-ranges" in-json="ARRAY"/>
+                        <group-as name="port-ranges" in-json="ARRAY" />
                   </assembly>
             </model>
             <constraint>
@@ -306,26 +430,33 @@
             </define-flag>
             <!-- Added Contraints as Warnings -->
             <constraint>
-                  <expect level="WARNING" id="port-range-start-and-end-not-specified" target="." test="exists(@start) and exists(@end)">
+                  <expect level="WARNING" id="port-range-start-and-end-not-specified" target="."
+                        test="exists(@start) and exists(@end)">
                         <message>If a protocol is defined, it should include a start and end port range. To define a single port, the start and end should be the same value.</message>
                   </expect>
-                  <expect level="WARNING" id="port-range-start-specified-with-no-end" target="." test="exists(@start) and not(exists(@end))">
+                  <expect level="WARNING" id="port-range-start-specified-with-no-end" target="."
+                        test="exists(@start) and not(exists(@end))">
                         <message>A start port exists, but an end point does not. To define a single port, the start and end should be the same value.</message>
                   </expect>
-                  <expect level="WARNING" id="port-range-end-specified-with-no-start" target="." test="not(exists(@start)) and exists(@end)">
+                  <expect level="WARNING" id="port-range-end-specified-with-no-start" target="."
+                        test="not(exists(@start)) and exists(@end)">
                         <message>An end point exists, but a start port does not. To define a single port, the start and end should be the same value.</message>
                   </expect>
-                  <expect level="WARNING" id="port-range-end-date-is-before-start-date" target="." test="@start &lt;= @end">
+                  <expect level="WARNING" id="port-range-end-date-is-before-start-date" target="."
+                        test="@start &lt;= @end">
                         <message>The port range specified has an end port that is less than the start port.</message>
                   </expect>
             </constraint>
             <remarks>
-                  <p>To be validated as a natural number (integer &gt;= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.</p>
+                  <p>To be validated as a natural number (integer &gt;= 1). A single port uses the
+                        same value for start and end. Use multiple 'port-range' entries for
+                        non-contiguous ranges.</p>
             </remarks>
             <example>
-                  <service xmlns="http://csrc.nist.gov/ns/oscal/example" id="svc-01" name="Domain Name Service (DNS) Lookup">
+                  <service xmlns="http://csrc.nist.gov/ns/oscal/example" id="svc-01"
+                        name="Domain Name Service (DNS) Lookup">
                         <protocol name="dns">
-                              <port-range start="53" end="53" transport="tcp"/>
+                              <port-range start="53" end="53" transport="tcp" />
                         </protocol>
                   </service>
             </example>
@@ -339,19 +470,23 @@
 
             <define-flag name="state" as-type="token" required="yes">
                   <formal-name>Implementation State</formal-name>
-                  <description>Identifies the implementation status of the control or control objective.</description>
+                  <description>Identifies the implementation status of the control or control
+                        objective.</description>
                   <constraint>
                         <allowed-values allow-other="yes">
                               <enum value="implemented">The control is fully implemented.</enum>
                               <enum value="partial">The control is partially implemented.</enum>
-                              <enum value="planned">There is a plan for implementing the control as explained in the remarks.</enum>
-                              <enum value="alternative">There is an alternative implementation for this control as explained in the remarks.</enum>
-                              <enum value="not-applicable">This control does not apply to this system as justified in the remarks.</enum>
+                              <enum value="planned">There is a plan for implementing the control as
+                                    explained in the remarks.</enum>
+                              <enum value="alternative">There is an alternative implementation for
+                                    this control as explained in the remarks.</enum>
+                              <enum value="not-applicable">This control does not apply to this
+                                    system as justified in the remarks.</enum>
                         </allowed-values>
                   </constraint>
             </define-flag>
             <model>
-                  <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
+                  <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1" />
             </model>
       </define-assembly>
 
@@ -364,12 +499,27 @@
             <define-flag name="uuid" as-type="uuid" required="yes">
                   <formal-name>User Universally Unique Identifier</formal-name>
                   <!-- Identifier Declaration -->
-                  <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this user class elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>system user</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+                  <description>A <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                        machine-oriented</a>, <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                        unique</a> identifier with <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                        cross-instance</a> scope that can be used to reference this user class
+                        elsewhere in <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this
+                        or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>system
+                        user</code> can be used to reference the data item locally or globally
+                        (e.g., in an imported OSCAL instance). This UUID should be assigned <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                        per-subject</a>, which means it should be consistently used to identify the
+                        same subject across revisions of the document.</description>
             </define-flag>
             <model>
                   <define-field name="title" as-type="markup-line">
                         <formal-name>User Title</formal-name>
-                        <description>A name given to the user, which may be used by a tool for display and navigation.</description>
+                        <description>A name given to the user, which may be used by a tool for
+                              display and navigation.</description>
                   </define-field>
                   <define-field name="short-name">
                         <formal-name>User Short Name</formal-name>
@@ -380,49 +530,62 @@
                         <description>A summary of the user's purpose within the system.</description>
                   </define-field>
                   <assembly ref="property" max-occurs="unbounded">
-                        <group-as name="props" in-json="ARRAY"/>
+                        <group-as name="props" in-json="ARRAY" />
                   </assembly>
                   <assembly ref="link" max-occurs="unbounded">
-                        <group-as name="links" in-json="ARRAY"/>
-                        <!-- TODO: Model specific link relationships?  (BJR - I don't think we need this now) -->
+                        <group-as name="links" in-json="ARRAY" />
+                        <!-- TODO: Model specific link relationships?  (BJR - I don't think we need
+                        this now) -->
                   </assembly>
                   <field ref="role-id" min-occurs="0" max-occurs="unbounded">
-                        <group-as name="role-ids" in-json="ARRAY"/>
+                        <group-as name="role-ids" in-json="ARRAY" />
                   </field>
                   <assembly ref="authorized-privilege" max-occurs="unbounded">
-                        <group-as name="authorized-privileges" in-json="ARRAY"/>
+                        <group-as name="authorized-privileges" in-json="ARRAY" />
                   </assembly>
-                  <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                  <field ref="remarks" in-xml="WITH_WRAPPER" />
             </model>
             <constraint>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-                        <enum value="type">The type of user, such as internal, external, or general-public.</enum>
-                        <enum value="privilege-level">The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.</enum>
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                        <enum value="type">The type of user, such as internal, external, or
+                              general-public.</enum>
+                        <enum value="privilege-level">The user's privilege level within the system,
+                              such as privileged, non-privileged, no-logical-access.</enum>
                   </allowed-values>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value">
-                        <enum value="internal">A user account for a person or entity that is part of the organization who owns or operates the system.</enum>
-                        <enum value="external">A user account for a person or entity that is not part of the organization who owns or operates the system.</enum>
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value">
+                        <enum value="internal">A user account for a person or entity that is part of
+                              the organization who owns or operates the system.</enum>
+                        <enum value="external">A user account for a person or entity that is not
+                              part of the organization who owns or operates the system.</enum>
                         <enum value="general-public">A user of the system considered to be outside </enum>
                   </allowed-values>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privilege-level']/@value">
-                        <enum value="privileged">This role has elevated access to the system, such as a group or system administrator.</enum>
-                        <enum value="non-privileged">This role has typical user-level access to the system without elevated access.</enum>
-                        <enum value="no-logical-access">This role has no access to the system, such as a manager who approves access as part of a process.</enum>
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privilege-level']/@value">
+                        <enum value="privileged">This role has elevated access to the system, such
+                              as a group or system administrator.</enum>
+                        <enum value="non-privileged">This role has typical user-level access to the
+                              system without elevated access.</enum>
+                        <enum value="no-logical-access">This role has no access to the system, such
+                              as a manager who approves access as part of a process.</enum>
                   </allowed-values>
                   <allowed-values target="role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
+                        &allowed-values-responsible-roles-operations;
                   </allowed-values>
             </constraint>
             <remarks>
-                  <p>Permissible values to be determined closer to the application, such as by a receiving authority.</p>
+                  <p>Permissible values to be determined closer to the application, such as by a
+                        receiving authority.</p>
             </remarks>
       </define-assembly>
       <define-assembly name="authorized-privilege">
             <formal-name>Privilege</formal-name>
-            <description>Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.</description>
+            <description>Identifies a specific system privilege held by the user, along with an
+                  associated description and/or rationale for the privilege.</description>
             <model>
                   <define-field name="title" as-type="markup-line" min-occurs="1">
-            <formal-name>Privilege Title</formal-name>
+                        <formal-name>Privilege Title</formal-name>
                         <description>A human readable name for the privilege.</description>
                   </define-field>
                   <define-field name="description" as-type="markup-multiline" in-xml="WITH_WRAPPER">
@@ -430,13 +593,14 @@
                         <description>A summary of the privilege's purpose within the system.</description>
                   </define-field>
                   <field ref="function-performed" min-occurs="1" max-occurs="unbounded">
-                        <group-as name="functions-performed" in-json="ARRAY"/>
+                        <group-as name="functions-performed" in-json="ARRAY" />
                   </field>
             </model>
       </define-assembly>
       <define-field name="function-performed" as-type="string">
             <formal-name>Functions Performed</formal-name>
-            <description>Describes a function performed for a given authorized privilege by this user class.</description>
+            <description>Describes a function performed for a given authorized privilege by this
+                  user class.</description>
       </define-field>
 
       <!-- ################################################ -->
@@ -450,160 +614,233 @@
             <define-flag name="uuid" as-type="uuid" required="yes">
                   <formal-name>Inventory Item Universally Unique Identifier</formal-name>
                   <!-- Identifier Declaration -->
-                  <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this inventory item elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>inventory item</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+                  <description>A <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                        machine-oriented</a>, <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                        unique</a> identifier with <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                        cross-instance</a> scope that can be used to reference this inventory item
+                        elsewhere in <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this
+                        or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>inventory
+                        item</code> can be used to reference the data item locally or globally
+                        (e.g., in an imported OSCAL instance). This UUID should be assigned <a
+                              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                        per-subject</a>, which means it should be consistently used to identify the
+                        same subject across revisions of the document.</description>
             </define-flag>
             <!-- CHANGED: Moved to property[@name='asset-id']. -->
             <!--      <define-flag name="asset-id">
          <!-\- This is an id because the idenfier is assigned and managed externally. -\->
          <formal-name>Asset Identifier</formal-name>
-         <description>Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.</description>
+         <description>Organizational asset identifier that is unique in the context of the system. This may
+            be a reference to the identifier used in an asset tracking system or a vulnerability
+            scanning tool.</description>
       </define-flag>  -->
             <model>
-                  <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+                  <define-field name="description" as-type="markup-multiline" min-occurs="1"
+                        in-xml="WITH_WRAPPER">
                         <formal-name>Inventory Item Description</formal-name>
-                        <description>A summary of the inventory item stating its purpose within the system.</description>
+                        <description>A summary of the inventory item stating its purpose within the
+                              system.</description>
                   </define-field>
                   <assembly ref="property" max-occurs="unbounded">
-                        <group-as name="props" in-json="ARRAY"/>
+                        <group-as name="props" in-json="ARRAY" />
                   </assembly>
                   <assembly ref="link" max-occurs="unbounded">
-                        <group-as name="links" in-json="ARRAY"/>
+                        <group-as name="links" in-json="ARRAY" />
                   </assembly>
                   <assembly ref="responsible-party" max-occurs="unbounded">
-                        <group-as name="responsible-parties" in-json="ARRAY"/>
+                        <group-as name="responsible-parties" in-json="ARRAY" />
                   </assembly>
                   <define-assembly name="implemented-component" max-occurs="unbounded">
-                        <!-- TODO: Sync constraints with system-component; maybe remove this? (CHANGED (BJR): Dave-See Gitter for details on this. -->
+                        <!-- TODO: Sync constraints with system-component; maybe remove this?
+                        (CHANGED (BJR): Dave-See Gitter for details on this. -->
                         <formal-name>Implemented Component</formal-name>
-                        <description>The set of components that are implemented in a given system inventory item.</description>
-                        <group-as name="implemented-components" in-json="ARRAY"/>
+                        <description>The set of components that are implemented in a given system
+                              inventory item.</description>
+                        <group-as name="implemented-components" in-json="ARRAY" />
 
                         <define-flag required="yes" name="component-uuid" as-type="uuid">
                               <formal-name>Component Universally Unique Identifier Reference</formal-name>
                               <!-- Identifier Reference -->
-                              <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a <code>component</code> that is implemented as part of an inventory item.</description>
+                              <description>A <a
+                                          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+                                    machine-oriented</a> identifier reference to a <code>component</code>
+                                    that is implemented as part of an inventory item.</description>
                         </define-flag>
 
-                        <!-- CHANGED (daw): the following is not needed since it is required on the referenced component -->
-                        <!--      <!-\- CHANGED (BJR): Added component-type for alignment with system-component -\->
+                        <!-- CHANGED (daw): the following is not needed since it is required on the
+                        referenced component -->
+                        <!--      <!-\- CHANGED (BJR): Added component-type for alignment with
+                        system-component -\->
       <flag ref="component-type" required="yes" />
 -->
-                        <!-- The following is commented because this is not being used and can be inferred based on the type of the component -->
+                        <!-- The following is commented because this is not being used and can be
+                        inferred based on the type of the component -->
                         <!--
       <define-flag name="use">
          <formal-name>Implementation Use Type</formal-name>
          <description>The type of implementation</description>
          <constraint>
             <allowed-values allow-other="yes">
-               <enum value="runs-software">The implemented component is a 'software' component that the inventory item has installed and uses.</enum>
-               <enum value="uses-hardware">The implemented component is a 'hardware' component that the inventory item has installed and uses.</enum>
-               <enum value="enforces-policy">The implemented component is a 'policy' component that the inventory item supports and enforces.</enum>
-               <enum value="implements-process">The implemented component is a 'process' component that the inventory item supports and enforces.</enum>
+               <enum value="runs-software">The implemented component is a 'software' component that the inventory
+                        item has installed and uses.</enum>
+               <enum value="uses-hardware">The implemented component is a 'hardware' component that the inventory
+                        item has installed and uses.</enum>
+               <enum value="enforces-policy">The implemented component is a 'policy' component that the inventory
+                        item supports and enforces.</enum>
+               <enum value="implements-process">The implemented component is a 'process' component that the
+                        inventory item supports and enforces.</enum>
             </allowed-values>
          </constraint>
       </define-flag>
 -->
                         <model>
                               <assembly ref="property" max-occurs="unbounded">
-                                    <group-as name="props" in-json="ARRAY"/>
+                                    <group-as name="props" in-json="ARRAY" />
                               </assembly>
                               <assembly ref="link" max-occurs="unbounded">
-                                    <group-as name="links" in-json="ARRAY"/>
+                                    <group-as name="links" in-json="ARRAY" />
                               </assembly>
                               <assembly ref="responsible-party" max-occurs="unbounded">
-                                    <group-as name="responsible-parties" in-json="ARRAY"/>
+                                    <group-as name="responsible-parties" in-json="ARRAY" />
                                     <remarks>
-                                          <p>This construct is used to either: 1) associate a party or parties to a role defined on the component using the <code>responsible-role</code> construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing <code>inventory-item</code>.
-                                          </p>
+                                          <p>This construct is used to either: 1) associate a party
+                                                or parties to a role defined on the component using
+                                                the <code>responsible-role</code> construct, or 2)
+                                                to define a party or parties that are responsible
+                                                for a role defined within the context of the
+                                                containing <code>inventory-item</code>. </p>
                                     </remarks>
                               </assembly>
-                              <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                              <field ref="remarks" in-xml="WITH_WRAPPER" />
                         </model>
                         <constraint>
-                              <!-- TODO: constrain component-uuid references to components defined in the document. ((BJR): Was unsure how to do this.) -->
-                              <!-- TODO: constrain link href values based on rel ((BJR): Was unsure of how to do this.) -->
-
-                              <!-- TODO: constrain property values based on name (CHANGED (BJR): Done.) -->
-                              <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-                  &allowed-values-component_component_property-name;
-                  &allowed-values-component_inventory-item_property-name;
+                              <!-- TODO: constrain component-uuid references to components defined
+                              in the document. ((BJR): Was unsure how to do this.) -->
+                              <!-- TODO: constrain link href values based on rel ((BJR): Was unsure
+                              of how to do this.) -->
+
+                              <!-- TODO: constrain property values based on name (CHANGED (BJR):
+                              Done.) -->
+                              <allowed-values
+                                    target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                                    &allowed-values-component_component_property-name;
+                                    &allowed-values-component_inventory-item_property-name;
 
                               </allowed-values>
                               <!-- ensure that at least one asset-id is provided -->
-                              <has-cardinality target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']" min-occurs="1"/>
+                              <has-cardinality
+                                    target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']"
+                                    min-occurs="1" />
 
 
                               <allowed-values target="responsible-party/@role-id" allow-other="yes">
-                  &allowed-values-responsible-roles-operations;
+                                    &allowed-values-responsible-roles-operations;
                               </allowed-values>
 
-                              <!-- TODO: constrain party-id references to parties defined in the document. (BJR Unsure how to do this. )-->
+                              <!-- TODO: constrain party-id references to parties defined in the
+                              document. (BJR Unsure how to do this. )-->
 
-                              <is-unique id="unique-implemented-component-responsible-party" target="responsible-party">
-                                    <key-field target="@role-id"/>
+                              <is-unique id="unique-implemented-component-responsible-party"
+                                    target="responsible-party">
+                                    <key-field target="@role-id" />
                                     <remarks>
-                                          <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+                                          <p>Since <code>responsible-party</code> associates
+                                                multiple <code>party-uuid</code> entries with a
+                                                single <code>role-id</code>, each role-id must be
+                                                referenced only once.</p>
                                     </remarks>
                               </is-unique>
                         </constraint>
                   </define-assembly>
-                  <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                  <field ref="remarks" in-xml="WITH_WRAPPER" />
             </model>
             <constraint>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <enum value="ipv4-address">The Internet Protocol v4 Address of the asset.</enum>
-                        <enum value="ipv6-address">The Internet Protocol v6 Address of the asset.</enum>
-                        <enum value="fqdn">The full-qualified domain name (FQDN) of the asset.</enum>
-                        <enum value="uri">A Uniform Resource Identifier (URI) for the asset.</enum>
-                        <enum value="serial-number">A serial number for the asset.</enum>
-                        <enum value="netbios-name">The NetBIOS name for the asset.</enum>
-                        <enum value="mac-address">The media access control (MAC) address for the asset.</enum>
-                        <enum value="physical-location">The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).</enum>
-                        <enum value="is-scanned">is the asset subjected to network scans? (yes/no)</enum>
-                        <!-- =========================================================================================== -->
-                        <!-- = The following is to support the legacy approach for inventory-items without components. = -->
-                        <!-- =========================================================================================== -->
+                        <enum
+                              value="ipv6-address">The Internet Protocol v6 Address of the asset.</enum>
+                        <enum
+                              value="fqdn">The full-qualified domain name (FQDN) of the asset.</enum>
+                        <enum
+                              value="uri">A Uniform Resource Identifier (URI) for the asset.</enum>
+                        <enum
+                              value="serial-number">A serial number for the asset.</enum>
+                        <enum
+                              value="netbios-name">The NetBIOS name for the asset.</enum>
+                        <enum
+                              value="mac-address">The media access control (MAC) address for the
+                        asset.</enum>
+                        <enum value="physical-location">The physical location of the
+                        asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful
+                        location identifiers).</enum>
+                        <enum value="is-scanned">is the asset subjected
+                        to network scans? (yes/no)</enum>
+                        <!--
+                        =========================================================================================== -->
+                        <!-- = The following is to support the legacy approach for inventory-items
+                        without components. = -->
+                        <!--
+                        =========================================================================================== -->
                         <!-- This is "model" in the context of a component -->
-                        <enum value="hardware-model">The model number of the hardware used by the asset.</enum>
+                        <enum value="hardware-model">The model
+                        number of the hardware used by the asset.</enum>
                         <!-- This is "name" in the context of a component -->
-                        <enum value="os-name">The name of the operating system used by the asset.</enum>
+                        <enum value="os-name">The
+                        name of the operating system used by the asset.</enum>
                         <!-- This is "version" in the context of a component -->
-                        <enum value="os-version">The version of the operating system used by the asset.</enum>
+                        <enum
+                              value="os-version">The version of the operating system used by the
+                        asset.</enum>
                         <!-- This is "name" in the context of a component -->
-                        <enum value="software-name">The software product name used by the asset.</enum>
+                        <enum value="software-name">The software product name used by
+                        the asset.</enum>
                         <!-- This is "version" in the context of a component -->
-                        <enum value="software-version">The software product version used by the asset.</enum>
+                        <enum value="software-version">The software product version
+                        used by the asset.</enum>
                         <!-- This is "patch-level" in the context of a component -->
-                        <enum value="software-patch-level">The software product patch level used by the asset.</enum>
+                        <enum value="software-patch-level">The software
+                        product patch level used by the asset.</enum>
 
-                        <!-- =========================================================================================== -->
+                        <!--
+                        =========================================================================================== -->
                         <!-- = The following is shared with system-component. = -->
-                        <!-- =========================================================================================== -->
-                        &allowed-values-component_inventory-item_property-name;
-
-                  </allowed-values>
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value" allow-other="yes">
+                        <!--
+                        =========================================================================================== -->
+                        &allowed-values-component_inventory-item_property-name; </allowed-values>
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value"
+                        allow-other="yes">
                         &allowed-values-property-name-asset-type-values;
                   </allowed-values>
 
-                  <allowed-values target="(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+                  <allowed-values
+                        target="(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                         <enum value="vendor-name">The name of the company or organization </enum>
                   </allowed-values>
 
 
-                  <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='is-scanned']/@value">
+                  <allowed-values
+                        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='is-scanned']/@value">
                         <enum value="yes">The asset is included in periodic vulnerability scanning.</enum>
-                        <enum value="no">The asset is not included in periodic vulnerability scanning.</enum>
+                        <enum value="no">The asset is not included in periodic vulnerability
+                              scanning.</enum>
                   </allowed-values>
 
                   <allowed-values target="link/@rel" allow-other="yes">
-                        <enum value="baseline-template">A reference to the baseline template used to configure the asset.</enum>
+                        <enum value="baseline-template">A reference to the baseline template used to
+                              configure the asset.</enum>
                   </allowed-values>
-                  <!-- TODO: constrain link href values based on rel ((BJR): Was unsure how to do this.) -->
+                  <!-- TODO: constrain link href values based on rel ((BJR): Was unsure how to do
+                  this.) -->
 
                   <allowed-values target="responsible-party/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
-            &allowed-values-responsible-roles-component-production;
+                        &allowed-values-responsible-roles-operations;
+                        &allowed-values-responsible-roles-component-production;
                   </allowed-values>
 
                   <index-has-key name="index-metadata-role-id" target="responsible-party">
@@ -613,19 +850,21 @@
                         <key-field target="party-uuid"></key-field>
                   </index-has-key>
                   <is-unique id="unique-inventory-item-responsible-party" target="responsible-party">
-                        <key-field target="@role-id"/>
+                        <key-field target="@role-id" />
                         <remarks>
-                              <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+                              <p>Since <code>responsible-party</code> associates multiple <code>
+                                    party-uuid</code> entries with a single <code>role-id</code>,
+                                    each role-id must be referenced only once.</p>
                         </remarks>
                   </is-unique>
             </constraint>
       </define-assembly>
 
 
-
       <!--   <define-assembly name="only-statement">
       <formal-name>Specific Statement</formal-name>
-      <description>Describes which specific statements are addressed by a requirement, by pointing to a specific requirement statement within a control.</description>
+      <description>Describes which specific statements are addressed by a requirement, by pointing to a
+      specific requirement statement within a control.</description>
       <json-key flag-name="statement-id"/>
       <flag ref="statement-id" required="yes">
          <remarks>
@@ -635,7 +874,8 @@
       <model>
          <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
             <formal-name>Statement Implementation Description</formal-name>
-            <description>A description of the component, including information about its function.</description>
+            <description>A description of the component, including information about its
+      function.</description>
          </define-field>
          <field ref="property" max-occurs="unbounded">
             <group-as name="props" in-json="ARRAY"/>
@@ -658,20 +898,23 @@
       <define-flag name="statement-id" as-type="token">
             <formal-name>Control Statement Reference</formal-name>
             <!-- Identifier Reference -->
-            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">human-oriented</a> identifier reference to a <code>control statement</code>.</description>
+            <description>A <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">
+                  human-oriented</a> identifier reference to a <code>control statement</code>.</description>
       </define-flag>
       <define-assembly name="set-parameter">
             <formal-name>Set Parameter Value</formal-name>
             <description>Identifies the parameter that will be set by the enclosed value.</description>
-            <flag ref="param-id" required="yes"/>
+            <flag ref="param-id" required="yes" />
             <model>
                   <define-field name="value" as-type="string" min-occurs="1" max-occurs="unbounded">
-                        <!-- CHANGED type from "markup-line" to "string" since this is intended to be a scalar value -->
+                        <!-- CHANGED type from "markup-line" to "string" since this is intended to
+                        be a scalar value -->
                         <formal-name>Parameter Value</formal-name>
                         <description>A parameter value or set of values.</description>
-                        <group-as name="values" in-json="ARRAY"/>
+                        <group-as name="values" in-json="ARRAY" />
                   </define-field>
-                  <field ref="remarks" in-xml="WITH_WRAPPER"/>
+                  <field ref="remarks" in-xml="WITH_WRAPPER" />
             </model>
       </define-assembly>
 
@@ -682,36 +925,74 @@
             <!-- Identifier Declaration -->
             <!-- 
                   TODO: Given feedback, we need to update Metaschema with usnistgov/metaschema#222
-                  with props like in https://github.com/david-waltermire-nist/OSCAL/commit/3aafc080b3dc5f488c15b763f707326e77a61f5d#diff-4176d3cf694dd36b02a94207426934306ec0fdaecc54d1bb96f50f52cd7ceae6R27-R32.
+                  with props like in
+            https://github.com/david-waltermire-nist/OSCAL/commit/3aafc080b3dc5f488c15b763f707326e77a61f5d#diff-4176d3cf694dd36b02a94207426934306ec0fdaecc54d1bb96f50f52cd7ceae6R27-R32.
 
-                  We need to determine if both identifier-type='machine-oriented' and identifier-type='human-oriented'.
+                  We need to determine if both identifier-type='machine-oriented' and
+            identifier-type='human-oriented'.
                   Option 2 is identifier-type='unspecified'.
             -->
-            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">human-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this system identification property elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. When referencing an externally defined <code>system identification</code>, the <code>system identification</code> must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same system across revisions of the document.</description>
+            <description>A <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">
+                  human-oriented</a>, <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                  unique</a> identifier with <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                  cross-instance</a> scope that can be used to reference this system identification
+                  property elsewhere in <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or
+                  other OSCAL instances</a>. When referencing an externally defined <code>system
+                  identification</code>, the <code>system identification</code> must be used in the
+                  context of the external / imported OSCAL instance (e.g., uri-reference). This
+                  string should be assigned <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                  per-subject</a>, which means it should be consistently used to identify the same
+                  system across revisions of the document.</description>
             <json-value-key>id</json-value-key>
             <define-flag name="identifier-type" as-type="uri">
                   <formal-name>Identification System Type</formal-name>
-                  <description>Identifies the identification system from which the provided identifier was assigned. </description>
+                  <description>Identifies the identification system from which the provided
+                        identifier was assigned. </description>
                   <constraint>
                         <allowed-values allow-other="yes">
-                              <enum value="https://fedramp.gov" deprecated="1.0.3">**deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use <code>http://fedramp.gov/ns/oscal</code> instead.</enum>
-                              <enum value="http://fedramp.gov/ns/oscal">The identifier was assigned by FedRAMP.</enum>
-                              <enum value="https://ietf.org/rfc/rfc4122" deprecated="1.0.3">**deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use <code>http://ietf.org/rfc/rfc4122</code> instead.</enum>
-                              <enum value="http://ietf.org/rfc/rfc4122">A Universally Unique Identifier (UUID) as defined by RFC4122.</enum>
+                              <enum value="https://fedramp.gov" deprecated="1.0.3">**deprecated**
+                                    The identifier was assigned by FedRAMP. This has been
+                                    deprecated; use <code>http://fedramp.gov/ns/oscal</code>
+                                    instead.</enum>
+                              <enum value="http://fedramp.gov/ns/oscal">The identifier was assigned
+                                    by FedRAMP.</enum>
+                              <enum value="https://ietf.org/rfc/rfc4122" deprecated="1.0.3">**deprecated**
+                                    A Universally Unique Identifier (UUID) as defined by RFC4122.
+                                    This value has been deprecated; use <code>
+                                    http://ietf.org/rfc/rfc4122</code> instead.</enum>
+                              <enum value="http://ietf.org/rfc/rfc4122">A Universally Unique
+                                    Identifier (UUID) as defined by RFC4122.</enum>
                         </allowed-values>
                   </constraint>
                   <remarks>
-                        <p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
+                        <p>This value must be an <a
+                                    href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute
+                              URI</a> that serves as a <a
+                                    href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming
+                              system identifier</a>.</p>
                   </remarks>
             </define-flag>
       </define-field>
 
+      <define-field name="date-authorized" as-type="date" scope="local">
+            <formal-name>System Authorization Date</formal-name>
+            <description>The date the system received its most recent authorization to operate.</description>
+      </define-field>
+          
       <!-- ===== FLAGS ===== -->
       <define-flag name="param-id" as-type="token">
             <!-- This is an id because the idenfier is assigned and managed by humans. -->
             <formal-name>Parameter ID</formal-name>
             <!-- Identifier Reference -->
-            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">human-oriented</a> reference to a <code>parameter</code> within a control, who's catalog has been imported into the current implementation context.</description>
+            <description>A <a
+                        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">
+                  human-oriented</a> reference to a <code>parameter</code> within a control, who's
+                  catalog has been imported into the current implementation context.</description>
             <example>
                   <set-param xmlns="http://csrc.nist.gov/ns/oscal/example" param-id="ac-2_prm_2">
                         <enum>System ISSO</enum>
@@ -721,7 +1002,9 @@
 
       <define-flag name="exportable" as-type="boolean">
             <formal-name>Exportable</formal-name>
-            <description>Indicates that the implmentation status is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.</description>
-      </define-flag>        
+            <description>Indicates that the implmentation status is exportable for external
+                  consumption, such as with leveraged organizations, customer responsibility
+                  documentation, and shared security responsibility documentation.</description>
+      </define-flag>
 
-</METASCHEMA>
+</METASCHEMA>
\ No newline at end of file
diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index efafe503e5..e906438c34 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -6,76 +6,88 @@
   <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
+  xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+  xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
   <schema-name>OSCAL Shared Responsibility Model</schema-name>
   <schema-version>1.1.2</schema-version>
   <short-name>oscal-shared-responsibility</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
   <remarks>
-    <p>This is a prototype OSCAL Shared Responsibility Model for evaluation purposes, based on a copy of the OSCAL Component Definition Model.</p>
+    <p>This is a prototype OSCAL Shared Responsibility Model for evaluation purposes, based on a
+      copy of the OSCAL Component Definition Model.</p>
     <p>This prototype may contain assemblies that are not intended in this context.</p>
-    <p>The most important assemblies to consider within this current version are: provided, responsibilities, inherited, and satisfied.</p>
+    <p>The most important assemblies to consider within this current version are: provided,
+      responsibilities, inherited, and satisfied.</p>
   </remarks>
-
-  <import href="oscal_metadata_metaschema.xml"/>
-  <import href="oscal_implementation-common_metaschema.xml"/>
-  <import href="oscal_responsibility-common_metaschema.xml"/>
+  
+  <!-- IMPORT STATEMENTS -->
+  <import href="oscal_metadata_metaschema.xml" />
+  <import href="oscal_implementation-common_metaschema.xml" />
+  <import href="oscal_responsibility-common_metaschema.xml" />
 
   <define-assembly name="shared-responsibility">
     <formal-name>Shared Responsibility</formal-name>
-    <description>A collection of component descriptions, which may optionally be grouped by capability.</description>
+    <description>A collection of component descriptions, which may optionally be grouped by
+      capability.</description>
     <root-name>shared-responsibility</root-name>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Shared Responsibility Universally Unique Identifier</formal-name>
-      <description>Provides a globally unique means to identify a given component definition instance.</description>
+      <description>Provides a globally unique means to identify a given component definition
+        instance.</description>
     </define-flag>
     <model>
-      <assembly ref="metadata" min-occurs="1"/>
-      <assembly ref="source-ssp" max-occurs="1"/>
-      <assembly ref="control-implementation" min-occurs="1"/>
-      <assembly ref="back-matter"/>
+      <assembly ref="metadata" min-occurs="1" />
+      <assembly ref="source-ssp" max-occurs="1" />
+      <assembly ref="control-implementation" min-occurs="1" />
+      <assembly ref="back-matter" />
     </model>
     <constraint>
-      <index name="by-component-uuid" target="control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component">
-        <key-field target="@uuid"/>
+      <index name="by-component-uuid"
+        target="control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component">
+        <key-field target="@uuid" />
       </index>
     </constraint>
   </define-assembly>
 
-
-
-<!-- 
+  <!-- 
     In the interest of evaluation simplicity, this is a direct copy from oscal_ssp_metaschema.xml.
-    If this ends up being used unchanged, consider using a common for these so they stay aligned over time.
+    If this ends up being used unchanged, consider using a common for these so they stay aligned over
+  time.
     BEGIN: SR Additions from SSP
   -->
-  
+
   <define-assembly name="control-implementation" scope="local">
     <formal-name>Control Implementation</formal-name>
     <description>Describes how the system satisfies a set of controls.</description>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Description</formal-name>
-        <description>A statement describing important things to know about how this set of control satisfaction documentation is approached.</description>
+        <description>A statement describing important things to know about how this set of control
+          satisfaction documentation is approached.</description>
       </define-field>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="implemented-requirement" min-occurs="1" max-occurs="unbounded">
-        <group-as name="implemented-requirements" in-json="ARRAY"/>
+        <group-as name="implemented-requirements" in-json="ARRAY" />
       </assembly>
     </model>
     <constraint>
       <is-unique id="unique-ssp-control-implementation-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for all controls referenced by any <code>implemented-requirement</code> contained in this context. Any <code>set-parameter</code> defined in a child context will override this value. If not overridden by a child, this value applies in the child context.</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for all controls
+        referenced by any <code>implemented-requirement</code> contained in this context. Any <code>
+        set-parameter</code> defined in a child context will override this value. If not overridden
+        by a child, this value applies in the child context.</p>
     </remarks>
   </define-assembly>
   <define-assembly name="implemented-requirement" scope="local">
@@ -84,84 +96,112 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Control Requirement Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this control requirement elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control requirement</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this control requirement elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control requirement</code>
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
-    <flag ref="control-id" required="yes"/>
+    <flag ref="control-id" required="yes" />
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <assembly ref="statement" max-occurs="unbounded">
-        <group-as name="statements" in-json="ARRAY"/>
+        <group-as name="statements" in-json="ARRAY" />
       </assembly>
       <assembly ref="by-component" min-occurs="0" max-occurs="unbounded">
-        <group-as name="by-components" in-json="ARRAY"/>
+        <group-as name="by-components" in-json="ARRAY" />
       </assembly>
       <!-- TODO: Implement parameters -->
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
-      <allowed-values target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-        <enum value="control-origination">Identifies the source of the implemented control.  Any <code>control-origination</code> prop defined in a child context will override the parent value.</enum>
+      <allowed-values
+        target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+        <enum value="control-origination">Identifies the source of the implemented control. Any <code>
+          control-origination</code> prop defined in a child context will override the parent value.</enum>
       </allowed-values>
-      <allowed-values target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='control-origination']/@value">
-        <enum value="organization">The control is implemented by the organization owning the system, but is not specific to the system itself.</enum>
+      <allowed-values
+        target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='control-origination']/@value">
+        <enum value="organization">The control is implemented by the organization owning the system,
+          but is not specific to the system itself.</enum>
         <enum value="system-specific">The control is implemented specifically to this system.</enum>
-        <enum value="customer-configured">The control is provided by the system, but must be configured by the customer.</enum>
+        <enum value="customer-configured">The control is provided by the system, but must be
+          configured by the customer.</enum>
         <enum value="customer-provided">The control must be implemented by the customer.</enum>
         <enum value="inherited">This control is inherited from an underlying system.</enum>
       </allowed-values>
       <allowed-values target="responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-operations;
       </allowed-values>
-      <index-has-key name="index-metadata-role-id" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
-        <key-field target="@role-id"/>
+      <index-has-key name="index-metadata-role-id"
+        target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
+        <key-field target="@role-id" />
       </index-has-key>
-      <index-has-key name="index-metadata-party-uuid" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
-        <key-field target="party-uuid"/>
+      <index-has-key name="index-metadata-party-uuid"
+        target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
+        <key-field target="party-uuid" />
       </index-has-key>
       <has-cardinality target=".//by-component" min-occurs="1">
         <remarks>
-          <p>Since all implementation statements are defined at the by-component level (e.g., type=this-system), there must be at least one by-component.</p>
+          <p>Since all implementation statements are defined at the by-component level (e.g.,
+            type=this-system), there must be at least one by-component.</p>
         </remarks>
       </has-cardinality>
       <is-unique id="unique-ssp-implemented-requirement-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-statement" target="statement">
-        <key-field target="@statement-id"/>
+        <key-field target="@statement-id" />
         <remarks>
-          <p>Since <code>statement</code> entries can be referenced using the statement's statement-id, each statement must be referenced only once.</p>
+          <p>Since <code>statement</code> entries can be referenced using the statement's
+            statement-id, each statement must be referenced only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-by-component" target="by-component">
-        <key-field target="@component-uuid"/>
+        <key-field target="@component-uuid" />
         <remarks>
-          <p>Since <code>by-component</code> can reference <code>component</code> entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same <code>by-component</code> entry.</p>
+          <p>Since <code>by-component</code> can reference <code>component</code> entries using the
+            component's uuid, each component must be referenced only once. This ensures that all
+            implementation statements are contained in the same <code>by-component</code> entry.</p>
         </remarks>
       </is-unique>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the referenced control. Any <code>set-parameter</code> defined in a child context will override this value. If not overridden by a child, this value applies in the child context.</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the referenced
+        control. Any <code>set-parameter</code> defined in a child context will override this value.
+        If not overridden by a child, this value applies in the child context.</p>
     </remarks>
   </define-assembly>
   <define-assembly name="statement" scope="local">
@@ -175,134 +215,172 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Control Statement Reference Universally Unique Identifier</formal-name>
       <!-- Identifier Reference -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this control statement elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The <em>UUID</em> of the <code>control statement</code> in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this control statement elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The <em>UUID</em> of the <code>control statement</code> in the source
+        OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an
+        imported OSCAL instance).</description>
     </define-flag>
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <assembly ref="by-component" max-occurs="unbounded">
-        <group-as name="by-components" in-json="ARRAY"/>
+        <group-as name="by-components" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-operations;
       </allowed-values>
       <is-unique id="unique-ssp-statement-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
-      <is-unique id="unique-ssp-implemented-requirement-statement-by-component" target="by-component">
-        <key-field target="@component-uuid"/>
+      <is-unique id="unique-ssp-implemented-requirement-statement-by-component"
+        target="by-component">
+        <key-field target="@component-uuid" />
         <remarks>
-          <p>Since <code>by-component</code> can reference <code>component</code> entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same <code>by-component</code> entry.</p>
+          <p>Since <code>by-component</code> can reference <code>component</code> entries using the
+            component's uuid, each component must be referenced only once. This ensures that all
+            implementation statements are contained in the same <code>by-component</code> entry.</p>
         </remarks>
       </is-unique>
-      
+
     </constraint>
   </define-assembly>
   <define-assembly name="by-component">
-    <!-- QUESTION: Should set-parameter be moved here to allow component-specific parameter settings? or "this-system" for the whole system? -->
+    <!-- QUESTION: Should set-parameter be moved here to allow component-specific parameter
+    settings? or "this-system" for the whole system? -->
     <formal-name>Component Control Implementation</formal-name>
     <description>Defines how the referenced component implements a set of controls.</description>
     <define-flag required="yes" name="component-uuid" as-type="uuid">
       <formal-name>Component Universally Unique Identifier Reference</formal-name>
       <!-- Identifier Reference -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the <code>component</code> that is implemeting a given control.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a> identifier reference to the <code>component</code> that is implemeting
+        a given control.</description>
     </define-flag>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>By-Component Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this by-component entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>by-component</code> entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this by-component entry elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>by-component</code>
+        entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Description</formal-name>
-        <description>An implementation statement that describes how a control or a control statement is implemented within the referenced system component.</description>
+        <description>An implementation statement that describes how a control or a control statement
+          is implemented within the referenced system component.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="implementation-status">
         <remarks>
-          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value
+            to indicate the degree to which the control is implemented.</p>
         </remarks>
       </assembly>
 
-      <!-- CHANGED from Export for CRM/SSRM: Shared Responsibility Assembly -->
-      <assembly ref="provided">
-        <group-as name="provided" in-json="ARRAY"/>
+      <!-- CHANGED from Export for SRM: Shared Responsibility Assembly -->
+      <assembly ref="provided" max-occurs="unbounded">
+        <group-as name="provided" in-json="ARRAY" />
       </assembly>
-      <assembly ref="responsibility">
-        <group-as name="responsibility" in-json="ARRAY"/>
+      <assembly ref="responsibility" max-occurs="unbounded">
+        <group-as name="responsibility" in-json="ARRAY" />
       </assembly>
-      <assembly ref="inherited">
-        <group-as name="inherited" in-json="ARRAY"/>
+      <assembly ref="inherited" max-occurs="unbounded">
+        <group-as name="inherited" in-json="ARRAY" />
       </assembly>
-      <assembly ref="satisfied">
-        <group-as name="satisfied" in-json="ARRAY"/>
+      <assembly ref="satisfied" max-occurs="unbounded">
+        <group-as name="satisfied" in-json="ARRAY" />
       </assembly>
-
-      <!-- <assembly ref="export" max-occurs="1">
-        <remarks>
-          <p>TODO: Documentation</p>
-        </remarks>
-      </assembly> -->
-
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <!-- CHANGED: removed "set-parameter" -->
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="link/@rel" allow-other="yes">
-        <!-- TODO: More work needs to be done around link enforcement constraints and requires Metaschema work on recurse-depth-first() recursive index searching. -->
-        <enum value="imported-from">The hyperlink identifies a URI pointing to the <code>component</code> in a <code>component-definition</code> that originally described the <code>component</code> this component was based on.</enum>
+        <!-- TODO: More work needs to be done around link enforcement constraints and requires
+        Metaschema work on recurse-depth-first() recursive index searching. -->
+        <enum value="imported-from">The hyperlink identifies a URI pointing to the <code>component</code>
+          in a <code>component-definition</code> that originally described the <code>component</code>
+          this component was based on.</enum>
       </allowed-values>
       <allowed-values target=".//responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
-            &allowed-values-responsible-roles-component-production;
+        &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-component-production;
       </allowed-values>
       <is-unique id="unique-ssp-by-component-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
 
       <allowed-values target="link/@rel" allow-other="yes">
-        <enum value="provided-by">A reference to the UUID of a control or statement <code>by-component</code> object that is used as evidence of implementation.</enum>
+        <enum value="provided-by">A reference to the UUID of a control or statement <code>
+          by-component</code> object that is used as evidence of implementation.</enum>
       </allowed-values>
       <index-has-key name="by-component-uuid" target="link[@rel='provided-by']">
         <key-field target="@href" pattern="#(.*)" />
       </index-has-key>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the control referenced in the containing <code>implemented-requirement</code> applied to the referenced component. If the <code>by-component</code> is used as a child of a <code>statement</code>, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the <code>control-implementation</code> or a specific <code>implemented-requirement</code>, then this <code>by-component/set-parameter</code> value will override the other value(s) in the context of the referenced component, control, and statement (if parent).</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the control
+        referenced in the containing <code>implemented-requirement</code> applied to the referenced
+        component. If the <code>by-component</code> is used as a child of a <code>statement</code>,
+        then the parameter value also applies only in the context of the referenced statement. If
+        the same parameter is also set in the <code>control-implementation</code> or a specific <code>
+        implemented-requirement</code>, then this <code>by-component/set-parameter</code> value will
+        override the other value(s) in the context of the referenced component, control, and
+        statement (if parent).</p>
     </remarks>
   </define-assembly>
 
-
   <!-- 
     END: SR Additions from SSP
   -->
 
 
-</METASCHEMA>
+</METASCHEMA>
\ No newline at end of file

From 45f671297105cc20c79f12e610847c04a1afab5b Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Sat, 23 Mar 2024 17:27:30 -0400
Subject: [PATCH 42/51] Made ssp-uuid not required to support SR from non OSCAL
 SSP and included it also in the leveraged-autorization assembly to support
 OSCAL SSPs for leveraged systems

---
 .../oscal_responsibility-common_metaschema.xml         | 10 ++++++----
 .../oscal_shared-responsibility_metaschema.xml         |  3 ++-
 src/metaschema/oscal_ssp_metaschema.xml                |  3 +++
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 7a0868ec08..80290ec92c 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -1,10 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<!DOCTYPE METASCHEMA [
+<!-- <!DOCTYPE METASCHEMA [
   <!ENTITY allowed-values-responsible-roles-system SYSTEM "./shared-constraints/allowed-values-responsible-roles-system.ent">
   <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
   <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
+-->
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
   xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd"
@@ -29,8 +30,9 @@
     <formal-name>Source SSP</formal-name>
     <description>The leveraged System Security Plan (SSP) that documents the components implementing
       inheritable controls.</description>
-
-    <define-flag name="ssp-uuid" as-type="uuid" required="yes">
+<!-- While it is desirable the SSP of an SP to be in OSCAL, legacy systems might not have one, 
+  and the SR would serve as the first step towards digitalization. In OSCAL v2.0 maybe we can require the ssp-uuid -->
+    <define-flag name="ssp-uuid" as-type="uuid" >
       <formal-name>SSP Universally Unique Identifier</formal-name>
       <description>A <a
           href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
@@ -318,7 +320,7 @@
     </constraint>
   </define-assembly>
 
-  <define-assembly name="export" deprecated="1.1.2">
+  <define-assembly name="export" deprecated="1.1.0">
     <formal-name>Shared Responsibility</formal-name>
     <description>Identifies content intended for external consumption, such as with leveraged
       organizations, customer responsibility documentation, and shared security responsibility
diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index e906438c34..18f0213360 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -22,8 +22,9 @@
   </remarks>
   
   <!-- IMPORT STATEMENTS -->
+  <!-- Already imported in oscal_responsibility-common_metaschema.xml
   <import href="oscal_metadata_metaschema.xml" />
-  <import href="oscal_implementation-common_metaschema.xml" />
+  <import href="oscal_implementation-common_metaschema.xml" /> -->
   <import href="oscal_responsibility-common_metaschema.xml" />
 
   <define-assembly name="shared-responsibility">
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 9747c3bb7e..37d92942cf 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -381,10 +381,12 @@
       <p>If 'other' is selected, a remark must be included to describe the current state.</p>
     </remarks>
   </define-assembly>
+  <!-- Moved to oscal_implementation-commong_metaschema.xml to use it in SR and CDef
   <define-field name="date-authorized" as-type="date" scope="local">
     <formal-name>System Authorization Date</formal-name>
     <description>The date the system received its authorization.</description>
   </define-field>
+  -->
   <define-assembly name="authorization-boundary">
     <formal-name>Authorization Boundary</formal-name>
     <description>A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.</description>
@@ -552,6 +554,7 @@
           <!-- Identifier Declaration -->
           <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this leveraged authorization elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged authorization</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
         </define-flag>
+        <flag ref="ssp-uuid" />
         <model>
           <define-field name="title" as-type="markup-line" min-occurs="1">
             <formal-name>title field</formal-name>

From 4bd5bb505386f4850a6a53ad62de5d16f6c29122 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Sun, 24 Mar 2024 23:14:48 -0400
Subject: [PATCH 43/51] Added responsibility assembly to component def,
 corrected group-as name and added sr-uuid flag.

---
 src/metaschema/oscal_component_metaschema.xml | 79 +++++++++++++++++--
 ...oscal_implementation-common_metaschema.xml |  2 +-
 ...oscal_responsibility-common_metaschema.xml | 19 ++++-
 ...oscal_shared-responsibility_metaschema.xml |  2 +-
 src/metaschema/oscal_ssp_metaschema.xml       |  5 +-
 5 files changed, 94 insertions(+), 13 deletions(-)

diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
index 156c8592a1..c205f698e3 100644
--- a/src/metaschema/oscal_component_metaschema.xml
+++ b/src/metaschema/oscal_component_metaschema.xml
@@ -26,8 +26,9 @@
     <p>The root of the OSCAL Implementation Layer Component Definition model is <code>component-definition</code>.</p>
   </remarks>
 
-  <import href="oscal_implementation-common_metaschema.xml"/>
-  <import href="oscal_responsibility-common_metaschema.xml"/>
+  <!-- IMPORTS -->
+  <import href="oscal_implementation-common_metaschema.xml"/> 
+  <!-- <import href="oscal_responsibility-common_metaschema.xml"/> -->
 
   <define-assembly name="component-definition">
     <formal-name>Component Definition</formal-name>
@@ -134,7 +135,6 @@
           <p>Used for <code>service</code> components to define the protocols supported by the service.</p>
         </remarks>
       </assembly>
-
       <assembly ref="control-implementation" max-occurs="unbounded">
         <group-as name="control-implementations" in-json="ARRAY"/>
       </assembly>
@@ -312,6 +312,7 @@
       <!-- Feature Request: add constraint ensuring a capability's incorporates-component references //component-definition/component/@uuid in the same component definition instance or an imported instance-->
     </constraint>
   </define-assembly>
+
   <define-assembly name="incorporates-component">
     <formal-name>Incorporates Component</formal-name>
     <!-- TODO: needs a description -->
@@ -329,6 +330,67 @@
     </model>
   </define-assembly>
 
+  <define-assembly name="responsibility" scope="local">
+    <formal-name>Control Implementation Responsibility</formal-name>
+    <description>Describes a control implementation responsibility imposed on a leveraging system.</description>
+    <!-- <group-as name="responsibilities" in-json="ARRAY"/> -->
+    <define-flag name="uuid" as-type="uuid" required="yes">
+      <formal-name>Responsibility Universally Unique Identifier</formal-name>
+      <!-- Identifier Declaration -->
+      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this responsibility elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>responsibility</code>
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
+    </define-flag>
+    <!-- The following flags make no sense in teh context of a CDef.
+    <flag ref="provided-uuid" required="no" />
+    <flag ref="implemented-by" required="no" />
+    -->
+    <flag ref="exportable" />
+    <model>
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
+        <formal-name>Control Implementation Responsibility Description</formal-name>
+        <description>An implementation statement that describes the aspects of the control or
+          control statement implementation that a customer must implement to satisfy the
+          control provided by the component.</description>
+      </define-field>
+      <assembly ref="property" max-occurs="unbounded">
+        <group-as name="props" in-json="ARRAY" />
+      </assembly>
+      <assembly ref="link" max-occurs="unbounded">
+        <group-as name="links" in-json="ARRAY" />
+        <!-- TODO: Model specific link relationships -->
+      </assembly>
+      <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
+        <group-as name="responsible-roles" in-json="ARRAY" />
+        <remarks>
+          <p>A role defined at the by-component level takes precedence over the same role defined on
+            the parent implemented-requirement or on the referenced component. </p>
+        </remarks>
+      </assembly>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
+    </model>
+    <constraint>
+      <is-unique id="unique-responsibility-responsible-role" target="responsible-role">
+        <key-field target="@role-id" />
+        <remarks>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+        </remarks>
+      </is-unique>
+    </constraint>
+  </define-assembly>
+
   <define-assembly name="control-implementation" scope="local">
     <formal-name>Control Implementation Set</formal-name>
     <description>Defines how the component or capability supports a set of controls.</description>
@@ -412,11 +474,14 @@
       <assembly ref="set-parameter" max-occurs="unbounded">
         <group-as name="set-parameters" in-json="ARRAY"/>
       </assembly>
+      <assembly ref="responsibility" max-occurs="unbounded">
+        <group-as name="responsibilities" in-json="ARRAY"/>
+      </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
         <group-as name="responsible-roles" in-json="ARRAY"/>
       </assembly>
 
-      <!-- ADDED for CRM/SSRM: Implementation Status and Shared Responsibility Assembly -->
+      <!-- ADDED for SRM: Implementation Status and Shared Responsibility Assembly -->
       <!-- <assembly ref="implementation-status">
         <remarks>
           <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
@@ -427,7 +492,7 @@
         <group-as name="provided" in-json="ARRAY"/>
       </assembly>
       <assembly ref="responsibility">
-        <group-as name="responsibility" in-json="ARRAY"/>
+        <group-as name="responsibilities" in-json="ARRAY"/>
       </assembly>
       <assembly ref="inherited">
         <group-as name="inherited" in-json="ARRAY"/>
@@ -435,7 +500,6 @@
       <assembly ref="satisfied">
         <group-as name="satisfied" in-json="ARRAY"/>
       </assembly>
-
       <assembly ref="export" max-occurs="1">
         <remarks>
           <p>TODO: Documentation</p>
@@ -497,6 +561,9 @@
       <assembly ref="link" max-occurs="unbounded">
         <group-as name="links" in-json="ARRAY"/>
       </assembly>
+      <assembly ref="responsibility" max-occurs="unbounded">
+        <group-as name="responsibilities" in-json="ARRAY"/>
+      </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
         <group-as name="responsible-roles" in-json="ARRAY"/>
       </assembly>
diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index 888cb3b39e..0650e2c476 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -1002,7 +1002,7 @@
 
       <define-flag name="exportable" as-type="boolean">
             <formal-name>Exportable</formal-name>
-            <description>Indicates that the implmentation status is exportable for external
+            <description>Indicates that the information is exportable for external
                   consumption, such as with leveraged organizations, customer responsibility
                   documentation, and shared security responsibility documentation.</description>
       </define-flag>
diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 80290ec92c..6d8b6ec86b 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -30,8 +30,8 @@
     <formal-name>Source SSP</formal-name>
     <description>The leveraged System Security Plan (SSP) that documents the components implementing
       inheritable controls.</description>
-<!-- While it is desirable the SSP of an SP to be in OSCAL, legacy systems might not have one, 
-  and the SR would serve as the first step towards digitalization. In OSCAL v2.0 maybe we can require the ssp-uuid -->
+<!-- While it is desirable for the SSP of the system to be in OSCAL, legacy systems might not have one, 
+  and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be required -->
     <define-flag name="ssp-uuid" as-type="uuid" >
       <formal-name>SSP Universally Unique Identifier</formal-name>
       <description>A <a
@@ -45,6 +45,19 @@
         instances</a>.</description>
     </define-flag>
 
+    <define-flag name="sr-uuid" as-type="uuid" >
+      <formal-name>SR Universally Unique Identifier</formal-name>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference the Shared Responsibility leveraged in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
+        instances</a>.</description>
+    </define-flag>
+
     <model>
       <define-field name="title" as-type="markup-line">
         <formal-name>Source Title</formal-name>
@@ -348,7 +361,7 @@
         <group-as name="provided" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibility" in-json="ARRAY" />
+        <group-as name="responsibilities" in-json="ARRAY" />
       </assembly>
       <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index 18f0213360..05c9e5a429 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -325,7 +325,7 @@
         <group-as name="provided" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibility" in-json="ARRAY" />
+        <group-as name="responsibilities" in-json="ARRAY" />
       </assembly>
       <assembly ref="inherited" max-occurs="unbounded">
         <group-as name="inherited" in-json="ARRAY" />
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 37d92942cf..f92abfa619 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -554,7 +554,8 @@
           <!-- Identifier Declaration -->
           <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this leveraged authorization elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged authorization</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
         </define-flag>
-        <flag ref="ssp-uuid" />
+        <flag ref="ssp-uuid" required="no"/>
+        <flag ref="sr-uuid" required="no"/>
         <model>
           <define-field name="title" as-type="markup-line" min-occurs="1">
             <formal-name>title field</formal-name>
@@ -862,7 +863,7 @@
         <group-as name="provided" in-json="ARRAY"/>
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibility" in-json="ARRAY"/>
+        <group-as name="responsibilities" in-json="ARRAY"/>
       </assembly>
       <assembly ref="inherited" max-occurs="unbounded">
         <group-as name="inherited" in-json="ARRAY"/>

From 72850142c54cf0ab8885bf7450cbb8fac51ae2b7 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Mon, 25 Mar 2024 12:39:03 -0400
Subject: [PATCH 44/51] Minor updates and enhancements.

---
 src/metaschema/oscal_component_metaschema.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
index c205f698e3..48cffca4d0 100644
--- a/src/metaschema/oscal_component_metaschema.xml
+++ b/src/metaschema/oscal_component_metaschema.xml
@@ -351,7 +351,8 @@
         which means it should be consistently used to identify the same subject across revisions of
         the document.</description>
     </define-flag>
-    <!-- The following flags make no sense in teh context of a CDef.
+    <!-- The following flags make no sense in the context of a Component Definition 
+         since the control are implemented by the current component.
     <flag ref="provided-uuid" required="no" />
     <flag ref="implemented-by" required="no" />
     -->

From d0ec68158328c928c37f210d82457d5a85dd93d1 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Mon, 25 Mar 2024 12:40:43 -0400
Subject: [PATCH 45/51] Added flag to satisfy to link it to its interited
 counterpart.

---
 .../oscal_responsibility-common_metaschema.xml       | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 6d8b6ec86b..39f5bd3096 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -301,6 +301,7 @@
       <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented"> machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this satisfied control implementation entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
     </define-flag>
     <flag ref="responsibility-uuid" required="no" />
+    <flag ref="inherited-uuid" required="no" />
     <flag ref="exportable" />
     <model>
       <define-field name="description" as-type="markup-multiline" min-occurs="1"
@@ -378,6 +379,7 @@
     </constraint>
   </define-assembly>
 
+  <!-- FLAGS DEFINITIONS -->
   <define-flag name="provided-uuid" as-type="uuid" scope="local">
     <formal-name>Provided UUID</formal-name>
     <!-- Identifier Reference -->
@@ -403,4 +405,14 @@
       responsibility imposed by a leveraged system.</description>
   </define-flag>
 
+  <define-flag name="inherited-uuid" as-type="uuid" scope="local">
+    <formal-name>Inherited UUID</formal-name>
+    <!-- Identifier Reference -->
+    <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a> identifier reference to the control inherited by the leveraging system from the 
+      leveraged system. The complete satisfaction of the inherited control might depend on responsibilities 
+      that must be locally satisfied by the leveraging system or further passed on as customer responsibilities.
+      This flag binds the inherited control information with current additional control satisfaction information.</description>
+  </define-flag>
+
 </METASCHEMA>
\ No newline at end of file

From 6601aacca95c8ed185c22789cd0ef410ad134682 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Mon, 25 Mar 2024 17:03:50 -0400
Subject: [PATCH 46/51] Cleaned a duplicate definition causing transformation
 errors.

---
 ...oscal_implementation-common_metaschema.xml |  2 +-
 ...oscal_responsibility-common_metaschema.xml | 73 +++++++++++++------
 ...oscal_shared-responsibility_metaschema.xml |  3 +-
 src/metaschema/oscal_ssp_metaschema.xml       | 16 ++--
 4 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index 0650e2c476..bba6142f94 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -979,7 +979,7 @@
             </define-flag>
       </define-field>
 
-      <define-field name="date-authorized" as-type="date" scope="local">
+      <define-field name="date-authorized" as-type="date" >
             <formal-name>System Authorization Date</formal-name>
             <description>The date the system received its most recent authorization to operate.</description>
       </define-field>
diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 39f5bd3096..64e22fd55a 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -1,9 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
 <!-- <!DOCTYPE METASCHEMA [
-  <!ENTITY allowed-values-responsible-roles-system SYSTEM "./shared-constraints/allowed-values-responsible-roles-system.ent">
-  <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
-  <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
+  <!ENTITY allowed-values-responsible-roles-system SYSTEM
+"./shared-constraints/allowed-values-responsible-roles-system.ent">
+  <!ENTITY allowed-values-responsible-roles-operations SYSTEM
+"./shared-constraints/allowed-values-responsible-roles-operations.ent">
+  <!ENTITY allowed-values-responsible-roles-component-production SYSTEM
+"./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
 -->
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -25,14 +28,16 @@
   <import href="oscal_implementation-common_metaschema.xml" />
 
   <!-- Shared Responsibility Assemblies -->
-
+  <!-- ASSEMBLIES DEFINITIONS -->
   <define-assembly name="source-ssp">
     <formal-name>Source SSP</formal-name>
     <description>The leveraged System Security Plan (SSP) that documents the components implementing
       inheritable controls.</description>
-<!-- While it is desirable for the SSP of the system to be in OSCAL, legacy systems might not have one, 
-  and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be required -->
-    <define-flag name="ssp-uuid" as-type="uuid" >
+    <!-- While it is desirable for the SSP of the system to be in OSCAL, legacy systems might not
+    have one, 
+     and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be
+    required -->
+    <define-flag name="ssp-uuid" as-type="uuid">
       <formal-name>SSP Universally Unique Identifier</formal-name>
       <description>A <a
           href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
@@ -45,7 +50,7 @@
         instances</a>.</description>
     </define-flag>
 
-    <define-flag name="sr-uuid" as-type="uuid" >
+    <define-flag name="sr-uuid" as-type="uuid">
       <formal-name>SR Universally Unique Identifier</formal-name>
       <description>A <a
           href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
@@ -81,8 +86,8 @@
 
       <field ref="date-authorized" />
       <field ref="party-uuid" min-occurs="1" />
-      
-      <assembly ref="referenced-profile" max-occurs="1"/>
+
+      <assembly ref="referenced-profile" max-occurs="1" />
 
       <assembly ref="property" max-occurs="unbounded">
         <group-as name="props" in-json="ARRAY" />
@@ -151,7 +156,9 @@
       <define-field name="description" as-type="markup-multiline" min-occurs="1"
         in-xml="WITH_WRAPPER">
         <formal-name>Provided Control Implementation Description</formal-name>
-        <description>An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.</description>
+        <description>An implementation statement that describes the aspects of the control or
+          control statement implementation that can be provided to another system leveraging this
+          system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
         <group-as name="props" in-json="ARRAY" />
@@ -169,20 +176,22 @@
       <is-unique id="unique-provided-responsible-role" target="responsible-role">
         <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
     </constraint>
   </define-assembly>
 
-  <define-assembly name="responsibility" >
+  <define-assembly name="responsibility">
     <formal-name>Control Implementation Responsibility</formal-name>
     <description>Describes a control implementation responsibility imposed on a leveraging system.</description>
     <!-- <group-as name="responsibilities" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Responsibility Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
         machine-oriented</a>, <a
           href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
         unique</a> identifier with <a
@@ -234,7 +243,7 @@
     </constraint>
   </define-assembly>
 
-  <define-assembly name="inherited" >
+  <define-assembly name="inherited">
     <formal-name>Inherited Control Implementation</formal-name>
     <description>Describes a control implementation inherited by a leveraging system.</description>
     <!-- CHANGED: "inherited-group" to "inherited" -->
@@ -298,7 +307,20 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Satisfied Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented"> machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this satisfied control implementation entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this satisfied control implementation entry elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code>
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <flag ref="responsibility-uuid" required="no" />
     <flag ref="inherited-uuid" required="no" />
@@ -339,7 +361,7 @@
     <description>Identifies content intended for external consumption, such as with leveraged
       organizations, customer responsibility documentation, and shared security responsibility
       documentation.</description>
-      
+
     <model>
       <!-- Not clear why exportable flag in an export assembly would be needed. It did not exist
       anyway.
@@ -379,7 +401,7 @@
     </constraint>
   </define-assembly>
 
-  <!-- FLAGS DEFINITIONS -->
+  <!-- FLAG DEFINITIONS -->
   <define-flag name="provided-uuid" as-type="uuid" scope="local">
     <formal-name>Provided UUID</formal-name>
     <!-- Identifier Reference -->
@@ -409,10 +431,17 @@
     <formal-name>Inherited UUID</formal-name>
     <!-- Identifier Reference -->
     <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
-      machine-oriented</a> identifier reference to the control inherited by the leveraging system from the 
-      leveraged system. The complete satisfaction of the inherited control might depend on responsibilities 
-      that must be locally satisfied by the leveraging system or further passed on as customer responsibilities.
-      This flag binds the inherited control information with current additional control satisfaction information.</description>
+      machine-oriented</a> identifier reference to the control inherited by the leveraging system
+      from the leveraged system. The complete satisfaction of the inherited control might depend on
+      responsibilities that must be locally satisfied by the leveraging system or further passed on
+      as customer responsibilities. This flag binds the inherited control information with current
+      additional control satisfaction information.</description>
   </define-flag>
 
+  <!-- FIELDS -->
+  <!-- <define-field name="date-authorized" as-type="date" scope="local">
+    <formal-name>System Authorization Date</formal-name>
+    <description>The date the system received its most recent authorization to operate.</description>
+  </define-field> -->
+
 </METASCHEMA>
\ No newline at end of file
diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index 05c9e5a429..8c74a88d10 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -20,7 +20,7 @@
     <p>The most important assemblies to consider within this current version are: provided,
       responsibilities, inherited, and satisfied.</p>
   </remarks>
-  
+
   <!-- IMPORT STATEMENTS -->
   <!-- Already imported in oscal_responsibility-common_metaschema.xml
   <import href="oscal_metadata_metaschema.xml" />
@@ -383,5 +383,4 @@
     END: SR Additions from SSP
   -->
 
-
 </METASCHEMA>
\ No newline at end of file
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index f92abfa619..17af6d48d6 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-
-<!-- ** NOTES **
+<!-- <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+-->
+  <!-- ** NOTES **
 - Need to check latest FR SSP template for "Privacy Impact Designation".
   Was it dropped in latest template, or is it missing from schema?
 -->
@@ -30,7 +30,7 @@
   <import href="oscal_implementation-common_metaschema.xml"/>
   -->
   <import href="oscal_responsibility-common_metaschema.xml"/>
-
+  
   <!-- ############################################## -->
   <!-- # The SSP Assembly and supporting constructs # -->
   <!-- ############################################## -->
@@ -381,12 +381,6 @@
       <p>If 'other' is selected, a remark must be included to describe the current state.</p>
     </remarks>
   </define-assembly>
-  <!-- Moved to oscal_implementation-commong_metaschema.xml to use it in SR and CDef
-  <define-field name="date-authorized" as-type="date" scope="local">
-    <formal-name>System Authorization Date</formal-name>
-    <description>The date the system received its authorization.</description>
-  </define-field>
-  -->
   <define-assembly name="authorization-boundary">
     <formal-name>Authorization Boundary</formal-name>
     <description>A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.</description>
@@ -859,7 +853,7 @@
       </assembly>
 
       <!-- CHANGED from Export for SRM: Shared Responsibility Assembly -->
-      <assembly ref="provided" max-occurs="unbounded">
+      <assembly ref="provided" max-occurs="unbounded" >
         <group-as name="provided" in-json="ARRAY"/>
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">

From a1b0ecac6a0868f0f6ed0cda2b9e63e479ff7f0c Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Tue, 26 Mar 2024 03:00:07 -0400
Subject: [PATCH 47/51] Fixed xml-to-json conversion

---
 ...oscal_responsibility-common_metaschema.xml | 102 +--
 src/metaschema/oscal_ssp_metaschema.xml       | 820 ++++++++++++------
 2 files changed, 591 insertions(+), 331 deletions(-)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 64e22fd55a..a01bfe6a0b 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -1,12 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
 <!-- <!DOCTYPE METASCHEMA [
-  <!ENTITY allowed-values-responsible-roles-system SYSTEM
-"./shared-constraints/allowed-values-responsible-roles-system.ent">
-  <!ENTITY allowed-values-responsible-roles-operations SYSTEM
-"./shared-constraints/allowed-values-responsible-roles-operations.ent">
-  <!ENTITY allowed-values-responsible-roles-component-production SYSTEM
-"./shared-constraints/allowed-values-responsible-roles-component-production.ent">
+  <!ENTITY allowed-values-responsible-roles-system SYSTEM "./shared-constraints/allowed-values-responsible-roles-system.ent">
+  <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
+  <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
 -->
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -28,40 +25,16 @@
   <import href="oscal_implementation-common_metaschema.xml" />
 
   <!-- Shared Responsibility Assemblies -->
-  <!-- ASSEMBLIES DEFINITIONS -->
+  <!-- ASSEMBLY DEFINITIONS -->
   <define-assembly name="source-ssp">
     <formal-name>Source SSP</formal-name>
     <description>The leveraged System Security Plan (SSP) that documents the components implementing
       inheritable controls.</description>
     <!-- While it is desirable for the SSP of the system to be in OSCAL, legacy systems might not
-    have one, 
-     and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be
+    have one, and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be
     required -->
-    <define-flag name="ssp-uuid" as-type="uuid">
-      <formal-name>SSP Universally Unique Identifier</formal-name>
-      <description>A <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
-        machine-oriented</a>, <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
-        unique</a> identifier with <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
-        scope that can be used to reference the sourced SSP in <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
-        instances</a>.</description>
-    </define-flag>
-
-    <define-flag name="sr-uuid" as-type="uuid">
-      <formal-name>SR Universally Unique Identifier</formal-name>
-      <description>A <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
-        machine-oriented</a>, <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
-        unique</a> identifier with <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
-        scope that can be used to reference the Shared Responsibility leveraged in <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
-        instances</a>.</description>
-    </define-flag>
+    <flag ref="ssp-uuid" required="no" />
+    <flag ref="sr-uuid" required="no" />
 
     <model>
       <define-field name="title" as-type="markup-line">
@@ -156,9 +129,7 @@
       <define-field name="description" as-type="markup-multiline" min-occurs="1"
         in-xml="WITH_WRAPPER">
         <formal-name>Provided Control Implementation Description</formal-name>
-        <description>An implementation statement that describes the aspects of the control or
-          control statement implementation that can be provided to another system leveraging this
-          system.</description>
+        <description>An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
         <group-as name="props" in-json="ARRAY" />
@@ -176,8 +147,7 @@
       <is-unique id="unique-provided-responsible-role" target="responsible-role">
         <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
-            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
     </constraint>
@@ -307,20 +277,12 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Satisfied Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
-        machine-oriented</a>, <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
-        unique</a> identifier with <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
-        scope that can be used to reference this satisfied control implementation entry elsewhere in <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
-        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code>
-        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
-        instance). This UUID should be assigned <a
-          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
-        which means it should be consistently used to identify the same subject across revisions of
-        the document.</description>
+      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this satisfied control implementation entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control implementation</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
     </define-flag>
     <flag ref="responsibility-uuid" required="no" />
     <flag ref="inherited-uuid" required="no" />
@@ -402,6 +364,32 @@
   </define-assembly>
 
   <!-- FLAG DEFINITIONS -->
+  <define-flag name="ssp-uuid" as-type="uuid" >
+    <formal-name>SSP Universally Unique Identifier</formal-name>
+    <description>A <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a>, <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+      unique</a> identifier with <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+      scope that can be used to reference the sourced SSP in <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
+      instances</a>.</description>
+  </define-flag>
+
+  <define-flag name="sr-uuid" as-type="uuid" >
+    <formal-name>SR Universally Unique Identifier</formal-name>
+    <description>A <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+      machine-oriented</a>, <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+      unique</a> identifier with <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+      scope that can be used to reference the Shared Responsibility leveraged in <a
+        href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL
+      instances</a>.</description>
+  </define-flag>
+
   <define-flag name="provided-uuid" as-type="uuid" scope="local">
     <formal-name>Provided UUID</formal-name>
     <!-- Identifier Reference -->
@@ -432,10 +420,10 @@
     <!-- Identifier Reference -->
     <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
       machine-oriented</a> identifier reference to the control inherited by the leveraging system
-      from the leveraged system. The complete satisfaction of the inherited control might depend on
-      responsibilities that must be locally satisfied by the leveraging system or further passed on
-      as customer responsibilities. This flag binds the inherited control information with current
-      additional control satisfaction information.</description>
+      from the leveraged system. The satisfaction of the inherited control might depend on the
+      responsibilities by the leveraging system and must be satisfied by either the leveraging system 
+      or be further passed on as customer responsibilities. The flag binds the inherited control information 
+      with this control information.</description>
   </define-flag>
 
   <!-- FIELDS -->
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 17af6d48d6..58013e73c4 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- <?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
--->
-  <!-- ** NOTES **
+<?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+
+<!-- ** NOTES **
 - Need to check latest FR SSP template for "Privacy Impact Designation".
   Was it dropped in latest template, or is it missing from schema?
 -->
@@ -13,24 +13,26 @@
   <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
 ]>
 <METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
+  xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+  xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
   <schema-name>OSCAL System Security Plan (SSP) Model</schema-name>
   <schema-version>1.1.2</schema-version>
   <short-name>oscal-ssp</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
   <remarks>
-    <p>The OSCAL Control SSP format can be used to describe the information typically specified in a system security plan, such as those defined in NIST SP 800-18.</p>
+    <p>The OSCAL Control SSP format can be used to describe the information typically specified in a
+      system security plan, such as those defined in NIST SP 800-18.</p>
     <p>The root of the OSCAL System Security Plan (SSP) format is <code>system-security-plan</code>.</p>
   </remarks>
 
   <!-- IMPORT STATEMENTS -->
   <!-- The following are already imported into oscal_implementation-common_metaschema.xml
-  <import href="oscal_metadata_metaschema.xml"/>
-  <import href="oscal_implementation-common_metaschema.xml"/>
+  <import href="oscal_metadata_metaschema.xml" />
+  <import href="oscal_implementation-common_metaschema.xml" />
   -->
-  <import href="oscal_responsibility-common_metaschema.xml"/>
-  
+  <import href="oscal_responsibility-common_metaschema.xml" />
+
   <!-- ############################################## -->
   <!-- # The SSP Assembly and supporting constructs # -->
   <!-- ############################################## -->
@@ -41,19 +43,33 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>System Security Plan Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this system security plan (SSP) elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>SSP</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this system security plan (SSP) elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>SSP</code> can be used
+        to reference the data item locally or globally (e.g., in an imported OSCAL instance).This
+        UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <model>
-      <assembly ref="metadata" min-occurs="1"/>
-      <assembly ref="import-profile" min-occurs="1"/>
-      <assembly ref="system-characteristics" min-occurs="1"/>
-      <assembly ref="system-implementation" min-occurs="1"/>
-      <assembly ref="control-implementation" min-occurs="1"/>
-      <assembly ref="back-matter"/>
+      <assembly ref="metadata" min-occurs="1" />
+      <assembly ref="import-profile" min-occurs="1" />
+      <assembly ref="system-characteristics" min-occurs="1" />
+      <assembly ref="system-implementation" min-occurs="1" />
+      <assembly ref="control-implementation" min-occurs="1" />
+      <assembly ref="back-matter" />
     </model>
     <constraint>
-      <index name="by-component-uuid" target="control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component">
-        <key-field target="@uuid"/>
+      <index name="by-component-uuid"
+        target="control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component">
+        <key-field target="@uuid" />
       </index>
     </constraint>
   </define-assembly>
@@ -66,20 +82,37 @@
     <description>Used to import the OSCAL profile representing the system's control baseline.</description>
     <define-flag name="href" as-type="uri-reference" required="yes">
       <formal-name>Profile Reference</formal-name>
-      <description>A resolvable URL reference to the profile or catalog to use as the system's control baseline.</description>
+      <description>A resolvable URL reference to the profile or catalog to use as the system's
+        control baseline.</description>
       <remarks>
         <p>This value may be one of:</p>
         <ol>
-          <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
-          <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
-          <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
+          <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a>
+            that points to a network resolvable resource,</li>
+          <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative
+            reference</a> pointing to a network resolvable resource whose base URI is the URI of the
+            containing document, or</li>
+          <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in
+            this or an imported document (see <a
+              href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking
+            to another OSCAL object</a>).</li>
         </ol>
-        <p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution specification</a> to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.</p>
-        <p>While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.</p>
+        <p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile
+          according to the OSCAL <a
+            href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile
+          resolution specification</a> to produce a resolved profile for use when processing the
+          containing system security plan. This allows a system security plan processor to use the
+          baseline as a catalog of controls.</p>
+        <p>While it is possible to reference a previously resolved OSCAL profile as a catalog, this
+          practice is discouraged since the unresolved form of the profile communicates more
+          information about selections and changes to the underlying catalog. Furthermore, the
+          underlying catalog can be maintained separately from the profile, which also has
+          maintenance advantages for distinct maintainers, ensuring that the best available
+          information is produced through profile resolution.</p>
       </remarks>
     </define-flag>
     <model>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
   </define-assembly>
 
@@ -88,10 +121,11 @@
   <!-- ################################################################# -->
   <define-assembly name="system-characteristics">
     <formal-name>System Characteristics</formal-name>
-    <description>Contains the characteristics of the system, such as its name, purpose, and security impact level.</description>
+    <description>Contains the characteristics of the system, such as its name, purpose, and security
+      impact level.</description>
     <model>
       <field ref="system-id" min-occurs="1" max-occurs="unbounded">
-        <group-as name="system-ids" in-json="ARRAY"/>
+        <group-as name="system-ids" in-json="ARRAY" />
       </field>
       <define-field name="system-name" as-type="string" min-occurs="1">
         <formal-name>System Name - Full</formal-name>
@@ -99,173 +133,248 @@
       </define-field>
       <define-field name="system-name-short" as-type="string">
         <formal-name>System Name - Short</formal-name>
-        <description>A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.</description>
+        <description>A short name for the system, such as an acronym, that is suitable for display
+          in a data table or summary list.</description>
         <remarks>
-          <p>Since <code>system-name-short</code> is optional, if the <code>system-name-short</code> is not provided, the <code>system-name</code> can be used as a substitute.</p>
+          <p>Since <code>system-name-short</code> is optional, if the <code>system-name-short</code>
+            is not provided, the <code>system-name</code> can be used as a substitute.</p>
         </remarks>
       </define-field>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>System Description</formal-name>
         <description>A summary of the system.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
-      <field ref="date-authorized"/>
+      <field ref="date-authorized" />
       <define-field name="security-sensitivity-level" min-occurs="0">
         <formal-name>Security Sensitivity Level</formal-name>
-        <description>The overall information system sensitivity categorization, such as defined by <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.</description>
+        <description>The overall information system sensitivity categorization, such as defined by <a
+            href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.</description>
         <remarks>
-          <p>Often, organizations require the security sensitivity level to correspond with the highest confidentiality, integrity, or availability level identified by <code>security-impact-level</code>.
-          </p>
+          <p>Often, organizations require the security sensitivity level to correspond with the
+            highest confidentiality, integrity, or availability level identified by <code>
+            security-impact-level</code>. </p>
         </remarks>
       </define-field>
-      <assembly ref="system-information" min-occurs="1"/>
-      <assembly ref="security-impact-level" min-occurs="0"/>
-      <assembly ref="status" min-occurs="1"/>
-      <assembly ref="authorization-boundary" min-occurs="1"/>
-      <assembly ref="network-architecture"/>
-      <assembly ref="data-flow"/>
+      <assembly ref="system-information" min-occurs="1" />
+      <assembly ref="security-impact-level" min-occurs="0" />
+      <assembly ref="status" min-occurs="1" />
+      <assembly ref="authorization-boundary" min-occurs="1" />
+      <assembly ref="network-architecture" />
+      <assembly ref="data-flow" />
       <assembly ref="responsible-party" max-occurs="unbounded">
-        <group-as name="responsible-parties" in-json="ARRAY"/>
+        <group-as name="responsible-parties" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-        <enum value="identity-assurance-level">A value of 1, 2, or 3 as defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
-        </enum>
-        <enum value="authenticator-assurance-level">A value of 1, 2, or 3 as defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
-        </enum>
-        <enum value="federation-assurance-level">A value of 1, 2, or 3 as defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
-        </enum>
+        <enum value="identity-assurance-level">A value of 1, 2, or 3 as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>. </enum>
+        <enum value="authenticator-assurance-level">A value of 1, 2, or 3 as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>. </enum>
+        <enum value="federation-assurance-level">A value of 1, 2, or 3 as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>. </enum>
       </allowed-values>
-      <allowed-values target="prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value">
-        <enum value="1">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
+      <allowed-values
+        target="prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value">
+        <enum value="1">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>
+          .
         </enum>
-        <enum value="2">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
+        <enum value="2">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>
+          .
         </enum>
-        <enum value="3">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>.
+        <enum value="3">As defined by <a href="https://doi.org/10.6028/NIST.SP.800-63-3">SP 800-63-3</a>
+          .
         </enum>
       </allowed-values>
       <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-        <enum value="cloud-deployment-model">The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other.</enum>
-        <enum value="cloud-service-model">The associated value is one of: saas, paas, iaas, or other.</enum>
+        <enum value="cloud-deployment-model">The associated value is one of: public-cloud,
+          private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other.</enum>
+        <enum value="cloud-service-model">The associated value is one of: saas, paas, iaas, or
+          other.</enum>
       </allowed-values>
-      <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-deployment-model']/@value">
-        <enum value="public-cloud">The public cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+      <allowed-values
+        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-deployment-model']/@value">
+        <enum value="public-cloud">The public cloud deployment model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="private-cloud">The private cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="private-cloud">The private cloud deployment model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="community-cloud">The community cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="community-cloud">The community cloud deployment model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="hybrid-cloud">The hybrid cloud deployment model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="hybrid-cloud">The hybrid cloud deployment model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
         <!-- TODO: consider generalizing this in a way that applies to other usage contexts. -->
-        <enum value="government-only-cloud">A specific type of community-cloud for use only by government services.</enum>
-        <enum value="other">Any other type of cloud deployment model that is exclusive to the other choices.</enum>
+        <enum value="government-only-cloud">A specific type of community-cloud for use only by
+          government services.</enum>
+        <enum value="other">Any other type of cloud deployment model that is exclusive to the other
+          choices.</enum>
         <remarks>
-          <p>The hybrid cloud deployment model, as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>, can be supported by selecting two or more of the existing deployment models.</p>
+          <p>The hybrid cloud deployment model, as defined by <a
+              href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>,
+            can be supported by selecting two or more of the existing deployment models.</p>
         </remarks>
       </allowed-values>
-      <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-service-model']/@value">
-        <enum value="saas">Software as a service (SaaS) cloud service model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+      <allowed-values
+        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-service-model']/@value">
+        <enum value="saas">Software as a service (SaaS) cloud service model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="paas">Platform as a service (PaaS) cloud service model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="paas">Platform as a service (PaaS) cloud service model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="iaas">Infrastructure as a service (IaaS) cloud service model as defined by <a href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>.
+        <enum value="iaas">Infrastructure as a service (IaaS) cloud service model as defined by <a
+            href="https://doi.org/10.6028/NIST.SP.800-145">The NIST Definition of Cloud Computing</a>
+          .
         </enum>
-        <enum value="other">Any other type of cloud service model that is exclusive to the other choices.</enum>
+        <enum value="other">Any other type of cloud service model that is exclusive to the other
+          choices.</enum>
       </allowed-values>
       <is-unique id="unique-ssp-system-characteristics-responsible-party" target="responsible-party">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code>
+            entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
       <allowed-values target="responsible-party/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-system;
+        &allowed-values-responsible-roles-system;
       </allowed-values>
     </constraint>
   </define-assembly>
   <define-assembly name="system-information">
     <formal-name>System Information</formal-name>
-    <description>Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in <a href="https://doi.org/10.6028/NIST.SP.800-60v2r1">NIST SP 800-60</a>.</description>
+    <description>Contains details about all information types that are stored, processed, or
+      transmitted by the system, such as privacy information, and those defined in <a
+        href="https://doi.org/10.6028/NIST.SP.800-60v2r1">NIST SP 800-60</a>.</description>
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <define-assembly name="information-type" min-occurs="1" max-occurs="unbounded">
         <formal-name>Information Type</formal-name>
-        <description>Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in <a href="https://doi.org/10.6028/NIST.SP.800-60v2r1">NIST SP 800-60</a>.</description>
-        <group-as name="information-types" in-json="ARRAY"/>
+        <description>Contains details about one information type that is stored, processed, or
+          transmitted by the system, such as privacy information, and those defined in <a
+            href="https://doi.org/10.6028/NIST.SP.800-60v2r1">NIST SP 800-60</a>.</description>
+        <group-as name="information-types" in-json="ARRAY" />
         <define-flag name="uuid" as-type="uuid">
           <formal-name>Information Type Universally Unique Identifier</formal-name>
           <!-- Identifier Declaration -->
-          <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this information type elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>information type</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+          <description>A <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+            machine-oriented</a>, <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+            unique</a> identifier with <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+            cross-instance</a> scope that can be used to reference this information type elsewhere
+            in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this
+            or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>information
+            type</code> can be used to reference the data item locally or globally (e.g., in an
+            imported OSCAL instance). This UUID should be assigned <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+            which means it should be consistently used to identify the same subject across revisions
+            of the document.</description>
         </define-flag>
         <model>
           <define-field name="title" as-type="markup-line" min-occurs="1">
             <formal-name>title field</formal-name>
-            <description>A human readable name for the information type. This title should be meaningful within the context of the system.</description>
+            <description>A human readable name for the information type. This title should be
+              meaningful within the context of the system.</description>
           </define-field>
-          <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+          <define-field name="description" as-type="markup-multiline" min-occurs="1"
+            in-xml="WITH_WRAPPER">
             <formal-name>Information Type Description</formal-name>
             <description>A summary of how this information type is used within the system.</description>
           </define-field>
           <define-assembly name="categorization" max-occurs="unbounded">
             <!-- CHANGED: replaced the information-type-id structure with the current structure -->
             <formal-name>Information Type Categorization</formal-name>
-            <description>A set of information type identifiers qualified by the given identification <code>system</code> used, such as NIST SP 800-60.</description>
-            <group-as name="categorizations" in-json="ARRAY"/>
+            <description>A set of information type identifiers qualified by the given identification <code>
+              system</code> used, such as NIST SP 800-60.</description>
+            <group-as name="categorizations" in-json="ARRAY" />
             <define-flag name="system" as-type="uri" required="yes">
               <formal-name>Information Type Identification System</formal-name>
               <description>Specifies the information type identification system used.</description>
               <constraint>
                 <allowed-values allow-other="yes">
-                  <enum value="http://doi.org/10.6028/NIST.SP.800-60v2r1">Based on the section identifiers in NIST <a href="https://doi.org/10.6028/NIST.SP.800-60v2r1">Special Publication 800-60 Volume II Revision 1</a>.</enum>
+                  <enum value="http://doi.org/10.6028/NIST.SP.800-60v2r1">Based on the section
+                    identifiers in NIST <a href="https://doi.org/10.6028/NIST.SP.800-60v2r1">Special
+                    Publication 800-60 Volume II Revision 1</a>.</enum>
                 </allowed-values>
               </constraint>
               <remarks>
-                <p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
+                <p>This value must be an <a
+                    href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a>
+                  that serves as a <a
+                    href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming
+                  system identifier</a>.</p>
               </remarks>
             </define-flag>
             <model>
               <define-field name="information-type-id" as-type="string" max-occurs="unbounded">
-                <!-- This is an id because the idenfier is assigned and managed externally by humans. -->
+                <!-- This is an id because the idenfier is assigned and managed externally by
+                humans. -->
                 <formal-name>Information Type Systematized Identifier</formal-name>
                 <!-- Identifier Declaration -->
-                <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">human-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier qualified by the given identification <code>system</code> used, such as NIST SP 800-60.  This identifier has <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this system elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. This id should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+                <description>A <a
+                    href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">
+                  human-oriented</a>, <a
+                    href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+                  unique</a> identifier qualified by the given identification <code>system</code>
+                  used, such as NIST SP 800-60. This identifier has <a
+                    href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+                  cross-instance</a> scope and can be used to reference this system elsewhere in <a
+                    href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this
+                  or other OSCAL instances</a>. This id should be assigned <a
+                    href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">
+                  per-subject</a>, which means it should be consistently used to identify the same
+                  subject across revisions of the document.</description>
                 <json-value-key>id</json-value-key>
-                <group-as name="information-type-ids" in-json="ARRAY"/>
+                <group-as name="information-type-ids" in-json="ARRAY" />
               </define-field>
             </model>
           </define-assembly>
           <assembly ref="property" max-occurs="unbounded">
-            <group-as name="props" in-json="ARRAY"/>
+            <group-as name="props" in-json="ARRAY" />
           </assembly>
           <assembly ref="link" max-occurs="unbounded">
-            <group-as name="links" in-json="ARRAY"/>
+            <group-as name="links" in-json="ARRAY" />
           </assembly>
           <assembly ref="impact">
             <formal-name>Confidentiality Impact Level</formal-name>
-            <description>The expected level of impact resulting from the unauthorized disclosure of the described information.</description>
+            <description>The expected level of impact resulting from the unauthorized disclosure of
+              the described information.</description>
             <use-name>confidentiality-impact</use-name>
           </assembly>
           <assembly ref="impact">
             <formal-name>Integrity Impact Level</formal-name>
-            <description>The expected level of impact resulting from the unauthorized modification of the described information.</description>
+            <description>The expected level of impact resulting from the unauthorized modification
+              of the described information.</description>
             <use-name>integrity-impact</use-name>
           </assembly>
           <assembly ref="impact">
             <formal-name>Availability Impact Level</formal-name>
-            <description>The expected level of impact resulting from the disruption of access to or use of the described information or the information system.</description>
+            <description>The expected level of impact resulting from the disruption of access to or
+              use of the described information or the information system.</description>
             <use-name>availability-impact</use-name>
           </assembly>
         </model>
@@ -280,31 +389,38 @@
       <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
         <enum value="privacy-designation">Is this a privacy sensitive system? yes or no</enum>
       </allowed-values>
-      <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privacy-designation']/@value">
+      <allowed-values
+        target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privacy-designation']/@value">
         <enum value="yes">The system is privacy sensitive.</enum>
         <enum value="no">The system is not privacy sensitive.</enum>
       </allowed-values>
       <allowed-values target="link/@rel" allow-other="yes">
         <enum value="privacy-impact-assessment">A link to the privacy impact assessment.</enum>
       </allowed-values>
-      <matches target="link[@rel='privacy-impact-assessment']/@href[starts-with(.,'#')]" datatype="uri-reference"/>
-      <index-has-key name="index-back-matter-resource" target="link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]">
-        <key-field target="@href" pattern="#(.*)"/>
+      <matches target="link[@rel='privacy-impact-assessment']/@href[starts-with(.,'#')]"
+        datatype="uri-reference" />
+      <index-has-key name="index-back-matter-resource"
+        target="link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]">
+        <key-field target="@href" pattern="#(.*)" />
       </index-has-key>
       <!-- 
         TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
         add the path target to security-sensitivity-level as well.
       -->
-      <matches target="link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]" datatype="uri"/>
-      <allowed-values target="information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)" allow-other="yes">
-        <enum value="fips-199-low">A 'low' sensitivity level as defined in <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.
-        </enum>
-        <enum value="fips-199-moderate">A 'moderate' sensitivity level as defined in <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.
-        </enum>
-        <enum value="fips-199-high">A 'high' sensitivity level as defined in <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.
-        </enum>
+      <matches target="link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]"
+        datatype="uri" />
+      <allowed-values
+        target="information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"
+        allow-other="yes">
+        <enum value="fips-199-low">A 'low' sensitivity level as defined in <a
+            href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>. </enum>
+        <enum value="fips-199-moderate">A 'moderate' sensitivity level as defined in <a
+            href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>. </enum>
+        <enum value="fips-199-high">A 'high' sensitivity level as defined in <a
+            href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>. </enum>
         <remarks>
-          <p>FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.</p>
+          <p>FIPS-199 taxonomy is provided here as a starting point. We will provide other
+            taxonomies based on community requests.</p>
         </remarks>
       </allowed-values>
     </constraint>
@@ -314,19 +430,20 @@
     <description>The expected level of impact resulting from the described information.</description>
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
-      <field ref="base" min-occurs="1"/>
-      <field ref="selected"/>
-      <field ref="adjustment-justification" in-xml="WITH_WRAPPER"/>
+      <field ref="base" min-occurs="1" />
+      <field ref="selected" />
+      <field ref="adjustment-justification" in-xml="WITH_WRAPPER" />
     </model>
   </define-assembly>
   <define-field name="base" as-type="string" scope="local">
     <formal-name>Base Level (Confidentiality, Integrity, or Availability)</formal-name>
-    <description>The prescribed base (Confidentiality, Integrity, or Availability) security impact level.</description>
+    <description>The prescribed base (Confidentiality, Integrity, or Availability) security impact
+      level.</description>
   </define-field>
   <define-field name="selected" as-type="string" scope="local">
     <formal-name>Selected Level (Confidentiality, Integrity, or Availability)</formal-name>
@@ -334,11 +451,13 @@
   </define-field>
   <define-field name="adjustment-justification" as-type="markup-multiline" scope="local">
     <formal-name>Adjustment Justification</formal-name>
-    <description>If the selected security level is different from the base security level, this contains the justification for the change.</description>
+    <description>If the selected security level is different from the base security level, this
+      contains the justification for the change.</description>
   </define-field>
   <define-assembly name="security-impact-level">
     <formal-name>Security Impact Level</formal-name>
-    <description>The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.</description>
+    <description>The overall level of expected impact resulting from unauthorized disclosure,
+      modification, or loss of access to information.</description>
     <model>
       <!-- 
         TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
@@ -346,15 +465,18 @@
       -->
       <define-field name="security-objective-confidentiality" as-type="string" min-occurs="1">
         <formal-name>Security Objective: Confidentiality</formal-name>
-        <description>A target-level of confidentiality for the system, based on the sensitivity of information within the system.</description>
+        <description>A target-level of confidentiality for the system, based on the sensitivity of
+          information within the system.</description>
       </define-field>
       <define-field name="security-objective-integrity" as-type="string" min-occurs="1">
         <formal-name>Security Objective: Integrity</formal-name>
-        <description>A target-level of integrity for the system, based on the sensitivity of information within the system.</description>
+        <description>A target-level of integrity for the system, based on the sensitivity of
+          information within the system.</description>
       </define-field>
       <define-field name="security-objective-availability" as-type="string" min-occurs="1">
         <formal-name>Security Objective: Availability</formal-name>
-        <description>A target-level of availability for the system, based on the sensitivity of information within the system.</description>
+        <description>A target-level of availability for the system, based on the sensitivity of
+          information within the system.</description>
       </define-field>
     </model>
   </define-assembly>
@@ -368,45 +490,52 @@
         <allowed-values>
           <enum value="operational">The system is currently operating in production.</enum>
           <enum value="under-development">The system is being designed, developed, or implemented</enum>
-          <enum value="under-major-modification">The system is undergoing a major change, development, or transition.</enum>
+          <enum value="under-major-modification">The system is undergoing a major change,
+            development, or transition.</enum>
           <enum value="disposition">The system is no longer operational.</enum>
           <enum value="other">Some other state.</enum>
         </allowed-values>
       </constraint>
     </define-flag>
     <model>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <remarks>
       <p>If 'other' is selected, a remark must be included to describe the current state.</p>
     </remarks>
   </define-assembly>
+  <define-field name="date-authorized" as-type="date" scope="local">
+    <formal-name>System Authorization Date</formal-name>
+    <description>The date the system received its authorization.</description>
+  </define-field>
   <define-assembly name="authorization-boundary">
     <formal-name>Authorization Boundary</formal-name>
-    <description>A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.</description>
+    <description>A description of this system's authorization boundary, optionally supplemented by
+      diagrams that illustrate the authorization boundary.</description>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Authorization Boundary Description</formal-name>
         <description>A summary of the system's authorization boundary.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships? -->
       </assembly>
       <assembly ref="diagram" max-occurs="unbounded">
-        <group-as name="diagrams" in-json="ARRAY"/>
+        <group-as name="diagrams" in-json="ARRAY" />
         <remarks>
           <p>A visual depiction of the system's authorization boundary.</p>
         </remarks>
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-ssp-authorization-boundary-diagram" target="diagram">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
         <remarks>
           <p>A given <code>uuid</code> must be assigned only once to a diagram.</p>
         </remarks>
@@ -419,105 +548,128 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Diagram ID</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this diagram elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>diagram</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this diagram elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>diagram</code> can be
+        used to reference the data item locally or globally (e.g., in an imported OSCAL instance).
+        This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <model>
       <define-field name="description" as-type="markup-multiline" in-xml="WITH_WRAPPER">
         <formal-name>Diagram Description</formal-name>
         <description>A summary of the diagram.</description>
         <remarks>
-          <p>This description is intended to be used as alternate text to support compliance with requirements from <a href="https://www.section508.gov/manage/laws-and-policies">Section 508 of the United States Workforce Rehabilitation Act of 1973</a>.
-          </p>
+          <p>This description is intended to be used as alternate text to support compliance with
+            requirements from <a href="https://www.section508.gov/manage/laws-and-policies">Section
+            508 of the United States Workforce Rehabilitation Act of 1973</a>. </p>
         </remarks>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <define-field name="caption" as-type="markup-line">
         <formal-name>Caption</formal-name>
         <description>A brief caption to annotate the diagram.</description>
       </define-field>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="link/@rel" allow-other="yes">
         <enum value="diagram">A reference to the diagram image.</enum>
       </allowed-values>
-      <matches target="link[@rel='diagram']/@href[starts-with(.,'#')]" datatype="uri-reference"/>
-      <index-has-key name="index-back-matter-resource" target="link[@rel='diagram' and starts-with(@href,'#')]">
-        <key-field target="@href" pattern="#(.*)"/>
+      <matches target="link[@rel='diagram']/@href[starts-with(.,'#')]" datatype="uri-reference" />
+      <index-has-key name="index-back-matter-resource"
+        target="link[@rel='diagram' and starts-with(@href,'#')]">
+        <key-field target="@href" pattern="#(.*)" />
       </index-has-key>
-      <matches target="link[@rel='diagram']/@href[not(starts-with(.,'#'))]" datatype="uri"/>
+      <matches target="link[@rel='diagram']/@href[not(starts-with(.,'#'))]" datatype="uri" />
     </constraint>
     <remarks>
-      <p>A diagram must include a <code>link</code> with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.</p>
+      <p>A diagram must include a <code>link</code> with a rel value of "diagram", who's href
+        references a remote URI or an internal reference within this document containing the
+        diagram.</p>
     </remarks>
     <example>
       <remarks>
-        <p>The internal reference "#diagram1" points to an attached resource defined in the <code>back-matter</code> as a <code>resource</code>. The <code>media-type</code> indicates that the image is a Portable Network Graphics (PNG) image.</p>
+        <p>The internal reference "#diagram1" points to an attached resource defined in the <code>
+          back-matter</code> as a <code>resource</code>. The <code>media-type</code> indicates that
+          the image is a Portable Network Graphics (PNG) image.</p>
       </remarks>
       <o:diagram xmlns:o="http://csrc.nist.gov/ns/oscal/example" id="boundary-diagram-1">
         <o:description>A boundary diagram.</o:description>
-        <o:link rel="diagram" href="#diagram1" media-type="image/png"/>
+        <o:link rel="diagram" href="#diagram1" media-type="image/png" />
       </o:diagram>
     </example>
   </define-assembly>
   <define-assembly name="network-architecture">
     <formal-name>Network Architecture</formal-name>
-    <description>A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.</description>
+    <description>A description of the system's network architecture, optionally supplemented by
+      diagrams that illustrate the network architecture.</description>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Network Architecture Description</formal-name>
         <description>A summary of the system's network architecture.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships? -->
       </assembly>
       <assembly ref="diagram" max-occurs="unbounded">
-        <group-as name="diagrams" in-json="ARRAY"/>
+        <group-as name="diagrams" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-ssp-network-architecture-diagram" target="diagram">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
         <remarks>
           <p>A given <code>uuid</code> must be assigned only once to a diagram.</p>
         </remarks>
       </is-unique>
     </constraint>
-    
+
   </define-assembly>
   <define-assembly name="data-flow">
     <formal-name>Data Flow</formal-name>
-    <description>A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.</description>
+    <description>A description of the logical flow of information within the system and across its
+      boundaries, optionally supplemented by diagrams that illustrate these flows.</description>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Data Flow Description</formal-name>
         <description>A summary of the system's data flow.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships? -->
       </assembly>
       <assembly ref="diagram" max-occurs="unbounded">
-        <group-as name="diagrams" in-json="ARRAY"/>
+        <group-as name="diagrams" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <is-unique id="unique-ssp-data-flow-diagram" target="diagram">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
         <remarks>
           <p>A given <code>uuid</code> must be assigned only once to a diagram.</p>
         </remarks>
@@ -533,116 +685,157 @@
     <description>Provides information as to how the system is implemented.</description>
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships? -->
       </assembly>
       <define-assembly name="leveraged-authorization" max-occurs="unbounded">
         <formal-name>Leveraged Authorization</formal-name>
-        <description>A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a <em>common control provider</em>.</description>
-        <group-as name="leveraged-authorizations" in-json="ARRAY"/>
+        <description>A description of another authorized system from which this system inherits
+          capabilities that satisfy security requirements. Another term for this concept is a <em>common
+          control provider</em>.</description>
+        <group-as name="leveraged-authorizations" in-json="ARRAY" />
         <define-flag name="uuid" as-type="uuid" required="yes">
           <formal-name>Leveraged Authorization Universally Unique Identifier</formal-name>
           <!-- Identifier Declaration -->
-          <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope and can be used to reference this leveraged authorization elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged authorization</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+          <description>A <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+            machine-oriented</a>, <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+            unique</a> identifier with <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">
+            cross-instance</a> scope and can be used to reference this leveraged authorization
+            elsewhere in <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or
+            other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>leveraged
+            authorization</code> can be used to reference the data item locally or globally (e.g.,
+            in an imported OSCAL instance). This UUID should be assigned <a
+              href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+            which means it should be consistently used to identify the same subject across revisions
+            of the document.</description>
         </define-flag>
-        <flag ref="ssp-uuid" required="no"/>
-        <flag ref="sr-uuid" required="no"/>
+        <flag ref="ssp-uuid" required="no" />
+        <flag ref="sr-uuid" required="no" />
         <model>
           <define-field name="title" as-type="markup-line" min-occurs="1">
             <formal-name>title field</formal-name>
-            <description>A human readable name for the leveraged authorization in the context of the system.</description>
+            <description>A human readable name for the leveraged authorization in the context of the
+              system.</description>
           </define-field>
           <assembly ref="property" max-occurs="unbounded">
-            <group-as name="props" in-json="ARRAY"/>
+            <group-as name="props" in-json="ARRAY" />
           </assembly>
           <assembly ref="link" max-occurs="unbounded">
-            <group-as name="links" in-json="ARRAY"/>
+            <group-as name="links" in-json="ARRAY" />
           </assembly>
-          <field ref="party-uuid" min-occurs="1"/>
-          <field ref="date-authorized" min-occurs="1"/>
-          <field ref="remarks" in-xml="WITH_WRAPPER"/>
+          <define-field name="party-uuid" as-type="uuid" min-occurs="1">
+            <formal-name>party-uuid field</formal-name>
+            <!-- Identifier Reference -->
+            <description>A <a
+                href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+              machine-oriented</a> identifier reference to the <code>party</code> that manages the
+              leveraged system.</description>
+          </define-field>
+          <field ref="date-authorized" min-occurs="1" />
+          <field ref="remarks" in-xml="WITH_WRAPPER" />
         </model>
         <constraint>
           <allowed-values target="link/@rel" allow-other="yes">
-            <enum value="system-security-plan">A reference to the system security plan for the leveraged authorization.</enum>
+            <enum value="system-security-plan">A reference to the system security plan for the
+              leveraged authorization.</enum>
           </allowed-values>
-          <matches target="link[@rel='system-security-plan']/@href[starts-with(.,'#')]" datatype="uri-reference"/>
-          <index-has-key name="index-back-matter-resource" target="link[@rel='system-security-plan' and starts-with(@href,'#')]">
-            <key-field target="@href" pattern="#(.*)"/>
+          <matches target="link[@rel='system-security-plan']/@href[starts-with(.,'#')]"
+            datatype="uri-reference" />
+          <index-has-key name="index-back-matter-resource"
+            target="link[@rel='system-security-plan' and starts-with(@href,'#')]">
+            <key-field target="@href" pattern="#(.*)" />
           </index-has-key>
-          <matches target="link[@rel='system-security-plan']/@href[not(starts-with(.,'#'))]" datatype="uri"/>
+          <matches target="link[@rel='system-security-plan']/@href[not(starts-with(.,'#'))]"
+            datatype="uri" />
         </constraint>
       </define-assembly>
 
       <assembly ref="system-user" min-occurs="1" max-occurs="unbounded">
         <use-name>user</use-name>
-        <group-as name="users" in-json="ARRAY"/>
+        <group-as name="users" in-json="ARRAY" />
       </assembly>
       <assembly ref="system-component" min-occurs="1" max-occurs="unbounded">
         <use-name>component</use-name>
-        <group-as name="components" in-json="ARRAY"/>
+        <group-as name="components" in-json="ARRAY" />
       </assembly>
       <!--         <assembly ref="capability" max-occurs="unbounded">
             <group-as name="capabilities" in-json="BY_KEY"/>
          </assembly>
          -->
       <assembly ref="inventory-item" min-occurs="0" max-occurs="unbounded">
-        <group-as name="inventory-items" in-json="ARRAY"/>
+        <group-as name="inventory-items" in-json="ARRAY" />
         <remarks>
-          <p>A set of <code>inventory-item</code> entries that represent the managed inventory instances of the system.</p>
+          <p>A set of <code>inventory-item</code> entries that represent the managed inventory
+            instances of the system.</p>
         </remarks>
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
-      <!-- TODO: future: for FedRAMP, have user counts as props: current/internal, current/external, future/internal, future, external -->
-      <index name="index-system-implementation-leveraged-authorization-uuid" target="leveraged-authorization">
-        <key-field target="@uuid"/>
+      <!-- TODO: future: for FedRAMP, have user counts as props: current/internal, current/external,
+      future/internal, future, external -->
+      <index name="index-system-implementation-leveraged-authorization-uuid"
+        target="leveraged-authorization">
+        <key-field target="@uuid" />
       </index>
-      <index-has-key name="index-system-implementation-leveraged-authorization-uuid" target="component/prop[@name='leveraged-authorization-uuid']">
-        <key-field target="@value"/>
+      <index-has-key name="index-system-implementation-leveraged-authorization-uuid"
+        target="component/prop[@name='leveraged-authorization-uuid']">
+        <key-field target="@value" />
       </index-has-key>
 
       <!-- References to components -->
       <index name="index-system-implementation-component-uuid" target="component">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
       </index>
-      <index-has-key name="index-system-implementation-component-uuid" target="component/link[@rel='depends-on']">
-        <key-field target="@href"/>
+      <index-has-key name="index-system-implementation-component-uuid"
+        target="component/link[@rel='depends-on']">
+        <key-field target="@href" />
       </index-has-key>
 
       <!-- References to components of @type="validation" -->
-      <index name="index-system-implementation-component-uuid-validation" target="component[@type='validation']">
-        <key-field target="@uuid"/>
+      <index name="index-system-implementation-component-uuid-validation"
+        target="component[@type='validation']">
+        <key-field target="@uuid" />
       </index>
-      <index-has-key name="index-system-implementation-component-uuid-validation" target="component/link[@rel='validated-by']">
-        <key-field target="@href"/>
+      <index-has-key name="index-system-implementation-component-uuid-validation"
+        target="component/link[@rel='validated-by']">
+        <key-field target="@href" />
       </index-has-key>
-      <index-has-key name="index-system-implementation-component-uuid-validation" target="component/link[@rel='proof-of-compliance']">
-        <key-field target="@href"/>
+      <index-has-key name="index-system-implementation-component-uuid-validation"
+        target="component/link[@rel='proof-of-compliance']">
+        <key-field target="@href" />
       </index-has-key>
 
       <!-- References to components of @type="service" -->
-      <index name="index-system-implementation-component-uuid-service" target="component[@type='service']">
-        <key-field target="@uuid"/>
+      <index name="index-system-implementation-component-uuid-service"
+        target="component[@type='service']">
+        <key-field target="@uuid" />
       </index>
-      <index-has-key name="index-system-implementation-component-uuid-service" target="component/link[@rel='uses-service']">
-        <key-field target="@href"/>
+      <index-has-key name="index-system-implementation-component-uuid-service"
+        target="component/link[@rel='uses-service']">
+        <key-field target="@href" />
       </index-has-key>
 
       <!-- References to components of @type="software" -->
-      <index name="index-system-implementation-component-uuid-software" target="component[@type='service']">
-        <key-field target="@uuid"/>
+      <index name="index-system-implementation-component-uuid-software"
+        target="component[@type='service']">
+        <key-field target="@uuid" />
       </index>
-      <index-has-key name="index-system-implementation-component-uuid-software" target="component[@type='service']/link[@rel='provided-by']">
-        <key-field target="@href"/>
+      <index-has-key name="index-system-implementation-component-uuid-software"
+        target="component[@type='service']/link[@rel='provided-by']">
+        <key-field target="@href" />
       </index-has-key>
 
       <!-- TODO: check that prop names are defined -->
-      <allowed-values target="(component | inventory-item)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value">
+      <allowed-values
+        target="(component | inventory-item)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value">
         <enum value="yes">The component allows an authenticated scan.</enum>
         <enum value="no">The component does not allow an authenticated scan.</enum>
       </allowed-values>
@@ -650,7 +843,7 @@
       <!-- TODO: only allow a single "this-system" component -->
 
       <is-unique id="unique-ssp-system-implementation-user" target="user">
-        <key-field target="@uuid"/>
+        <key-field target="@uuid" />
         <remarks>
           <p>A given <code>uuid</code> must be assigned only once to a user.</p>
         </remarks>
@@ -662,27 +855,33 @@
     <formal-name>Control Implementation</formal-name>
     <description>Describes how the system satisfies a set of controls.</description>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Description</formal-name>
-        <description>A statement describing important things to know about how this set of control satisfaction documentation is approached.</description>
+        <description>A statement describing important things to know about how this set of control
+          satisfaction documentation is approached.</description>
       </define-field>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="implemented-requirement" min-occurs="1" max-occurs="unbounded">
-        <group-as name="implemented-requirements" in-json="ARRAY"/>
+        <group-as name="implemented-requirements" in-json="ARRAY" />
       </assembly>
     </model>
     <constraint>
       <is-unique id="unique-ssp-control-implementation-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for all controls referenced by any <code>implemented-requirement</code> contained in this context. Any <code>set-parameter</code> defined in a child context will override this value. If not overridden by a child, this value applies in the child context.</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for all controls
+        referenced by any <code>implemented-requirement</code> contained in this context. Any <code>
+        set-parameter</code> defined in a child context will override this value. If not overridden
+        by a child, this value applies in the child context.</p>
     </remarks>
   </define-assembly>
   <define-assembly name="implemented-requirement" scope="local">
@@ -691,84 +890,112 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Control Requirement Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this control requirement elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control requirement</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this control requirement elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>control requirement</code>
+        can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
-    <flag ref="control-id" required="yes"/>
+    <flag ref="control-id" required="yes" />
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
         <!-- TODO: Model specific link relationships -->
       </assembly>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <assembly ref="statement" max-occurs="unbounded">
-        <group-as name="statements" in-json="ARRAY"/>
+        <group-as name="statements" in-json="ARRAY" />
       </assembly>
       <assembly ref="by-component" min-occurs="0" max-occurs="unbounded">
-        <group-as name="by-components" in-json="ARRAY"/>
+        <group-as name="by-components" in-json="ARRAY" />
       </assembly>
       <!-- TODO: Implement parameters -->
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
-      <allowed-values target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
-        <enum value="control-origination">Identifies the source of the implemented control.  Any <code>control-origination</code> prop defined in a child context will override the parent value.</enum>
+      <allowed-values
+        target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
+        <enum value="control-origination">Identifies the source of the implemented control. Any <code>
+          control-origination</code> prop defined in a child context will override the parent value.</enum>
       </allowed-values>
-      <allowed-values target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='control-origination']/@value">
-        <enum value="organization">The control is implemented by the organization owning the system, but is not specific to the system itself.</enum>
+      <allowed-values
+        target="(.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='control-origination']/@value">
+        <enum value="organization">The control is implemented by the organization owning the system,
+          but is not specific to the system itself.</enum>
         <enum value="system-specific">The control is implemented specifically to this system.</enum>
-        <enum value="customer-configured">The control is provided by the system, but must be configured by the customer.</enum>
+        <enum value="customer-configured">The control is provided by the system, but must be
+          configured by the customer.</enum>
         <enum value="customer-provided">The control must be implemented by the customer.</enum>
         <enum value="inherited">This control is inherited from an underlying system.</enum>
       </allowed-values>
       <allowed-values target="responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-operations;
       </allowed-values>
-      <index-has-key name="index-metadata-role-id" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
-        <key-field target="@role-id"/>
+      <index-has-key name="index-metadata-role-id"
+        target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
+        <key-field target="@role-id" />
       </index-has-key>
-      <index-has-key name="index-metadata-party-uuid" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
-        <key-field target="party-uuid"/>
+      <index-has-key name="index-metadata-party-uuid"
+        target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
+        <key-field target="party-uuid" />
       </index-has-key>
       <has-cardinality target=".//by-component" min-occurs="1">
         <remarks>
-          <p>Since all implementation statements are defined at the by-component level (e.g., type=this-system), there must be at least one by-component.</p>
+          <p>Since all implementation statements are defined at the by-component level (e.g.,
+            type=this-system), there must be at least one by-component.</p>
         </remarks>
       </has-cardinality>
       <is-unique id="unique-ssp-implemented-requirement-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-statement" target="statement">
-        <key-field target="@statement-id"/>
+        <key-field target="@statement-id" />
         <remarks>
-          <p>Since <code>statement</code> entries can be referenced using the statement's statement-id, each statement must be referenced only once.</p>
+          <p>Since <code>statement</code> entries can be referenced using the statement's
+            statement-id, each statement must be referenced only once.</p>
         </remarks>
       </is-unique>
       <is-unique id="unique-ssp-implemented-requirement-by-component" target="by-component">
-        <key-field target="@component-uuid"/>
+        <key-field target="@component-uuid" />
         <remarks>
-          <p>Since <code>by-component</code> can reference <code>component</code> entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same <code>by-component</code> entry.</p>
+          <p>Since <code>by-component</code> can reference <code>component</code> entries using the
+            component's uuid, each component must be referenced only once. This ensures that all
+            implementation statements are contained in the same <code>by-component</code> entry.</p>
         </remarks>
       </is-unique>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the referenced control. Any <code>set-parameter</code> defined in a child context will override this value. If not overridden by a child, this value applies in the child context.</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the referenced
+        control. Any <code>set-parameter</code> defined in a child context will override this value.
+        If not overridden by a child, this value applies in the child context.</p>
     </remarks>
   </define-assembly>
   <define-assembly name="statement" scope="local">
@@ -782,88 +1009,122 @@
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Control Statement Reference Universally Unique Identifier</formal-name>
       <!-- Identifier Reference -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this control statement elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The <em>UUID</em> of the <code>control statement</code> in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this control statement elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The <em>UUID</em> of the <code>control statement</code> in the source
+        OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an
+        imported OSCAL instance).</description>
     </define-flag>
     <model>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <assembly ref="by-component" max-occurs="unbounded">
-        <group-as name="by-components" in-json="ARRAY"/>
+        <group-as name="by-components" in-json="ARRAY" />
       </assembly>
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-operations;
       </allowed-values>
       <is-unique id="unique-ssp-statement-responsible-role" target="responsible-role">
-        <key-field target="@role-id"/>
+        <key-field target="@role-id" />
         <remarks>
-          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+          <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+            with a single <code>role-id</code>, each role-id must be referenced only once.</p>
         </remarks>
       </is-unique>
-      <is-unique id="unique-ssp-implemented-requirement-statement-by-component" target="by-component">
-        <key-field target="@component-uuid"/>
+      <is-unique id="unique-ssp-implemented-requirement-statement-by-component"
+        target="by-component">
+        <key-field target="@component-uuid" />
         <remarks>
-          <p>Since <code>by-component</code> can reference <code>component</code> entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same <code>by-component</code> entry.</p>
+          <p>Since <code>by-component</code> can reference <code>component</code> entries using the
+            component's uuid, each component must be referenced only once. This ensures that all
+            implementation statements are contained in the same <code>by-component</code> entry.</p>
         </remarks>
       </is-unique>
-      
+
     </constraint>
   </define-assembly>
   <define-assembly name="by-component">
-    <!-- QUESTION: Should set-parameter be moved here to allow component-specific parameter settings? or "this-system" for the whole system? -->
+    <!-- QUESTION: Should set-parameter be moved here to allow component-specific parameter
+    settings? or "this-system" for the whole system? -->
     <formal-name>Component Control Implementation</formal-name>
     <description>Defines how the referenced component implements a set of controls.</description>
     <define-flag required="yes" name="component-uuid" as-type="uuid">
       <formal-name>Component Universally Unique Identifier Reference</formal-name>
       <!-- Identifier Reference -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the <code>component</code> that is implemeting a given control.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a> identifier reference to the <code>component</code> that is implemeting
+        a given control.</description>
     </define-flag>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>By-Component Universally Unique Identifier</formal-name>
       <!-- Identifier Declaration -->
-      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this by-component entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>by-component</code> entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
+      <description>A <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+        machine-oriented</a>, <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+        unique</a> identifier with <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+        scope that can be used to reference this by-component entry elsewhere in <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+        OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>by-component</code>
+        entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+        instance). This UUID should be assigned <a
+          href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+        which means it should be consistently used to identify the same subject across revisions of
+        the document.</description>
     </define-flag>
     <model>
-      <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
+      <define-field name="description" as-type="markup-multiline" min-occurs="1"
+        in-xml="WITH_WRAPPER">
         <formal-name>Control Implementation Description</formal-name>
-        <description>An implementation statement that describes how a control or a control statement is implemented within the referenced system component.</description>
+        <description>An implementation statement that describes how a control or a control statement
+          is implemented within the referenced system component.</description>
       </define-field>
       <assembly ref="property" max-occurs="unbounded">
-        <group-as name="props" in-json="ARRAY"/>
+        <group-as name="props" in-json="ARRAY" />
       </assembly>
       <assembly ref="link" max-occurs="unbounded">
-        <group-as name="links" in-json="ARRAY"/>
+        <group-as name="links" in-json="ARRAY" />
       </assembly>
       <assembly ref="set-parameter" max-occurs="unbounded">
-        <group-as name="set-parameters" in-json="ARRAY"/>
+        <group-as name="set-parameters" in-json="ARRAY" />
       </assembly>
       <assembly ref="implementation-status">
         <remarks>
-          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value
+            to indicate the degree to which the control is implemented.</p>
         </remarks>
       </assembly>
 
       <!-- CHANGED from Export for SRM: Shared Responsibility Assembly -->
-      <assembly ref="provided" max-occurs="unbounded" >
-        <group-as name="provided" in-json="ARRAY"/>
+      <assembly ref="provided" max-occurs="unbounded">
+        <group-as name="provided" in-json="ARRAY" />
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibilities" in-json="ARRAY"/>
+        <group-as name="responsibilities" in-json="ARRAY" />
       </assembly>
       <assembly ref="inherited" max-occurs="unbounded">
-        <group-as name="inherited" in-json="ARRAY"/>
+        <group-as name="inherited" in-json="ARRAY" />
       </assembly>
       <assembly ref="satisfied" max-occurs="unbounded">
-        <group-as name="satisfied" in-json="ARRAY"/>
+        <group-as name="satisfied" in-json="ARRAY" />
       </assembly>
 
       <assembly ref="export" max-occurs="1">
@@ -873,38 +1134,49 @@
       </assembly>
 
       <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
+        <group-as name="responsible-roles" in-json="ARRAY" />
       </assembly>
       <!-- CHANGED: removed "set-parameter" -->
-      <field ref="remarks" in-xml="WITH_WRAPPER"/>
+      <field ref="remarks" in-xml="WITH_WRAPPER" />
     </model>
     <constraint>
       <allowed-values target="link/@rel" allow-other="yes">
-        <!-- TODO: More work needs to be done around link enforcement constraints and requires Metaschema work on recurse-depth-first() recursive index searching. -->
-        <enum value="imported-from">The hyperlink identifies a URI pointing to the <code>component</code> in a <code>component-definition</code> that originally described the <code>component</code> this component was based on.</enum>
+        <!-- TODO: More work needs to be done around link enforcement constraints and requires
+        Metaschema work on recurse-depth-first() recursive index searching. -->
+        <enum value="imported-from">The hyperlink identifies a URI pointing to the <code>component</code>
+          in a <code>component-definition</code> that originally described the <code>component</code>
+          this component was based on.</enum>
       </allowed-values>
       <allowed-values target=".//responsible-role/@role-id" allow-other="yes">
-            &allowed-values-responsible-roles-operations;
-            &allowed-values-responsible-roles-component-production;
+        &allowed-values-responsible-roles-operations;
+        &allowed-values-responsible-roles-component-production;
       </allowed-values>
       <is-unique id="unique-ssp-by-component-set-parameter" target="set-parameter">
-        <key-field target="@param-id"/>
+        <key-field target="@param-id" />
         <remarks>
-          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must be set only once.</p>
+          <p>Since multiple <code>set-parameter</code> entries can be provided, each parameter must
+            be set only once.</p>
         </remarks>
       </is-unique>
 
       <allowed-values target="link/@rel" allow-other="yes">
-        <enum value="provided-by">A reference to the UUID of a control or statement <code>by-component</code> object that is used as evidence of implementation.</enum>
+        <enum value="provided-by">A reference to the UUID of a control or statement <code>
+          by-component</code> object that is used as evidence of implementation.</enum>
       </allowed-values>
       <index-has-key name="by-component-uuid" target="link[@rel='provided-by']">
         <key-field target="@href" pattern="#(.*)" />
       </index-has-key>
     </constraint>
     <remarks>
-      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the control referenced in the containing <code>implemented-requirement</code> applied to the referenced component. If the <code>by-component</code> is used as a child of a <code>statement</code>, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the <code>control-implementation</code> or a specific <code>implemented-requirement</code>, then this <code>by-component/set-parameter</code> value will override the other value(s) in the context of the referenced component, control, and statement (if parent).</p>
+      <p>Use of <code>set-parameter</code> in this context, sets the parameter for the control
+        referenced in the containing <code>implemented-requirement</code> applied to the referenced
+        component. If the <code>by-component</code> is used as a child of a <code>statement</code>,
+        then the parameter value also applies only in the context of the referenced statement. If
+        the same parameter is also set in the <code>control-implementation</code> or a specific <code>
+        implemented-requirement</code>, then this <code>by-component/set-parameter</code> value will
+        override the other value(s) in the context of the referenced component, control, and
+        statement (if parent).</p>
     </remarks>
   </define-assembly>
 
-
 </METASCHEMA>

From e9131145dfd1ec86e5ab19b30115ef20e858003d Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Tue, 26 Mar 2024 13:44:39 -0400
Subject: [PATCH 48/51] Removed implemented-by flag from the responsibility
 assembly.

---
 src/metaschema/oscal_responsibility-common_metaschema.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index a01bfe6a0b..97e184e73b 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -176,7 +176,9 @@
         the document.</description>
     </define-flag>
     <flag ref="provided-uuid" required="no" />
+    <!-- Identifying the implementer of an inheritable control for which a responsibility exists can be done through provided-uuid.
     <flag ref="implemented-by" required="no" />
+    -->
     <flag ref="exportable" />
     <model>
       <define-field name="description" as-type="markup-multiline" min-occurs="1"

From 7a5098c042bd33360fa02f8b372c6b265efad528 Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Thu, 28 Mar 2024 01:44:05 -0400
Subject: [PATCH 49/51] Model documentation updates.

---
 .../oscal_responsibility-common_metaschema.xml   | 16 +++++++++++-----
 .../oscal_shared-responsibility_metaschema.xml   |  3 +--
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/metaschema/oscal_responsibility-common_metaschema.xml b/src/metaschema/oscal_responsibility-common_metaschema.xml
index 97e184e73b..be13322539 100644
--- a/src/metaschema/oscal_responsibility-common_metaschema.xml
+++ b/src/metaschema/oscal_responsibility-common_metaschema.xml
@@ -34,7 +34,8 @@
     have one, and the SR would serve as the first step towards digitalization. The `ssp-uuid` will not be
     required -->
     <flag ref="ssp-uuid" required="no" />
-    <flag ref="sr-uuid" required="no" />
+    <!-- should an SR be created from another SR? 
+    <flag ref="sr-uuid" required="no" /> -->
 
     <model>
       <define-field name="title" as-type="markup-line">
@@ -101,7 +102,7 @@
 
   <define-assembly name="provided">
     <formal-name>Provided Control Implementation</formal-name>
-    <description>Describes a capability which may be inherited by a leveraging system.</description>
+    <description>Describes a capability provided by a component of the leveraged system which may be inherited by a leveraging system.</description>
     <!-- CHANGED: "provided-group" to "provided" -->
     <!-- <group-as name="provided" in-json="ARRAY"/> -->
     <define-flag name="uuid" as-type="uuid" required="yes">
@@ -404,9 +405,14 @@
     <formal-name>Implementer UUID</formal-name>
     <!-- Identifier Reference -->
     <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
-      machine-oriented</a> identifier reference to the control implementation. An inheritable
-      control provided by a leveraged system can be inherited by a leveraging system and further
-      provid it to their customers, with or without associated responsibilities.</description>
+      machine-oriented</a>, <a
+      href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+    unique</a> identifier with <a
+      href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+    scope that is used to reference the party responsible for the implemented capability or control. An inheritable
+      capability or control provided by a leveraged system can be inherited by a leveraging system and further
+      provided to leveraging system's customers. The entity responsible for implementing the control is often
+       rederred to as the “Control Originator”.</description>
   </define-flag>
 
   <define-flag name="responsibility-uuid" as-type="uuid" scope="local">
diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index 8c74a88d10..88ecb66072 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -29,8 +29,7 @@
 
   <define-assembly name="shared-responsibility">
     <formal-name>Shared Responsibility</formal-name>
-    <description>A collection of component descriptions, which may optionally be grouped by
-      capability.</description>
+    <description>A collection of components or capabilities provided by a leveraged system and which can be inherited by a leveraging system.</description>
     <root-name>shared-responsibility</root-name>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Shared Responsibility Universally Unique Identifier</formal-name>

From 054c0b70ac14d7a543e709280abe5b5bc6dc071f Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Thu, 28 Mar 2024 11:22:56 -0400
Subject: [PATCH 50/51] Augemnting reference and added implementation-status to
 component-def per issue 1300.

---
 src/metaschema/oscal_component_metaschema.xml | 43 +++++++------------
 src/metaschema/oscal_ssp_metaschema.xml       |  8 +++-
 2 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml
index 48cffca4d0..d601456242 100644
--- a/src/metaschema/oscal_component_metaschema.xml
+++ b/src/metaschema/oscal_component_metaschema.xml
@@ -475,39 +475,20 @@
       <assembly ref="set-parameter" max-occurs="unbounded">
         <group-as name="set-parameters" in-json="ARRAY"/>
       </assembly>
-      <assembly ref="responsibility" max-occurs="unbounded">
-        <group-as name="responsibilities" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="responsible-role" max-occurs="unbounded">
-        <group-as name="responsible-roles" in-json="ARRAY"/>
-      </assembly>
-
-      <!-- ADDED for SRM: Implementation Status and Shared Responsibility Assembly -->
-      <!-- <assembly ref="implementation-status">
+      <assembly ref="implementation-status">
         <remarks>
-          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
         </remarks>
       </assembly>
-      
-      <assembly ref="provided">
-        <group-as name="provided" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="responsibility">
+      <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibilities" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="inherited">
-        <group-as name="inherited" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="satisfied">
-        <group-as name="satisfied" in-json="ARRAY"/>
-      </assembly>
-      <assembly ref="export" max-occurs="1">
         <remarks>
-          <p>TODO: Documentation</p>
+          <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and it is expected to provide the declared <code>implementation-status</code> of the <code>implemented-requirement</code>.</p>
         </remarks>
-      </assembly> -->
-      <!-- END ADDED -->
-      
+      </assembly>
+      <assembly ref="responsible-role" max-occurs="unbounded">
+        <group-as name="responsible-roles" in-json="ARRAY"/>
+      </assembly>
       <assembly ref="statement" max-occurs="unbounded">
         <group-as name="statements" in-json="ARRAY"/>
       </assembly>
@@ -562,8 +543,16 @@
       <assembly ref="link" max-occurs="unbounded">
         <group-as name="links" in-json="ARRAY"/>
       </assembly>
+      <assembly ref="implementation-status">
+        <remarks>
+          <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the statement of a control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
+        </remarks>
+      </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibilities" in-json="ARRAY"/>
+        <remarks>
+          <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and is expected to provide the declared <code>implementation-status</code> of the <code>statement</code>.</p>
+        </remarks>
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
         <group-as name="responsible-roles" in-json="ARRAY"/>
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index 58013e73c4..c873a06c9f 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -695,7 +695,13 @@
         <formal-name>Leveraged Authorization</formal-name>
         <description>A description of another authorized system from which this system inherits
           capabilities that satisfy security requirements. Another term for this concept is a <em>common
-          control provider</em>.</description>
+          control provider</em>.The information regarding the inheritable capabilities can be retrieved 
+        directly from the leveraging system's SSP (when available) and can be noted in the <code>ssp-uuid</code> flag, 
+        or from a <code>shared-responsibility</code> instance of the system, when the leveraging system's SSP  
+        is not available (docuemnted in this case by the <code>sr-uuid</code> flag). 
+        Additionally, when the leveraging system's SSP is available in OSCAL, the 
+        <em>UUID</em> of the leveraged system's SSP will be availabe in the <code>source-ssp</code> of 
+        the <code>shared-responsibility</code> instance, provided by the <code>ssp-uuid</code> flag.</description>
         <group-as name="leveraged-authorizations" in-json="ARRAY" />
         <define-flag name="uuid" as-type="uuid" required="yes">
           <formal-name>Leveraged Authorization Universally Unique Identifier</formal-name>

From 9ad2278968c2f3e29dc9b1f485833a97a93ab79c Mon Sep 17 00:00:00 2001
From: Michaela Iorga <michaela.iorga@nist.gov>
Date: Thu, 28 Mar 2024 13:37:35 -0400
Subject: [PATCH 51/51] Added remarks in provided, responsibility, inherited
 and satisfied.

---
 .../oscal_shared-responsibility_metaschema.xml    | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/metaschema/oscal_shared-responsibility_metaschema.xml b/src/metaschema/oscal_shared-responsibility_metaschema.xml
index 88ecb66072..cf2b89fa3d 100644
--- a/src/metaschema/oscal_shared-responsibility_metaschema.xml
+++ b/src/metaschema/oscal_shared-responsibility_metaschema.xml
@@ -29,7 +29,8 @@
 
   <define-assembly name="shared-responsibility">
     <formal-name>Shared Responsibility</formal-name>
-    <description>A collection of components or capabilities provided by a leveraged system and which can be inherited by a leveraging system.</description>
+    <description>A collection of components or capabilities provided by a leveraged system and which
+      can be inherited by a leveraging system.</description>
     <root-name>shared-responsibility</root-name>
     <define-flag name="uuid" as-type="uuid" required="yes">
       <formal-name>Shared Responsibility Universally Unique Identifier</formal-name>
@@ -322,15 +323,27 @@
       <!-- CHANGED from Export for SRM: Shared Responsibility Assembly -->
       <assembly ref="provided" max-occurs="unbounded">
         <group-as name="provided" in-json="ARRAY" />
+        <remarks>
+          <p>The leveraged system's <code>provided</code> information could be used to document the leveraging system's <code>inherited</code> capability.</p>
+        </remarks>
       </assembly>
       <assembly ref="responsibility" max-occurs="unbounded">
         <group-as name="responsibilities" in-json="ARRAY" />
+        <remarks>
+          <p>The leveraged system's <code>responsibity</code> information could be used to docuemnt the leveraged system's <code>satisfied</code> capability.</p>
+        </remarks>
       </assembly>
       <assembly ref="inherited" max-occurs="unbounded">
         <group-as name="inherited" in-json="ARRAY" />
+        <remarks>
+          <p>The leveraged system's <code>provided</code> information could be used to document the leveraging system's <code>inherited</code> capability.</p>
+        </remarks>
       </assembly>
       <assembly ref="satisfied" max-occurs="unbounded">
         <group-as name="satisfied" in-json="ARRAY" />
+        <remarks>
+          <p>The leveraged system's <code>responsibity</code> information could be used to docuemnt the leveraged system's <code>satisfied</code> capability.</p>
+        </remarks>
       </assembly>
       <assembly ref="responsible-role" max-occurs="unbounded">
         <group-as name="responsible-roles" in-json="ARRAY" />