Revision to Handling of Assessment Objects #1896

Open
brian-comply0 opened this issue Aug 22, 2023 · 2 comments
Comments

@brian-comply0

brian-comply0 commented Aug 22, 2023

User Story

As an OSCAL tool developer, I want to be able to enumerate each of the assessment objects independently, so that I can more appropriately tie a specific assessment object to an assessment activity. Individual assessment objects are assessment subjects in the context of the AP and AR models.

Currently all assessment objects of a control's assessment method are lumped into a single part with name="assessment-objects". Instead, each assessment object should be in its own part with name="assessment-object" (note: singular, no "s" at the end).

Goals

  • Revise the OSCAL specification to use assessment-object instead of assessment-objects.

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

@brian-comply0
Author

brian-comply0 commented Aug 22, 2023

As an example, the following is an excerpt from the NIST SP 800-53r5 catalog. It is the "examine" assessment method for AC-1.

Current:

         <part id="ac-1_asm-examine" name="assessment-method">
            <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
            <prop name="label" class="sp800-53a" value="AC-01-Examine"/>
            <part name="assessment-objects">
               <p>Access control policy and procedures</p>
               <p>system security plan</p>
               <p>privacy plan</p>
               <p>other relevant documents or records</p>
            </part>
         </part>

Proposed (pre OSCAL 2.0) non-breaking change suggestion:

         <part id="ac-1_asm-examine" name="assessment-method">
            <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
            <prop name="label" class="sp800-53a" value="AC-01-Examine"/>
            <part name="assessment-object" id="ac-1_asm-examine-object-1">
               <p>Access control policy and procedures</p>
            </part>
            <part name="assessment-object" id="ac-1_asm-examine-object-2">
               <p>system security plan</p>
            </part>
            <part name="assessment-object" id="ac-1_asm-examine-object-3">
               <p>privacy plan</p>
            </part>
            <part name="assessment-object" id="ac-1_asm-examine-object-4">
               <p>other relevant documents or records</p>
            </part>
         </part>

Proposed Ideal (OSCAL 2.0 breaking change), uses properties instead of parts as the values are better expressed as just text fields without formatting:

         <part id="ac-1_asm-examine" name="assessment-method">
            <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
            <prop name="label" class="sp800-53a" value="AC-01-Examine"/>
            <prop name="assessment-object" uuid="UUID-VALUE" value="Access control policy and procedures"/>
            <prop name="assessment-object" uuid="UUID-VALUE" value="system security plan"/>
            <prop name="assessment-object" uuid="UUID-VALUE" value="privacy plan"/>
            <prop name="assessment-object" uuid="UUID-VALUE" value="other relevant documents or records"/>
         </part>
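As an added example (not code from this issue or from the OSCAL project), the following Python shows what the user story asks for from a tool's side: it enumerates each assessment object of an assessment-method part with its own id, reading either the current lumped `assessment-objects` part or the proposed one-part-per-object form, and it can rewrite the lumped form into the proposed non-breaking form. The OSCAL 1.0 namespace URI, the trimmed sample catalog and the `<method id>-object-N` id scheme (mirroring the ids in the proposal above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: the excerpt lives in the OSCAL 1.0 catalog namespace
NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample: the AC-1 "examine" method in the CURRENT (lumped) shape
CURRENT_XML = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
<part id="ac-1_asm-examine" name="assessment-method">
 <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
 <part name="assessment-objects">
  <p>Access control policy and procedures</p>
  <p>system security plan</p>
 </part>
</part></catalog>"""


def load_method(xml_text):
    """Parse a catalog fragment and return its first assessment-method part."""
    return ET.fromstring(xml_text).find("o:part[@name='assessment-method']", NS)


def enumerate_objects(method):
    """Return [(id, text)] for every assessment object under an assessment-method part.
    Proposed form first (one assessment-object part each), then the current lumped form."""
    objs = []
    for i, part in enumerate(method.findall("o:part[@name='assessment-object']", NS), 1):
        text = " ".join(p.text.strip() for p in part.findall("o:p", NS) if p.text)
        # fall back to a derived id if the part carries none (assumed scheme)
        objs.append((part.get("id") or f"{method.get('id')}-object-{i}", text))
    if objs:
        return objs
    # Current form: each <p> of the single assessment-objects part is one object
    for i, p in enumerate(method.findall("o:part[@name='assessment-objects']/o:p", NS), 1):
        objs.append((f"{method.get('id')}-object-{i}", (p.text or "").strip()))
    return objs


def split_objects(method):
    """Rewrite a lumped assessment-objects part into one assessment-object part per <p>
    (the non-breaking change proposed above). Returns the number of parts created."""
    lumped = method.find("o:part[@name='assessment-objects']", NS)
    if lumped is None:
        return 0
    created = 0
    for p in list(lumped):
        created += 1
        new = ET.SubElement(method, lumped.tag, name="assessment-object",
                            id=f"{method.get('id')}-object-{created}")
        new.append(p)  # move the <p> under its own part
    method.remove(lumped)
    return created
```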

@aj-stein-nist aj-stein-nist moved this from Needs Triage to Further Analysis Needed in Issue Triage Aug 24, 2023
@aj-stein-nist
Contributor

  1. We need to review this issue and circle back next week during the following triage/backlog review issue.
  2. We need to consider the feasibility and/or impact of this change, AJ to consider inviting @brian-easyd to discuss merits during upcoming MEM.
  3. Up for consideration here or likely separate issue: we can consider using Schematron processing to check for usage of plural names like we have for consistency in field names for example, per Nikita's recommendation.

@aj-stein-nist aj-stein-nist removed this from Further Analysis Needed in Issue Triage Sep 20, 2023