
OSCAL Extensions Model #1987

Open · 5 tasks
brian-ruf opened this issue Feb 26, 2024 · 4 comments

Comments

@brian-ruf (Contributor)

User Story

As a tool developer, I want to create OSCAL-based tools that can "learn" organization-specific extensions and allowed values automatically and apply them to OSCAL content.

The OSCAL community of tool developers requires a mechanism that allows organizations to define their extensions, allowed values and other constraints using a common mechanism, and publish these definitions to a common repository.

Goals

  • create an OSCAL model that organizations can use to define OSCAL extensions, allowed values, and constraints
  • the approach should allow an OSCAL tool developer to use one or more extension definitions from various organizations simultaneously to validate OSCAL content (for example, an organization creating OSCAL content for both SOC 2 and FedRAMP should be able to use extension models for both frameworks to validate their content)

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
  • A valid metaschema definition for an extensions model exists
  • The OSCAL Layers representation must be updated to include the extensions model

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

@brian-ruf (Contributor, Author)

Assuming this is created, the REST API specification should be updated to include the publishing and retrieval of OSCAL Extension Definition files, as well as the retrieval of a list of all available OSCAL Extension Definitions.

@brian-ruf (Contributor, Author)

Here is a metaschema file I drafted last fall. While it attempted to align as much as possible with the metaschema syntax at that time, it may need to be refreshed as a result of ongoing work in the usnistgov/metaschema repository.

oscal_extensions_metaschema.xml.txt
NOTE: GitHub does not allow XML attachments. Had to append .txt to attach here.

@iMichaela (Contributor)

@brian-ruf - Thank you for opening the issue and proposing an OSCAL Extension model. I believe such a model is needed in order to have meaningful OSCAL extensions for adopters for whom core OSCAL is not sufficient. Such a model supports data portability and interoperability, preventing fragmentation of OSCAL into vertical-specific dialects.
The model needs to be presented to the community as part of the research/DEFINE process, examples need to be generated, then a prototype is published with the corresponding documentation (similar to the prototype Shared Responsibility (SR) Model and the prototype Control Mapping (CM) Model).
I would be more than happy to work with you and other community members on finalizing it.

@iMichaela (Contributor)

Some comments in #1972 are touching on the Extension model idea.

Projects: Status: Needs Triage
Development: No branches or pull requests
2 participants