NIST SP 800‐53 OSCAL Content Data Governance

A.J. Stein edited this page Oct 13, 2023 · 5 revisions

Summary

Per ADR 8, this guidance exists so that NIST OSCAL Team developers have clear expectations on how to review and prepare profiles, catalogs, and examples. The primary data owner of the official representation of NIST SP 800-53A and SP 800-53B is staff in the SERM Group. Under the criteria given below, there are cases where the SERM Group must be consulted before some releases.

Change Criteria

Any OSCAL catalog, profile, or resolved catalog should align with the textual content of the controls and related tables in the SP 800-53 document (which includes the textual and table-based description of the 800-53B baseline profiles) and with the assessment methods for controls in 800-53A. This means the control and assessment content, and the relevant tables, for only those portions of the documents. For the SP 800-53 document (which includes the 800-53 catalog and the 800-53B baseline profiles), the front matter is everything excluding "THE CONTROLS," "REFERENCES," and the tables in the "THE CONTROL SUMMARIES" section. In the 800-53A document, the front matter is everything except the "SECURITY AND PRIVACY ASSESSMENT PROCEDURES" and "REFERENCES" sections.

Other than front matter, OSCAL catalogs, profiles, and resolved catalogs may have "upstream changes" (changes to the official data in the SP 800-53 and 800-53A documents that is relevant to OSCAL and not in front matter) and OSCAL-specific "transformation changes."

Upstream changes diverge from the official content. A correction where OSCAL content needs to be re-aligned with the official publication data is not an upstream change; such a correction, as in usnistgov/oscal-content#212, is a transformation change.

When an upstream change occurs, initiated by either the SERM Group or the NIST OSCAL Team, the NIST OSCAL Team should brief a SERM Group staff member and confirm via written communication that the changes are acceptable for a coordinated release. For the OSCAL Team, this constitutes a major or minor release. All transformation changes are patch releases.

OSCAL Team Release Review

  • When the team determines they are creating an upstream change, they must email sec-cert@nist.gov and prepare a briefing document (like our release briefs) that itemizes the changes and asks whether there are any objections to release. (NOTE: This review will take at least five business days for a first response, and potentially longer. Plan for ten business days, or one sprint, before final approval; do not expect an immediate no-objections confirmation, especially at the very beginning or end of a sprint.) Once ready, the team will create the major or minor version tag, release it, and merge it to main.
  • When the team determines they are only creating a transformation change, they prepare the develop branch, create a patch version tag, associate it with a release, and then merge that into the main branch.