Merge pull request #30 from GovReady/doc-oscal-update

Add doc about OSCAL 1.0.0 RC1 and JSON SSP.

source/appendixes/oscal-compliance.rst

@@ -5,20 +5,21 @@
 OSCAL Compliance Notes
 ======================
 
-GovReady-Q supports OSCAL version 1.0 milestone 3 in the following
+GovReady-Q supports OSCAL version 1.0.0 RC1 in the following
 scenarios:
 
 * Import of OSCAL components in JSON format
 * Export of OSCAL components in JSON format
+* Export of OSCAL SSP in JSON format
 
 The OSCAL specification is complex and subject to change.  Refer to
 this appendix for information on how GovReady-Q currently implements
 the OSCAL specificaiton.
 
-Implementation Notes
---------------------
+OSCAL Component Implementation Notes
+------------------------------------
 GovReady-Q will only import OSCAL component files that are valid
-according to the OSCAL version 1.0 milestone 3 schema.
+according to the OSCAL version 1.0.0 RC1 schema.
 
 When importing an OSCAL component, GovReady-Q expects to find the
 control statement narratives in OSCAL *statement* elements with a
@@ -38,5 +39,20 @@ include:
 * NIST_SP-800-53_rev5
 * NIST_SP-800-171_rev1
 
+OSCAL SSP Implementation Notes
+------------------------------
+To export OSCAL SSP in JSON format, you must use a Compliance App that
+includes the OSCAL SSP JSON output template. An OSCAL SSP JSON output template
+can be found in the included the General IT System ATO (v1.0.1) and the 
+Lightweight_ATO_Template > light-ato-ssp (v0.2.9).
+
+While the OSCAL SSP JSON that GovReady-Q produces is valid according
+to the OSCAL SSP JSON schema, many optional elements are currently
+omitted.  The component and control implementations, including
+organizational parameters, are relatively complete, however.
+
+The completeness and fidelity of the OSCAL SSP JSON representation
+will continue to improve over time.
+