Add support for profile tailoring

[david-waltermire]

Goals:

1. A user can extend an existing profile to create a new profile
2. A user can choose which controls from a given catalog are excluded from a profile (already done, but needs to be tested). If an extended profile, this should allow controls in the extended profile to be excluded. Build a profile that works by exclusion #34
3. A user can modify existing statements for a control included in the profile. Use a profile to patch controls #37 The changes made to a control in this way must be discernible. Display the delta between controls #16
4. A user can set a value for a parameter for a control included in the profile. Set parameter values for controls within the context of the union of multiple profile standards #14
5. Multiple catalogs must be supported for inclusion of controls.

Dependencies:

• Existing control catalogs defined for SP 800-53, ISO/IEC 27001/2, COBIT 5
• Parameters will be used from the SP 800-53 catalog
• Need a spreadsheet or equivalent content documenting the FedRamp "moderate" baseline

Acceptance Criteria:

1. A mockup is produced demonstrating implementation of the FedRamp "moderate" baseline that uses profile extension and tailoring features described above (goals 1-4).
2. A mockup is produced demonstrating implementation of a profile supporting multiple source catalogs used as a basis for a tailored profile. This should include use of all features described above (goals 1-5).
3. A stylesheet is produced that supports rendering a human-readable view of the profile. The stylesheet will be used with the mockups from items 1 and 2 above.

[akarmel]

9/12/2017 Sprint Review Call Notes

• Wendell has been working on this and will show Dave tomorrow.
• We now have profiles that read profiles. which may create infinite loops. Need to write code to prevent that from happening.
• We can read multiple catalogs now as well
• Everything is in one namespace at this time. Namespace needs to be sorted out first.

[wendellpiez]

The current profile resolver XSLT keeps track of profiles it reads, and refuses to read a profile for a second time, thereby preventing cyclic traversals.

[akarmel]

9/19/2017 Sprint Review Call Notes

• This is now working with the exception of one criteria that needs discussion with Dave. Will be addressed during the scheduled working session this Friday.

[akarmel]

9/25/2017 Sprint Review Call Notes

• Per Wendell, we're ready to show this next week during the Sprint 4 retrospective / Sprint 5 planning session.
  • Wendell will add a comment to this issue with pointers to the files that require feedback prior to next week's meeting.

[wendellpiez]

A profile describing (what I believe to be*) the MODERATE baseline (profile of SP800-53/a) is here:

working/SP800-53/MODERATE-baseline-profile-oscal.xml

Next to it, you will also find LOW and HIGH.

(*) I say "what I believe to be" since these were pulled via query, and I am assuming both the data and the query are correct. (Under spot checking it looks good.)

Additionally, each of these profile documents can be run through a transformation pipeline that (a) expands (resolves) it against the catalog(s) it calls (always SP800-53-enhanced.xml) and (b) converts it into HTML for display on the web. This addresses point 3 above. The result of running MEDIUM is here:

working/SP800-53/MODERATE-baseline-profile-oscal-rendered.html

... and similarly for the others.

The remaining functionalities relate to correct resolution profiles calling profiles and profiles calling multiple catalogs. A (small) profile calling multiple catalogs is available here:

working/SP800-53/testing-profile.xml

and a profile that calls a profile is here:

working/SP800-53/testing2-profile.xml

They both have rendered (HTML) versions next to them. (The rendering is not what a designer would do but it shows the data with parameter insertion working.)

[wendellpiez]

Additionally, you will find a FedRAMP demo in subdirectory working/FedRAMP. It should have a readme.md explaining it. This together with the "naive" MODERATE baseline mentioned above, should address point 1.

[akarmel]

10/24/2017 - Sprint 4 Review Call Notes

• We need to develop an examples directory at the root of OSCAL with complete examples
• Need to develop a complete, fully reviewed FedRAMP example in the next sprint as a way to prove that we've implemented all the necessary functionality in OSCAL
• Need to identify requirements around modifying existing statements for a control included in the profile. Use a profile to patch controls #37 The changes made to a control in this way must be discernible. Display the delta between controls #16
• We will clarify this issue and carry it into Sprint 5

[akarmel]

10/31/2017 - Sprint 5 Progress Notes

• Looking at FedRAMP samples and creating artificial, streamlined XML examples per each goal.
  • Andrew will create equivalent JSON examples based off the XML examples
• Discovering that we will need several new features around the parameters which will be reported next week.
• Put 800.53 r5 in OSCAL format. With that said, FedRAMP is based off r4.

[wendellpiez]

As of 11/3 we have two separate tracks of activity underway bearing on this Issue

• In a new /examples/mini-testing directory, we have begun developing a set of unit tests for demonstrating OSCAL functionalities
  • focused initially on profiling and profile-resolution functionalities (semantics of profiling)
  • includes "pathological" examples illustrating range of normal and edge cases
  • eventually it will expand to supporting other regression testing besides profiling e.g. schema(s), Schematron
  • at the same time, it will serve as a public and reference demo
• We also expect to have a new /examples/FedRAMP directory (as discussed here), contents tbd.

At last week's meeting I admitted that if we worked hard enough, we could perhaps cover the three FedRAMP baselines given the spreadsheet inputs. Now I'd like to qualify this and suggest we aim instead to do enough (a representative subset) so we understand the scale and scope of the entire job -- and prioritize the quality of the expression (as a demo), rather than just slap together the data we have.

[akarmel]

11/7/2017 - Sprint 5 Progress Notes

• Per Wendell's comment above, examples subdirectory has been created and associated work is underway.
  - Unit Test examples allows us to regression test the various components of OSCAL.
• For FedRAMP examples, implemented a rudimentary patching example. Selection parameters haven't been addressed yet.
• Plan to complete this story by the end of the sprint is to complete the unit tests by the end of the week to pass along to Andrew for the JSON user story, then work on completing the FedRAMP examples.
• Wendell will reach out to David via email to request feedback. Flag items that require immediate feedback so David can prioritize responses.

[wendellpiez]

The /examples/mini-testing catalog with profiles (various common and exotic), is in place. More examples will be coming.

The /examples/SP800-53 directory now contains more-or-less "reference" or "best available" versions of SP800-53 rev4, and its three defined profiles HIGH, MODERATE and LOW. (How these are related to the production pipeline over in /working/SP800-53, is documented.)

The /examples/FedRAMP directory contains not-yet-finished "castings" of the three FedRAMP spreadsheets, into OSCAL profiles. (These profiles call, respectively, the profiles for HIGH MODERATE and LOW kept in /examples/SP800-53.) These profiles show controls selection, parameterization and patching (if only roughly so far). These too were produced by a semi-automated process maintained in the /working subdirectory (but kept out of the way here); however since the machine cannot do the final revisions, those are left (for demo), with the exception of HIGH, which has been finished about halfway so far.

Andrew has been making regular refreshes to JSON versions of everything.

[akarmel]

11/21/2017 - Sprint 5 Progress Notes

• Unit test examples have been created in /examples/mini-testing and are ready for NIST review
• Readme.md has been updated as well and is ready for NIST review

DETAILED PROGRESS NOTE:
On Github or in your updated copy you will find there is an /examples subdirectory in OSCAL now, containing three subdirectories, including not only the unit tests (/mini-testing) but also the FedRAMP demo (both a /FedRAMP subdir and a subdir /SP800-53 for the latter control catalog and its profiles, on which the FedRAMP profiles depend).

Each directory has a readme.md.

In particular, note that the SP800-53 readme lists the different validations (i.e., not only schema validations but also Schematron) that have been performed on the various files.

Also the FedRAMP readme describes what is going on there. Summary version: while there is definitive progress to show towards getting complete FedRAMP profiles in place (derived from the spreadsheet data) -- it also becomes much clearer where there are "gaps" that have to be bridged in some way.

In some places these are due to gaps remaining in the model (an obvious case would be where catalogs have 'selection' parameters, which as you know we do not support yet), but more pervasively and problematically, they reveal gaps in the process of how we proceed to determine and assign parameter values (with correct syntax and ids) and specify interventions (alterations) -- both in the practical case of these demonstrations, but also more generally (at least if such a process is in scope for OSCAL).

I have made a couple of new issues as placeholders (#66 selection parameters; #67 merging 'invocation trees' in catalog resolution) but nothing about the last set of questions, as I am not yet sure how to address them or what's missing here. (Only that I think something is. Or maybe not: maybe "hand finishing" these profiles is exactly the percentage play here.)

FOR DAVE IN PARTICULAR: Your input before Sprint ends next Tuesday (11/28) would be most welcome especially as it bears on whether we meet acceptance criteria for the user stories. If you are able to take a look at the FedRAMP readme and associated profile examples and provide your thoughts/direction I might still have time to address remaining issues or questions (or at least take notes).

[akarmel]

11/28/2017 - Sprint 5 Acceptance Notes

• User Story accepted by David and Michaela
• David will read through all the examples, see if they are adequately commented and demonstrate adequate functionality with outstanding questions/issues documented as new issues in GitHub for future Sprints.

[david-waltermire]

@wendellpiez, Are the latest examples in the sprint-9 branch or are they in your repo in a feature branch? If the latter is true, can you provide a link to your repo branch for me to review?

[wendellpiez]

David @david-waltermire-nist , my repo is here:

https://github.com/wendellpiez/OSCAL/tree/sprint-9

Probably nothing, or not much, in /examples has diverged from the main repo, though I could be wrong. I know they need more than "review"; at least the unit tests are very much partial and WIP.

[wendellpiez]

FedRAMP profiles call SP800-53 profiles as well as the base catalog. These will work for testing for now. Closing.