Merging controls from multiple catalogs in (viewing) a profile

[wendellpiez]

At time of writing, rendered profiles show their controls "split" by invocation, rather than in a single unified view. Users probably expect a unified view.

Goals

Provide a view onto single unified hierarchy even when multiple control catalogs are called. (Only viewing is in scope, not editing. That is, only the rendered HTML results must show a unified hierarchy, not any OSCAL preliminary to that.)

Background

Currently, when a profile calls in controls, its resolved results (that is, the catalog that comes back from recursively resolving any profiles/catalogs invoked, given the delta provided by the invoking profile) are rendered in separate branches (sections) of a single resolved "expanded catalog" (actually a framework underneath). But one would ordinarily expect to see all the controls together in a single hierarchy reflecting their hierarchies of origin -- not split out according to how they were invoked.

An example can be seen in almost any rendering of an OSCAL profile that calls in controls from multiple profiles resolving back to the same catalog, such as the FedRAMP LOW profile, which combines calls to the SP800-53 'base' catalog and its Low Baseline (which resolves back to the base).

Dependencies

• Examples such as the FedRAMP profile, that illustrate the problem

Acceptance Criteria

• A view that shows the various controls together in a single "correct" hierarchy rather than split across the invocations
• A reusable approach can be articulated for addressing this problem, along with reusable code to the extent possible

• Documentation that describes how to interpret a profile that combines multiple control catalogs and/or multiple references to the same control

Developer's note: the means to the goal might not be "merge" logic so much as logic that regroups all controls into the organization implied by their prop[@class='name'].

[wendellpiez]

Also note: is it sufficient to perform the merge only in rendition: shouldn't (or doesn't) this affect how resolution occurs? (That is, does the intermediate "resolved/expanded catalog" have to show the merged organization or can it as at present reflect its provenance or "chain of custody"?)

[wendellpiez]

Michaela observes (Sprint Acceptance mtg 11/28) that actually, the source of a particular control in a profile (that is, the profile or catalog from which it derives, i.e. 'chain of custody') is information of interest and shouldn't be freely discarded. This suggests that no merge should be automatic or "blind" -- and that merges might also need to be configurable. (Also, a merger might annotate the merged results with provenance info?)

[akarmel]

Sprint 6 Progress Notes

• Wendell got started on this yesterday (12/4) and several prose documents have been created for review in docs/prose. Wendell and David will collaboratively review today (12/5).

[kscarf1]

I discussed this with Wendell late last week, and he recommended that I wait on this. He is still making significant additions and revisions to the draft documents. I will coordinate with him on the best time to begin my review.

[akarmel]

Sprint 6 Progress Notes

• Specification documentation 2/3 of the way complete in Draft format. Doc is in the Sprint 6 branch.
• David and Wendell will review together and will loop in Karen moving forward for review.

[akarmel]

Sprint 6 Progress Notes

• Have a clearer understanding of our emerging requirements which has led to significant structural improvements to the profile model which are underway
  • Working towards a model where we have three containers in the profile:
    1. Select what controls are included from other reference profiles/catalogs
    2. Add directives that would change the default behavior
    3. Other customizations (local updates to controls - patching, static parameters)
  • Updates to this model will add growing room to add new features
  • Resolution logic must be updated as well
• Wendell expects to have these updates done within the week

[kscarf1]

Dave, Wendell, and I discussed the status of this today. Wendell is working on the first draft and expects to be done by the end of December. At that time he'll notify me and I will edit the draft, contacting him with any questions I have.

[kscarf1]

No update on this. I'll check with Wendell when he returns from travel.

[akarmel]

Sprint 6 Acceptance

• Revised implementation to the new model, everything is stable again
  • Modeling issue has been identified that requires David's review and feedback

[akarmel]

Sprint 7 Planning

• We have a stable model and code base, but we have a use case that may break it
  • Wendell has a proposal for Dave to review
• We need to design and document the functional requirements for the merging and modifying of layers: Issue Design and document the functional requirements for the merging and modifying of profiles #93
• We need to develop usable documentation that is written, edited and ready for public review: Issue Develop Profile layer documentation that is edited and ready for public review #94

[akarmel]

Closing this issue as it is now broken into three new issues: #93, #94, #95