
Add Catalog Content for NIST 800-171 #150

Closed · 3 tasks
matt-f5 opened this issue Oct 31, 2022 · 3 comments
Labels
enhancement The issue adds a new feature, capability, or artifact to the repository. User Story The issue is a user story for a development task.

Comments

matt-f5 commented Oct 31, 2022

User Story:

As a DoD contractor subject to DFARS 252.204-7012, I would like to implement the security requirements in NIST SP 800-171 while still leveraging the technological advancements of OSCAL.

Goals:

Create at least an OSCAL Catalog to represent the security requirement content from NIST SP 800-171.

Dependencies:

None that I'm aware of.

Acceptance Criteria

  • All readme documentation affected by the changes in this issue has been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

Discussion Primer

I wrote a parser to transform the content from csv to OSCAL and pushed a draft OSCAL Catalog and example Full Inclusion Profile here: https://github.com/FATHOM5/oscal/tree/main/content/SP800-171/oscal-content

I wanted to open this enhancement issue to gauge the general interest in this content before creating the proper fork and opening a pull request. In general, the industry is struggling with 800-171. I feel OSCAL can be a valuable resource across the defense industrial base if the necessary base content existed.

matt-f5 added the enhancement (The issue adds a new feature, capability, or artifact to the repository.) and User Story (The issue is a user story for a development task.) labels Oct 31, 2022
github-actions bot added this to Needs Triage in Issue Triage Oct 31, 2022

iMichaela (Contributor) commented:

@matt-f5 - Thank you for your initiative. The catalog you produced looks good (note - I did not validate it or try to review its content in detail).
We had several community members inquiring when 800-171 will be represented in OSCAL. Since 800-53 is also provided in OSCAL, to fully benefit from this information (and to avoid assessment duplication), I think that the OSCAL Mapping Model @Compton-NIST is working on (see OSCAL repo issue #1332 and related) would be needed to reproduce the Annex D/Table D-1 (800-171 <-> 800-53 mapping) and to allow the 'relations' to be more accurately documented.

xee5ch added a commit to oscal-club/awesome-oscal that referenced this issue Nov 1, 2022
matt-f5 (Author) commented Nov 1, 2022

@iMichaela I love the sound of the OSCAL Mapping Model and agree it would be particularly useful for 800-171. Another thing to note in 800-171 that makes it unique from 800-53 is that 800-171A doesn't explicitly identify ODPs throughout the determination statements. Maybe this is an improvement recommendation for 800-171A itself, but there are many statements like "3.1.1[a] authorized users are identified" which are probably more useful as control parameters. The catalog I wrote just considers all the 3.x.x[a-z] tier as normal assessment objectives.
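
The CSV-to-OSCAL transform and the "every 3.x.x[a-z] determination statement becomes an assessment objective" choice described in the two comments above, as an added example that is not the FATHOM5 parser or any NIST code: it reads a constructed CSV excerpt (the column layout and the sample rows are assumptions, not the publication text) and emits an OSCAL catalog dict with one group per family, one control per requirement, and each determination statement as an `assessment-objective` part, following the part naming used in the NIST 800-53A OSCAL catalog.

```python
import csv
import io
import json
import uuid
from collections import OrderedDict

# Constructed sample rows (not the real 800-171/171A text):
# requirement id, requirement statement, objective letter, objective text.
SAMPLE_CSV = """requirement,statement,objective,objective_text
3.1.1,Limit system access to authorized users.,a,authorized users are identified
3.1.1,Limit system access to authorized users.,b,processes acting on behalf of authorized users are identified
3.1.2,Limit system access to the types of transactions and functions that authorized users are permitted to execute.,a,the types of transactions and functions that authorized users are permitted to execute are defined
"""

# Family titles keyed by the "3.x" prefix (only the family used in the sample).
FAMILIES = {"3.1": "Access Control"}


def csv_to_oscal_catalog(csv_text, title="NIST SP 800-171 (constructed excerpt)"):
    """One group per family, one control per 3.x.x requirement, and every
    [a-z] determination statement as an 'assessment-objective' part."""
    groups, controls = OrderedDict(), OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        req_id = row["requirement"]
        family = ".".join(req_id.split(".")[:2])
        ctl = controls.get(req_id)
        if ctl is None:  # first row for this requirement: create the control
            ctl = {"id": req_id, "title": row["statement"],
                   "parts": [{"id": f"{req_id}_smt", "name": "statement",
                              "prose": row["statement"]}]}
            controls[req_id] = ctl
            groups.setdefault(family, {"id": family, "title": FAMILIES.get(family, family),
                                       "controls": []})["controls"].append(ctl)
        # Each determination statement keeps its "3.1.1[a]" label as a prop.
        ctl["parts"].append({"id": f"{req_id}_obj.{row['objective']}",
                             "name": "assessment-objective",
                             "props": [{"name": "label", "value": f"{req_id}[{row['objective']}]"}],
                             "prose": row["objective_text"]})
    return {"catalog": {"uuid": str(uuid.uuid4()),
                        "metadata": {"title": title, "version": "draft", "oscal-version": "1.0.4"},
                        "groups": list(groups.values())}}


def objectives(catalog, control_id):
    """Labels of the assessment objectives attached to one control (used to check output)."""
    for group in catalog["catalog"]["groups"]:
        for ctl in group["controls"]:
            if ctl["id"] == control_id:
                return [p["props"][0]["value"] for p in ctl["parts"] if p["name"] == "assessment-objective"]
    return []


if __name__ == "__main__":
    print(json.dumps(csv_to_oscal_catalog(SAMPLE_CSV), indent=2))
```

The output is a structural sketch only; run it through the OSCAL schema validators before publishing, since required metadata fields such as `last-modified` are omitted here.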

aj-stein-nist (Contributor) commented:

First off, the NIST OSCAL Team is very excited to see community members like yourself take other NIST security control frameworks and transform them into OSCAL. Great work!

The 800-171 control catalog is maintained by another team within the Computer Security Division of ITL in NIST. The maintainers of that catalog would need to initiate an effort to publish the catalog in OSCAL. They need to hear from you and other community members about your interest in that.

Contact information for the catalog authors is on this page, feel free to email them at sec-cert@nist.gov.

We are going to close this issue as there is no action item for 800-171 at this time. We can re-open this if the 800-171 maintainers decide to start an effort. Thanks again!

Issue Triage automation moved this from Needs Triage to Done Nov 1, 2022
oscalbuilder removed this from Done in Issue Triage Nov 1, 2022