Adding missing prop, link, and part names used in the SP 800-53 catal…
…og that were missing in the OSCAL Metaschemas.

Added additional constraints to support new and existing uses of prop, link, and part names. Removed allow-other="yes" from prop and part names in the OSCAL namespace to avoid namespace squatting on the official OSCAL namespace. Organizations using their own props will now be forced to use their own namespace, which was the original intention.
david-waltermire committed Jan 28, 2022
1 parent f610a1b commit 76eec06
Showing 5 changed files with 78 additions and 37 deletions.
16 changes: 9 additions & 7 deletions src/metaschema/oscal_assessment-common_metaschema.xml
@@ -62,14 +62,16 @@
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<allowed-values target="part">
<enum value="objective"></enum>
<enum value="assessment"></enum>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]">
<enum value="objective">(deprecated) Use 'assessment-objective' instead.</enum>
<enum value="assessment">(deprecated) Use 'assessment-method' instead</enum>
<enum value="assessment-objective">The part defines an assessment objective.</enum>
<enum value="assessment-method">The part defines an assessment method.</enum>
</allowed-values>
<has-cardinality target="part[@name='objective']" max-occurs="1" />
<has-cardinality target="part[@name='assessment']/prop[@name='method']" min-occurs="1" max-occurs="1" />
<has-cardinality target="part[@name='assessment']/part[@name='objects']" min-occurs="1" max-occurs="1" />
<has-cardinality target="part[@name='objective']/prop[@name='method-id']" min-occurs="1" />
<has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]" max-occurs="1" />
<has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']" min-occurs="1" max-occurs="1" />
<has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objects','assessment-objects')]" min-occurs="1" max-occurs="1" />
<has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method-id']" min-occurs="1" />
</constraint>
</define-assembly>
<define-assembly name="assessment-method">
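Review bot: The rewritten `allowed-values` at the top of this constraint targets the `part` node itself (`part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]`) rather than its `name` flag, so the enumerated names are probably not compared against `@name` at all. The equivalent constraints this commit adds to oscal_catalog_metaschema.xml all end in `/@name`; the same form here would be `<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">`. The enclosing `define-assembly` starts above the hunk, so confirm that no other constraint there already covers the part name.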
53 changes: 49 additions & 4 deletions src/metaschema/oscal_catalog_metaschema.xml
@@ -46,7 +46,7 @@
</assembly>
</model>
<constraint>
<allowed-values target="metadata/prop/@name">
<allowed-values target="metadata/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="resolution-tool">The tool used to produce a resolved profile.</enum>
</allowed-values>
<allowed-values target="metadata/link/@rel">
@@ -115,9 +115,12 @@
</model>
<constraint>
<!-- CHANGE: added allowed values for a property/@name -->
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
&allowed-values-control-group-property-name;
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="overview">An introduction to a control or a group of controls.</enum>
</allowed-values>
</constraint>
<remarks>
<p>Catalogs can use a <code>group</code> to collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.</p>
@@ -177,18 +180,60 @@
</model>
<constraint>
<expect id="catalog-control-require-statement-when-not-withdrawn" target="." test="prop[@name='status']/@value='withdrawn' or part[@name='statement']" />
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
&allowed-values-control-group-property-name;
<enum value="status">The status of a <code>control</code>. For example, a value of 'withdrawn' can indicate that the <code>control</code> has been withdrawn and should no longer be used.</enum>
</allowed-values>
<allowed-values target="prop[@name='status']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value">
<enum value="withdrawn">The control is no longer used.</enum>
</allowed-values>
<allowed-values target="link/@rel" allow-other="yes">
<enum value="reference">The link cites an external resource related to this control.</enum>
<enum value="related">The link identifies another control with bearing to this control.</enum>
<enum value="required">The link identifies another control that must be present if this control is present.</enum>
<enum value="incorporated-into">The link identifies other control content where this control content is now addressed.</enum>
<enum value="moved-to">The containing control definition was moved to the referenced control.</enum>
</allowed-values>

<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="overview">An introduction to a control or a group of controls.</enum>
<enum value="statement">A set of control implementation requirements.</enum>
<enum value="guidance">Additional information to consider when selecting, implementing, assessing, and monitoring a control.</enum>
<enum value="assessment">(deprecated) Use 'assessment-method' instead.</enum>
<enum value="assessment-method">The part describes a method-based assessment over a set of assessment objects.</enum>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="item">An individual item within a control statement.</enum>
<remarks>
<p>Nested statement parts are "item" parts.</p>
</remarks>
</allowed-values>
<allowed-values target=".//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="objective">(deprecated) Use 'assessment-objective' instead.</enum>
<enum value="assessment-objective">The part describes a set of assessment objectives.</enum>
<remarks>
<p>Objectives can be nested.</p>
</remarks>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="objects">(deprecated) Use 'assessment-objects' instead.</enum>
<enum value="assessment-objects">Provides a listing of assessment objects.</enum>
<remarks>
<p>Assessment objects appear on assessment methods.</p>
</remarks>
</allowed-values>

<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="method">(deprecated) Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment".</enum>
</allowed-values>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name">
<enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
</allowed-values>
<expect level="WARNING" target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]" test="prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']"/>
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']/@value">
<enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
<enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
<enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
</allowed-values>
</constraint>
<remarks>
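Review bot: The `expect` with id `catalog-control-require-statement-when-not-withdrawn` in the third hunk still tests unqualified `prop[@name='status']` and `part[@name='statement']`, while the `allowed-values` rewritten next to it only constrain the `status` prop in the OSCAL namespace. A `prop` named `status` with value `withdrawn` in an organization's own namespace would therefore still satisfy the rule and waive the statement requirement, without being checked against the allowed status values. Qualifying the test the same way closes that gap: `test="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value='withdrawn' or part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']"`. The control's `define-assembly` begins outside the hunk.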
32 changes: 10 additions & 22 deletions src/metaschema/oscal_control-common_metaschema.xml
@@ -28,18 +28,6 @@
<define-flag name="name" as-type="token" required="yes">
<formal-name>Part Name</formal-name>
<description>A textual label that uniquely identifies the part's semantic type.</description>
<constraint>
<allowed-values allow-other="yes">
<!-- QUESTION: "method" doesn't appear in this list, but has a constraint below. Why? -->
<enum value="overview">An introduction to a control or a group of controls.</enum>
<enum value="statement">A set of control implementation requirements.</enum>
<enum value="item">An individual item within a control statement.</enum>
<enum value="guidance">Additional information to consider when selecting, implementing, assessing, and monitoring a control.</enum>
<enum value="objective">Describes a set of assessment objectives.</enum>
<enum value="assessment">Describes a method-based assessment over a set of assessment objects.</enum>
<enum value="objects">Provides a list of assessment objects.</enum>
</allowed-values>
</constraint>
</define-flag>
<define-flag name="ns" as-type="uri">
<!-- CHANGED: data type to uri -->
@@ -82,18 +70,9 @@
</model>
<constraint>
<!-- CHANGE: added allowed values for a property/@name -->
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
&allowed-values-control-group-property-name;
</allowed-values>
<allowed-values target=".[@name='assessment']/prop/@name" allow-other="yes">
<enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
</allowed-values>
<expect level="WARNING" target=".[@name='assessment']" test="prop[@name='method']"/>
<allowed-values target=".[@name='assessment']/prop[@name='method']/@value">
<enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
<enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
<enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
</allowed-values>
</constraint>
<remarks>
<p>A <code>part</code> provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A <code>part</code> can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A <code>part</code> can contain <code>prop</code> objects that allow for enriching prose text with structured name/value information.</p>
@@ -182,6 +161,15 @@
<field ref="remarks" in-xml="WITH_WRAPPER"/>
<!-- <any/> -->
</model>
<constraint>
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
&allowed-values-control-group-property-name;
<enum value="alt-label">An alternate to the value provided by the parameter's label. This will typically be qualified by a class.</enum>
</allowed-values>
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name">
<enum value="aggregates">The parent parameter provides an aggregation of 2 or more other parameters, each described by this property.</enum>
</allowed-values>
</constraint>
<remarks>
<p>In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The <code>value</code> may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.</p>
<p>A parameter can include a variety of metadata options that support the future solicitation of one or more values. A <code>label</code> provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The <code>desc</code> provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A <code>constraint</code> can be used to provide criteria for the allowed values. A <code>guideline</code> provides a recommendation for the use of a parameter.</p>
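Review bot: With `allow-other="yes"` removed from the `prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name` list on the part assembly (second hunk), an OSCAL-namespace prop on a part is limited to the names in `&allowed-values-control-group-property-name;` unless another constraint on the same node extends the list. `method` is re-listed under the control in oscal_catalog_metaschema.xml, but `method-id`, which oscal_assessment-common_metaschema.xml requires on objective parts with `min-occurs="1"`, is not enumerated in any hunk on this page. If nothing outside these hunks covers it, content that satisfies the cardinality rule would fail the name check; an `allowed-values` carrying `<enum value="method-id">` and targeting the objective part's `prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name` would keep the two rules consistent. This assumes that allowed-values constraints matching the same node combine, which should be confirmed against the Metaschema processor.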
11 changes: 8 additions & 3 deletions src/metaschema/oscal_metadata_metaschema.xml
@@ -101,9 +101,14 @@
</remarks>
</is-unique>
<allowed-values id="allowed-metadata-responsibe-party-role-ids" target="responsible-party/@role-id" allow-other="yes">
<enum value="prepared-by">Indicates the organization that created this content.</enum>
<enum value="creator">Indicates the organization that created this content.</enum>
<enum value="prepared-by">Indicates the organization that prepared this content.</enum>
<enum value="prepared-for">Indicates the organization for which this content was created.</enum>
<enum value="content-approver">Indicates the organization responsible for all content represented in the "document".</enum>
<enum value="contact">Indicates the organization to contact for questions or support related to this content.</enum>
</allowed-values>
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="keywords">The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.</enum>
</allowed-values>
<allowed-values target="link/@rel" allow-other="yes">
<enum value="canonical">The link identifies the authoritative location for this file. Defined by <a href="https://tools.ietf.org/html/rfc6596">RFC 6596</a>.</enum>
@@ -511,7 +516,7 @@
<enum value="version">For resources representing a published document, this represents the version number of that document.</enum>
<enum value="published">For resources representing a published document, this represents the publication date of that document.</enum>
</allowed-values>
<matches target="prop[(not(exists(@ns)) or @ns='http://csrc.nist.gov/ns/oscal') and @name='published']/@value" datatype="dateTime"/>
<matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='published']/@value" datatype="dateTime"/>
<!-- CHANGED: Added enumerated choices for the resource type property -->
<allowed-values target="prop[@name='type']/@value" allow-other="yes">
<!-- More general. Applies across all models. -->
@@ -542,7 +547,7 @@
<enum value="report">Indicates the resource is a report.</enum>
<enum value="agreement">Indicates the resource is a formal agreement between two or more parties.</enum>
</allowed-values>
<has-cardinality target="rlink|base64" min-occurs="1"/>
<has-cardinality level="WARNING" target="rlink|base64" min-occurs="1"/>
<is-unique id="unique-resource-rlink-href" target="rlink">
<key-field target="@href"/>
<remarks>
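Review bot: Adding `level="WARNING"` to the `has-cardinality` on `rlink|base64` in the last hunk means a resource that carries neither a link nor embedded content now validates with only a warning, and the commit description does not mention this relaxation. If that is intended, a `<remarks>` child or a comment stating when such a resource is acceptable would let tool authors decide whether to treat the warning as blocking. Separately, the new `keywords` enum in the first hunk spells "comma-seperated"; it should read "comma-separated". The enclosing `define-assembly` for the resource begins outside the hunk.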
@@ -1,2 +1,3 @@
<enum xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" value="label">A human-readable label for the parent context.</enum>
<enum xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" value="label">A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.</enum>
<enum xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" value="sort-id">An alternative identifier, whose value is easily sortable among other such values in the document.</enum>
<enum xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" value="alt-identifier">An alternate or aliased identifier for the parent context.</enum>
