Clarification on NIST OSCAL Team's new policy on non-OSCAL schemas

[aj-stein-gsa]

In #2079 (review), @iMichaela claims that NIST (I presume OSCAL, but more generally, CSD, ITL, or NIST overall) does not accept schemas from entities other than NIST.

NIST does not accept schemas not developed by NIST (see https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema.xsd">)

Where is this policy documented? If so, how will OSCAL work in XML and JSON formats? XML Schema and JSON Schema are dependencies, implicitly or explicitly, to OSCAL in those respective formats. W3C maintains the canonical XML Schema schemas and JSON Schema maintainers (having moved away from IETF specifications that have not advanced) maintain the JSON Schema's schema and extended data types. OSCAL do not really work without those. The same is also true of several variants of Schematron, and your use of the XSpec schemas (written in XML Schema).

https://github.com/usnistgov/OSCAL/blob/v1.1.2/src/metaschema/oscal_metadata_metaschema.xml#L6

https://github.com/usnistgov/OSCAL/blob/v1.1.2/src/specifications/profile-resolution/lib/build-xspec.xsl#L3-L4

The published JSON Schemas (not the source Metaschema) also include the $schema directive that points to the JSON schema not maintained or contributed to by NIST staff, and OSCAL specializes it, with this directive: "$schema" : "http://json-schema.org/draft-07/schema#",.

https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_complete_schema.json

If this change is an intentional one, @iMichaela, I would appreciate it if you and the team document it to discuss how it will impact ongoing FedRAMP development.

[iMichaela]

@aj-stein-gsa - Let's be serious, please. I am assuming you did not read all messages because I cannot accept you did not understand the comment after working on OSCAL project at NIST, and knowing NIST policy.
My comment below (which you are extrapolating here) is very clear and states that we use, for NIST OSCAL schemas, only NIST Metaschema, aka usnistgov/metaschema project, updated when needed, but maintained and published by NIST with contributions from the community (you and your team included), and not the metaschema-framework/metaschema which is not a NIST project.

NIST does not accept schemas not developed by NIST (see [https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema.xsd">](https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema.xsd%22%3E))

[aj-stein-gsa]

@aj-stein-gsa - Let's be serious, please. I am assuming you did not read all messages because I cannot accept you did not understand the comment after working on OSCAL project at NIST, and knowing NIST policy.

I was being quite serious, where is the policy documented? The implication of this policy, documented or not, is that NIST-maintained version of the OSCAL models are not easily usable by FedRAMP in the long term, or at all.

[iMichaela]

The implication of this policy, documented or not, is that NIST-maintained version of the OSCAL models are not easily usable by FedRAMP in the long term, or at all.

Not sure what you are implying here - that FedRAMP is not using NIST OSCAL (with the addition of necessary constraints and extensions)? OSCAL is adopted internationally and NIST team's intention (as directed by NIST management) is to equally support all adopters, without favoring one in ways perceived detrimental of others.

[aj-stein-gsa]

I think I've asked the same question several times that is unanswered: where does OSCAL Team or CSD or ITL or NIST document they should not or must not use schemas or data that are not created by NIST? What is special open the Metaschema Framework community as opposed to W3C or XSpec or Saxonica?

Like all other open source projects we are dependent on schemas and code from other entities so I am not sure how NIST can maintain OSCAL without them.

[aj-stein-gsa]

It would seem that for schemas, like software, I will not get a clear answer on a policy and consistent application of a policy, but what is clear is that the NIST OSCAL Team do not want to review or discuss improvements they can leverage from the metschema-framework community without explanation like in #2087, and that's ok.