-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Catalog constraint relax for CSF Data #1949
Comments
Hi @nkeller08 👋. We will triage this issue and get back to you once it is prioritized, ready for work, and then completed. |
In CSF, all The commit: 76eec06 enforced very 800-53 specific constraints. To preserve the intent of not commit: "Removed allow-other="yes" from prop and part names in the OSCAL namespace to avoid namespace squatting on the official OSCAL namespace. Organizations using their own props will now be forced to use their own namespace, which was the original intention" but support NIST mission, the following values need to be added to the constraints:
|
The other recommendation, at face value, seems sensible. @iMichaela, what this is proposing is having parts that are statements that are not embedded with controls, and are free-form statements within groups this Metapath Is that really what the CSF or other control frameworks expect? I want to make sure I understand. Is this the current CSF 2.x catalog we are referencing now? This is missing from the feature request and it is specific to the data cited in the issue. |
@aj-stein-nist The CSF (v1.1 and v2.0) defines Functions, that have categories and are broken down into subcategories. At each level there are requirements-like statements. This is , to some extend , the situation in ISO 27002 (if I remember correctly). Here is a format (partial) that would reflect the description of the issue above:
Current constraints would only allow for a name='overview' but the stmt is not an overview:
As for the second constraint,
CSF calls those |
@aj-stein-nist - The above proposal is in [1949-imichaela-catalog-part-name 7cf6920]. I will not submit a PR before this discussion concludes favorably. I am looking for consensus and not enforcement. I strongly believe that the current catalog/group/part/@name="overview" as the ONLY allowed value for the name is super restrictive for other NIST CPRT data. Other discussed catalogs (ISO) can use their own |
We started with a restrictive set of values to drive discussion like this with the intention that names will get expanded over time through subsequent OSCAL releases. +1 for adding the allowed value In a control part, a It would be better to create a new part name for this purpose. While I don't support the use of I would have no concern adding any of these terms to control parts or other similar places either, as there may be cases where descriptive text may be used in a control that isn't an |
@aj-stein-nist The catalog you are listing in not the one NIST is creating and plans to make available from the CPRT website. |
@david-waltermire-nist - Thank you for the +1 on 'example'. If this is OK, I can update the proposal and submit the PR. I am looking for reusability to make it easier adoptable.. Thoughts? |
@david-waltermire-nist - BTY - I thought of |
So to better understand this issue and refine it, can we confirm it is the one you sent via email for debugging/troubleshooting pairing we had last week? Is it ok we publish relevant snippets to understand the request and be certain of the proposed changes given feedback from others? Thanks. |
@aj-stein-nist -- Sure, we can post any snipper necessary. There is no secret. The latest draft is a little more polished, that is all. And I already provided snippets above. The
|
On 10/19 Triage Meeting: Remove allowed values or require the use of namespace for their own values. |
@Arminta-Jenkins-NIST - CSF namespace included in core OSCAL like the RMF namespace is not something we should encourage. Without a registry, the information under a new namespace is not useful for a GRC tool. The proposed change in the PR #1952 is useful to other data sets and makes core OSCAL easier to use. If allowing other values is something preferred (as the constraints were written until 10 months ago, then we can do that too. I personally believe the PR #1952 is a much better compromise (not only 800-53 constraints but not open to the entire universe either). Nobody is fast tracking any change! Unless there is a logical explanation and a reasonable justification for push back, the issue and its PR should be included in the sprint, and reviewed by the team and the interested community members as part of the normal track. |
I provided a logical explanation for why adding As a community member, looking at this from a FedRAMP perspective, I don't believe PR #1952 is ready. IMHO, alternative approaches should to be considered. According to @Arminta-Jenkins-NIST it looks like others on the NIST OSCAL team have suggested using a namespace approach. IMHO, this is a great way to experiment with a way forward, without committing to a more permanent change. |
…1949 (#1952) * Two additional allowed values for catalog/group/part/@name and catalog/group/control/part/@name * aligned the description of group/part@name='statement' and control/part@name='statement' * Fixed typo in the oscal_ssp_metaschema and updated controversial constraint for group/part in oscal_catalog_metaschema * Update src/metaschema/oscal_catalog_metaschema.xml Fixed grammar. Co-authored-by: Chris Compton <[email protected]> --------- Co-authored-by: Iorga <[email protected]> Co-authored-by: Chris Compton <[email protected]>
…1949 (#1952) * Two additional allowed values for catalog/group/part/@name and catalog/group/control/part/@name * aligned the description of group/part@name='statement' and control/part@name='statement' * Fixed typo in the oscal_ssp_metaschema and updated controversial constraint for group/part in oscal_catalog_metaschema * Update src/metaschema/oscal_catalog_metaschema.xml Fixed grammar. Co-authored-by: Chris Compton <[email protected]> --------- Co-authored-by: Iorga <[email protected]> Co-authored-by: Chris Compton <[email protected]>
Completed |
User Story
Request for Metaschema constrains for catalog/group/part/@name to accept "statement".
Request for Metaschema constrains for catalog/group/control/part/@name to accept "example".
Goals
Implement both requests so that 100% validation can be achieved for CSF 2.0 in OSCAL.
Dependencies
NONE
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response
The text was updated successfully, but these errors were encountered: