@class Under-Defined in OSCAL Specification
#2009
Comments
|
I would argue that there is similarity between As for the use of If the point is profile resolution, guidance and documentation is needed to clarify that class values should be assigned with this use case in mind, or a different mechanism for clarifying upstream catalog sources should be defined and documented. (In this case, the use of @Class is still ambiguous if both r4 and r5 catalogs are inadvertently included in a more complex profile resolution scenario. |
|
@brian-comply0 - NIST 800-53 catalog is most likely not reflecting OSCAL best catalog representation practices based on your descriptions above, but we need to also admit that 800-53 + 53A is far from being a simple data set or easy to represent. In addition, 800-53 evolved and NIST team did their best of capturing the original data. With CPRT as original data format, I hope we can do better when it will come to representing v6.0. Please note thoughl that an initial attempt of eliminating some of the prop@name="label" caused big commotions among our community members because tools are using them.
In 800-53 a group is called "family" , in CSF a group is a 'function' , in other catalogs, a group is 'chapter'
I am assuming you are referring to the I am aware of other data sets (catalogs) that are using Please let me know if you would like to meet and chat more around this topic. I am always open for improvements. I also agree that some guidance could be useful. But being very prescriptive will prevent others from being innovative with their data set representation. |
|
The flip side of But I'm afraid that enforcing more rigor upstream isn't really possible or wanted until we can be more specific about what such rigor entails or how to enforce it. (And this applies not only to The alternative isn't always pretty, but it works - analysis, surfacing regularities, expressing constraints, and data normalization as appropriate. Like @iMichaela, I feel there is more to discuss here, but the discussion takes the form as so often of looking at specific examples and considering options and tradeoffs, before generalizing. |
|
Thank you @iMichaela and @wendellpiez for your responses. It sounds like both of you are suggesting that the use of The problem here is that the NIST OSCAL Team is trying to represent content owned by the NIST RMF Team, thus it becomes unclear as to what should be addressed as part of the OSCAL spec and what should be addressed by the NIST RMF Team. (The OSCAL team is acting as an agent of the RMF team when making decisions about the representation of 800-53 content in OSCAL.) At a minimum, I recommend:
As a best practice recommendation, content owners should have a single mechanism for packaging up both human-readable and machine-readable guidance on:
|
|
@brian-comply0 - All your points are valid.
I personally think that the two hats (OSCAL maintainers, OSCAL catalog(s) author) NIST is wearing need to be have a better delineation, especially that NIST intends to represent other frameworks in OSCAL (we have and will make available soon the CSF v2.0). Personally I think that some guidance is needed, and the point I was making is that we still have work to do on identifying what needs to be part of OSCAL guidance and what should be left open. So, yes, I agree with you, an OSCAL registry as I see it, (similar to FHIR) will have to allow documentation of more than the 'ns' and the elements including them. To get it right, we need input like yours from the community members, and contributions (ideas, proposed solutions). |
|
The problem as @brian-comply0 describes it is likely to grow worse, not better, over time. But it is not a problem that will ever be 'solved' either. FWIW I always assume that content and hence its quality are always the responsibility of the data owners and publishers on their behalf -- I feel publishers of content may defer to 'standards' but even this doesn't let them off the hook if data is bad or broken, however nominally conformant. Similarly with documenting your usage ('dialect' or local form) of a standard language. One application of a constraint layer is indeed to capture these 'emergent regularities'. If you have a rule that says that each control must have exactly one X and that X must follow rules X1 X2 X3, that all serves as documentation of X. @brian-comply0 if you are interested in writing a set of Metaschema constraints that would validate regularities within any of the published docs or doc sets, let me know - this would be interesting to think about and is an obvious early application of standoff constraint definitions. |
Describe the bug
The use of
@classis under-defined in the OSCAL syntax leading to inconsistent or ambiguous usage in actual content.When analyzing the current uses cases of
@classin NIST content examples, it appears this is serving a similar function to@ns, but with different syntax and a lack of consistency among values.For example, when developing tools to handle the
@name='label'property as used in NIST SP 800-53r5 catalog, there is nothing in the specification that helps me understand how to interpret class, or when to display which label.Who is the bug affecting
Tool developers attempting to consistently process OSCAL content.
What is affected by this bug
Documentation
How do we replicate this issue
@class, such as groups, controls, and label properties in NIST SP 800-53r5.Expected behavior (i.e. solution)
Tool developers should clearly understand the use of the
@classattribute and its use should be consistent with the content.Other comments
Some of this is related to the authoring of 800-53 itself and may be better suited to an issue in the oscal-content repo; however, the ambiguous use of @Class in that content highlights a lack of clear OSCAL guidance on the topic.
Revisions
No response
The text was updated successfully, but these errors were encountered: