Examples of actions in SSP metadata for #130.

.github/workflows/content-artifacts.yml

@@ -96,6 +96,18 @@ jobs:
       - name: Auto-convert Content
         run:
           bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content" --resolve-profiles
+      - name: Zip Artifacts for Upload
+        if: always()
+        run: |
+          zip ${{ runner.temp }}/generated-content.zip -r .
+        working-directory: ${{ github.workspace }}
+      - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
+        if: always()
+        with:
+          name: generated-content
+          path: |
+            ${{ runner.temp }}/generated-content.zip
+          retention-days: 5
       - name: Publish Artifacts
         # only do this on main
         if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main'

src/config

@@ -1,7 +1,20 @@
 # path to source|format of source|model of source|format(s) to convert to
 src/examples/catalog/xml/*.xml|xml|catalog|json
 src/examples/ssp/xml/*.xml|xml|ssp|json
-src/examples/ssp/json/ssp-example.json|json|ssp|xml
+src/examples/ssp/xml/actions/*.xml|xml|ssp|json
+# TODO: Review this error, cause unclear need to do RCA before merge.
+# /home/runner/work/oscal-content/oscal-content/git-content/src/examples/ssp/json/ssp-example.json invalid
+# [ 
+#   {
+#     instancePath: '/system-security-plan/system-characteristics/props/0/name',
+#     schemaPath: '#/properties/name/allOf/1/enum',
+#     keyword: 'enum',
+#     params: { allowedValues: [Array] },
+#     message: 'must be equal to one of the allowed values'
+#   }
+# ]
+# https://github.com/usnistgov/oscal-content/actions/runs/3191841714/jobs/5208629060
+# src/examples/ssp/json/ssp-example.json|json|ssp|xml
 src/examples/component-definition/json/example-component.json|json|component|xml
 src/examples/component-definition/xml/*.xml|xml|component|json
 src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json

src/examples/ssp/xml/actions/example-approval-ssp.xml

@@ -0,0 +1,161 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../../../oscal/xml/schema/oscal_complete_schema.xsd" uuid="182506ca-572f-47dd-9fe7-0d7e84c9f56a">
+    <metadata>
+        <title>Example System SSP with Actions</title>
+        <last-modified>2022-09-02T00:00:00.000000001-04:00</last-modified>
+        <version>0.0.4</version>
+        <oscal-version>1.1.0</oscal-version>
+        <revisions>
+            <revision>
+                <last-modified>2022-08-30T00:00:00.000000001-04:00</last-modified>
+                <version>0.0.1</version>
+                <oscal-version>1.1.0</oscal-version>
+                <remarks>
+                    <p>Submitted to ISSM before approval by system owner.</p>
+                </remarks>
+            </revision>
+            <revision>
+                <last-modified>2022-09-02T00:00:00.000000001-04:00</last-modified>
+                <version>0.0.2</version>
+                <oscal-version>1.1.0</oscal-version>
+                <remarks>
+                    <p>The legal officer for the Security &amp; Compliance Office has requested changes.</p>
+                </remarks>
+            </revision>
+            <revision>
+                <last-modified>2022-09-04T00:00:00.000000001-04:00</last-modified>
+                <version>0.0.3</version>
+                <oscal-version>1.1.0</oscal-version>
+                <remarks>
+                    <p>ISSM resubmitted with changes per the lawyer's request.</p>
+                </remarks>
+            </revision>
+            <revision>
+                <last-modified>2022-09-06T00:00:00.000000001-04:00</last-modified>
+                <version>0.0.4</version>
+                <oscal-version>1.1.0</oscal-version>
+                <remarks>
+                    <p>The legal officer for the Security &amp; Compliance Office approves this draft of the document.</p>
+                </remarks>
+            </revision>
+        </revisions>
+        <role id="legal-officer">
+            <title>BigCorp IT Security and Compliance Division Legal Officer</title>
+            <short-name>Legal</short-name>
+        </role>
+        <role id="issm">
+            <title>BigCourp Information System Security Manager</title>
+            <short-name>ISSM</short-name>
+        </role>
+        <party uuid="166befca-8f70-4170-8848-2af978990772" type="organization">
+            <name>BigCorp Office of Information Technology Security and Compliance Division Legal Office</name>
+            <short-name>BigCorp ITSECLAW</short-name>
+            <link href="https://example.com" rel="homepage" />
+            <email-address>[email protected]</email-address>
+            <address type="work">
+                <addr-line>100 Main Street NW</addr-line>
+                <city>Washington</city>
+                <state>DC</state>
+                <postal-code>20000</postal-code>
+                <country>US</country>
+            </address>
+        </party>
+        <action uuid="bc90bc6b-8d06-4422-8bbb-63fd525f62f6" date="2022-08-23T00:00:00.000000001-04:00" type="approval" system="http://csrc.nist.gov/ns/oscal">
+            <responsible-party role-id="legal-officer">
+                <party-uuid>166befca-8f70-4170-8848-2af978990772</party-uuid>
+            </responsible-party>
+            <remarks>
+                <p>The Legal Office's staff reviewed this version of the SSP and its recent amendments. We approve disseminating this to the relevant customers outside of BigCorp.</p>
+            </remarks>
+        </action>
+    </metadata>
+    <import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f" />
+    <system-characteristics>
+        <system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id>
+        <system-name>Example System</system-name>
+        <description>
+            <p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p>
+        </description>
+        <date-authorized>2022-08-23</date-authorized>
+        <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
+        <system-information>
+            <information-type>
+                <title>Summary of System Development Information in Example System</title>
+                <description>
+                    <p>This application contains system development data.</p>
+                </description>
+                <confidentiality-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </confidentiality-impact>
+                <integrity-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </integrity-impact>
+                <availability-impact>
+                    <base>fips-199-low</base>
+                    <selected>fips-199-low</selected>
+                </availability-impact>
+            </information-type>
+        </system-information>
+        <security-impact-level>
+            <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
+            <security-objective-integrity>fips-199-moderate</security-objective-integrity>
+            <security-objective-availability>fips-199-moderate</security-objective-availability>
+        </security-impact-level>
+        <status state="under-development" />
+        <authorization-boundary>
+            <description>
+                <p>There is no authorization boundary for the application.</p>
+            </description>
+            <remarks>
+                <p>This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.</p>
+            </remarks>
+        </authorization-boundary>
+    </system-characteristics>
+    <system-implementation>
+        <user uuid="3260c490-ad55-4c99-a3d4-09a6b6f6fb17">
+            <authorized-privilege>
+                <title>System Developer Privilege</title>
+                <function-performed>add functionality</function-performed>
+                <function-performed>modify functionality</function-performed>
+                <function-performed>maintain deploy system in environment</function-performed>
+            </authorized-privilege>
+        </user>
+        <component uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" type="this-system">
+            <title>The Example System Core Component</title>
+            <description>
+                <p>Example System, like other BigCorp information systems, uses security controls from a variety of frameworks, but is especially focused on NIST SP 800-53 controls.</p>
+            </description>
+            <status state="under-development" />
+            <remarks>
+                <p>This is an example system with notional examples, the system and this document will never be complete, regardless of the intention implicated by <code>action</code> examples.</p>
+            </remarks>
+        </component>
+    </system-implementation>
+    <control-implementation>
+        <description>
+            <p></p>
+        </description>
+        <implemented-requirement uuid="e7d0fd18-0bc6-4583-9eb2-66e77956a96d" control-id="at-1">
+            <responsible-role role-id="issm"/>
+            <by-component component-uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" uuid="e188a871-6d0e-47c0-a5a8-9939114979d6">
+                <description>
+                    <p>The ISSM ensures staff developing and operating this system handle security awareness and training pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Security Awareness and Training Policy. What is done by system staff in this description is much clearer and better than before.</p>
+                </description>
+            </by-component>
+        </implemented-requirement>
+        <implemented-requirement uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" control-id="ra-1">
+            <by-component component-uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" uuid="d1f3ad99-670f-4db9-a849-b24a6e4bac69">
+                <description>
+                    <p>The ISSM ensures staff developing and operating this system handle vulnerability management pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Vulnerability Management Program Policy and Threat Intelligence Program Policy. What is done by system staff in this description is much clearer and better than before.</p>
+                </description>
+            </by-component>
+        </implemented-requirement>
+    </control-implementation>
+    <back-matter>
+        <resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f">
+            <rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml" />
+        </resource>
+    </back-matter>
+</system-security-plan>