From 7c203f2136ba8daa0412dbf9a06cdb919449829e Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Wed, 7 Sep 2022 13:46:07 -0400 Subject: [PATCH] Examples of actions in SSP metadata for usnistgov/oscal-content#130. --- .github/workflows/content-artifacts.yml | 12 ++ oscal | 2 +- src/config | 15 +- src/examples/ssp/xml/actions/README.md | Bin 0 -> 7656 bytes .../ssp/xml/actions/example-approval-ssp.xml | 161 ++++++++++++++++++ .../actions/example-request-changes-ssp.xml | 150 ++++++++++++++++ 6 files changed, 338 insertions(+), 2 deletions(-) create mode 100644 src/examples/ssp/xml/actions/README.md create mode 100644 src/examples/ssp/xml/actions/example-approval-ssp.xml create mode 100644 src/examples/ssp/xml/actions/example-request-changes-ssp.xml diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index c8b862fb..ca46d3a9 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -96,6 +96,18 @@ jobs: - name: Auto-convert Content run: bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content" --resolve-profiles + - name: Zip Artifacts for Upload + if: always() + run: | + zip ${{ runner.temp }}/generated-content.zip -r . + working-directory: ${{ github.workspace }} + - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 + if: always() + with: + name: generated-content + path: | + ${{ runner.temp }}/generated-content.zip + retention-days: 5 - name: Publish Artifacts # only do this on main if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' diff --git a/oscal b/oscal index 9365874b..9ce23971 160000 --- a/oscal +++ b/oscal 
@@ -1 +1 @@ -Subproject commit 9365874bfccfa385beaea64a2333b9913cdb0beb +Subproject commit 9ce2397179b3a2100f98b960af3134d0b77ec322 diff --git a/src/config b/src/config index 56bc6ab4..d61fa3e2 100644 --- a/src/config +++ b/src/config @@ -1,7 +1,20 @@ # path to source|format of source|model of source|format(s) to convert to src/examples/catalog/xml/*.xml|xml|catalog|json src/examples/ssp/xml/*.xml|xml|ssp|json -src/examples/ssp/json/ssp-example.json|json|ssp|xml +src/examples/ssp/xml/actions/*.xml|xml|ssp|json +# TODO: Review this error, cause unclear need to do RCA before merge. +# /home/runner/work/oscal-content/oscal-content/git-content/src/examples/ssp/json/ssp-example.json invalid +# [ +# { +# instancePath: '/system-security-plan/system-characteristics/props/0/name', +# schemaPath: '#/properties/name/allOf/1/enum', +# keyword: 'enum', +# params: { allowedValues: [Array] }, +# message: 'must be equal to one of the allowed values' +# } +# ] +# https://github.com/usnistgov/oscal-content/actions/runs/3191841714/jobs/5208629060 +# src/examples/ssp/json/ssp-example.json|json|ssp|xml src/examples/component-definition/json/example-component.json|json|component|xml src/examples/component-definition/xml/*.xml|xml|component|json src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json 
diff --git a/src/examples/ssp/xml/actions/README.md b/src/examples/ssp/xml/actions/README.md new file mode 100644 index 0000000000000000000000000000000000000000..e142ed65f8ee4147aee863016eb4509e4319ffa4 GIT binary patch literal 7656 zcmd6s>u*~{5XJX1690qMerPM=gx9Bthx$NjAtgv@1yzNVmy-tU*w{`|K>X{#`R(y! z_ugycv>;SjPVQrOcIM2?nc4MUf8I{L^i_JD4$>%1(l8Blzo*Z4X{M{^`g@kn)2XiS zr=v92-B|at^nQ9Te{Uxwe4k!P!dzDeX_{rs^<dqBH1?IQjy2;*PZ@un-(kTl&q3ZG zZEDo6o?$ENP4d+^o#?*1%30R*K;v1lV6c(zm(3Vt9LxGxX>)J&H92gBw(=5k!@VsqXtvzoK($86op0ogUJj*&r!Y=-EKgk;5 z`$5LyM9;^1zj_8UPqX%C={Nl^abxUDBpBUu$-|42yy8sOOtso1&%4YzfK>SU>Kf0k zS9+Q^%N~9x+@@I`Q81K+cq}4rq;co^j-=f%zah#_ba$b9bh*rLF0O4hDl@%zoGn{B zJhz|M{Y7IzY@Ygg4l_>klYPnO4!`f~YLYD-K(BK2|^h!t#_2~&AXBSUr(wfLS)6=u84PzpbEOV?; zXw}5K=zy<+OI~CT7rT&Zj7lu>q%YhCIXcL9o}kq<`!XU8n@hytW3&(NGoSd!DlCbd z>0*U+)|lsUFVhd{X=boC%aj=ZG2K;s&h?pS&UV_;hYYgkHzkh@hy34q%r-B1eU$lv)lUC`F<~3Nld&^Q zm#p|nsK7w$>?rZ#+Vfbmt`@fR6n(Hn;mjHXJbfs9;Mjpac=o28M+Oi*j)#b&nJ|Xu zyGWM0M{V?4_9*oXDb&=qc1`KsT0}0D3e=3-5=C8Y$aM5KJ5qnCQ4{42Y)4*DSuQnZ zkg-G$Vr$yb@NMxU{>e92V*EoMm?2r2wdghQN6E;*xgDpQ()PZ-QJI1#%af>8!CW8^ zJ`5f(M;6@H*JPx?MR@QeGuw`Z|`(V8*C-!TfYoum*b7@wciLm}_Bac!@eqpK-6!sg6+k zJS2^jd9Dpn_spqqe@`DX31o~GI%Ah}&@3K*kECJg0O7KPSSMdB31Km{wYn`&tG2v%4(5^sZuYr44)-0&yZ zP+=!IyPMu^>U9&O;nxx?(Z^eA8`thGtoCc2ndU9333*R1PTxMt7J)%qGO-TRGPaF$ zJ6gyIBAjjoFBu*7FL*0B3T<2;7>hTMT&SlUB%&&WJ>2Q~8`cUdpTT6Epy z2Dx;az0>tTa7*ct$TIg)WCFA4RHHgj&AcAAO@t9F#Ryx(-V6rgt&t!`$^UNrf&8;v zS-aV7e!kGmu$g#&C4FFphL$N|LDL@L@z5cC*ioy;irnVG)Rg zZR~!)1|8{+LA_|#^e{U$b^^o`w$RBsVn$gLSUJuUBF|S<_nYTciL07v>pjH2_EY-{ zMj)2Ygb7TH58Z7z8XoCQ;oqnXRGH{094Fin>+l}uB2RVYvy1ZWd!*~ons~9kwdByfpT5xN1MOgn#BE7&lNV_1b;) z9UxLa1COpg?vl`k{DiX(CHY9*!?LwGPuWhNY0Om8Jr@nzJwMsy^QX_#t?Yr-X9l+x z^0p+g^oSvKIYyzu>ha;T=pIYA)y2xO6TSqe7eZo|Pfwid!IdG^yNOkZ!F%qAnx3sA zxAshUtJa|FsW*w7kC%F{u0Tc*%dI1kct_Y%4lgjYvtGd^xIBO-8lTnA38_;5FUll$L?@)A{a8N)`@!fZt!G8Sd%562m$Z+IQ!!qp_?D0%%_~tfFMy7xN%oo>$qy>#ybDjdi^`@ z{50#<>@iDbcGB)7PqT2GR5eo^!_@tY8+X_X@Q}blvXW(4junK~mVj?;m7T 
z>CM-7gUBnrg(IiUUy;jg`J7?Z-t+9c+4iD?z2V=WLK2mfvk2amJ!0YHHahKdzI&O4 zpJjXLyznx6e)I|6!Ryp1a%mZA{%tGpCvxig?mY?qFTE{y?R|0k^dfwL-|2m*z-Z81 wt(+D5_mMb*!<$4-K`;8ZsJYR_d#}MR#!viPi`NPa>b;OLpzHO?mQTz71}D@$od5s; literal 0 HcmV?d00001 diff --git a/src/examples/ssp/xml/actions/example-approval-ssp.xml b/src/examples/ssp/xml/actions/example-approval-ssp.xml new file mode 100644 index 00000000..ab04b898 --- /dev/null +++ b/src/examples/ssp/xml/actions/example-approval-ssp.xml @@ -0,0 +1,161 @@ + + + + Example System SSP with Actions + 2022-09-02T00:00:00.000000001-04:00 + 0.0.4 + 1.1.0 + + + 2022-08-30T00:00:00.000000001-04:00 + 0.0.1 + 1.1.0 + +

Submitted to ISSM before approval by system owner.

+
+
+ + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + +

The legal officer for the Security & Compliance Office has requested changes.

+
+
+ + 2022-09-04T00:00:00.000000001-04:00 + 0.0.3 + 1.1.0 + +

ISSM resubmitted with changes per the lawyer's request.

+
+
+ + 2022-09-06T00:00:00.000000001-04:00 + 0.0.4 + 1.1.0 + +

The legal officer for the Security & Compliance Office approves this draft of the document.

+
+
+
+ + BigCorp IT Security and Compliance Division Legal Officer + Legal + + + BigCourp Information System Security Manager + ISSM + + + BigCorp Office of Information Technology Security and Compliance Division Legal Office + BigCorp ITSECLAW + + legal@example.com +
+ 100 Main Street NW + Washington + DC + 20000 + US +
+
+ + + 166befca-8f70-4170-8848-2af978990772 + + +

The Legal Office's staff reviewed this version of the SSP and its recent amendments. We approve disseminating this to the relevant customers outside of BigCorp.

+
+
+
+ + + 103e77a8-ab96-4767-9625-19940fefde5f + Example System + +

This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.

+
+ 2022-08-23 + fips-199-moderate + + + Summary of System Development Information in Example System + +

This application contains system development data.

+
+ + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + +
+
+ + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

There is no authorization boundary for the application.

+
+ +

This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.

+
+
+
+ + + + System Developer Privilege + add functionality + modify functionality + maintain deploy system in environment + + + + The Example System Core Component + +

Example System, like other BigCorp information systems, uses security controls from a variety of frameworks, but is especially focused on NIST SP 800-53 controls.

+
+ + +

This is an example system with notional examples, the system and this document will never be complete, regardless of the intention implicated by action examples.

+
+
+
+ + +

+
+ + + + +

The ISSM ensures staff developing and operating this system handle security awareness and training pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Security Awareness and Training Policy. What is done by system staff in this description is much clearer and better than before.

+
+
+
+ + + +

The ISSM ensures staff developing and operating this system handle vulnerability management pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Vulnerability Management Program Policy and Threat Intelligence Program Policy. What is done by system staff in this description is much clearer and better than before.

+
+
+
+
+ + + + + +
\ No newline at end of file diff --git a/src/examples/ssp/xml/actions/example-request-changes-ssp.xml b/src/examples/ssp/xml/actions/example-request-changes-ssp.xml new file mode 100644 index 00000000..64a00933 --- /dev/null +++ b/src/examples/ssp/xml/actions/example-request-changes-ssp.xml @@ -0,0 +1,150 @@ + + + + Example System SSP with Actions + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + + + 2022-08-30T00:00:00.000000001-04:00 + 0.0.1 + 1.1.0 + +

Submitted to ISSM before approval by system owner.

+
+
+ + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + +

The legal officer for the Security & Compliance Office has requested changes.

+
+
+
+ + BigCorp IT Security and Compliance Division Legal Officer + Legal + + + BigCorp Information System Security Manager + ISSM + + + BigCorp Office of Information Technology Security and Compliance Division Legal Office + BigCorp ITSECLAW + + legal@example.com +
+ 100 Main Street NW + Washington + DC + 20000 + US +
+
+ + + + 166befca-8f70-4170-8848-2af978990772 + + +

The legal department wants several changes made to this system security plan. Relevant security controls do not reference organization or division policies, and the narratives are in some cases are ambiguous. Please review each item of feedback below, update the relevant section, and re-submit to the department for further review.

+
    +
  • The narrative for implemented requirements of control AT-1 does not accurately cite or reference BigCorp's 2022 Security Awareness Training Policy. Please add references and clarify how this system and relevant staff apply it in their own standard operating procedures.
  • +
  • The narrative for implemented requirements of control RA-1 does not accurately cite or reference BigCorp's 2022 Security Awareness Training Policy. Please add references and clarify how this system and relevant staff apply it in their own standard operating procedures.
  • +
+
+
+
+ + + 103e77a8-ab96-4767-9625-19940fefde5f + Example System + +

This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.

+
+ 2022-08-23 + fips-199-moderate + + + Summary of System Development Information in Example System + +

This application contains system development data.

+
+ + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + +
+
+ + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

There is no authorization boundary for the application.

+
+ +

This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.

+
+
+
+ + + + System Developer Privilege + add functionality + modify functionality + maintain deploy system in environment + + + + The Example System Core Component + +

+
+ + +

This is an example system with notional examples, the system and this document will never be complete, regardless of the intention implicated by action examples.

+
+
+
+ + +

Example System, like other BigCorp information systems, uses security controls from a variety of frameworks. Example System is especially focused on NIST SP 800-53 controls.

+
+ + + + +

The ISSM ensures staff developing and operating this system handle security awareness and training pretty well.

+
+
+
+ + + +

The ISSM ensures staff developing and operating this system handle vulnerability management pretty well. The ISSM even tells them to use threat intelligence from the BigCorp SOC to prioritize mitigations and fixes of vulnerabilities!

+
+
+
+
+ + + + + +
\ No newline at end of file
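Review bot: in the `.github/workflows/content-artifacts.yml` hunk, the new `Zip Artifacts for Upload` step runs `zip ${{ runner.temp }}/generated-content.zip -r .` from `${{ github.workspace }}` with no exclusions, so the archive will carry the `git-content` checkout's `.git` directory and the `oscal` submodule's history alongside the generated content, and since both the zip step and the upload run under `if: always()` that archive is published as a downloadable run artifact on every run, failed ones included. Suggest excluding repository metadata, e.g. `zip ${{ runner.temp }}/generated-content.zip -r . -x '*/.git/*' '.git/*'`, and adding a comment saying the `always()` upload exists so failed conversions can be debugged from the artifact. Also, `actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8` is pinned by commit with no trailing `# vX.Y.Z` comment naming the tag it was taken from; add that comment so the pin can be audited and bumped.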
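Review bot: the `oscal` submodule hunk moves the pointer from 9365874b to 9ce23971, but the commit message only mentions the action examples and never says why the submodule has to move. The new SSPs declare `1.1.0` as their OSCAL version, so if this bump is what brings in schema support for actions in SSP metadata, say so in the commit message, and if it is also what makes `ssp-example.json` fail validation in the `src/config` hunk, say that too, so the submodule update is traceable and can be reviewed against the upstream OSCAL change instead of being an unexplained pointer move.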
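Review bot: in the `src/config` hunk, the entry `src/examples/ssp/json/ssp-example.json|json|ssp|xml` is commented out under a `TODO` that says RCA is needed before merge; as written this silently drops validation and conversion of the existing JSON SSP example, so the patch should not merge while that line is disabled. The pasted validator output already points at the cause: `instancePath: '/system-security-plan/system-characteristics/props/0/name'` fails an `enum` check, i.e. the name of the first `prop` in that example is no longer among the values allowed by the schema now pinned by the `oscal` submodule. Fix that prop name in `ssp-example.json` (or get the value allowed upstream) and restore the line, rather than carrying a twelve-line pasted error log in the config file; the run URL alone is enough to find the log again.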
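Review bot: `src/examples/ssp/xml/actions/README.md` arrives as a `GIT binary patch` (`literal 7656`), so the README meant to explain the two action examples cannot be reviewed in the diff at all. Git treats a text file as binary when it contains NUL bytes, which for a Markdown file usually means it was saved as UTF-16 (often with a BOM); re-save it as UTF-8 with LF line endings and re-push so the diff shows the actual Markdown.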
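Review bot: in the `example-approval-ssp.xml` hunk the document-level last-modified timestamp is `2022-09-02T00:00:00.000000001-04:00` while the document version is `0.0.4` and the `0.0.4` revision entry carrying the legal approval is dated `2022-09-06T00:00:00.000000001-04:00`, so last-modified predates the revision the document claims to be at; it should be the 2022-09-06 timestamp (in `example-request-changes-ssp.xml` the last-modified and the `0.0.2` revision do agree). Text fixes in the same hunk: `BigCourp Information System Security Manager` should read `BigCorp ...` (the request-changes file spells it correctly), `permenantely` should be `permanently`, and the authorized-privilege function `maintain deploy system in environment` reads as if a word is missing (`maintain and deploy ...`?). The file also ends without a trailing newline (`\ No newline at end of file`).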
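Review bot: in the `example-request-changes-ssp.xml` hunk the second feedback bullet is a copy of the first: it says control `RA-1` "does not accurately cite or reference BigCorp's 2022 Security Awareness Training Policy", which is the AT-1 complaint. The RA-1 item should name the policies the approval example's RA-1 narrative later cites (`Vulnerability Management Program Policy and Threat Intelligence Program Policy`); otherwise the request-changes and approval examples do not tell a consistent story about what was asked for and what was fixed. Same hunk: `the narratives are in some cases are ambiguous` has a doubled `are`, `permenantely` should be `permanently`, and this file also lacks a trailing newline.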