From e11b651f7b0b3656812fe1d57a19c6758d261651 Mon Sep 17 00:00:00 2001 
From: OSCAL GitHub Actions Bot Date: Wed, 2 Nov 2022 14:27:25 +0000 Subject: [PATCH 1/8] Publishing auto-converted artifacts --- ...00-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json | 4 ++-- ...SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json | 4 ++-- ...800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json | 4 ++-- ..._SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json | 4 ++-- ...3_rev4_MODERATE-baseline-resolved-profile_catalog-min.json | 4 ++-- ...00-53_rev4_MODERATE-baseline-resolved-profile_catalog.json | 4 ++-- ..._SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml | 4 ++-- ...T_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.xml | 4 ++-- ...800-53_rev4_MODERATE-baseline-resolved-profile_catalog.xml | 4 ++-- ...SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.yaml | 4 ++-- ..._SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.yaml | 4 ++-- ...00-53_rev4_MODERATE-baseline-resolved-profile_catalog.yaml | 4 ++-- ...00-53_rev5_HIGH-baseline-resolved-profile_catalog-min.json | 4 ++-- ...SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.json | 4 ++-- ...800-53_rev5_LOW-baseline-resolved-profile_catalog-min.json | 4 ++-- ..._SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.json | 4 ++-- ...3_rev5_MODERATE-baseline-resolved-profile_catalog-min.json | 4 ++-- ...00-53_rev5_MODERATE-baseline-resolved-profile_catalog.json | 4 ++-- ...53_rev5_PRIVACY-baseline-resolved-profile_catalog-min.json | 4 ++-- ...800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.json | 4 ++-- ...3_rev5-FPD_HIGH-baseline-resolved-profile_catalog-min.json | 4 ++-- ...00-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.json | 4 ++-- ...53_rev5-FPD_LOW-baseline-resolved-profile_catalog-min.json | 4 ++-- ...800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json | 4 ++-- ...v5-FPD_MODERATE-baseline-resolved-profile_catalog-min.json | 4 ++-- ...3_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.json | 4 ++-- 
...ev5-FPD_PRIVACY-baseline-resolved-profile_catalog-min.json | 4 ++-- ...53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.json | 4 ++-- ..._SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml | 4 ++-- ...T_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml | 4 ++-- ...800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml | 4 ++-- ...-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.xml | 4 ++-- ...800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.xml | 4 ++-- ...-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.xml | 4 ++-- ...53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.xml | 4 ++-- ...-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.xml | 4 ++-- ...SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.yaml | 4 ++-- ..._SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml | 4 ++-- ...00-53_rev5_MODERATE-baseline-resolved-profile_catalog.yaml | 4 ++-- ...800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.yaml | 4 ++-- ...00-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.yaml | 4 ++-- ...800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.yaml | 4 ++-- ...3_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.yaml | 4 ++-- ...53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.yaml | 4 ++-- 44 files changed, 88 insertions(+), 88 deletions(-) diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json index 0b07b964..df8c819e 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json 
@@ -1,9 +1,9 @@ { "catalog": { - "uuid": "0e91e70c-7b0d-46b3-aa43-479df3a22650", + "uuid": "3111d896-1fbf-4c87-b2a3-f70f4ccf377c", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE", - "last-modified": "2022-11-01T18:51:24.98215Z", + "last-modified": "2022-11-02T14:19:18.841682Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json index cf519b1c..1f74802d 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json @@ -1,9 +1,9 @@ { "catalog": { - "uuid": "0e91e70c-7b0d-46b3-aa43-479df3a22650", + "uuid": "3111d896-1fbf-4c87-b2a3-f70f4ccf377c", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE", - "last-modified": "2022-11-01T18:51:24.98215Z", + "last-modified": "2022-11-02T14:19:18.841682Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json index 523cf74f..4d76a031 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json 
@@ -1,9 +1,9 @@ { "catalog": { - "uuid": "7ec32ea5-3a64-4431-bea4-5daa7a1773c9", + "uuid": "3a882c05-0540-4399-a444-9f43539ec4c8", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE", - "last-modified": "2022-11-01T18:51:55.109112Z", + "last-modified": "2022-11-02T14:19:48.635974Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json index 850c8047..1d5c92ac 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json @@ -1,9 +1,9 @@ { "catalog": { - "uuid": "7ec32ea5-3a64-4431-bea4-5daa7a1773c9", + "uuid": "3a882c05-0540-4399-a444-9f43539ec4c8", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE", - "last-modified": "2022-11-01T18:51:55.109112Z", + "last-modified": "2022-11-02T14:19:48.635974Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json index 7b9abbef..19784d19 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json 
@@ -1,9 +1,9 @@ { "catalog": { - "uuid": "87737520-d804-4f12-8a69-61a55d812bfe", + "uuid": "dfee50fa-3c3e-465f-b9bf-8a6a4800c36b", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE", - "last-modified": "2022-11-01T18:52:15.506089Z", + "last-modified": "2022-11-02T14:20:09.269653Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json index 8e611219..2269d0c6 100644 --- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json +++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json @@ -1,9 +1,9 @@ { "catalog": { - "uuid": "87737520-d804-4f12-8a69-61a55d812bfe", + "uuid": "dfee50fa-3c3e-465f-b9bf-8a6a4800c36b", "metadata": { "title": "NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE", - "last-modified": "2022-11-01T18:52:15.506089Z", + "last-modified": "2022-11-02T14:20:09.269653Z", "version": "2015-01-22", "oscal-version": "1.0.0", "links": [ diff --git a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml index 7b12fc53..13c19266 100644 --- a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml +++ b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml 
@@ -1,9 +1,9 @@ + uuid="3111d896-1fbf-4c87-b2a3-f70f4ccf377c"> NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE - 2022-11-01T18:51:24.98215Z + 2022-11-02T14:19:18.841682Z 2015-01-22 1.0.0 + uuid="3a882c05-0540-4399-a444-9f43539ec4c8"> NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE - 2022-11-01T18:51:55.109112Z + 2022-11-02T14:19:48.635974Z 2015-01-22 1.0.0 + uuid="dfee50fa-3c3e-465f-b9bf-8a6a4800c36b"> NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE - 2022-11-01T18:52:15.506089Z + 2022-11-02T14:20:09.269653Z 2015-01-22 1.0.0 + uuid="2486041e-ea2a-48ad-ab1b-218f74aaeceb"> NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE - 2022-11-01T18:53:50.935794Z + 2022-11-02T14:21:44.749362Z Final 1.0.0 + uuid="49f4f754-914b-44b5-ab53-5ce3bec68ab7"> NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE - 2022-11-01T18:54:28.661191Z + 2022-11-02T14:22:21.654826Z Final 1.0.0 + uuid="df8bbd66-892f-4fe5-ad31-ad43e7eaf43a"> NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE - 2022-11-01T18:54:54.205193Z + 2022-11-02T14:22:46.296084Z Final 1.0.0 + uuid="a94d0d94-c206-448f-88b3-c58496040820"> NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE - 2022-11-01T18:55:27.807137Z + 2022-11-02T14:23:19.139521Z Final 1.0.0 + uuid="410f2ea3-d23b-4388-ade0-89950b7eb730"> SP800-53 HIGH IMPACT BASELINE - 2022-11-01T18:57:12.719504Z + 2022-11-02T14:25:04.284386Z FPD 1.0.0 + uuid="5f5e4f73-f6f9-442c-9233-867cdf60c0d8"> SP800-53 LOW IMPACT BASELINE - 2022-11-01T18:57:21.307935Z + 2022-11-02T14:25:11.690037Z FPD 1.0.0 + uuid="34d6d3fe-8221-490b-851d-26520a95b440"> SP800-53 MODERATE IMPACT BASELINE - 2022-11-01T18:57:29.713995Z + 2022-11-02T14:25:19.133636Z FPD 1.0.0 + uuid="cb503494-1e12-4cea-bd2a-40f0639265c7"> SP800-53 PRIVACY BASELINE - 2022-11-01T18:57:38.380464Z + 2022-11-02T14:25:26.474157Z FPD 1.0.0 Date: Mon, 14 Nov 2022 17:18:28 -0500 Subject: [PATCH 2/8] Update OSCAL submodule to current 
develop commit b08d9b7. --- oscal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oscal b/oscal index b66302e3..b08d9b78 160000 --- a/oscal +++ b/oscal @@ -1 +1 @@ -Subproject commit b66302e353c26311cebaa0e4266f56d3d0b33f16 +Subproject commit b08d9b78e113c1381c69e4182b34d695cf112d3d From 8b6e22c1978aef6d34464b10a8ee6d58d70757a9 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 14 Nov 2022 17:22:28 -0500 Subject: [PATCH 3/8] Example SSPs with actions and docs for usnistgov/oscal-content#130. --- src/config | 15 +- src/examples/ssp/xml/actions/README.md | Bin 0 -> 7656 bytes .../ssp/xml/actions/example-approval-ssp.xml | 161 ++++++++++++++++++ .../actions/example-request-changes-ssp.xml | 150 ++++++++++++++++ 4 files changed, 325 insertions(+), 1 deletion(-) create mode 100644 src/examples/ssp/xml/actions/README.md create mode 100644 src/examples/ssp/xml/actions/example-approval-ssp.xml create mode 100644 src/examples/ssp/xml/actions/example-request-changes-ssp.xml diff --git a/src/config b/src/config index 56bc6ab4..d61fa3e2 100644 --- a/src/config +++ b/src/config 
@@ -1,7 +1,20 @@
 # path to source|format of source|model of source|format(s) to convert to
 src/examples/catalog/xml/*.xml|xml|catalog|json
 src/examples/ssp/xml/*.xml|xml|ssp|json
-src/examples/ssp/json/ssp-example.json|json|ssp|xml
+src/examples/ssp/xml/actions/*.xml|xml|ssp|json
+# TODO: Review this error, cause unclear need to do RCA before merge.
+# /home/runner/work/oscal-content/oscal-content/git-content/src/examples/ssp/json/ssp-example.json invalid
+# [
+# {
+# instancePath: '/system-security-plan/system-characteristics/props/0/name',
+# schemaPath: '#/properties/name/allOf/1/enum',
+# keyword: 'enum',
+# params: { allowedValues: [Array] },
+# message: 'must be equal to one of the allowed values'
+# }
+# ]
+# https://github.com/usnistgov/oscal-content/actions/runs/3191841714/jobs/5208629060
+# src/examples/ssp/json/ssp-example.json|json|ssp|xml
 src/examples/component-definition/json/example-component.json|json|component|xml
 src/examples/component-definition/xml/*.xml|xml|component|json
 src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json
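Review bot: Commenting out `src/examples/ssp/json/ssp-example.json|json|ssp|xml` takes the JSON SSP example out of validation and conversion while the enum failure at `/system-security-plan/system-characteristics/props/0/name` is still unexplained, so a schema-invalid example can keep shipping unnoticed. The TODO itself says root-cause analysis is needed before merge, but the only record is this comment and a link to an Actions run whose log is subject to retention limits. The pasted validator output also carries the runner's absolute path. A shorter tracked marker would hold the same information, for example `# disabled: props[0].name fails the ssp schema enum check, see issue <ISSUE-ID placeholder>`.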
diff --git a/src/examples/ssp/xml/actions/README.md b/src/examples/ssp/xml/actions/README.md new file mode 100644 index 0000000000000000000000000000000000000000..e142ed65f8ee4147aee863016eb4509e4319ffa4 GIT binary patch literal 7656 zcmd6s>u*~{5XJX1690qMerPM=gx9Bthx$NjAtgv@1yzNVmy-tU*w{`|K>X{#`R(y! z_ugycv>;SjPVQrOcIM2?nc4MUf8I{L^i_JD4$>%1(l8Blzo*Z4X{M{^`g@kn)2XiS zr=v92-B|at^nQ9Te{Uxwe4k!P!dzDeX_{rs^<dqBH1?IQjy2;*PZ@un-(kTl&q3ZG zZEDo6o?$ENP4d+^o#?*1%30R*K;v1lV6c(zm(3Vt9LxGxX>)J&H92gBw(=5k!@VsqXtvzoK($86op0ogUJj*&r!Y=-EKgk;5 z`$5LyM9;^1zj_8UPqX%C={Nl^abxUDBpBUu$-|42yy8sOOtso1&%4YzfK>SU>Kf0k zS9+Q^%N~9x+@@I`Q81K+cq}4rq;co^j-=f%zah#_ba$b9bh*rLF0O4hDl@%zoGn{B zJhz|M{Y7IzY@Ygg4l_>klYPnO4!`f~YLYD-K(BK2|^h!t#_2~&AXBSUr(wfLS)6=u84PzpbEOV?; zXw}5K=zy<+OI~CT7rT&Zj7lu>q%YhCIXcL9o}kq<`!XU8n@hytW3&(NGoSd!DlCbd z>0*U+)|lsUFVhd{X=boC%aj=ZG2K;s&h?pS&UV_;hYYgkHzkh@hy34q%r-B1eU$lv)lUC`F<~3Nld&^Q zm#p|nsK7w$>?rZ#+Vfbmt`@fR6n(Hn;mjHXJbfs9;Mjpac=o28M+Oi*j)#b&nJ|Xu zyGWM0M{V?4_9*oXDb&=qc1`KsT0}0D3e=3-5=C8Y$aM5KJ5qnCQ4{42Y)4*DSuQnZ zkg-G$Vr$yb@NMxU{>e92V*EoMm?2r2wdghQN6E;*xgDpQ()PZ-QJI1#%af>8!CW8^ zJ`5f(M;6@H*JPx?MR@QeGuw`Z|`(V8*C-!TfYoum*b7@wciLm}_Bac!@eqpK-6!sg6+k zJS2^jd9Dpn_spqqe@`DX31o~GI%Ah}&@3K*kECJg0O7KPSSMdB31Km{wYn`&tG2v%4(5^sZuYr44)-0&yZ zP+=!IyPMu^>U9&O;nxx?(Z^eA8`thGtoCc2ndU9333*R1PTxMt7J)%qGO-TRGPaF$ zJ6gyIBAjjoFBu*7FL*0B3T<2;7>hTMT&SlUB%&&WJ>2Q~8`cUdpTT6Epy z2Dx;az0>tTa7*ct$TIg)WCFA4RHHgj&AcAAO@t9F#Ryx(-V6rgt&t!`$^UNrf&8;v zS-aV7e!kGmu$g#&C4FFphL$N|LDL@L@z5cC*ioy;irnVG)Rg zZR~!)1|8{+LA_|#^e{U$b^^o`w$RBsVn$gLSUJuUBF|S<_nYTciL07v>pjH2_EY-{ zMj)2Ygb7TH58Z7z8XoCQ;oqnXRGH{094Fin>+l}uB2RVYvy1ZWd!*~ons~9kwdByfpT5xN1MOgn#BE7&lNV_1b;) z9UxLa1COpg?vl`k{DiX(CHY9*!?LwGPuWhNY0Om8Jr@nzJwMsy^QX_#t?Yr-X9l+x z^0p+g^oSvKIYyzu>ha;T=pIYA)y2xO6TSqe7eZo|Pfwid!IdG^yNOkZ!F%qAnx3sA zxAshUtJa|FsW*w7kC%F{u0Tc*%dI1kct_Y%4lgjYvtGd^xIBO-8lTnA38_;5FUll$L?@)A{a8N)`@!fZt!G8Sd%562m$Z+IQ!!qp_?D0%%_~tfFMy7xN%oo>$qy>#ybDjdi^`@ z{50#<>@iDbcGB)7PqT2GR5eo^!_@tY8+X_X@Q}blvXW(4junK~mVj?;m7T 
z>CM-7gUBnrg(IiUUy;jg`J7?Z-t+9c+4iD?z2V=WLK2mfvk2amJ!0YHHahKdzI&O4 zpJjXLyznx6e)I|6!Ryp1a%mZA{%tGpCvxig?mY?qFTE{y?R|0k^dfwL-|2m*z-Z81 wt(+D5_mMb*!<$4-K`;8ZsJYR_d#}MR#!viPi`NPa>b;OLpzHO?mQTz71}D@$od5s; literal 0 HcmV?d00001 diff --git a/src/examples/ssp/xml/actions/example-approval-ssp.xml b/src/examples/ssp/xml/actions/example-approval-ssp.xml new file mode 100644 index 00000000..ab04b898 --- /dev/null +++ b/src/examples/ssp/xml/actions/example-approval-ssp.xml @@ -0,0 +1,161 @@ + + + + Example System SSP with Actions + 2022-09-02T00:00:00.000000001-04:00 + 0.0.4 + 1.1.0 + + + 2022-08-30T00:00:00.000000001-04:00 + 0.0.1 + 1.1.0 + +

Submitted to ISSM before approval by system owner.

+
+
+ + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + +

The legal officer for the Security & Compliance Office has requested changes.

+
+
+ + 2022-09-04T00:00:00.000000001-04:00 + 0.0.3 + 1.1.0 + +

ISSM resubmitted with changes per the lawyer's request.

+
+
+ + 2022-09-06T00:00:00.000000001-04:00 + 0.0.4 + 1.1.0 + +

The legal officer for the Security & Compliance Office approves this draft of the document.

+
+
+
+ + BigCorp IT Security and Compliance Division Legal Officer + Legal + + + BigCourp Information System Security Manager + ISSM + + + BigCorp Office of Information Technology Security and Compliance Division Legal Office + BigCorp ITSECLAW + + legal@example.com +
+ 100 Main Street NW + Washington + DC + 20000 + US +
+
+ + + 166befca-8f70-4170-8848-2af978990772 + + +

The Legal Office's staff reviewed this version of the SSP and its recent amendments. We approve disseminating this to the relevant customers outside of BigCorp.

+
+
+
+ + + 103e77a8-ab96-4767-9625-19940fefde5f + Example System + +

This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.

+
+ 2022-08-23 + fips-199-moderate + + + Summary of System Development Information in Example System + +

This application contains system development data.

+
+ + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + +
+
+ + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

There is no authorization boundary for the application.

+
+ +

This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.

+
+
+
+ + + + System Developer Privilege + add functionality + modify functionality + maintain deploy system in environment + + + + The Example System Core Component + +

Example System, like other BigCorp information systems, uses security controls from a variety of frameworks, but is especially focused on NIST SP 800-53 controls.

+
+ + +

This is an example system with notional examples, the system and this document will never be complete, regardless of the intention implicated by action examples.

+
+
+
+ + +

+
+ + + + +

The ISSM ensures staff developing and operating this system handle security awareness and training pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Security Awareness and Training Policy. What is done by system staff in this description is much clearer and better than before.

+
+
+
+ + + +

The ISSM ensures staff developing and operating this system handle vulnerability management pretty well. The ISSM commits staff to operational guidelines and procedures based on BigCorp's Vulnerability Management Program Policy and Threat Intelligence Program Policy. What is done by system staff in this description is much clearer and better than before.

+
+
+
+
+ + + + + +
\ No newline at end of file diff --git a/src/examples/ssp/xml/actions/example-request-changes-ssp.xml b/src/examples/ssp/xml/actions/example-request-changes-ssp.xml new file mode 100644 index 00000000..64a00933 --- /dev/null +++ b/src/examples/ssp/xml/actions/example-request-changes-ssp.xml @@ -0,0 +1,150 @@ + + + + Example System SSP with Actions + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + + + 2022-08-30T00:00:00.000000001-04:00 + 0.0.1 + 1.1.0 + +
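Review bot: The document metadata at the top of example-approval-ssp.xml pairs a last-modified value of `2022-09-02T00:00:00.000000001-04:00` with version `0.0.4`, but the revision history in the same file dates 0.0.4 to `2022-09-06T00:00:00.000000001-04:00`. The 2022-09-02 timestamp looks carried over from the request-changes variant and should probably match the 0.0.4 revision entry. The ISSM party name is spelled `BigCourp Information System Security Manager` here and `BigCorp` everywhere else, and `permenantely` in the authorization-boundary remarks should read `permanently`. The markup is not visible in this rendering, so the element names are inferred from the values.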

Submitted to ISSM before approval by system owner.

+
+
+ + 2022-09-02T00:00:00.000000001-04:00 + 0.0.2 + 1.1.0 + +

The legal officer for the Security & Compliance Office has requested changes.

+
+
+
+ + BigCorp IT Security and Compliance Division Legal Officer + Legal + + + BigCorp Information System Security Manager + ISSM + + + BigCorp Office of Information Technology Security and Compliance Division Legal Office + BigCorp ITSECLAW + + legal@example.com +
+ 100 Main Street NW + Washington + DC + 20000 + US +
+
+ + + + 166befca-8f70-4170-8848-2af978990772 + + +

The legal department wants several changes made to this system security plan. Relevant security controls do not reference organization or division policies, and the narratives are in some cases are ambiguous. Please review each item of feedback below, update the relevant section, and re-submit to the department for further review.

+
    +
  • The narrative for implemented requirements of control AT-1 does not accurately cite or reference BigCorp's 2022 Security Awareness Training Policy. Please add references and clarify how this system and relevant staff apply it in their own standard operating procedures.
  • +
  • The narrative for implemented requirements of control RA-1 does not accurately cite or reference BigCorp's 2022 Security Awareness Training Policy. Please add references and clarify how this system and relevant staff apply it in their own standard operating procedures.
  • +
+
+
+
+ + + 103e77a8-ab96-4767-9625-19940fefde5f + Example System + +

This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.

+
+ 2022-08-23 + fips-199-moderate + + + Summary of System Development Information in Example System + +

This application contains system development data.

+
+ + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + + + fips-199-low + fips-199-low + +
+
+ + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

There is no authorization boundary for the application.

+
+ +

This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.

+
+
+
+ + + + System Developer Privilege + add functionality + modify functionality + maintain deploy system in environment + + + + The Example System Core Component + +

+
+ + +

This is an example system with notional examples, the system and this document will never be complete, regardless of the intention implicated by action examples.

+
+
+
+ + +

Example System, like other BigCorp information systems, uses security controls from a variety of frameworks. Example System is especially focused on NIST SP 800-53 controls.

+
+ + + + +

The ISSM ensures staff developing and operating this system handle security awareness and training pretty well.

+
+
+
+ + + +

The ISSM ensures staff developing and operating this system handle vulnerability management pretty well. The ISSM even tells them to use threat intelligence from the BigCorp SOC to prioritize mitigations and fixes of vulnerabilities!

+
+
+
+
+ + + + + +
\ No newline at end of file From 1c9e79a5ffe7b80fc87fe57e01da5554aea7d9f1 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 14 Nov 2022 17:29:11 -0500 Subject: [PATCH 4/8] Further focus OSCAL doc instance filter, only test actions examples. --- src/config | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/config b/src/config index d61fa3e2..ff45fff4 100644 --- a/src/config +++ b/src/config @@ -1,6 +1,6 @@ # path to source|format of source|model of source|format(s) to convert to -src/examples/catalog/xml/*.xml|xml|catalog|json -src/examples/ssp/xml/*.xml|xml|ssp|json +#src/examples/catalog/xml/*.xml|xml|catalog|json +#src/examples/ssp/xml/*.xml|xml|ssp|json src/examples/ssp/xml/actions/*.xml|xml|ssp|json # TODO: Review this error, cause unclear need to do RCA before merge. # /home/runner/work/oscal-content/oscal-content/git-content/src/examples/ssp/json/ssp-example.json invalid 
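Review bot: In example-request-changes-ssp.xml the feedback item for control RA-1 repeats the AT-1 item word for word, including the reference to `BigCorp's 2022 Security Awareness Training Policy`. The approval variant's RA-1 narrative cites the Vulnerability Management Program Policy and the Threat Intelligence Program Policy, so the RA-1 item here most likely should name those instead, e.g. `The narrative for implemented requirements of control RA-1 does not accurately cite or reference BigCorp's Vulnerability Management Program Policy.` As written, the example asks for a fix that the follow-up document does not make. The remark text also has a doubled verb (`the narratives are in some cases are ambiguous`) and the same `permenantely` misspelling as the approval file.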
@@ -15,11 +15,11 @@ src/examples/ssp/xml/actions/*.xml|xml|ssp|json # ] # https://github.com/usnistgov/oscal-content/actions/runs/3191841714/jobs/5208629060 # src/examples/ssp/json/ssp-example.json|json|ssp|xml -src/examples/component-definition/json/example-component.json|json|component|xml -src/examples/component-definition/xml/*.xml|xml|component|json -src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json -src/nist.gov/SP800-53/rev4/xml/*profile.xml|xml|profile|json -src/nist.gov/SP800-53/rev5/xml/*catalog.xml|xml|catalog|json -src/nist.gov/SP800-53/rev5/xml/*profile.xml|xml|profile|json -src/nist.gov/SP800-53/rev5/xml/draft/*catalog.xml|xml|catalog|json -src/nist.gov/SP800-53/rev5/xml/draft/*profile.xml|xml|profile|json +#src/examples/component-definition/json/example-component.json|json|component|xml +#src/examples/component-definition/xml/*.xml|xml|component|json +#src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json +#src/nist.gov/SP800-53/rev4/xml/*profile.xml|xml|profile|json +#src/nist.gov/SP800-53/rev5/xml/*catalog.xml|xml|catalog|json +#src/nist.gov/SP800-53/rev5/xml/*profile.xml|xml|profile|json +#src/nist.gov/SP800-53/rev5/xml/draft/*catalog.xml|xml|catalog|json +#src/nist.gov/SP800-53/rev5/xml/draft/*profile.xml|xml|profile|json From 8fcd30f00b5a379c355ca793777ab6ab98516f6a Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Mon, 14 Nov 2022 17:47:18 -0500 Subject: [PATCH 5/8] Loosen OSCAL document instance file filter. Convert and validate most of the XML-source examples. --- src/config | 36 ++++++------------ src/examples/ssp/{xml => }/actions/README.md | Bin .../xml}/example-approval-ssp.xml | 0 .../xml}/example-request-changes-ssp.xml | 0 4 files changed, 12 insertions(+), 24 deletions(-) rename src/examples/ssp/{xml => }/actions/README.md (100%) rename src/examples/ssp/{xml/actions => actions/xml}/example-approval-ssp.xml (100%) rename src/examples/ssp/{xml/actions => actions/xml}/example-request-changes-ssp.xml (100%) 
diff --git a/src/config b/src/config index ff45fff4..50d51ff7 100644 --- a/src/config +++ b/src/config 
@@ -1,25 +1,13 @@
 # path to source|format of source|model of source|format(s) to convert to
-#src/examples/catalog/xml/*.xml|xml|catalog|json
-#src/examples/ssp/xml/*.xml|xml|ssp|json
-src/examples/ssp/xml/actions/*.xml|xml|ssp|json
-# TODO: Review this error, cause unclear need to do RCA before merge.
-# /home/runner/work/oscal-content/oscal-content/git-content/src/examples/ssp/json/ssp-example.json invalid
-# [
-# {
-# instancePath: '/system-security-plan/system-characteristics/props/0/name',
-# schemaPath: '#/properties/name/allOf/1/enum',
-# keyword: 'enum',
-# params: { allowedValues: [Array] },
-# message: 'must be equal to one of the allowed values'
-# }
-# ]
-# https://github.com/usnistgov/oscal-content/actions/runs/3191841714/jobs/5208629060
-# src/examples/ssp/json/ssp-example.json|json|ssp|xml
-#src/examples/component-definition/json/example-component.json|json|component|xml
-#src/examples/component-definition/xml/*.xml|xml|component|json
-#src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json
-#src/nist.gov/SP800-53/rev4/xml/*profile.xml|xml|profile|json
-#src/nist.gov/SP800-53/rev5/xml/*catalog.xml|xml|catalog|json
-#src/nist.gov/SP800-53/rev5/xml/*profile.xml|xml|profile|json
-#src/nist.gov/SP800-53/rev5/xml/draft/*catalog.xml|xml|catalog|json
-#src/nist.gov/SP800-53/rev5/xml/draft/*profile.xml|xml|profile|json
+src/examples/catalog/xml/*.xml|xml|catalog|json
+src/examples/ssp/xml/*.xml|xml|ssp|json
+src/examples/ssp/actions/xml/*.xml|xml|ssp|json
+src/examples/ssp/json/ssp-example.json|json|ssp|xml
+src/examples/component-definition/json/example-component.json|json|component|xml
+src/examples/component-definition/xml/*.xml|xml|component|json
+src/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json
+src/nist.gov/SP800-53/rev4/xml/*profile.xml|xml|profile|json
+src/nist.gov/SP800-53/rev5/xml/*catalog.xml|xml|catalog|json
+src/nist.gov/SP800-53/rev5/xml/*profile.xml|xml|profile|json
+src/nist.gov/SP800-53/rev5/xml/draft/*catalog.xml|xml|catalog|json +src/nist.gov/SP800-53/rev5/xml/draft/*profile.xml|xml|profile|json diff --git a/src/examples/ssp/xml/actions/README.md b/src/examples/ssp/actions/README.md similarity index 100% rename from src/examples/ssp/xml/actions/README.md rename to src/examples/ssp/actions/README.md diff --git a/src/examples/ssp/xml/actions/example-approval-ssp.xml b/src/examples/ssp/actions/xml/example-approval-ssp.xml similarity index 100% rename from src/examples/ssp/xml/actions/example-approval-ssp.xml rename to src/examples/ssp/actions/xml/example-approval-ssp.xml diff --git a/src/examples/ssp/xml/actions/example-request-changes-ssp.xml b/src/examples/ssp/actions/xml/example-request-changes-ssp.xml similarity index 100% rename from src/examples/ssp/xml/actions/example-request-changes-ssp.xml rename to src/examples/ssp/actions/xml/example-request-changes-ssp.xml From c790bc06842d22e049ef7769e779fb0b58ebf2be Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 3 Jan 2023 14:28:44 -0500 Subject: [PATCH 6/8] Update import paths for usnistgov/oscal-content#168. --- .../xml/draft/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml | 2 +- .../xml/draft/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml | 2 +- .../draft/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml | 2 +- .../draft/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml index 260c2078..625958ec 100644 --- a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml +++ b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml @@ -33,7 +33,7 @@ a90f4235-ab3c-4bf1-ba0a-865bbc833346
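Review bot: The restored entry `src/examples/ssp/json/ssp-example.json|json|ssp|xml` re-enables the conversion that an earlier commit in this series disabled pending root-cause analysis, and this hunk deletes that TODO without recording how the schema enum failure was resolved. If the failure is fixed, the commit message should say so. If it is not, the validation step will fail again or the entry needs to stay disabled with a tracked reference, e.g. `# disabled: see issue <ISSUE-ID placeholder>`. The subject line says "most of the XML-source examples", yet the new side re-enables every entry, including this JSON-source one, so the intent is unclear from the hunk alone.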
- + ac-1 ac-2 diff --git a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml index e8c555b4..5239ca53 100644 --- a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml +++ b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml @@ -33,7 +33,7 @@ fcba95f8-df3b-47cd-ae6f-57089a2b7174
- + ac-1 ac-2 diff --git a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml index 8a4d4f37..9bc0d2be 100644 --- a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml +++ b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml @@ -33,7 +33,7 @@ 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a
- + ac-1 ac-2 diff --git a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml index 07b50f9e..98530d89 100644 --- a/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml +++ b/src/nist.gov/SP800-53/rev5/xml/draft/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml @@ -33,7 +33,7 @@ d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696
- + ac-1 ac-3.14 From d670bb6f96e4646179178cd9f12298b808372bab Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 3 Jan 2023 16:48:43 -0500 Subject: [PATCH 7/8] [WIP] Enable bash debugging, understand other Schematron errors. --- .github/workflows/content-artifacts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index 92c472e5..37316423 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -93,11 +93,11 @@ jobs: - name: Validate Content run: # mkdir -p "${OSCAL_BUILD_DIR_PATH}" - bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/validate-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" + bash -x "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/validate-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" # job-copy-and-convert-content - name: Auto-convert Content run: - bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content" --resolve-profiles + bash -x "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content" --resolve-profiles - name: Zip Artifacts for Upload if: always() run: | From 26f0fe160932016638575cfafdc55d796d4c6f5b Mon Sep 17 00:00:00 2001 
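Review bot: Adding `bash -x` to the Validate Content and Auto-convert Content steps writes every expanded command and variable to the job log, and on a public repository anyone can read that log. GitHub masks registered secrets, but values the scripts derive from them are not masked. Whether validate-content.sh or copy-and-convert-content.sh handle credentials is not visible from this hunk. The commit is marked WIP, so the flag should be removed before merge or gated on debug logging, for example `bash ${RUNNER_DEBUG:+-x} "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/validate-content.sh" ...`, so tracing is only on for re-runs with debug enabled. The job definition continues outside this hunk.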
From: Alexander Stein Date: Tue, 3 Jan 2023 17:05:20 -0500 Subject: [PATCH 8/8] Update submodule branch for maven.restlet.org workaround. --- oscal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oscal b/oscal index b08d9b78..dd2e4971 160000 --- a/oscal +++ b/oscal @@ -1 +1 @@ -Subproject commit b08d9b78e113c1381c69e4182b34d695cf112d3d +Subproject commit dd2e4971745786da12608292e633fa0a9e66cc1e