Rendering OSCAL to look like a SP 800-18 SSP template

[wendellpiez]

User Story:

As an OSCAL user, I would like to be able to produce an SSP document in the form of a familiar SSP template. That is, I should be able to encode my SSP in OSCAL, then produce (by automated means) a document in a familiar format such as PDF or Word docx, emulating a particular SSP template.

Templates for the production of SSPs are familiar to security professionals, and assessors and evaluators rely (both explicitly and implicitly) on the consistency of documentation, and (sometimes) its fidelity to a prescribed templates, as one relevant criterion for evaluation of SSPs. This makes a template layout an attractive target for presentation of OSCAL data. If an OSCAL SSP can appear like -- and be evaluated as -- a familiar SSP produced by means of an accepted template and delivered in the usual or mandated format (possibly docx or PDF), OSCAL becomes a viable means of production for such documents.

Goals:

Building on the more general capability described in #9, we would like further to be able to produce SSPs that look like a prescribed template. Producing OSCAL with a look-and-feel familiar to domain professionals helps both to validate the OSCAL, and demonstrate its utility.

PDF is an appropriate target format for this, with an HTML work-alike, optionally, as a nice-to-have. In any case, it should print well at US Letter size, show headers and page apparatus like its template model, emulate its tables, etc.

This application must be good enough to serve as a proof of concept, but perhaps not necessarily good enough (without enhancement) for production use over the long term (especially as targets change). Here, we wish to catalyze this capability by demonstrating it, rather than providing it, inasmuch as organizations' requirements are likely to vary too much for a single general solution, while a monoculture in SSP processing would be inimical to our goals.

Core to this is two general functional requirements:

• familiar, cozy look and feel emulating a credible (authoritative) SSP template example
• dynamic inclusion of catalog and baseline contents into display of SSP

Dependencies:

There is potentially a dependency on #9 if this work is built on that. (With this capability provided as a customization of that capability and as such, a demonstration of how to customize it.) However they could also be aligned later.

The template must be identified. NIST has the option of doing this work internally with a template available to us (achieving some goals if not all), however public release may be an issue. Whether we can adapt this work to publish a fictional-but-plausible alternative, or find some other way to address this question, is tbd. (Need advice @david-waltermire-nist @iMichaela.)

Also, goals for this effort must be stipulated clearly enough not to compete with similar initiatives elsewhere exploiting OSCAL data. We wish to encourage this; indeed the more different SSP page templates that can be accommodated by OSCAL, the better.

Finally, early analysis of this problem suggests that an SSP template implies not only an SSP, but a profile, inasmuch as the template itself may provide guidance and enhancement per control. Given that this "meta-information" (not guidance on a control but guidance on how to document it) must live somewhere, some modeling and potentially workflow issues are likely to arise.

Acceptance Criteria

TBD

• All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

[wendellpiez]

Off line I have made significant progress on this work (based on the above-mentioned NIST template), but it is now on hold pending work on the SSP model. See usnistgov/OSCAL#478 and related issues. It also depends on #9, now nearing completion.

We need to return to this issue as soon as we:

• Take next steps refactoring and documenting SSP model
• Make more sample data exercising the model
• Clarifying the release status of the NIST template on which it is based, or an alternative template if this one is not available

[wendellpiez]

Sprint 26 Update Jan 30 2020

See last comment. I have some solid preliminary work on this but there is work on the SSP model / examples to be done before it can be usefully feature-complete.

[wendellpiez]

Update Feb 6 2020

Off line I have a demonstration producing an HTML version of a NIST SSP template, populated with OSCAL SSP data. It is about 60% complete, enough to demonstrate the principle.

Further work depends on work on the SSP model, including realistic examples.

[david-waltermire]

@wendellpiez We can answer any current mapping questions that you have in our next modeling session. It would be helpful if you posted your questions here.

[wendellpiez]

In addition to posting questions here, it could be helpful for me to demo (in the modeling session) the SSP formatting XSLT in progress. It exposes questions not only of appropriate generic handling, but of how to map the SSP structures correctly into the NIST Mod/Lo SSP template. (Ordinarily we might do this later but it could be useful input.)

[wendellpiez]

Sprint 27 Update Feb 13 2020

Evidently I have not yet posted questions on the SSP presentation so far.

However, recent changes in the SSP model also warrant some updates to the transformations, So this needs to be warmed up again and aligned (with latest-greatest) to reduce noise in any conversation about semantics (presentational or otherwise).

[wendellpiez]

Update March 12

@wendellpiez will review and confirm current status. The work goes along with developing more illustrative SSP examples demonstrating semantics.

[wendellpiez]

Update March 19

Still pending. Will try to do this by end of week (tomorrow). There is code that can be migrated to an internal repo, then organized.

[wendellpiez]

Deciding to migrate the code into the usnistgov/oscal-tools repo, where it can live with other rendering logic for catalog and profile formats.

[wendellpiez]

An XSLT is in a working branch here: https://github.com/wendellpiez/oscal-tools/tree/oscal-issue575-SSP-html-xslt

It demonstrates about half of the transformation, and provides scaffolding/approach for the remaining half.

For this XSLT to be useful (even as a demo):

• A canonical / complete sample SSP would be available for testing and demo
• Functional gaps between current and expected functionality must be mapped and bridged

Of these, the first is something of a blocker. The second will require a few hours once we have samples and specs worked out.

[wendellpiez]

Sprint 28 Update April 2

As noted above I have a branch where this is underway. We need more sample data to make headway.

This work is a good follow-on to usnistgov/OSCAL#630, which lays some of the groundwork we will need for this as well (for example to run FOP).

[wendellpiez]

Sprint 28 Update April 8 2020

Ongoing work on this XSLT is here:

https://github.com/wendellpiez/oscal-tools/tree/oscal-issue575-SSP-html-xslt

It is stable, but functionally not complete. It requires more sample data.

[aj-stein-nist]

Per discussion with the team today during backlog review, I am moving this to the appropriate repository per our guidance, oscal-xslt.