
Add New Page for Publicly Available OSCAL Content

Open aj-stein-nist opened this issue 2 years ago • 4 comments

User Story:

As an OSCAL stakeholder, in order to find and consume OSCAL resources from other stakeholder organizations outside of the official NIST resources, I want a page itemizing OSCAL-based content from those organizations, and solicit contributions from such stakeholder organizations to keep the list current.

Goals:

We already have a list of OSCAL tools, but we don't have a similar page for OSCAL content (catalogs, profiles, component-definitions, etc.). Several stakeholder organizations have inquired if we can establish a page for them to contribute to such a list.

Dependencies:

N/A

Acceptance Criteria

  • [ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

aj-stein-nist, Jun 01 '22 17:06

@aj-stein-nist - It might be important to have a mechanism in place or a task force (mini-team of contributors) that is responsible for the correctness (format validation at minimum) of the information made available at the end of the hyperlinks. There is no benefit from making such a resource available if the OSCAL content deviates from NIST OSCAL. A second aspect we should discuss with the community members is the importance of implementing best practices, to avoid propagating/promoting the use of OSCAL not as designed/intended.

iMichaela, Jun 01 '22 18:06

@iMichaela Not a fan of establishing an "OSCAL content police force" (I say this jokingly), or any similar committee. This doesn't scale well.

I believe the best way (and probably the only scalable way) to help content producers ensure they produce good content is to provide tools that enforce best practices. Such a tool also helps content consumers verify 3rd party content is good. This scales extremely well.

The Java tool I am working on is a start from a command line perspective. The NodeJS API @nikitawootten-nist is working on will help us produce some browser-based tools down the road.

david-waltermire, Jun 02 '22 17:06

@david-waltermire-nist - I see your point regarding the scalability but at the same time, everything we are listing on a NIST website becomes, partially, our responsibility to ensure the quality NIST always delivers, because the content will be perceived as being endorsed/reviewed for accuracy (aka correct OSCAL formatting). If that is not the case and the quality will not be there, what is the benefit of listing all that content that might pretend to be OSCAL? When we/NIST post examples in the oscal-content repo, the CI/CD pipeline validates the formats.

So, if we do not want to establish an "OSCAL content police force" from community members, or implement (at minimum) a community scoring and/or feedback system, then maybe we need to reconsider creating such a page if there is no guarantee that the OSCAL-content delivered by others is truly OSCAL.

Java library is good - you put so many months of work into it - thank you - but who said that the content creators or users will use it to validate respective content and not assume NIST did it before listing it? Also, developing similar libraries in other programming languages and maintaining all of them are not simple tasks. I am confident @nikitawootten-nist will deliver a great NodeJS API, but he also has other responsibilities and will not be able to finish it 'tomorrow'. Our first priority should be the delivery of all promised OSCAL features/models to make the current OSCAL version more usable (e.g. the SSRM/CRM model to facilitate leveraging ATOs when the SSP data is not available to the customer, the rules, the checks, the mapping model, etc.). The libraries should come after those features are part of OSCAL and are approved by the community. The libraries should be NIST's second priority until OSCAL promised features and models are done. We cannot afford to put the carriage ahead of the horse and expect that the horse can still run freely to the finish line.

Let's kindly ask the community members to help with the libraries if they are a must-have for the community, so our team can focus on the OSCAL features! With the first OSCAL SSP package submitted to FedRAMP, how will the customers of this CSP benefit from the submission if no Customer Responsibility Matrix (CRM) or SSRM can be created in OSCAL?

To sum up: I believe having as many OSCAL content examples (OSCAL instances) as possible is a must, but I doubt the examples will deliver the expected value if some of them provide pseudo-OSCAL/claimed-to-be-OSCAL listed on our website for promotion purposes. This is the issue I am raising and looking for an optimal, scalable solution, with or without an OSCAL content police :)

iMichaela, Jun 04 '22 02:06

I tried to capture the salient points about the benefits of published OSCAL content and community contribution guidelines in usnistgov/OSCAL#1310. Hopefully we can reach consensus and provide some of our community members a sensible location to publish notice of their own catalogs and sample content. For now it is just NIST and FedRAMP as official/semi-official resources.

aj-stein-nist, Jun 14 '22 04:06

We will post a link to https://github.com/oscal-club/awesome-oscal. This link will have a standard NIST exit page. We will include the standard NIST disclaimer.

david-waltermire, Jan 05 '23 19:01

Howdy @david-waltermire-nist and @iMichaela, club house manager here. Let us know in this issue or in Gitter what you want/need to make the distinction clear and how it ought to work.

If you do not want to litter your own Gitter channel with collaboration issues or content issues pertinent to OSCAL Club, the website, or Awesome OSCAL list, feel free to use our Gitter here.

https://gitter.im/oscal-club/lobby

If you prefer an alternate feedback mechanism, there is also admin at oscal.club email address to get the ball rolling. Have a nice weekend.

xee5ch, Jan 06 '23 22:01

@david-waltermire-nist rolled off the project and someone else will need to take this up.

aj-stein-nist, Jan 31 '23 19:01

Arminta and Michaela agreed they will work together to update the page and send it in for review by the close of next sprint.

aj-stein-nist, Jan 31 '23 19:01

02/09/2023 Update:

Started working on this issue. Met with Armita and Ned to explain the process. I will address all OSCAL page-related issues in one PR (including the OSCAL mini workshops update).

iMichaela, Feb 09 '23 18:02

> 02/09/2023 Update:
>
> Started working on this issue. Met with Armita and Ned to explain the process. I will address all OSCAL page-related issues in one PR (including the OSCAL mini workshops update).

Thanks for the status update. I appreciate it. Like I requested in the other PR, I will ask that you keep the page content change for each PR separate, and I will work with you to merge them efficiently, but still separately. If you need assistance or have concerns, let me know. Thanks to both of you.

aj-stein-nist, Feb 09 '23 19:02

02/23/2023

I will submit a PR addressing this issue before Monday, 02/26/2023.

iMichaela, Feb 23 '23 19:02

Arminta and Michaela will sync up after today's status review meeting and/or later in the week to work on and complete this.

aj-stein-nist, Feb 23 '23 19:02

> 02/23/2023
>
> I will submit a PR addressing this issue before Monday, 02/26/2023.

Sorry, also, I was so bad at multi-tasking, as I talked in the meeting and took notes, that I missed the previous update from you minutes before mine. Thanks for posting this.

aj-stein-nist, Feb 23 '23 19:02

Add https://github.com/usnistgov/OSCAL/issues/1683 to the backlog based on PR feedback in #1675. Can now officially close this and backfill it into completed Sprint 63. :-)

aj-stein-nist, Mar 01 '23 23:03