OSCAL
Profile import identifier handling
Committer Notes
Provides identifier reassignment capabilities for remapping identifiers in imported catalogs during the import phase of profile resolution.
All Submissions:
- [ ] Have you selected the correct base branch per Contributing guidance?
- [ ] Have you set "Allow edits and access to secrets by maintainers"?
- [ ] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
- [ ] Have you squashed any non-relevant commits and commit messages? [instructions]
- [ ] Do all automated CI/CD checks pass?
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.
Changes to Core Features:
- [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
- [ ] Have you written new tests for your core changes, as applicable?
- [ ] Have you included examples of how to use your new feature(s)?
- [ ] Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
The following is an example of the resulting solution.
{
  "imports": [
    {
      "href": "#FedRAMP_rev4_MODERATE-baseline_profile.json",
      "include-controls": [
        {
          "with-ids": [
            "ac-6.9",
            "ac-6.10",
            "ac-7",
            "ac-8"
          ]
        }
      ],
      "identifier-reassignment": {
        "with-prefix": "prefixA-",
        "with-suffix": "-suffixA",
        "controls": {
          "with-prefix": "prefixB-",
          "with-suffix": "-suffixB",
          "reassignments": [
            {
              "from": "ac-6.9",
              "to": "ac-6.9-new"
            }
          ]
        }
        // ac-6.9 -> prefixA-prefixB-ac-6.9-new-suffixB-suffixA
        // ac-6.10 -> prefixA-prefixB-ac-6.10-suffixB-suffixA
        // ac-7 -> prefixA-prefixB-ac-7-suffixB-suffixA
        // ac-8 -> prefixA-prefixB-ac-8-suffixB-suffixA
      }
    }
  ]
}
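The following resolver is an added example and not code from the OSCAL project or this pull request. It implements the semantics that the `//` comment lines in the example above imply: explicit `from`/`to` reassignments are applied first, then the nested `controls`-level prefix and suffix, then the import-level prefix and suffix. The key names are taken from the example; the nesting order, the token check, and the collision check are assumptions about what a resolver should do, not behaviour the PR specifies.

```python
"""Resolve an identifier-reassignment block of the shape shown in the PR example.

Added example, not OSCAL project code. Semantics assumed from the expected
outputs in the example:
  1. apply explicit from/to reassignments,
  2. wrap with the nested (controls-level) with-prefix / with-suffix,
  3. wrap with the outer (import-level) with-prefix / with-suffix.
"""
from __future__ import annotations

import re

# Constructed copy of the import block from the PR example (JSON comments removed).
EXAMPLE_IMPORT = {
    "href": "#FedRAMP_rev4_MODERATE-baseline_profile.json",
    "include-controls": [{"with-ids": ["ac-6.9", "ac-6.10", "ac-7", "ac-8"]}],
    "identifier-reassignment": {
        "with-prefix": "prefixA-",
        "with-suffix": "-suffixA",
        "controls": {
            "with-prefix": "prefixB-",
            "with-suffix": "-suffixB",
            "reassignments": [{"from": "ac-6.9", "to": "ac-6.9-new"}],
        },
    },
}

# Assumed token shape for a resolved id; OSCAL's own constraints are stricter.
_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def _wrap(identifier: str, scope: dict) -> str:
    """Apply the with-prefix / with-suffix of one scope; missing keys mean no change."""
    return scope.get("with-prefix", "") + identifier + scope.get("with-suffix", "")


def reassign_control_ids(import_spec: dict) -> dict[str, str]:
    """Return {original control id: resolved id} for the ids selected by include-controls."""
    selected: list[str] = []
    for selector in import_spec.get("include-controls", []):
        selected.extend(selector.get("with-ids", []))

    reassignment = import_spec.get("identifier-reassignment", {})
    controls_scope = reassignment.get("controls", {})
    explicit = {r["from"]: r["to"] for r in controls_scope.get("reassignments", [])}

    # A reassignment that names an id the import never selects is a spec error,
    # not something to silently ignore.
    unknown = set(explicit) - set(selected)
    if unknown:
        raise ValueError(f"reassignment of ids not imported: {sorted(unknown)}")

    resolved: dict[str, str] = {}
    for control_id in selected:
        new_id = explicit.get(control_id, control_id)  # step 1: explicit from/to
        new_id = _wrap(new_id, controls_scope)          # step 2: nested scope
        new_id = _wrap(new_id, reassignment)            # step 3: outer scope
        if not _TOKEN.match(new_id):
            raise ValueError(f"resolved id is not a valid token: {new_id!r}")
        resolved[control_id] = new_id

    # The mapping must stay injective, or two imported controls would collide
    # in the resolved profile.
    if len(set(resolved.values())) != len(resolved):
        raise ValueError("identifier reassignment produced duplicate ids")
    return resolved


if __name__ == "__main__":
    for old, new in reassign_control_ids(EXAMPLE_IMPORT).items():
        print(f"{old} -> {new}")
```

Note that the `to` value of an explicit reassignment is itself wrapped by both scopes, which is why `ac-6.9-new` ends up as `prefixA-prefixB-ac-6.9-new-suffixB-suffixA`; a `to` value that already carries the prefixes and suffixes would therefore be wrapped a second time.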
When reading through the example, I see "with-ids" acting as a filter of sorts in the "include-controls" section, identifying the controls to include from the profile, and then I scan down to the "identifier-reassignment" that uses "with-prefix" and "with-suffix" and my first thought was "are those also filters?". After studying for a few more minutes and reviewing the examples, it is obvious they are actions to apply the prefix and suffix values to the resulting identifiers or the reassignment transformation.
My suggestion would be to change the "with-" portion to something that more clearly communicates these are actions, such as "use-" or "apply-", e.g.:
"use-prefix": "prefixB-",
"use-suffix": "-suffixB",
or
"apply-prefix": "prefixB-",
"apply-suffix": "-suffixB",
I think I like apply- best of these two.
I too like the apply- and the rationale Adam provides resonated with me. I think it is looking at too much Python using with context managers. 😆
I am confused by the use of with-prefix in a few places and the model didn't really help me. Do the nested with-prefix and with-suffix declarations apply to some controls and not others as a subset of the include-controls assembly? If not, why do we double up the directives? I think I am just confused by the example, given that all controls in the example have wrapped suffixes and prefixes the same way.
Is the following interpretation accurate, considering the following assumptions:
- I am creating a new profile derived from FedRAMP's moderate profile, and I want to have an easy way to remember what I did since I am tailoring the controls in the process
- I want to know (easily remember) that my controls started with the FedRAMP baseline, moderate impact, and will end in my profile for a highly regulated environment (hre), low impact profile
- I want later on to easily remember what I did in 2) just by looking at the ID
NOTE: I am using, as an example, the prefix for governance traceability and the suffix for impact level.
{
  "imports": [
    {
      "href": "#FedRAMP_rev4_MODERATE-baseline_profile.json",
      "include-controls": [
        {
          "with-ids": [
            "ac-6.9",
            "ac-6.10",
            "ac-7",
            "ac-8"
          ]
        }
      ],
      "identifier-reassignment": {
        "with-prefix": "hre-",
        "with-suffix": "-low",
        "controls": {
          "with-prefix": "fedramp-",
          "with-suffix": "-moderate",
          "reassignments": [
            {
              "from": "ac-6.9",
              "to": "hre-fedramp-ac-6.9-moderate-low"
            }
          ]
        }
        // ac-6.9 -> hre-fedramp-ac-6.9-moderate-low
      }
    }
  ]
}
OR

The identifier-reassignment is only informative and the reassignment should read

"reassignments": [
  {
    "from": "ac-6.9",
    "to": "ac-6.9-new"
  }
]

and the new ID is actually ac-6.9-new.
I am not sure I understand the part of the example in red that highlights the new name PLUS the chained prefixes-suffixes. Where or when should it be used as shown?
This work will be completed once #1474 is completed.
@david-waltermire-nist I would like to take some time next week to meet up about this work and how it relates to other issues. After that, I will determine how we work on the issue in future sprints and update this branch.