Investigate OSCAL for supplementing requirements model

[ronaldtse]

Sample: https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/NIST_SP-800-53_rev4_catalog.xml

[opoudjis]

https://pages.nist.gov/OSCAL/examples/

[opoudjis]

https://www.metanorma.com/author/topics/document-format/requirements-recommendations-permissions/ : documentation of what we have

https://github.com/metanorma/metanorma-requirements-models: formal model, UML and RNC grammar

[anermina]

URL update for OSCAL sample: https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml

I guess the second URL is now: https://pages.nist.gov/OSCAL/documentation/examples/

[anermina]

OSCAL structure: Top level containers: "profile", "catalog" Sub-containers: "metadata", "group", "back-matter", "import", "merge", "modify" Sub-sub-containers: "control", "prop", "link", "role", "party", "responsible-party", "org", "address", "addr-line", "param", "part", "citation", "resource", "rlink", "insert", "call", "include" Attributes and elements: "title", "last-modified", "version", "oscal-version", "org-name", "city", "state", "postal-code", "email", "party-id", "label", "target", "as-is", "desc" Sub-sub-container attributes: "name", "rel", "href", "class", "media-type", "id", "param-id", "control-id", "role-id", "position"

METADATA -> contains "role", "party", "responsible-party" (can also contain "prop" and "link"), and attributes "title", "last-modified", "version" and "oscal-version"

• title -> the same as in Metanorma

• last-modified (date and time)

• version (date)

• oscal-version

• role -> defines different roles using attribute "id" which can take values 'creator' and 'contact'

• party -> defines parties

  • org (organization)
    • org-name (name of the organization)
    • address
      • addr-line -> one line of the address in case it needs to be written in multiple lines
      • city
      • state
      • postal-code
    • email

• responsible-party -> defines a responsible party; similar as subject in Metanorma

GROUP -> contains "control" and attributes "title", "class" and "id"

• control -> it is used as some kind of separator; contains "part", "link", "prop" and "param" and attributes "class" and "id"
• link -> combination of "import" and "inherit" in Metanorma using "href" token; classification is made with "rel" token, which can take values: 'corresp', 'incorporated-into', 'related' and 'reference'
• part -> defines different parts; classification is made with token "name", which can take values: 'statement', 'guidance', 'objective', 'assessment', 'objects' and 'item'; also uses attribute "id"
• param -> can contain "label" or "select" and attribute "id"
• prop -> similar to "classification" in Metanorma; property that gives the "name" or "number" of the control, enhancement, or component part of a control such as statements or objectives; classification is made with token "name", which can take values 'sort-id', 'label', 'method', 'status', 'priority'
• insert
• label -> human readable labels
• select -> enables to choose one option
  • choice -> options to choose between

BACK-MATTER -> contains "resource", "citation"

• citation -> similar to "references" in Metanorma, uses attributes "target" (URL) and "title" (human readable), as well as "id" token
• resource -> provides URL of resource through "rlink"; it can be described by human readable text using attribute "desc"
• rlink -> resource URL, which is specified through "href" attribute, and whose type is specified by "media-type" attribute which can, for example, be 'application/pdf' or 'application/oscal.catalog+xml'
• desc -> human readable text that describes some resource

IMPORT -> contains "include" and uses "href" attribute (e.g. '#catalog')

• include -> specifies what to include
• call -> specifies "control-id"

MERGE

• as-is -> Boolean value

MODIFY -> contains "alter"

• alter -> specifies what kind of alteration should be made (e.g. "add")
• add -> specifies what should be added, uses attribute "control-id", as well as "position" (e.g. 'starting') for each added "prop"

[opoudjis]

Wow. Thank you @anermina. I don't have the headspace to investigate this now, but this gives me a start. And I can already see that this is radically different to the modelling we have done...

[ronaldtse]

Under the new thinking, OSCAL represents one way of modeling a requirement. Metanorma should support multiple ways of modeling requirements, and for sure we should support OSCAL.

[opoudjis]

No longer a priority