oscal-compass / compliance-trestle

An opinionated tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
https://oscal-compass.github.io/compliance-trestle
Apache License 2.0

Various changes to markdown docs #1164

Closed enikonovad closed 1 year ago

enikonovad commented 2 years ago

Issue description / feature objectives

This is a general issue to contain known issues in the Markdown Docs.

Issues:

  1. No new line after the tag

    # AC-2(1) - Automated System Account Management
              <-- SHOULD NOT BE AN EMPTY LINE HERE
    {: #ac-2.1}
  2. Print only sections that were provided in the Jinja. i.e.

    ['statement', 'additional_guidance', 'guidance', 'table_of_parameters'], 
    {
      'statement':'Requirements',
      'additional_guidance':'Additional FS Cloud Specifications',
      'guidance':'Supplemental Guidance',
      'table_of_parameters':'Parameters'
    }
    ) 

    Should not print implementation guidance

  3. Override section names entirely, without the "Control.." prefix. i.e. 'guidance':'Supplemental Guidance' should output header Supplemental Guidance and not Control Supplemental Guidance

Completion Criteria

All issues above are fixed.

aerwin commented 2 years ago

@enikonovad Thanks for your help. I tried again after reading the Slack, and updated my Jinja to this:

{{ control_writer.write_control_with_sections(
   control, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 'table_of_parameters', 'above_the_line_guidance'], 
   {
      'statement':'Requirements',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications',
      'guidance':'Supplemental Guidance',
      'table_of_parameters':'Parameters',
      'above_the_line_guidance': 'What is the solution and how is it implemented?'
   }, label_column=True,
    add_group_to_title=False,
    param_dict=displayname_param_dict
   ) | safe
}}

Below is the output:

---
copyright:
  years: 2020, [{CURRENT_YEAR}]
lastupdated: "[{LAST_UPDATED_DATE}]"
keywords: 
subcollection: controls
---

[{site.data.keyword.attribute-definition-list}]

# SC-28 - Protection of Information at Rest

{: #sc-28}

## Requirements

{: #requirements}
The information system protects the [data in all regions and availability zones] of [organization-defined information at rest].

## Control Supplemental Guidance

{: #control-supplemental-guidance}
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

## Parameters

| Parameter ID | Values | Label or Choices |
|---|---|---|
| sc-28_prm_1 | data in all regions and availability zones | Choose one or more: confidentiality; integrity |
| sc-28_prm_2 |  | organization-defined information at rest |
{: #Parameters for SC-28 caption-side="top"}

A few things to notice:

## Requirements

{: #requirements}
The information system protects the [data in all regions and availability zones] of [organization-defined information at rest].

But, instead should be:

## Requirements
{: #requirements}

The information system protects the [data in all regions and availability zones] of [organization-defined information at rest].

{: #Parameters for SC-28 caption-side="top"}

should be

{: #"Parameters for SC-28" caption-side="top"}

## Parameters
{: #parameters} <-- MISSING

---
x-trestle-set-params:
  sc-28_prm_1:
    select:
      how_many: one_or_more
      choice:
        - confidentiality
        - integrity
    values: data in all regions and availability zones
  sc-28_prm_2:
    label: organization-defined information at rest
sort-id: sc-28
---

# sc-28 - \[System and Communications Protection\] Protection of Information at Rest

## Control Statement

The information system protects the {{ insert: param, sc-28_prm_1 }} of {{ insert: param, sc-28_prm_2 }}.

## Control Objective

Determine if:

- \[SC-28[1]\] the organization defines information at rest requiring one or more of the following:

  - \[SC-28[1][a]\] confidentiality protection; and/or
  - \[SC-28[1][b]\] integrity protection;

- \[SC-28[2]\] the information system protects:

  - \[SC-28[2][a]\] the confidentiality of organization-defined information at rest; and/or
  - \[SC-28[2][b]\] the integrity of organization-defined information at rest.

## Control guidance

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

# Editable Content

<!-- Make additions and edits below -->
<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
<!-- If the profile makes additions to the control, they will appear below. -->
<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
<!-- The added parts in the profile for this control are below.  You may edit them and/or add new ones. -->
<!-- Each addition must have a heading of the form ## Control my_addition_name -->
<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->

## Control implementation_guidance

Encrypt all client data at rest in accordance with PaaS and IaaS System and Communications Protection Policies.

Supplemental Guidance for Cryptography Governance located here: https://pages.github.ibm.com/ibmcloud/Security/guidance/crypto_reqs.html

## Control expected_evidence

Code or configuration showing any service-internal storage of customer or service data is encrypted at rest.

## Control above_the_line_guidance

### Implementation Guidance

Provider is to protect data against unauthorized disclosure, modification or destruction by applying controls according to the data classification as assigned by the consumer, throughout the data lifecycle (i.e., creation, at rest, in transit, in process, archival, and destruction) and consistent with laws and regulations applicable to the data. 

Data at rest must always be encrypted.  The provider must implement controls to ensure cryptographic controls are in place in all regions and availability zones to protect the confidentiality and integrity of data. 

Provider is to ensure the use of unique encryption keys per consumer, for data at rest encryption.  Provider must also ensure that they use Keep Your Own Key (KYOK) solution so that the keys are in exclusive control and they have full control of the HSM; and thus, have technical assurance that Cloud provider cannot access the keys.  To meet this requirement, the provider must use IBM Hyper Protect Crypto Services (HPCS) to support this requirement.  HPCS enables KYOK support and protected with FIPS 140-2 level 4 HSM. 

When the consumer is a financial institution, the consumer's key should be used for encrypting consumer data. This means the consumer has full control and authority over the encryption keys so that neither the provider nor IBM can decrypt the consumer's data. 

Note: There is currently no Financial Services Validated solution for retrieving the consumer's keys. For the time being provider will need to use their own keys with KYOK.

### Evidence Guidance

Automated mechanisms supporting and/or implementing encryption, confidentiality, and integrity protections for information in all zones and regions, primary and alternate sites.Configurations showing encryption type, size, and level for information at rest. Samples of data at rest showing encryption implementation. System and communications protection policy.

aerwin commented 2 years ago

@enikonovad Thanks for the updates in development. I tried them out and most things are working pretty well now. However, the following major issue mentioned above still occurs:

enikonovad commented 2 years ago

@aerwin That is odd, did you pull latest changes from develop? I just tested it locally and it seems like it is working for me, here is above_the_line_section in a newly generated controls-output\sc\sc-28.md:

## Above The line guidance
{: #above-the-line-guidance}

### Implementation Guidance

Provider is to protect data against unauthorized disclosure, modification or destruction by applying controls according to the data classification as assigned by the consumer, throughout the data lifecycle (i.e., creation, at rest, in transit, in process, archival, and destruction) and consistent with laws and regulations applicable to the data.

Data at rest must always be encrypted.  The provider must implement controls to ensure cryptographic controls are in place in all regions and availability zones to protect the confidentiality and integrity of data.

Provider is to ensure the use of unique encryption keys per consumer, for data at rest encryption.  Provider must also ensure that they use Keep Your Own Key (KYOK) solution so that the keys are in exclusive control and they have full control of the HSM; and thus, have technical assurance that Cloud provider cannot access the keys.  To meet this requirement, the provider must use IBM Hyper Protect Crypto Services (HPCS) to support this requirement.  HPCS enables KYOK support and protected with FIPS 140-2 level 4 HSM.

When the consumer is a financial institution, the consumer's key should be used for encrypting consumer data. This means the consumer has full control and authority over the encryption keys so that neither the provider nor IBM can decrypt the consumer's data.

Note: There is currently no Financial Services Validated solution for retrieving the consumer's keys. For the time being provider will need to use their own keys with KYOK.

### Evidence Guidance

Automated mechanisms supporting and/or implementing encryption, confidentiality, and integrity protections for information in all zones and regions, primary and alternate sites.Configurations showing encryption type, size, and level for information at rest. Samples of data at rest showing encryption implementation. System and communications protection policy.

I use this call in Jinja template:

{{ control_writer.write_control_with_sections(
   control, profile, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 'table_of_parameters', 'above_the_line_guidance'], 
   {
      'statement':'Requirements',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications',
      'guidance':'Supplemental Guidance',
      'table_of_parameters':'Parameters',
      'above_the_line_guidance': 'Above The line guidance'
   }, label_column=True,
    add_group_to_title=False,
    param_dict=displayname_param_dict
   ) | safe
}}

aerwin commented 2 years ago

@enikonovad Yes, I had pulled the latest from dev (as evidenced by the fact everything else was working). But, that is odd it works for you. This is my full jinja file:

---
copyright:
  years: 2020, [{CURRENT_YEAR}]
lastupdated: "[{LAST_UPDATED_DATE}]"
keywords: 
subcollection: {{ names.subcollection }}
---

{# 
   NOTE: [{CURRENT_YEAR}] and [{LAST_UPDATED_DATE}] in YML header above ^^^^
    will be populated by Enrichie in Cloud Docs. -->
#}

{# TODO: 
   I want to insert {{site.data.keyword.attribute-definition-list}} per Cloud Docs 
   best practices. However, my attempts to do so failed -- including the two techniques shown in in
    https://jinja.palletsprojects.com/en/3.1.x/templates/#escaping:

   1. {% raw %}{{ site.data.keyword.attribute-definition-list }}{% endraw %}
   2. {{ '{{ site.data.keyword.attribute-definition-list }}' }}

   So, I'm replacing this string in final output via Python
#}
[{site.data.keyword.attribute-definition-list}]

{% if variables.above_the_line %}
{# 
{{ control_writer.write_control_with_sections(
   control, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 'table_of_parameters', 'above_the_line_guidance'], 
   {
      'statement':'Requirements\n{: #requirements}',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications\n{: #additional-fs-cloud-specifications}',
      'guidance':'Supplemental Guidance\n{: #supplemental-guidance}',
      'table_of_parameters':'Parameters\n{: #control-parameters}',
      'above_the_line_guidance': 'What is the solution and how is it implemented?\n{: #control-parameters}'
   }
   ) 
}}
#}

{{ control_writer.write_control_with_sections(
   control, profile, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 'table_of_parameters', 'above_the_line_guidance'], 
   {
      'statement':'Requirements',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications',
      'guidance':'Supplemental Guidance',
      'table_of_parameters':'Parameters',
      'above_the_line_guidance': 'What is the solution and how is it implemented?'
   }, label_column=True,
    add_group_to_title=False,
    param_dict=displayname_param_dict
   ) | safe
}}

{% else %}
{# 
{{ control_writer.write_control_with_sections(
   control, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 
      'implementation_guidance', 'expected_evidence', 'table_of_parameters'], 
   {
      'statement':'Requirements\n{: #requirements}',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications\n{: #additional-fs-cloud-specifications}',
      'guidance':'Supplemental Guidance\n{: #supplemental-guidance}',
      'implementation_guidance':'Implementation Guidance\n{: #implementation-guidance}', 
      'expected_evidence':'Evidence Guidance\n{: #evidence_guidance}', 
      'table_of_parameters':'Parameters\n{: #control-parameters}'
   }
   ) 
}}
#}

{{ control_writer.write_control_with_sections(
   control, profile, group_title, 
   ['statement', 'additional_fs_cloud_guidance', 'guidance', 'table_of_parameters',
      'implementation_guidance', 'expected_evidence'],  
   {
      'statement':'Requirements',
      'additional_fs_cloud_guidance':'Additional FS Cloud Specifications',
      'guidance':'Supplemental Guidance',
      'table_of_parameters':'Parameters',
      'implementation_guidance':'Implementation Guidance', 
      'expected_evidence':'Evidence Guidance',
   }, label_column=True,
    add_group_to_title=False,
    param_dict=displayname_param_dict
   ) | safe
}}

{% endif %}

aerwin commented 2 years ago

@enikonovad Aside from the issue with above_the_line_guidance, I have a few more misc items that haven't been listed in this ticket before. @vikas-agarwal76 told me I could add them here, but let me know if you want any of them in separate issues.

Parameters

For parameters, we need the human-readable id's like we see in the FedRAMP SSP template. I know that Lou worked on the reverse of this problem while importing the spreadsheet.

For example, for SI-6 the output in Cloud Docs is:

[image]

But, in the SSP template we see human-readable id's like the following:

[image]

Human Readable ID's (Spaces in Control Enhancements)

It's great that the main Markdown header now shows text like AC-2(1) - Automated System Account Management. However, the SSP template shows a space before the paren like: AC-2 (1)

Would it be possible to add that?

Control Enhancement Titles

Staying with the AC-2 (1) example, the text part of the header should really be Account Management | Automated System Account Management (that is [Title of Control Being Enhanced] | [Title of Enhancement])

Escaping in Jinja Template

I need to insert {{site.data.keyword.attribute-definition-list}} in my Markdown file per Cloud Docs best practices. However, my attempts to do so via the Jinja file failed. This included the two techniques shown in https://jinja.palletsprojects.com/en/3.1.x/templates/#escaping:

  1. {% raw %}{{ site.data.keyword.attribute-definition-list }}{% endraw %}
  2. {{ '{{ site.data.keyword.attribute-definition-list }}' }}

enikonovad commented 2 years ago

@enikonovad Yes, I had pulled the latest from dev (as evidenced by the fact everything else was working). But, that is odd it works for you. This is my full jinja file:

Now I am puzzled, I just ran your Jinja template and this is the controls-output\sc\sc-28.md and the above_the_line_guidance section is there as well (it was renamed to What is the solution and how is it implemented?). See output below.

Could I please ask you to share the Trestle command that you are running? I.e. I use trestle author jinja --input profile_to_docs.md.jinja --output build/controls-output/ -p FSCloud_internal -dp -pf [.] -lut jinja-lookup-table-atl.yml

---
copyright:
  years: 2020, [{CURRENT_YEAR}]
lastupdated: "[{LAST_UPDATED_DATE}]"
keywords: 
subcollection: controls
---

[{site.data.keyword.attribute-definition-list}]

# SC-28 - Protection of Information at Rest
{: #sc-28}

## Requirements
{: #requirements}

The information system protects the [data in all regions and availability zones] of [organization-defined information at rest].

## Supplemental Guidance
{: #supplemental-guidance}

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

## Parameters
{: #parameters}

| Parameter ID | Values | Label or Choices |
|---|---|---|
| sc-28_prm_1 | data in all regions and availability zones | Choose one or more: confidentiality; integrity |
| sc-28_prm_2 |  | organization-defined information at rest |
{: #"Parameters for SC-28" caption-side="top"}

## What is the solution and how is it implemented?
{: #what-is-the-solution-and-how-is-it-implemented?}

### Implementation Guidance

Provider is to protect data against unauthorized disclosure, modification or destruction by applying controls according to the data classification as assigned by the consumer, throughout the data lifecycle (i.e., creation, at rest, in transit, in process, archival, and destruction) and consistent with laws and regulations applicable to the data.

Data at rest must always be encrypted.  The provider must implement controls to ensure cryptographic controls are in place in all regions and availability zones to protect the confidentiality and integrity of data.

Provider is to ensure the use of unique encryption keys per consumer, for data at rest encryption.  Provider must also ensure that they use Keep Your Own Key (KYOK) solution so that the keys are in exclusive control and they have full control of the HSM; and thus, have technical assurance that Cloud provider cannot access the keys.  To meet this requirement, the provider must use IBM Hyper Protect Crypto Services (HPCS) to support this requirement.  HPCS enables KYOK support and protected with FIPS 140-2 level 4 HSM.

When the consumer is a financial institution, the consumer's key should be used for encrypting consumer data. This means the consumer has full control and authority over the encryption keys so that neither the provider nor IBM can decrypt the consumer's data.

Note: There is currently no Financial Services Validated solution for retrieving the consumer's keys. For the time being provider will need to use their own keys with KYOK.

### Evidence Guidance

Automated mechanisms supporting and/or implementing encryption, confidentiality, and integrity protections for information in all zones and regions, primary and alternate sites.Configurations showing encryption type, size, and level for information at rest. Samples of data at rest showing encryption implementation. System and communications protection policy.

aerwin commented 2 years ago

@enikonovad Well, it looks like the profile.json file loses the above_the_line_guidance when I run trestle author profile-assemble -m md_guidance -o FSCloud_internal -v

I don't understand why it would do that, and I'm not sure if that will become an issue later. But, when I reverted the profile.json file to what's in the repo, things worked fine.

--

However, I do notice an issue that shows in your output above. Could we remove punctuation from the auto-generated header anchors? Specifically, I mean the question mark in the second line below:

## What is the solution and how is it implemented?
{: #what-is-the-solution-and-how-is-it-implemented?}

--

And, sorry, one more 😀 For AC-2, there are subsections in the above-the-line guidance. For example, see an excerpt below:

## What is the solution and how is it implemented?
{: #what-is-the-solution-and-how-is-it-implemented?}

### Part a.

#### Implementation Guidance

Identify types of accounts to support organizational missions/business functions.  When specifying account types, the provider considers the following account types that apply for their IBM Cloud accounts, host operating systems, and applications: individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, service accounts, privileged administrator accounts, domain administrator accounts, local device accounts, and customer privileged administrative accounts.

...

#### Evidence Guidance

List of all account types identified and established for the provider environment (IBM Cloud account, provider admin accounts for both the environment and the application), including roles, authorized privileges, and functions performed for each account type.
System demos/walkthroughs of all account management systems (IBM Cloud, provider corporate IdP, etc.).

List of all service accounts including the following:
- account name
- account function
- users with access to service account

### Part b.

#### Implementation Guidance

The provider assigns account managers for IBM Cloud, and provider IdP accounts used by DevOps and other operations staff.  Account managers include the individual's or system's manager and account owner.

#### Evidence Guidance

Identified account managers for all accounts supporting the provider application (IBM Cloud, application)

This may be a bit more complicated, but could we generate unique anchors for those as well? Ideally, something like:

## What is the solution and how is it implemented?
{: #what-is-the-solution-and-how-is-it-implemented}

### Part a.
{: #what-is-the-solution-and-how-is-it-implemented-part-a}

#### Implementation Guidance
{: #what-is-the-solution-and-how-is-it-implemented-part-a-implementation-guidance}

Identify types of accounts to support organizational missions/business functions.  When specifying account types, the provider considers the following account types that apply for their IBM Cloud accounts, host operating systems, and applications: individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, service accounts, privileged administrator accounts, domain administrator accounts, local device accounts, and customer privileged administrative accounts.

...

#### Evidence Guidance
{: #what-is-the-solution-and-how-is-it-implemented-part-a-evidence-guidance}

List of all account types identified and established for the provider environment (IBM Cloud account, provider admin accounts for both the environment and the application), including roles, authorized privileges, and functions performed for each account type.
System demos/walkthroughs of all account management systems (IBM Cloud, provider corporate IdP, etc.).

List of all service accounts including the following:
- account name
- account function
- users with access to service account

### Part b.
{: #what-is-the-solution-and-how-is-it-implemented-part-b}

#### Implementation Guidance
{: #what-is-the-solution-and-how-is-it-implemented-part-b-implementation-guidance}

The provider assigns account managers for IBM Cloud, and provider IdP accounts used by DevOps and other operations staff.  Account managers include the individual's or system's manager and account owner.

#### Evidence Guidance
{: #what-is-the-solution-and-how-is-it-implemented-part-b-evidence-guidance}

Identified account managers for all accounts supporting the provider application (IBM Cloud, application)
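
A post-processing pass that produces the anchors requested above: punctuation stripped from ids, hierarchical ids for nested headings so the repeated "Implementation Guidance" / "Evidence Guidance" headings no longer collide, and the id line placed directly under the heading instead of after a blank line (issue 1 at the top of this thread). This is an added example, not code from trestle or from aerwin's own post-processing script; the slug rules, the `base_level` parameter and the `SAMPLE` excerpt are my assumptions, and it deliberately leaves table caption attributes such as `{: #"Parameters for SC-28" caption-side="top"}` alone because they do not follow a heading.

```python
import re
from typing import Dict, List

# An ATX heading: a run of '#', whitespace, then the title.
HEADING_RE = re.compile(r'^(#{1,6})\s+(.*?)\s*$')
# A kramdown-style attribute line carrying only an id, e.g. '{: #sc-28}' (the form the generator emits).
ANCHOR_RE = re.compile(r'^\{:\s*#([^\s}]+)\s*\}\s*$')


def slugify(title: str) -> str:
    """Heading text -> anchor id: lower-case, punctuation dropped, runs of spaces/hyphens -> '-'."""
    title = re.sub(r'[^a-z0-9\s-]', '', title.lower())
    return re.sub(r'[\s-]+', '-', title).strip('-')


def clean_id(anchor_id: str) -> str:
    """Existing id -> safe id: keep letters, digits, '.', '_' and '-'; drop '?' and other punctuation."""
    return re.sub(r'[^a-z0-9._-]', '', anchor_id.lower())


def add_anchors(markdown: str, base_level: int = 2) -> str:
    """Emit '{: #id}' directly under every heading.

    Headings at base_level and deeper get hierarchical ids (enclosing ids + own slug).
    An anchor the generator already emitted (even one separated by a blank line) is
    replaced in place, with its punctuation removed.
    """
    out: List[str] = []
    stack: List[str] = []       # ids of the enclosing headings from base_level downwards
    seen: Dict[str, int] = {}   # ids already emitted, for a last-resort numeric suffix
    lines = markdown.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HEADING_RE.match(line)
        if not m:
            out.append(line)
            i += 1
            continue
        level, title = len(m.group(1)), m.group(2)

        # Look past blank lines for an anchor that already follows this heading.
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        existing = ANCHOR_RE.match(lines[j]) if j < len(lines) else None
        own = clean_id(existing.group(1)) if existing else slugify(title)

        if level >= base_level:
            del stack[level - base_level:]   # drop headings at this depth or deeper
            stack.append(own)
            anchor_id = '-'.join(stack)
        else:
            stack.clear()                    # a top-level heading starts a new hierarchy
            anchor_id = own

        count = seen.get(anchor_id, 0)
        seen[anchor_id] = count + 1
        if count:
            anchor_id = f'{anchor_id}-{count}'

        out.append(line)
        out.append('{: #' + anchor_id + '}')
        i = j + 1 if existing else i + 1
        if i < len(lines) and lines[i].strip():
            out.append('')                   # keep one blank line between the anchor and the body
    return '\n'.join(out) + '\n'


# Constructed excerpt modelled on the AC-2 output quoted in this thread (not real generator output).
SAMPLE = """\
## What is the solution and how is it implemented?
{: #what-is-the-solution-and-how-is-it-implemented?}

### Part a.

#### Implementation Guidance

Identify types of accounts to support organizational missions/business functions.

#### Evidence Guidance

List of all account types identified and established for the provider environment.

### Part b.

#### Implementation Guidance

The provider assigns account managers for IBM Cloud.
"""

if __name__ == '__main__':
    print(add_anchors(SAMPLE))
```

Running the block prints the excerpt with exactly the ids aerwin sketched (`...-part-a-implementation-guidance`, `...-part-b-implementation-guidance`, and so on). The numeric suffix only kicks in when two headings still produce the same full id, for example two sibling "Part a." headings under one parent.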

enikonovad commented 2 years ago

Well, it looks like the profile.json file loses the above_the_line_guidance when I run trestle author profile-assemble -m md_guidance -o FSCloud_internal -v

Indeed... good catch! That explains why the section was not there in the docs. I believe this is a bug that needs to be fixed. I will make an issue for that. Edit: issue created - https://github.com/IBM/compliance-trestle/issues/1175

This may be a bit more complicated, but could we generate unique anchors for those as well? Ideally, something like:

Those sections are coming from prose; the code currently only allows modifying the names of the parts and doesn't process the prose, it just prints whatever is there. However, it can be added if needed. I think before that we need to have a discussion here on whether the new subsections from the markdown have to be added as subparts instead of the prose.

enikonovad commented 2 years ago

@aerwin Added more complex tags and the ability to rename parts as required in the comment above. All changes were merged to develop. Please have a look once you have time, thanks

aerwin commented 2 years ago

@enikonovad Perhaps I'm doing something wrong, but I'm not seeing any difference in the output after rerunning pip install git+https://github.com/IBM/compliance-trestle@develop. Do I need any changes to my Jinja file?

aerwin commented 2 years ago

@enikonovad I've found a new issue on top of the ones above. My Python code does some post-processing of the markdown and I've temporarily worked around most of the existing issues. However, I'm not sure how to solve the problem below in post-processing so the problem below should be considered the highest priority right now.

Basically, all of the parameters in the control requirement output are missing the modifiers like Assignment:, Selection (one or more):, etc. that are seen in Asif's spreadsheet, the prime spreadsheet, and the CIO template.

For example, SI-6 should read as follows (I've added emphasis to show what is missing in the Trestle-generated markdown).

Can this be fixed? I'm guessing @degenaro is having to solve a similar problem when he is regenerating the controls spreadsheet.
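
The modifier rendering described above, as an added example that is not trestle's code: the `PARAMS` dict mirrors the `x-trestle-set-params` header quoted earlier in this thread, the `{{ insert: param, ... }}` placeholders come from the SC-28 control statement in sc-28.md, and the exact wording of the modifiers (`Assignment:`, `Selection (one or more):`) is an assumption modelled on the FedRAMP template rather than taken from the spreadsheets named in the comment. `show_values=False` renders the unresolved form (label or choices), `show_values=True` substitutes the values set in the header.

```python
import re
from typing import Any, Dict

# Parameter definitions in the shape of the x-trestle-set-params header quoted earlier in this
# thread (constructed copy; this is what a YAML loader would return for that header).
PARAMS: Dict[str, Dict[str, Any]] = {
    'sc-28_prm_1': {
        'select': {'how_many': 'one_or_more', 'choice': ['confidentiality', 'integrity']},
        'values': 'data in all regions and availability zones',
    },
    'sc-28_prm_2': {'label': 'organization-defined information at rest'},
}

# The control statement as it appears in the generated sc-28.md.
STATEMENT = ('The information system protects the {{ insert: param, sc-28_prm_1 }} '
             'of {{ insert: param, sc-28_prm_2 }}.')

INSERT_RE = re.compile(r'\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}')

# Modifier wording per how_many value; an assumption modelled on the FedRAMP SSP template.
SELECTION_TEXT = {'one': 'Selection (one)', 'one_or_more': 'Selection (one or more)'}


def modifier(param: Dict[str, Any]) -> str:
    """'Selection (...)' for a select parameter, 'Assignment' for everything else."""
    select = param.get('select')
    if select is None:
        return 'Assignment'
    # Accept OSCAL's hyphenated 'one-or-more' as well as the underscored form in the YAML header.
    how_many = str(select.get('how_many', 'one')).replace('-', '_')
    return SELECTION_TEXT.get(how_many, 'Selection')


def render_param(param: Dict[str, Any], show_values: bool = True) -> str:
    """Return '[Modifier: text]': the set value(s) when present and wanted, else the label or choices."""
    values = param.get('values')
    if show_values and values:
        text = values if isinstance(values, str) else '; '.join(values)
    elif 'select' in param:
        text = '; '.join(param['select'].get('choice', []))
    else:
        text = param.get('label', '')
    return f'[{modifier(param)}: {text}]'


def render_statement(statement: str, params: Dict[str, Dict[str, Any]],
                     show_values: bool = True) -> str:
    """Replace each '{{ insert: param, <id> }}' with its bracketed form; unknown ids are left as-is."""
    def replace(m: re.Match) -> str:
        param = params.get(m.group(1))
        return render_param(param, show_values) if param is not None else m.group(0)
    return INSERT_RE.sub(replace, statement)


if __name__ == '__main__':
    print(render_statement(STATEMENT, PARAMS))
    print(render_statement(STATEMENT, PARAMS, show_values=False))
```

Leaving an unknown parameter id untouched (rather than silently dropping it) is deliberate: a placeholder surviving into the rendered docs is the quickest signal that the profile's parameter set and the catalog's statement have drifted apart.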

enikonovad commented 2 years ago

@aerwin I have just looked at the profile on the master branch in the guidance repo, it seems to be invalid, in particular this part is incorrect:

{
  "position": "after",
  "by-id": "sc-28_smt",
  "parts": [
    {
      "id": "sc-28_above_the_line_guidance",
      "name": "above_the_line_guidance",
      "title": "above_the_line_guidance",
      "prose": "### Implementation Guidance\n\nProvider is to protect data against unauthorized disclosure, modification or destruction by applying controls according to the data classification as assigned by the consumer, throughout the data lifecycle (i.e., creation, at rest, in transit, in process, archival, and destruction) and consistent with laws and regulations applicable to the data.\n\nData at rest must always be encrypted.  The provider must implement controls to ensure cryptographic controls are in place in all regions and availability zones to protect the confidentiality and integrity of data.\n\nProvider is to ensure the use of unique encryption keys per consumer, for data at rest encryption.  Provider must also ensure that they use Keep Your Own Key (KYOK) solution so that the keys are in exclusive control and they have full control of the HSM; and thus, have technical assurance that Cloud provider cannot access the keys.  To meet this requirement, the provider must use IBM Hyper Protect Crypto Services (HPCS) to support this requirement.  HPCS enables KYOK support and protected with FIPS 140-2 level 4 HSM.\n\nWhen the consumer is a financial institution, the consumer's key should be used for encrypting consumer data. This means the consumer has full control and authority over the encryption keys so that neither the provider nor IBM can decrypt the consumer's data.\n\nNote: There is currently no Financial Services Validated solution for retrieving the consumer's keys. For the time being provider will need to use their own keys with KYOK.\n\n### Evidence Guidance\n\nAutomated mechanisms supporting and/or implementing encryption, confidentiality, and integrity protections for information in all zones and regions, primary and alternate sites.Configurations showing encryption type, size, and level for information at rest. Samples of data at rest showing encryption implementation. System and communications protection policy."
    }
  ]
}

Notice how the parts are all in prose instead of being in subparts.

Please reassemble (profile-assemble) your profile and run the docs generation again. If all goes well it should work after this.