Naming conventions for OSCAL-formatted artifacts

[anweiss]

At this point, the names given to OSCAL-formatted artifacts are completely arbitrary. We should provide OSCAL tool/catalog maintainers with some naming conventions and guidance for any OSCAL-formatted artifacts that they produce/consume.

Supports #58.

[david-waltermire]

I need to understand what your concern is here. We should avoid being overly prescriptive to a large degree. How does naming of artifacts harm interoperability or use?

[akarmel]

4/23/2018 - Discussion STANDARD_REVISION_OSCALLAYER_FUNCTION

STANDARD = SP800-53 REVISION = R4 OSCALLAYER = catalog, profile, ETC FUNCTION = WHAT IT DOES

e.g. SP800-53_R4_catalog.xml SP800-53_R4_low_profile.xml FedRAMP_moderate_profile.xml FedRAMPSaaS_low_profile.xml (tailored)

[iMichaela]

4/23/2018 - OSCAL artifacts naming convention concerns:

• SP800-53_R4_low_profile.xml example is not matching the description STANDARD_REVISION_OSCALLAYER_FUNCTION. "_low" is not a REVISION". 'profile' is the 'OSCALLAYER'. So, the description needs to better reflect current and/or desired naming convention at least fro profiles.
• To facilitate artifact name parsing, I suggest 'REVISION" to be preceded by a period, so if there is no version, then no ".VERSION" will exist.
• To accommodate FedRAMP's profiles with different flavors (HHH watermark vs Tailored), we need more flexibility in the naming convention. I think we need to allow for additional information through a mechanism similar to the version described above. E.g. FedRAMP.R4_low.SaaS_profile.xml which will imply this is a FedRAMP profile using SP800-53 R4 controls (as opposed to R5), it is a LOW baseline, tailored for SaaS and it is based on profile OSCAL layer. In this way, a proprietary profile based on ISO would be ISO27001.2013_profile.xml. So, the general formula would be: STANDARD.StandardRevision_CATEGORY.CategoryVersion_OSCALLayer.ext For SP800-53, for a profile, the CATEGORY would be the impact level, version would be tailored or nothing/default (= HHH watermark).

[david-waltermire]

I will document naming conventions in the README.md in the examples directory. I'll do this based on the feedback.

[david-waltermire]

Naming conventions have been documented.