AP Tasks Need Asset Linkage

User Story

As a developer of cATO capabilities using OSCAL, I need the ability to define which tool will be performing a specific task in the Assessment Plan model.

Currently, the AP provides for the definition of:

assessors (parties)
activities (Examine, Test, Interview)
assets (assessment tools and platforms)
subjects (parties, components, inventory items, users locations)

The AP also provides tasks, which are used to link assessors, activities and subjects as well as define a time interval; however, it is missing the ability to associate assessment assets with tasks.

For snapshot in time assessments, the inability to link assets to tasks is inconvenient, but not critical.

However, when attempting to use an OSCAL AP as a specification for automated continuous ATO, the ability to associate an asset to a task becomes critical. Under cATO the tool is the actor in lieu of the assessor.

The frequency of an automated activity is defined in a AP task (i.e. every 10 minutes, once an hour, once a day). There needs to be a way to indicate what assessment asset (tool, script, or automated process) performs that task.

Goals

add an associated-asset-uuid field to assessment-plan/task with a cardinality of 0 or more. (this would be a non-breaking change)

Dependencies

No response

Acceptance Criteria

[ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
[ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
[ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

usnistgov / OSCAL