Closed david-waltermire closed 5 years ago
9/12/2017 Sprint Review Call Notes
The current profile resolver XSLT keeps track of profiles it reads, and refuses to read a profile for a second time, thereby preventing cyclic traversals.
9/19/2017 Sprint Review Call Notes
9/25/2017 Sprint Review Call Notes
A profile describing (what I believe to be*) the MODERATE baseline (profile of SP800-53/a) is here:
working/SP800-53/MODERATE-baseline-profile-oscal.xml
Next to it, you will also find LOW and HIGH.
(*) I say "what I believe to be" since these were pulled via query, and I am assuming both the data and the query are correct. (Under spot checking it looks good.)
Additionally, each of these profile documents can be run through a transformation pipeline that (a) expands (resolves) it against the catalog(s) it calls (always SP800-53-enhanced.xml
) and (b) converts it into HTML for display on the web. This addresses point 3 above. The result of running MEDIUM is here:
working/SP800-53/MODERATE-baseline-profile-oscal-rendered.html
... and similarly for the others.
The remaining functionalities relate to correct resolution profiles calling profiles and profiles calling multiple catalogs. A (small) profile calling multiple catalogs is available here:
working/SP800-53/testing-profile.xml
and a profile that calls a profile is here:
working/SP800-53/testing2-profile.xml
They both have rendered (HTML) versions next to them. (The rendering is not what a designer would do but it shows the data with parameter insertion working.)
Additionally, you will find a FedRAMP demo in subdirectory working/FedRAMP. It should have a readme.md explaining it. This together with the "naive" MODERATE baseline mentioned above, should address point 1.
10/24/2017 - Sprint 4 Review Call Notes
10/31/2017 - Sprint 5 Progress Notes
As of 11/3 we have two separate tracks of activity underway bearing on this Issue
At last week's meeting I admitted that if we worked hard enough, we could perhaps cover the three FedRAMP baselines given the spreadsheet inputs. Now I'd like to qualify this and suggest we aim instead to do enough (a representative subset) so we understand the scale and scope of the entire job -- and prioritize the quality of the expression (as a demo), rather than just slap together the data we have.
11/7/2017 - Sprint 5 Progress Notes
The /examples/mini-testing catalog with profiles (various common and exotic), is in place. More examples will be coming.
The /examples/SP800-53 directory now contains more-or-less "reference" or "best available" versions of SP800-53 rev4, and its three defined profiles HIGH, MODERATE and LOW. (How these are related to the production pipeline over in /working/SP800-53, is documented.)
The /examples/FedRAMP directory contains not-yet-finished "castings" of the three FedRAMP spreadsheets, into OSCAL profiles. (These profiles call, respectively, the profiles for HIGH MODERATE and LOW kept in /examples/SP800-53.) These profiles show controls selection, parameterization and patching (if only roughly so far). These too were produced by a semi-automated process maintained in the /working subdirectory (but kept out of the way here); however since the machine cannot do the final revisions, those are left (for demo), with the exception of HIGH, which has been finished about halfway so far.
Andrew has been making regular refreshes to JSON versions of everything.
11/21/2017 - Sprint 5 Progress Notes
DETAILED PROGRESS NOTE: On Github or in your updated copy you will find there is an /examples subdirectory in OSCAL now, containing three subdirectories, including not only the unit tests (/mini-testing) but also the FedRAMP demo (both a /FedRAMP subdir and a subdir /SP800-53 for the latter control catalog and its profiles, on which the FedRAMP profiles depend).
Each directory has a readme.md.
In particular, note that the SP800-53 readme lists the different validations (i.e., not only schema validations but also Schematron) that have been performed on the various files.
Also the FedRAMP readme describes what is going on there. Summary version: while there is definitive progress to show towards getting complete FedRAMP profiles in place (derived from the spreadsheet data) -- it also becomes much clearer where there are "gaps" that have to be bridged in some way.
In some places these are due to gaps remaining in the model (an obvious case would be where catalogs have 'selection' parameters, which as you know we do not support yet), but more pervasively and problematically, they reveal gaps in the process of how we proceed to determine and assign parameter values (with correct syntax and ids) and specify interventions (alterations) -- both in the practical case of these demonstrations, but also more generally (at least if such a process is in scope for OSCAL).
I have made a couple of new issues as placeholders (#66 selection parameters; #67 merging 'invocation trees' in catalog resolution) but nothing about the last set of questions, as I am not yet sure how to address them or what's missing here. (Only that I think something is. Or maybe not: maybe "hand finishing" these profiles is exactly the percentage play here.)
FOR DAVE IN PARTICULAR: Your input before Sprint ends next Tuesday (11/28) would be most welcome especially as it bears on whether we meet acceptance criteria for the user stories. If you are able to take a look at the FedRAMP readme and associated profile examples and provide your thoughts/direction I might still have time to address remaining issues or questions (or at least take notes).
11/28/2017 - Sprint 5 Acceptance Notes
@wendellpiez, Are the latest examples in the sprint-9 branch or are they in your repo in a feature branch? If the latter is true, can you provide a link to your repo branch for me to review?
David @david-waltermire-nist , my repo is here:
https://github.com/wendellpiez/OSCAL/tree/sprint-9
Probably nothing, or not much, in /examples has diverged from the main repo, though I could be wrong. I know they need more than "review"; at least the unit tests are very much partial and WIP.
FedRAMP profiles call SP800-53 profiles as well as the base catalog. These will work for testing for now. Closing.
Goals: 1) A user can extend an existing profile to create a new profile 2) A user can choose which controls from a given catalog are excluded from a profile (already done, but needs to be tested). If an extended profile, this should allow controls in the extended profile to be excluded. #34 3) A user can modify existing statements for a control included in the profile. #37 The changes made to a control in this way must be discernible. #16 4) A user can set a value for a parameter for a control included in the profile. #14 5) Multiple catalogs must be supported for inclusion of controls.
Dependencies:
Acceptance Criteria: 1) A mockup is produced demonstrating implementation of the FedRamp "moderate" baseline that uses profile extension and tailoring features described above (goals 1-4). 2) A mockup is produced demonstrating implementation of a profile supporting multiple source catalogs used as a basis for a tailored profile. This should include use of all features described above (goals 1-5). 3) A stylesheet is produced that supports rendering a human-readable view of the profile. The stylesheet will be used with the mockups from items 1 and 2 above.