System Inventory Use Cases and Examples

[ohsh6o]

User Story:

As an OSCAL developer and SSP author, I would like examples and clearer guidance on how to model different kinds of system inventories.

Goals:

As discussed in last week's model meeting, there is a large variety in information systems. NIST OSCAL guidance in the design of system inventories of a system security plan is limited. For conventional and more unconventional ephemeral workloads, it would be helpful if the following existed in documentation.

• Common use cases for system inventories
• Modeling recommendations with summaries or diagrams of information system patterns with accompanying OSCAL system inventories
• Modeling guidance on how to properly connect different pieces of these representative information systems with relations (Dave Waltermire said it supports this, but I am unclear on the richness of how those relations can be represented)

Dependencies:

• Creation and understanding of different representative models for system inventory

Acceptance Criteria

• [ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

[david-waltermire]

We can work on this for OSCAL 1.1. This has been discussed before in #590.