Closed GaryGapinski closed 1 year ago
wendellpiez
commented
2 years ago The table includes around 25 items, maybe half of which are errors in the source OSCAL.
For the others, the spreadsheet-extractor XSLTs must be examined to rectify if they are failing.
Use this opportunity also to document the spreadsheet extractor for future uses.
david-waltermire
commented
2 years ago @wendellpiez Can you analyze where the errors are occurring and create a checklist in this issue identifying the classes and quantities of errors that need to be fixed. We can use this to verify the result of your fixes after the repairs are made.
wendellpiez
commented
2 years ago Noting that errors, where they are found, tend to be in the neighborhood of punctuation such as / (solidus) and ( ) (parentheses).
We could do some top-down inspection to help validate that we have them all.
wendellpiez
commented
2 years ago To look for (at least):
matches(.,'\p{Ps}\p{Ll}') open bracket directly followed by lower case lettermatches(.,'舒\w') em dash directly followed by word charactermatches(.,'/\w) solidus directly followed by word character
GaryGapinski
commented
2 years ago em dash directly followed by word character
That only works if one anticipates Chicago style. The superior AP style uses spaces around the em dash..
wendellpiez
commented
2 years ago Turns out that's not a problem anywhere in any case. 😎
wendellpiez
commented
2 years ago Should this be "Non-organizationally-owned"? Otherwise I don't see an issue. Rev 5 PDF has "NON-ORGANIZATIONALLY OWNED SYSTEMS" (all caps) for the enhancement title (revised from Rev 4 "NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES").
| OSCAL catalog | Use of External Systems | Non-organizationally Owned Systems — Restricted Use |
| 800-53 spreadsheet | Use of External Systems | Non-organizationally Owned Systems — Restricted Use |
| 800-53b spreadsheet | Use of External Systems | Non-organizationally Owned Systems — Restricted Use |
Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).
| OSCAL catalog | Least Functionality | Unauthorized Software — Deny-by-exception |
| 800-53 spreadsheet | Least Functionality | Unauthorized Software — Deny-by-exception |
| 800-53b spreadsheet | Least Functionality | Unauthorized Software |
Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).
| OSCAL catalog | Least Functionality | Authorized Software — Allow-by-exception |
| 800-53 spreadsheet | Least Functionality | Authorized Software — Allow-by-exception |
| 800-53b spreadsheet | Least Functionality | Authorized Software |
Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).
| OSCAL catalog | System Backup | Dual Authorization for Deletion or Destruction |
| 800-53 spreadsheet | System Backup | Dual Authorization for Deletion or Destruction |
| 800-53b spreadsheet | System Backup | Dual Authorization |
Spreadsheet extractor un-capitalizes after open parenthesis?
The same issue recurs in 13 enhancements when title is expanded.
| OSCAL catalog | Identification and Authentication (Organizational Users) |
| 800-53 spreadsheet | Identification and Authentication (organizational Users) |
| 800-53b spreadsheet | Identification and Authentication (organizational Users) |
Requires correction in source.
| OSCAL catalog | Authenticator Management | Gsa-approved Products and Services |
| 800-53 spreadsheet | Authenticator Management | GSA-approved Products and Services |
| 800-53b spreadsheet | Authenticator Management | GSA-approved Products and Services |
IA-8 title in current version has (correctly) "Identification and Authentication (Non-organizational Users)".
I have no accounting for why 'PIV' might become 'PVI'.
| OSCAL catalog | Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials |
| 800-53 spreadsheet | Identification and Authentication (non-organizational Users) | Acceptance of PVI-I Credentials |
| 800-53b spreadsheet | Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials |
Apparent collapse of em dash to hyphen in spreadsheet extraction?
| OSCAL catalog | Fire Protection | Detection Systems — Automatic Activation and Notification |
| 800-53 spreadsheet | Fire Protection | Detection Systems — Automatic Activation and Notification |
| 800-53b spreadsheet | Fire Protection | Detection Systems – Automatic Activation and Notification |
Another apparent collapse of em dash to hyphen in spreadsheet extraction?
| OSCAL catalog | Fire Protection | Suppression Systems — Automatic Activation and Notification |
| 800-53 spreadsheet | Fire Protection | Suppression Systems — Automatic Activation and Notification |
| 800-53b spreadsheet | Fire Protection | Suppression Systems – Automatic Activation and Notification |
Very strange variance in 800-53b spreadsheet? (A word promoted up from control text?)
| OSCAL catalog | Information Leakage | National Emissions Policies and Procedures |
| 800-53 spreadsheet | Information Leakage | National Emissions Policies and Procedures |
| 800-53b spreadsheet | Information Leakage | National Emissions and Tempest Policies and Procedures |
Very strange variance in 800-53b spreadsheet?
| OSCAL catalog | Personnel Screening | Information Requiring Special Protective Measures |
| 800-53 spreadsheet | Personnel Screening | Information Requiring Special Protective Measures |
| 800-53b spreadsheet | Personnel Screening | Information with Special Protective Measures |
Requires correction in source.
| OSCAL catalog | Acquisition Process | Niap-approved Protection Profiles |
| 800-53 spreadsheet | Acquisition Process | NIAP-approved Protection Profiles |
| 800-53b spreadsheet | Acquisition Process | NIAP-approved Protection Profiles |
Currently the catalog has "Processing and Storage Location — U.S. Jurisdiction". (This looks fine in the file sent with the bug report also.)
| OSCAL catalog | External System Services | Processing and Storage Location — U.s. Jurisdiction |
| 800-53 spreadsheet | External System Services | Processing and Storage Location — U.S. Jurisdiction |
| 800-53b spreadsheet | External System Services | Processing and Storage Location — U.S. Jurisdiction |
Variance in 800-53b spreadsheet extraction? (word dropped).
| OSCAL catalog | Developer Configuration Management | Alternative Configuration Management Processes |
| 800-53 spreadsheet | Developer Configuration Management | Alternative Configuration Management Processes |
| 800-53b spreadsheet | Developer Configuration Management | Alternative Configuration Management |
Requires correction in source.
| OSCAL catalog | Supply Chain Risk Management Plan | Establish Scrm Team |
| 800-53 spreadsheet | Supply Chain Risk Management Plan | Establish SCRM Team |
| 800-53b spreadsheet | Supply Chain Risk Management Plan | Establish SCRM Team |
IA-5(15) - "GSA" SA-4(7) - "NIAP" SR-2(1) - "SCRM"
Scroll up for the details -
wendellpiez
commented
2 years ago Current status: the single problem identified and confirmed in source data is corrected PR #137.
With respect to reported lapses in spreadsheet extraction logic, let's make a spinoff issue to track any down? There is nothing to correct in this repository for those (and nothing to be done if we cannot confirm a cause).
david-waltermire
commented
1 year ago The OSCAL content has been corrected and the NIST RMF team has been notified about the issues in the spreadsheets.
Describe the bug
Errors in control titles (
/catalog//control/titleelements).See attached.
Who is the bug affecting?
Users of oscal-content.
What is affected by this bug?
Use of oscal-content to present control information.
When does this occur?
As of this writing.
How do we replicate the issue?
See attached.
{What are the steps to reproduce the behavior?
Perform a text comparison of control titles amongst the sources.
Expected behavior (i.e. solution)
Corrected control titles
Other Comments
XML conversions of the spreadsheets were used.
One class of errors is mishandled abbreviations/acronyms.
There are errors not only in the OSCAL content but in the spreadsheets (the OSCAL content can/could be correct).
Comparisons to the normative SP 800-53 rev5 PDF document rendition are of course not possible (because it is PDF and as well someone chose to CAPITALIZE ALL CONTROL ENHANCEMENT TITLES).
Attachment: table.zip