usnistgov / oscal-content

NIST SP 800-53 content and other OSCAL content examples

Missing top level objective paragraphs from NIST rev 5 Control Catalog #193

Open Telos-sa opened 1 year ago

Telos-sa commented 1 year ago

### Describe the bug

In the Rev 4 Catalog, the Objectives are listed to mirror 800-53A, where the test procedures can be fully built from the OSCAL catalog.
In Rev 5, the structure of the catalog has changed, where the top-level objectives are not listed as paragraphs in OSCAL. Because this data is missing, the test procedures cannot be automatically built out.

Example: Rev 4:

Determine if the organization:

develops and documents an access control policy that addresses:

purpose;

Can be built into a test: "Determine if the organization: develops and documents an access control policy that addresses: purpose"

Example: Rev 5:

an access control policy is developed and documented;

Can be built into a test: "an access control policy is developed and documented;"

Which is missing the paragraph from "ac-1_obj.a". What it should be:

Determine if:

an access control policy is developed and documented;

### Who is the bug affecting

Anyone who wants to automate the build of objectives for testing within a GUI tool or other such methods.

### What is affected by this bug

OSCAL Content

### How do we replicate this issue

Review the NIST rev 5 catalog against the NIST rev 4 catalog, and the NIST 800-53A objectives. Notice the objective is listed at the top, with the text, but that is missing from the rev 5.

![F79A67F9-0159-4505-93BE-142BE41D3AE1](https://user-images.githubusercontent.com/127163717/232841162-14080f5b-0c4b-4923-a580-37278475a77e.jpg)

### Expected behavior (i.e. solution)

Content within OSCAL should be representative and the SAME as non-OSCAL content.

### Other comments

NA
aj-stein-nist commented 1 year ago

I will transfer this to usnistgov/oscal-content, since this is about the NIST SP 800-53 catalogs, not the schema or data structures themselves.

aj-stein-nist commented 1 year ago

Thanks for your report @Telos-sa, we will be reviewing this during the next internal issue triage and backlog refinement meeting. We will update accordingly here in the comments. At first glance, this may be a duplicate of usnistgov/oscal-content#194 (the number comes after because it was transferred here where I went looking for it). We will review during the team's next issue triage and backlog refinement meeting this week, and update with a comment here accordingly.

aj-stein-nist commented 1 year ago

So we met to look at the data: SP 800-53 Rev. 4, SP 800-53 Rev. 5, SP 800-53A Rev. 4, and SP 800-53A Rev. 5. @Telos-sa you appear to be asking about the following issue phrase in the PDF version of SP 800-53 Rev. 4, correct?

develops and documents an access control policy that addresses:

[screenshot]

See in the above screenshot, you are inquiring as to why this is missing in Rev. 5? Are we misunderstanding your example and screenshot?

There is no real analogue of this phrase as it pertains to the objective in SP 800-53A Rev. 5 generally, and there is a significant difference at the similar position in similar controls in both versions.

Once we receive your clarification in a follow-up comment, we want to consider if there is a "close enough" approximation to where you can find similar data in the 800-53A Rev. 5 catalog in OSCAL format and perhaps more general implementation guidance (as it pertains to processing 800-53 catalog controls, assessment procedures, and cross-referenced parameters; this is applicable to this issue and #194, which are slightly different). We will consider these short-term and long-term approaches once we hear back. Thanks.

GaryGapinski commented 1 year ago

I took a look at this and found a few things. I did not look at any rev4 content. I started with the oscal-content NIST_SP-800-53_rev5_catalog.xml and NIST SP 800-53A rev5 PDF content.

I found 800-53A §2.4.3 has examples of its assessment objective scheme.

I checked to see if the phrase "Determine if:" was a popular phrase in 800-53A. It is, and occurs 1,014 times in the document, always in the vicinity of "ASSESSMENT OBJECTIVE" (someone else's bolding, not mine). It appears safe to assert (in that document) that objectives are the subject of determination.

In contrast, in NIST_SP-800-53_rev5_catalog.xml `control/part[@name eq 'assessment-objective']` occurs 1,007 times (there are 2,747 assessment objectives in total). The difference of 7 can be accounted for due to 800-53A examples prior to its section 4. Tellingly, there is no occurrence of the phrase "Determine if:". The phrase must be supplied by the beholder. This does afford latitude to the 800-53A authors to change the phrase at will without requiring a corresponding change to the oscal-content (though a prop somewhere with the chosen phrase would have been a polite gesture).

That also indicates that the original prose is not recoverable from oscal-content without augmentation. The prose statements in NIST_SP-800-53_rev5_catalog.xml and SP 800-53A rev5 are a very close match. The statements are generally falsifiable (either boolean or on a continuum).

See §2.2 of NIST IR 8011 volume 1 regarding potential assessment automation methods.

It is unfortunate that the normative form of NIST special publications is their PDF rendition, which entangles presentation with content. In this case it appears that the phrase "Determine if:" was considered an artifact of a presentation template rather than a component of prose statements.
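The augmentation described in the comment above, walking the nested `assessment-objective` parts and supplying the "Determine if:" lead phrase the catalog omits, as an added example script; it is not code from the oscal-content repository. The catalog snippet is constructed in the shape of the rev5 XML, and the OSCAL 1.0 namespace URI is an assumption.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"  # assumed OSCAL 1.0 namespace URI
NS = {"o": OSCAL_NS}

# Constructed sample in the shape of NIST_SP-800-53_rev5_catalog.xml, not the real catalog.
SAMPLE_CATALOG = f"""<catalog xmlns="{OSCAL_NS}">
  <group id="ac"><title>Access Control</title>
    <control id="ac-1"><title>Policy and Procedures</title>
      <part name="assessment-objective" id="ac-1_obj">
        <part name="assessment-objective" id="ac-1_obj.a">
          <part name="assessment-objective" id="ac-1_obj.a-1">
            <prose>an access control policy is developed and documented;</prose>
          </part>
          <part name="assessment-objective" id="ac-1_obj.a-2">
            <prose>the access control policy is disseminated to designated personnel;</prose>
          </part>
        </part>
      </part>
    </control>
  </group>
</catalog>"""

def count_objectives(xml_text):
    """Top-level objectives (one per control) versus every nested objective part."""
    root = ET.fromstring(xml_text)
    top = root.findall(".//o:control/o:part[@name='assessment-objective']", NS)
    nested = root.findall(".//o:part[@name='assessment-objective']", NS)
    return len(top), len(nested)

def render_objective(part, depth=0):
    """Flatten nested objective prose into indented lines; the prose comes from the catalog."""
    lines = []
    prose = part.find("o:prose", NS)
    if prose is not None and prose.text:
        lines.append("  " * depth + prose.text.strip())
    for child in part.findall("o:part[@name='assessment-objective']", NS):
        lines.extend(render_objective(child, depth + 1))
    return lines

def build_test_procedure(control):
    """Supply the 'Determine if:' lead phrase the OSCAL catalog omits, then the objective prose."""
    top = control.find("o:part[@name='assessment-objective']", NS)
    if top is None:
        return None  # control without assessment objectives
    return "\n".join(["Determine if:"] + render_objective(top))

def build_all(xml_text):
    root = ET.fromstring(xml_text)
    return {c.get("id"): build_test_procedure(c) for c in root.findall(".//o:control", NS)}
```

On the sample, `count_objectives` returns the top-level versus nested counts (1 and 4) that correspond to the 1,007 versus 2,747 figures above, and `build_all` yields one rendered procedure per control.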

aj-stein-nist commented 1 year ago

> I found 800-53A §2.4.3 has examples of its assessment objective scheme.
>
> I checked to see if the phrase "Determine if:" was a popular phrase in 800-53A. It is, and occurs 1,014 times in the document, always in the vicinity of "ASSESSMENT OBJECTIVE" (someone else's bolding, not mine). It appears safe to assert (in that document) that objectives are the subject of determination.

Nice catch.

> In contrast, in NIST_SP-800-53_rev5_catalog.xml `control/part[@name eq 'assessment-objective']` occurs 1,007 times (there are 2,747 assessment objectives in total). The difference of 7 can be accounted for due to 800-53A examples prior to its section 4. Tellingly, there is no occurrence of the phrase "Determine if:". The phrase must be supplied by the beholder. This does afford latitude to the 800-53A authors to change the phrase at will without requiring a corresponding change to the oscal-content (though a prop somewhere with the chosen phrase would have been a polite gesture).

Thanks for reporting the disparity.

> It is unfortunate that the normative form of NIST special publications is their PDF rendition, which entangles presentation with content. In this case it appears that the phrase "Determine if:" was considered an artifact of a presentation template rather than a component of prose statements.

Thanks for the feedback. We will consult amongst ourselves and the FISMA Team and update the issue accordingly in the coming weeks.

iMichaela commented 9 months ago

@GaryGapinski and @Telos-sa - We apologize for not reviewing this reported bug under the latest release. It might have been addressed, but I would like to review it more thoroughly and provide feedback here first, and then address it if we haven't done so.