usnistgov / oscal-content

NIST SP 800-53 content and other OSCAL content examples

[EPIC] Revisit NIST SP 800-53A Modeling #67

Open brian-ruf opened 4 years ago

brian-ruf commented 4 years ago

User Story:

As an OSCAL modeler and content author, I need the OSCAL syntax to support various ways in which I may work with content from NIST SP 800-53A, and incorporate it into assessment activities.

Goals:

For 800-53A content:

Dependencies:

None; however, this impacts the SAP and SAR Modeling (Issues usnistgov/OSCAL#589, usnistgov/OSCAL#617, and usnistgov/OSCAL#621).

Acceptance Criteria

brian-ruf commented 4 years ago

More Intuitive ID Assignments of Objectives

For assessment objectives, I'd like to recommend the assigned IDs follow a pattern more similar to those of statement IDs.

In other words, statement IDs start with the control (or enhancement) ID, followed by "_smt", then followed by any part identifiers (a, 1, b, 2, etc.).

Currently objective IDs start with the control (or enhancement) ID, and include "_obj" somewhere inside the ID; however, some of the part identifiers are before the "_obj" and some are after it. The logic used to determine which portion appears before the _obj and which appears after is unclear.

If we follow the same approach as statements, the objective IDs would start with the control (or enhancement) ID, followed immediately by the "_obj", and then with any and all part identifiers appended beyond the obj.

brian-ruf commented 4 years ago

IDs on Assessment Actions and Objects

For assessment activities (EXAMINE, INTERVIEW, TEST), the objects listed are a list of components to be examined or tested, or parties (people, roles, teams) to be interviewed.

Even though these are clearly individual list items, they are separated as prose paragraphs (`<p>`), rather than by a more appropriate set of distinct fields. Further, prose paragraphs are not addressable under OSCAL. There is no way to assign an ID.

         <part name="assessment">
            <prop name="method">EXAMINE</prop>
            <part name="objects">
               <p>Access control policy</p>
               <p>procedures addressing account management</p>
               <p>security plan</p>
               <p>information system design documentation</p>
               <p>information system configuration settings and associated documentation</p>
               <p>list of active system accounts along with the name of the individual associated with each account</p>
               <p>list of conditions for group and role membership</p>
               <p>notifications or records of recently transferred, separated, or terminated employees</p>
               <p>list of recently disabled information system accounts along with the name of the individual associated with each account</p>
               <p>access authorization records</p>
               <p>account management compliance reviews</p>
               <p>information system monitoring records</p>
               <p>information system audit records</p>
               <p>other relevant documents or records</p>
            </part>
         </part>

         <part name="assessment">
            <prop name="method">INTERVIEW</prop>
            <part name="objects">
               <p>Organizational personnel with account management responsibilities</p>
               <p>system/network administrators</p>
               <p>organizational personnel with information security responsibilities</p>
            </part>
         </part>

I recommend these are converted to part fields, and appear something like this:

         <part id='ac-2_ass.e' name="assessment">
            <prop name="method">EXAMINE</prop>
            <part id='ac-2_ass.e.1' name="object">Access control policy</part>
            <part id='ac-2_ass.e.2' name="object">procedures addressing account management</part>
            <part id='ac-2_ass.e.3' name="object">security plan</part>
            <part id='ac-2_ass.e.4' name="object">information system design documentation</part>
            <part id='ac-2_ass.e.5' name="object">information system configuration settings and associated documentation</part>
            <part id='ac-2_ass.e.6' name="object">list of active system accounts along with the name of the individual associated with each account</part>
            <part id='ac-2_ass.e.7' name="object">list of conditions for group and role membership</part>
            <part id='ac-2_ass.e.8' name="object">notifications or records of recently transferred, separated, or terminated employees</part>
            <part id='ac-2_ass.e.9' name="object">list of recently disabled information system accounts along with the name of the individual associated with each account</part>
            <part id='ac-2_ass.e.10' name="object">access authorization records</part>
            <part id='ac-2_ass.e.11' name="object">account management compliance reviews</part>
            <part id='ac-2_ass.e.12' name="object">information system monitoring records</part>
            <part id='ac-2_ass.e.13' name="object">information system audit records</part>
            <part id='ac-2_ass.e.14' name="object">other relevant documents or records</part>
         </part>

         <part id='ac-2_ass.i' name="assessment">
            <prop name="method">INTERVIEW</prop>
            <part name="objects">
               <part id='ac-2_ass.i.1' name="object">Organizational personnel with account management responsibilities</part>
               <part id='ac-2_ass.i.2' name="object">system/network administrators</part>
               <part id='ac-2_ass.i.3' name="object">organizational personnel with information security responsibilities</part>
            </part>
         </part>

brian-ruf commented 4 years ago

Ability to Map Assessment Activities to Objectives

NIST SP 800-53A provides the security objectives and recommended assessment activities (EXAMINE, INTERVIEW, TEST). In Appendix F, it lists the security control objectives, and then lists "Potential Assessment Methods and Objects".

The organization is expected to select from the methods and objects provided. Currently in the 800-53 OSCAL catalog, all methods and objects for a particular control are provided once within that control, and have no IDs assigned.

FedRAMP's Test Case Procedure Workbook maps individual objectives to assessment activities. The following is an example of the mapping for AC-2 in the test case workbook:

AC-2.a.1 (ac-2.a_obj.1) - Examine
AC-2.a.2 (ac-2.a_obj.2) - Examine, Interview
AC-2.b (ac-2.b_obj)     - Examine, Interview
AC-2.c (ac-2.c_obj)     - Examine
AC-2.d (ac-2.d_obj)     - Examine
AC-2.e.1 (ac-2.e_obj.1) - Examine
AC-2.e.2 (ac-2.e_obj.2) -         Interview, Test
AC-2.f.1 (ac-2.f_obj.1) - Examine
AC-2.f.2 (ac-2.f_obj.2) -         Interview, Test
AC-2.g (ac-2.g_obj)     -         Interview, Test
AC-2.h (ac-2.h_obj)     -         Interview, Test
AC-2.i (ac-2.i_obj)     -         Interview, Test
AC-2.j.1 (ac-2.j_obj.1) - Examine
AC-2.j.2 (ac-2.j_obj.2) -         Interview, Test
AC-2.k.1 (ac-2.k_obj)   - Examine

Each place "Examine" appears, the entire Examine activity and objects from AC-2 are prescribed by FedRAMP. Each place "Interview" appears, the entire Interview activity and objects from AC-2 are prescribed by FedRAMP. Each place "Test" appears, the entire Test activity and objects from AC-2 are prescribed by FedRAMP.

There is no clear method of expressing this mapping in OSCAL. For now, I am looking at adding something like this into the FedRAMP profiles:

<alter control-id="ac-2">
    <add position="starting" id-ref="ac-2.a_obj.1">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.a_obj.2">
        <prop name="method">EXAMINE</prop>
        <prop name="method">INTERVIEW</prop>
    </add>
    <add position="starting" id-ref="ac-2.b_obj">
        <prop name="method">EXAMINE</prop>
        <prop name="method">INTERVIEW</prop>
    </add>
    <add position="starting" id-ref="ac-2.c_obj">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.d_obj">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.e_obj.1">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.e_obj.2">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.f_obj.1">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.f_obj.2">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.g_obj">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.h_obj">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.i_obj">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.j_obj.1">
        <prop name="method">EXAMINE</prop>
    </add>
    <add position="starting" id-ref="ac-2.j_obj.2">
        <prop name="method">INTERVIEW</prop>
        <prop name="method">TEST</prop>
    </add>
    <add position="starting" id-ref="ac-2.k_obj">
        <prop name="method">EXAMINE</prop>
    </add>
</alter>

This is very tedious. I only want to invest the time if it's the best approach in the short term. If the assessment activities had IDs, I'd rather map to the specific IDs.

brian-ruf commented 4 years ago

Per conversation between @david-waltermire-nist, @wendellpiez and @brianrufgsa - review for possible linkages between assessment objectives and control statements.

Example with added links and ids:

<control class="SP800-53" id="ac-2">
   <title>Account Management</title>
   <param id="ac-2_prm_1">
      <label>organization-defined information system account types</label>
   </param>
   <!-- snip -->
   <prop name="label">AC-2</prop>
   <prop name="sort-id">ac-02</prop>
   <part id="ac-2_smt" name="statement">
      <p>The organization:</p>
      <!-- snip -->
      <part id="ac-2_smt.a" name="item">
         <prop name="label">a.</prop>
         <p>Identifies and selects the following types of information system accounts to support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
      </part>
      <!-- snip -->
   </part>
   <!-- snip -->
   <part id="ac-2_obj" name="objective">
      <p>Determine if the organization:</p>
      <part id="ac-2.a_obj" name="objective">
         <prop name="label">AC-2(a)</prop>
         <part id="ac-2_smt.a_obj.1" name="objective">
            <prop name="label">AC-2(a)[1]</prop>
            <!-- added -->
            <link rel="related" href="#ac-2_smt.a"/>
            <p>defines information system account types to be identified and selected to support organizational missions/business functions;</p>
         </part>
         <!-- snip -->
      </part>
      <!-- snip -->
   </part>
   <!-- snip -->
   <!-- added id -->
   <part id="ac-2_asm.1" name="assessment">
      <prop name="method">TEST</prop>
      <!-- added link here for the whole method; likely not used in catalog, but in profile or SAP -->
      <link rel="assesses" href="#ac-2_smt.a_obj.1"/>
      <part name="objects">
         <!-- added part with ID; need to come up with ID format -->
         <part id="ac-2_asmo.1.1" name="object">
            <!-- added link here for just the following object; likely not used in catalog, but in profile or SAP -->
            <link rel="assesses" href="#ac-2_smt.a_obj.1"/>
            <p>Organizational processes account management on the information system</p>
         </part>
         <!-- snip -->
      </part>
   </part>
</control>

brian-ruf commented 4 years ago

@david-waltermire-nist this issue impacts the SAP/SAR Test Case Workbook. I still believe it is important to assign IDs to the assessment action assemblies ("TEST", "INSPECT", "INTERVIEW"); however, I think reversing the mapping approach now makes more sense.

In other words, instead of citing the relevant objective IDs from within the assessment actions, I now believe it's better to cite the relevant assessment actions from within the objectives. In part because the SAP and SAR point to the objective IDs for scope inclusion/exclusion.

That also allows me to move forward now without changes to the 800-53 catalog. My plan is to update the FedRAMP profiles to insert "TEST", "INSPECT", and/or "INTERVIEW" props to the cited objectives.

That is all I need for now. Later those can be updated with actual assessment action IDs once those are assigned in the 800-53 catalog. I'll post sample profile content here once available.
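An added example (not from this thread or the oscal-content project) of the profile-side approach in Brian's `<alter>` sketch above and the reverse mapping described in this comment: it attaches the `method` props to the objectives they reference and reports the two mistakes a hand-written list of this size invites, an objective targeted by two `<add>` elements and an `id-ref` with no matching objective. Element names are the ones used in the thread; the OSCAL namespace and the real catalog are omitted and the fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed catalog fragment (not the real SP 800-53 OSCAL content; the OSCAL
# namespace is omitted for brevity): a control and a few of its objectives.
CATALOG_XML = """
<control id="ac-2">
  <part id="ac-2_obj" name="objective">
    <part id="ac-2.a_obj" name="objective">
      <part id="ac-2.a_obj.1" name="objective"><p>defines account types;</p></part>
      <part id="ac-2.a_obj.2" name="objective"><p>selects account types;</p></part>
    </part>
    <part id="ac-2.b_obj" name="objective"><p>assigns account managers;</p></part>
  </part>
</control>"""

# Constructed profile alter in the thread's style, with two planted defects the
# checker should report: a second <add> for ac-2.b_obj, and an id-ref
# (ac-2.k_obj) that does not exist in the catalog fragment.
PROFILE_XML = """
<alter control-id="ac-2">
  <add position="starting" id-ref="ac-2.a_obj.1"><prop name="method">EXAMINE</prop></add>
  <add position="starting" id-ref="ac-2.a_obj.2"><prop name="method">EXAMINE</prop><prop name="method">INTERVIEW</prop></add>
  <add position="starting" id-ref="ac-2.b_obj"><prop name="method">EXAMINE</prop></add>
  <add position="starting" id-ref="ac-2.b_obj"><prop name="method">TEST</prop></add>
  <add position="starting" id-ref="ac-2.k_obj"><prop name="method">EXAMINE</prop></add>
</alter>"""


def resolve_methods(catalog_xml, profile_xml):
    """Apply each <add> to the objective its id-ref names.  Returns (mapping,
    problems): mapping is {objective id: [methods]} for every catalog objective;
    problems lists id-refs that resolve to no objective or are added twice."""
    control = ET.fromstring(catalog_xml.strip())
    objectives = {p.get("id"): p for p in control.iter("part")
                  if p.get("name") == "objective" and p.get("id")}
    mapping = {oid: [] for oid in objectives}
    problems, seen = [], set()
    for add in ET.fromstring(profile_xml.strip()).findall("add"):
        ref = add.get("id-ref")
        if ref not in objectives:
            problems.append(f"unresolved id-ref {ref}")
            continue
        if ref in seen:
            problems.append(f"duplicate add for {ref}")
        seen.add(ref)
        props = [p for p in add.findall("prop") if p.get("name") == "method"]
        for i, prop in enumerate(props):  # position="starting": insert first
            objectives[ref].insert(i, prop)
        mapping[ref].extend(p.text for p in props)
    return mapping, problems
```

Objectives that receive no `<add>` stay in the mapping with an empty list, which makes gaps in the workbook-to-profile transcription visible alongside the duplicates and dangling references.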

wendellpiez commented 4 years ago

Brian's May 8 suggestion is a good workaround.

Due to limitations of Markdown, the simplest solution (allow an ID on p or li) is not feasible. An alternative solution could introduce a new (lightweight) structure into OSCAL that would support IDs at the item level. Or (with no change to the schema required) express the data with extra wrappers --

<part id='ac-2_asm.e.1' name="object"><p>Access control policy</p></part>
<part id='ac-2_asm.e.2' name="object"><p>procedures addressing account management</p></part>
<part id='ac-2_asm.e.3' name="object"><p>security plan</p></part>

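A transform in the spirit of the two wrapper proposals above (Brian's part-per-object sketch and the `<p>`-preserving form in this comment), added here as an example; it is not code from this thread or from the oscal-content repository. It assumes the method letters `e`/`i`/`t`, an `_asm` prefix, and a namespace-free constructed fragment, and it refuses to emit a control in which the generated IDs collide.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the catalog excerpt above (not the real
# SP 800-53 content, OSCAL namespace omitted): objects are bare <p> paragraphs.
CONTROL_XML = """
<control id="ac-2">
  <part name="assessment">
    <prop name="method">EXAMINE</prop>
    <part name="objects">
      <p>Access control policy</p>
      <p>procedures addressing account management</p>
    </part>
  </part>
  <part name="assessment">
    <prop name="method">INTERVIEW</prop>
    <part name="objects">
      <p>Organizational personnel with account management responsibilities</p>
    </part>
  </part>
</control>"""

# Method letter used in the IDs: 'e' and 'i' follow the thread, 't' is assumed.
METHOD_SUFFIX = {"EXAMINE": "e", "INTERVIEW": "i", "TEST": "t"}


def assign_object_ids(control_xml, prefix="_asm"):
    """Give every assessment part and each of its objects an ID.

    Each <p> under <part name="objects"> is wrapped in
    <part id="{control}{prefix}.{method}.{n}" name="object">, keeping the <p>
    so no schema change is needed.  Returns (ids, xml); raises on a collision."""
    control = ET.fromstring(control_xml.strip())
    cid = control.get("id")
    ids = []
    for assessment in control.findall("part[@name='assessment']"):
        method = assessment.find("prop[@name='method']").text
        a_id = f"{cid}{prefix}.{METHOD_SUFFIX[method]}"
        assessment.set("id", a_id)
        ids.append(a_id)
        objects = assessment.find("part[@name='objects']")
        for n, p in enumerate(objects.findall("p"), start=1):
            objects.remove(p)
            wrapper = ET.SubElement(objects, "part", id=f"{a_id}.{n}", name="object")
            wrapper.append(p)
            ids.append(wrapper.get("id"))
    if len(ids) != len(set(ids)):  # e.g. two EXAMINE parts in one control
        raise ValueError("duplicate IDs generated")
    return ids, ET.tostring(control, encoding="unicode")
```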
david-waltermire commented 2 years ago

Some of this work has been addressed already, while some of this work, if desired, might require large-scale changes to the SP 800-53 content, which would be best done on a major version change. More discussion is needed to sort out the specific actions to take.