Allow for other security categorization schemes (#1795) #1872

Closed
nikitawootten-nist wants to merge 3 commits into usnistgov:develop from nikitawootten-nist:nikitawootten-nist/issue1795

@nikitawootten-nist
Contributor

Committer Notes

All Submissions:

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?
  • Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.

@nikitawootten-nist changed the base branch from main to develop August 3, 2023 19:29
Comment on lines +332 to +344
<define-flag name="characterization-ns" as-type="uri">
<formal-name>Characterization Namespace</formal-name>
<description>A namespace qualifying the system information characterization scheme.</description>
<use-name>ns</use-name>
<constraint>
<allowed-values allow-other="yes">
<enum value="http://csrc.nist.gov/ns/fips-199">The system is categorized according to <a href="https://csrc.nist.gov/pubs/fips/199/final">FIPS-199.</a></enum>
</allowed-values>
</constraint>
<remarks>
<p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
</remarks>
</define-flag>
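
Review bot: The `<description>` and `<remarks>` of `characterization-ns` do not say how a document that omits the flag is interpreted. The only enumerated value is `http://csrc.nist.gov/ns/fips-199`, and `allow-other="yes"` admits any other URI, so a consumer cannot tell from this definition which scheme to assume when `ns` is absent. Please state that in the remarks, for example that an absent flag means FIPS 199. Two smaller points: the flag name and description say "characterization" while the PR title says "categorization", so pick one term, and in the `<enum>` text the trailing period sits inside the link (`FIPS-199.</a>`) and should move outside the anchor.
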
Contributor

What does this afford us that using the normal @ns extension mechanism doesn't?

Contributor Author

Re our discussion on Gitter, the idea would be that the @ns would apply to the entire system-categorization, which would allow for future (in this PR or in future PRs) constraints to apply to the information.types.*-impact, security-impact-level.*, and security-sensitivity-level.

Contributor

OK, without grouping as a backwards compatible option, I would recommend we stick to @ns and not add this at this time lest we make things more complex and hard to manage. If I am misunderstanding something, let's chat (I guess after review, or during if you're up to it).

@nikitawootten-nist
Contributor Author

Superseded by #1888

Development

Successfully merging this pull request may close these issues.

Use other security categorization frameworks besides FIPS 199 in an SSP