Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing top level objective paragraphs from NIST rev 5 Control Catalog #193

Open
Telos-sa opened this issue Apr 18, 2023 · 6 comments
Open
Assignees
Labels
bug The issue is a bug report.

Comments

@Telos-sa
Copy link

Describe the bug

In Rev 4 Catalog, the Objectives are listed to mirror the 800-53A, where the tests procedures can be fully built from the OSCAL catalog.
In Rev5, the structure of the catalog has changed, where the top level objectives are not listed as paragraphs in OSCAL. Because this data is missing, the tests procedures cannot be automatically built out.

Example: Rev 4:

Determine if the organization:








develops and documents an access control policy that addresses:




purpose;


Can be built into a test:
Determine if the organization:
develops and documents an access control policy that addresses:
purpose

Example: Rev 5:






an access control policy is developed and documented;


Can be built into a test:
an access control policy is developed and documented;

Which is missing the paragraph from "ac-1_obj.a".
What it should be:



Determine if:





an access control policy is developed and documented;


Who is the bug affecting

Anyone who wants to automate the build of objectives for testing within a GUI tool or other such methods.

What is affected by this bug

OSCAL Content

How do we replicate this issue

Review the NIST rev 5 catalog against the NIST rev4 catalog, and the NIST 800-53.a objectives. Notice the objective is listed at the top, with the text, but that is missing from the rev 5.
F79A67F9-0159-4505-93BE-142BE41D3AE1

Expected behavior (i.e. solution)

Content within OSCAL should be representative and the SAME as non-OSCAL content.

Other comments

NA

@Telos-sa Telos-sa added the bug The issue is a bug report. label Apr 18, 2023
@aj-stein-nist
Copy link
Contributor

I will transfer this to usnistgov/oscal-content, since this is about the NIST SP 800-53 catalogs, not the schema or data structures themselves.

@aj-stein-nist aj-stein-nist transferred this issue from usnistgov/OSCAL Apr 18, 2023
@aj-stein-nist
Copy link
Contributor

Thanks for your report @Telos-sa, we will be reviewing this during the next internal issue triage and backlog refinement meeting. We will update accordingly here in the comments. At first glance, this may be a duplicate of #194 (the number comes after because it was transferred here where I went looking for it). We will review during the team's next issue triage and backlog refinement meeting this week, and update with a comment here accordingly.

@aj-stein-nist
Copy link
Contributor

So we met to look at the data: SP 800-53 Rev. 4, SP 800-53 Rev. 5, SP 800-53A Rev. 4, and SP 800-53A Rev. 5. @Telos-sa you appear to be asking about the following issue phrase in the PDF version of SP 800-53 Rev. 4, correct?

develops and documents an access control policy that addresses:

image

See in the above screenshot, you are inquiring as to why this is missing in Rev. 5? Are we misunderstanding your example and screenshot?

There is no real analogue of this phrase as it pertains to the objective in SP 800-53A Rev. 5 generally and there is significant difference the similar position in similar controls in both versions.

Once we receive your clarification in a follow-up comment, we want to consider if there is a "close enough" approximation to where you can find similar data in the 800-53A Rev. 5 catalog in OSCAL format and perhaps more general implementation guidance (as it pertains to processing 800-53 catalog controls, assessment procedures, and cross-referenced parameters; this is applicable to this issue and #194, which are slightly different). We will consider these short-term and long-term approaches once we hear back. Thanks.

@GaryGapinski
Copy link

I took a look at this and found a few things. I did not look at any rev4 content. I started with the oscal-content NIST_SP-800-53_rev5_catalog.xml and NIST SP 800-53A rev5 PDF content.

I found 800-53A §2.4.3 has examples of its assessment objective scheme.

I checked to see if the phrase "Determine if:" was a popular phrase in 800-53A. It is, and occurs 1,014 times in the document, always in the vicinity of "ASSESSMENT OBJECTIVE" (someone else's bolding, not mine). It appears safe to assert (in that document) that objectives are the subject of determination.

In contrast, in NIST_SP-800-53_rev5_catalog.xml control/part[@name eq 'assessment-objective] occurs 1,007 times (there are 2.747 assessment objectives in total). The difference of 7 can be accounted for due to 800-53A examples prior to its section 4. Tellingly, there is no occurrence of the phrase "Determine if:". The phrase must be supplied by the beholder. This does afford latitude to the 800-53A authors to change the phrase at will without requiring a corresponding change to the oscal-content (though a prop somewhere with the chosen phrase would have been a polite gesture).

That also indicates that the original prose is not recoverable from oscal-content without augmentation. The prose statements in NIST_SP-800-53_rev5_catalog.xml and SP 800-53A rev5 are a very close match. The statements are generally falsifiable (either boolean or on a continuum).

See §2.2 of NIST IR 8011 volume 1 regarding potential assessment automation methods.

It is unfortunate that the normative form of NIST special publications is their PDF rendition, which entangles presentation with content. In this case it appears that the phrase "Determine if:" was considered an artifact of a presentation template rather than a component of prose statements.

@aj-stein-nist
Copy link
Contributor

I found 800-53A §2.4.3 has examples of its assessment objective scheme.

I checked to see if the phrase "Determine if:" was a popular phrase in 800-53A. It is, and occurs 1,014 times in the document, always in the vicinity of "ASSESSMENT OBJECTIVE" (someone else's bolding, not mine). It appears safe to assert (in that document) that objectives are the subject of determination.

Nice catch.

In contrast, in NIST_SP-800-53_rev5_catalog.xml control/part[@name eq 'assessment-objective] occurs 1,007 times (there are 2.747 assessment objectives in total). The difference of 7 can be accounted for due to 800-53A examples prior to its section 4. Tellingly, there is no occurrence of the phrase "Determine if:". The phrase must be supplied by the beholder. This does afford latitude to the 800-53A authors to change the phrase at will without requiring a corresponding change to the oscal-content (though a prop somewhere with the chosen phrase would have been a polite gesture).

Thanks for reporting the disparity.

It is unfortunate that the normative form of NIST special publications is their PDF rendition, which entangles presentation with content. In this case it appears that the phrase "Determine if:" was considered an artifact of a presentation template rather than a component of prose statements.

Thanks for the feedback. We will consult amongst ourselves and the FISMA Team and update the issue accordingly in the coming weeks.

@aj-stein-nist aj-stein-nist moved this from Todo to Further Analysis Needed in NIST OSCAL Work Board Sep 21, 2023
@iMichaela iMichaela self-assigned this Dec 6, 2023
@iMichaela
Copy link
Contributor

@GaryGapinski and @Telos-sa - We apologize not reviewing this reported bug under the latest release. It might have been addressed but I would like to review it more thoroughly and provide a feedback here first and then address it, if we haven't done so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug The issue is a bug report.
Projects
Status: Further Analysis Needed
Development

No branches or pull requests

4 participants