-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing top level objective paragraphs from NIST rev 5 Control Catalog #193
Comments
I will transfer this to usnistgov/oscal-content, since this is about the NIST SP 800-53 catalogs, not the schema or data structures themselves. |
Thanks for your report @Telos-sa, we will be reviewing this during the next internal issue triage and backlog refinement meeting. We will update accordingly here in the comments. At first glance, this may be a duplicate of #194 (the number comes after because it was transferred here where I went looking for it). We will review during the team's next issue triage and backlog refinement meeting this week, and update with a comment here accordingly. |
So we met to look at the data: SP 800-53 Rev. 4, SP 800-53 Rev. 5, SP 800-53A Rev. 4, and SP 800-53A Rev. 5. @Telos-sa you appear to be asking about the following issue phrase in the PDF version of SP 800-53 Rev. 4, correct?
See in the above screenshot, you are inquiring as to why this is missing in Rev. 5? Are we misunderstanding your example and screenshot? There is no real analogue of this phrase as it pertains to the objective in SP 800-53A Rev. 5 generally and there is significant difference the similar position in similar controls in both versions. Once we receive your clarification in a follow-up comment, we want to consider if there is a "close enough" approximation to where you can find similar data in the 800-53A Rev. 5 catalog in OSCAL format and perhaps more general implementation guidance (as it pertains to processing 800-53 catalog controls, assessment procedures, and cross-referenced parameters; this is applicable to this issue and #194, which are slightly different). We will consider these short-term and long-term approaches once we hear back. Thanks. |
I took a look at this and found a few things. I did not look at any rev4 content. I started with the I found 800-53A §2.4.3 has examples of its assessment objective scheme. I checked to see if the phrase "Determine if:" was a popular phrase in 800-53A. It is, and occurs 1,014 times in the document, always in the vicinity of "ASSESSMENT OBJECTIVE" (someone else's bolding, not mine). It appears safe to assert (in that document) that objectives are the subject of determination. In contrast, in That also indicates that the original prose is not recoverable from See §2.2 of NIST IR 8011 volume 1 regarding potential assessment automation methods. It is unfortunate that the normative form of NIST special publications is their PDF rendition, which entangles presentation with content. In this case it appears that the phrase "Determine if:" was considered an artifact of a presentation template rather than a component of prose statements. |
Nice catch.
Thanks for reporting the disparity.
Thanks for the feedback. We will consult amongst ourselves and the FISMA Team and update the issue accordingly in the coming weeks. |
@GaryGapinski and @Telos-sa - We apologize not reviewing this reported bug under the latest release. It might have been addressed but I would like to review it more thoroughly and provide a feedback here first and then address it, if we haven't done so. |
Describe the bug
In Rev 4 Catalog, the Objectives are listed to mirror the 800-53A, where the tests procedures can be fully built from the OSCAL catalog.
In Rev5, the structure of the catalog has changed, where the top level objectives are not listed as paragraphs in OSCAL. Because this data is missing, the tests procedures cannot be automatically built out.
Example: Rev 4:
Determine if the organization:
develops and documents an access control policy that addresses:
purpose;
Can be built into a test:
Determine if the organization:
develops and documents an access control policy that addresses:
purpose
Example: Rev 5:
an access control policy is developed and documented;
Can be built into a test:
an access control policy is developed and documented;
Which is missing the paragraph from "ac-1_obj.a".
What it should be:
Determine if:
an access control policy is developed and documented;
Who is the bug affecting
Anyone who wants to automate the build of objectives for testing within a GUI tool or other such methods.
What is affected by this bug
OSCAL Content
How do we replicate this issue
Review the NIST rev 5 catalog against the NIST rev4 catalog, and the NIST 800-53.a objectives. Notice the objective is listed at the top, with the text, but that is missing from the rev 5.
Expected behavior (i.e. solution)
Content within OSCAL should be representative and the SAME as non-OSCAL content.
Other comments
NA
The text was updated successfully, but these errors were encountered: