Leading zeros not consistent throughout the OSCAL catalog #224
Comments
@Telos-sa - You are absolutely right, to avoid implementation issues for the implementers of OSCAL. The team discussed this issue at length, and concluded that the @id are just IDs, not capitalized either and not aiming to reflect the CPRT Control ID. The catalog had even before a
If the community considers the @id updates a positive improvement for them with no support issues, we can add those through a patch release.
At the 12/7 Triage Meeting: The team is concerned that changing the IDs to include leading 0s could break the implementation of current adopters, in particular FedRAMP that provides templates. We are seeking feedback from the community on replacing the
with
Please provide feedback on the proposed approach no later than 12/08, EOB since the patch release with the bug fixed and official control identifier captured correctly is urgent.
The OSCAL IDs cannot be zero-padded due to backwards compatibility issues. PR #228 addressed it by adding
Describe the bug
The introduction of padding zeros to match 5.1.1 has not been implemented in the following:
catalog[group][control][@id]
catalog[group][control][parameter][@id]
catalog[group][control][part][@id]
Who is the bug affecting?
Customers that are wishing to convert to OSCAL, customers still working through conversion from rev 4 to rev 5, GRC tools that create control catalogs for users are impacted by this change.
What is affected by this bug?
Change in how to programmatically map the rev 4 content to Rev 5. Inconsistent messaging between the OSCAL Catalog, the CPRT, and the Control Catalog Excel file (https://csrc.nist.gov/files/pubs/sp/800/53/r5/upd1/final/docs/sp800-53r5-control-catalog.xlsx) is creating confusion about which is the source of truth, what the structure should be, and how we should be developing our content.
When does this occur?
With the introduction of 5.1.1
How do we replicate the issue?
Review content from OSCAL elements path outlined above, to the CPRT, to the Control catalog.
CPRT (with leading zeros)
OSCAL Catalog (no leading zeros)
XLSX Catalog (no leading zeros)
Expected behavior (i.e. solution)
Consistent and clear messaging from OSCAL, to CPRT, to xlsx Catalog.
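
For tooling that has to join control records across sources that differ only in zero padding, as the report above describes, one approach is to parse every identifier into a canonical key before comparing. This is an added example, not code from the issue or from the OSCAL project; the identifier shapes it accepts (`AC-02(01)`, `AC-2(1)`, `ac-2.1`), the function names and the sample values are assumptions constructed for illustration, and it covers control identifiers only, not parameter or part ids.

```python
import re

# Assumed shape: two-letter family, control number, optional enhancement number,
# written as a label ("AC-02(01)", "AC-2(1)") or as a lowercase id ("ac-2.1").
_CONTROL = re.compile(r"^([A-Za-z]{2})-0*(\d+)(?:\s*\(0*(\d+)\)|\.0*(\d+))?$")


def parse(identifier):
    """Return (family, control, enhancement or None) with padding removed."""
    m = _CONTROL.match(identifier.strip())
    if not m:
        # Fail loudly instead of guessing; unknown shapes need a human decision.
        raise ValueError(f"unrecognised control identifier: {identifier!r}")
    family, control, enh_paren, enh_dot = m.groups()
    enh = enh_paren or enh_dot
    return family.lower(), int(control), int(enh) if enh else None


def to_unpadded_id(identifier):
    """Canonical join key in the unpadded, lowercase, dotted form."""
    family, control, enh = parse(identifier)
    base = f"{family}-{control}"
    return base if enh is None else f"{base}.{enh}"


def to_padded_label(identifier, width=2):
    """Render the zero-padded, uppercase, parenthesised form."""
    family, control, enh = parse(identifier)
    base = f"{family.upper()}-{control:0{width}d}"
    return base if enh is None else f"{base}({enh:0{width}d})"


def reconcile(padded_labels, catalog_ids):
    """Map each padded label to its catalog id; list labels with no match."""
    by_key = {to_unpadded_id(cid): cid for cid in catalog_ids}
    matched, missing = {}, []
    for label in padded_labels:
        key = to_unpadded_id(label)
        if key in by_key:
            matched[label] = by_key[key]
        else:
            missing.append(label)
    return matched, missing


if __name__ == "__main__":
    # Constructed sample data, not taken from any published catalog file.
    print(reconcile(["AC-01", "AC-02(01)", "PM-32"], ["ac-1", "ac-2.1"]))
```
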