
[/assessment-plan/local-definitions[1]/objectives-and-methods[1]/part[2]/prop[1]/@name] Value 'method' doesn't match one of 'alt-identifier, label, marking, or sort-id' at path '/assessment-plan/local-definitions[1]/objectives-and-methods[1]/part[2]/prop[1]/@name' #277

Closed
Telos-sa opened this issue Aug 23, 2024 · 5 comments
Labels
question The issue contains a question that needs to be answered.

Comments

@Telos-sa

Validation error seems to conflict with cardinality rules for assessment-method. Located in Local Definitions.

What was validated

{
  "local-definitions": {
    "objectives-and-methods": [
      {
        "name": "assessment-objective",
        "ns": "http://csrc.nist.gov/ns/oscal",
        "props": [
          {
            "name": "method-id",
            "ns": "http://csrc.nist.gov/ns/oscal",
            "value": "Examine databases"
          }
        ]
      },
      {
        "name": "assessment-method",
        "ns": "http://csrc.nist.gov/ns/oscal",
        "props": [
          {
            "name": "method",
            "uuid": "df1c6b21-679c-57f0-b0e1-c6b6a4f05bad",
            "ns": "http://csrc.nist.gov/ns/oscal",
            "value": "EXAMINE"
          }
        ]
      }
    ]
  }
}

Cardinality rules from the model seem to indicate the structure is correct.
(image: screenshot of the model's cardinality rules, attached in the original issue)

Can you please provide guidance in determining our error?

Telos-sa added the "question" label Aug 23, 2024

@Telos-sa (Author)

When testing without the prop, I get a cardinality issue. I cannot identify the structure discrepancy to determine how to proceed.

Attachments: sap_val.txt, sap_val2.txt

@iMichaela (Contributor) commented Aug 23, 2024

@Telos-sa - Thank you for pointing to this bug. I noticed it too and I raised it in the Data bites (FedRAMP) meeting so we fix it in a way that aligns with the community's expectations, FedRAMP in particular.

Do you mind moving the issue to the correct repo? Alternatively, I can move it, and close it here.

@Telos-sa (Author)

@iMichaela If you could move it, that would be helpful, and drop us a line as to where we should place these. We are starting to ramp up on the FedRAMP validation pilot, so there will be elements coming through from all of the models.

Let me know what the best practice should be for this, so we can sort these issues appropriately.

@iMichaela (Contributor)

> @iMichaela If you could move it, that would be helpful, and drop us a line as to where we should place these. We are starting to ramp up on the FedRAMP validation pilot, so there will be elements coming through from all of the models.
>
> Let me know what the best practice should be for this, so we can sort these issues appropriately.

Hi Lacy - those are all OSCAL schema issues, and the OSCAL repo is the place for this kind of bug. In this repo we only keep the artifacts in OSCAL. Wishing you and the Telos team the best of luck with the pilot.

@iMichaela (Contributor)

@Telos-sa - On a more careful review, the objectives-and-methods code snippet is incorrect. I am assuming a part with name="assessment-objective" was intended to be in place.

With that said, I am guessing you are alluding to a known constraints bug that requires a fix in the OSCAL metaschema definitions.

Here is the SAP file demonstrating it:

<?xml version="1.0" encoding="UTF-8"?>
<assessment-plan 
    uuid="60077e84-e62f-4375-8c6c-b0e0d4560c5f"
    xmlns="http://csrc.nist.gov/ns/oscal/1.0">
    <metadata>
        <title>IFA Assessment Plan</title>
        <last-modified>2023-05-18T13:57:28.355446-04:00</last-modified>
        <version>1.0</version>
        <oscal-version>1.1.2</oscal-version>
        <role id="assessor">
            <title>IFA Security Control Assessor</title>
        </role>
        <party uuid="e7730080-71ce-4b20-bec4-84f33136fd58" type="person">
            <name>Amy Assessor</name>
            <member-of-organization>3a675986-b4ff-4030-b178-e953c2e55d64</member-of-organization>
        </party>
        <party uuid="3a675986-b4ff-4030-b178-e953c2e55d64" type="organization">
            <name>Important Federal Agency</name>
            <short-name>IFA</short-name>
            <link href="https://www.ifa.gov" rel="website"/>
        </party>
        <responsible-party role-id="assessor">
            <party-uuid>e7730080-71ce-4b20-bec4-84f33136fd58</party-uuid>
        </responsible-party>
    </metadata>
    <import-ssp href="../3-implementation/ssp.oscal.xml"/>
    <local-definitions>
        <objectives-and-methods control-id="ac-6.1">
            <description>
                <p>documenting AC-06(01) assessment objectives and methods</p>
            </description>
            <prop name="marking" value="ac-6.1_om"/>
            <part id="ac-6.1_obj" name="assessment-objective">
                <prop name="method-id" value="some-objective-value">
                    <remarks>
                        <p>some obj text</p>
                    </remarks>
                </prop>
                <p>some more obj info</p>
            </part>
            <part id="ac-6.1_mtd" name="assessment-method">
                <prop name="method" value="some-value">
                    <remarks>
                        <p>some text</p>
                    </remarks>
                </prop>
                <p>some more info</p>
                <part id="ac-6.1_objects" name="assessment-objects">
                </part>
            </part>
            
        </objectives-and-methods>
        <activity uuid="52277182-1ba3-4cb6-8d96-b1b97aaf9d6b">
            <title>Examine System Elements for Least Privilege Design and Implementation</title>
            <description>
                <p>The activity and its steps will be performed by the assessor and facilitated by the owner, ISSO, and product team for the IFA GoodRead system with necessary information and access about least privilege design and implementation of the system's elements: the application, web framework, server, and cloud account infrastructure.</p>
            </description>
            <prop name="method" value="EXAMINE"/>
            <step uuid="733e3cbf-e398-46b6-9c02-a2cb534c341e">
                <title>Obtain Network Access via VPN to IFA GoodRead Environment</title>
                <description>
                    <p>The assessor will obtain network access with appropriately configured VPN account to see admin frontend to the application for PAO staff, which is only accessible via VPN with an appropriately configured role for PAO staff accounts.</p>
                </description>
            </step>
            <step uuid="4ce7e0b4-d69e-4b80-a700-8600b4d4d933">
                <title>Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System</title>
                <description>
                    <p>The assessor will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role.</p>
                </description>
            </step>
            <step uuid="3d0297de-e47b-4360-b9c3-cf5c425f86cd">
                <title>Obtain Application Access Provided by Product Team</title>
                <description>
                    <p>The assessor will obtain non-privileged account credentials with the PAO staff role to test this role in the application does not permit excessive administrative operations.</p>
                </description>
            </step>
            <step uuid="64ca1ef6-3ad4-4747-97c6-40890222463f">
                <title>Confirm Load Balancer Blocks Access to Admin Frontend from Internet</title>
                <description>
                    <p>The assessor will confirm that the load balancer for public access does not allow access to Admin Frontend of the application from the Internet.</p>
                </description>
            </step>
            <step uuid="715f0592-166f-44f6-bb66-d99623e035dc">
                <title>Confirm GoodRead's PAO Role Cannot Manage Users</title>
                <description>
                    <p>The assessor will confirm that users logged into the GoodRead Application with the PAO staff role cannot add, modify, or disable users from the system.</p>
                </description>
            </step>
            <step uuid="4641957b-a0fa-4c61-af1a-d3e9101efe40">
                <title>Confirm Django Admin Panel Not Available</title>
                <description>
                    <p>The assessor will confirm with web-based interface and API methods users with the PAO Staff role cannot access the Django admin panel functions and interactively change application's database records.</p>
                </description>
            </step>
            <related-controls>
                <control-selection>
                    <include-control control-id="ac-6.1"/>
                </control-selection>
            </related-controls>
            <responsible-role role-id="assessor">
                <party-uuid>e7730080-71ce-4b20-bec4-84f33136fd58</party-uuid>
            </responsible-role>
        </activity>
    </local-definitions>
    <reviewed-controls>
        <control-selection>
            <include-control control-id="ac-6.1"/>
        </control-selection>
        <control-objective-selection>
            <include-all/>
        </control-objective-selection>
    </reviewed-controls>
    <assessment-subject type="component">
        <description>
            <p>The assessor for the IFA GoodRead Project, including the application and infrastructure for this information system, are within scope of this assessment.</p>
        </description>
        <include-all/>
    </assessment-subject>
    <task uuid="b3504d22-0e75-4dd7-9247-618661beba4e" type="action">
        <title>Examine Least Privilege Design and Implementation</title>
        <associated-activity activity-uuid="52277182-1ba3-4cb6-8d96-b1b97aaf9d6b">
            <subject type="component">
                <include-all/>
            </subject>
        </associated-activity>
        <responsible-role role-id="assessor"/>
        <remarks>
            <p>Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner, information system security officer, and product team for the IFA GoodRead project, will examine least privilege design and implementation with the following:</p>
            <ul>
                <li>list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized;</li>
                <li>system configuration settings and associated documentation;</li>
            </ul>
        </remarks>
    </task>
</assessment-plan>

I moved this to the usnistgov/OSCAL#2059 bug in the OSCAL repo and closed it here.
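An added example, not code from the OSCAL project or from either participant, of how the scope of an allowed-values check on prop/@name decides whether the part-level 'method' prop gets flagged. It parses a trimmed copy of the SAP above with Python's standard library and checks each prop against an allowed set in two ways: once the way the error path in the issue title suggests (the objectives-and-methods set applied to every prop beneath it, nested parts included) and once scoped to the element that directly owns the prop. The allowed-value sets, the broad/scoped split and the helper names are assumptions for illustration, not the metaschema's actual constraints.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed sample: a trimmed copy of the local-definitions in the SAP above.
SAMPLE_SAP = f"""<assessment-plan uuid="60077e84-e62f-4375-8c6c-b0e0d4560c5f" xmlns="{OSCAL_NS}">
  <local-definitions>
    <objectives-and-methods control-id="ac-6.1">
      <prop name="marking" value="ac-6.1_om"/>
      <part id="ac-6.1_obj" name="assessment-objective">
        <prop name="method-id" value="some-objective-value"/>
      </part>
      <part id="ac-6.1_mtd" name="assessment-method">
        <prop name="method" value="some-value"/>
      </part>
    </objectives-and-methods>
  </local-definitions>
</assessment-plan>
"""

# Allowed prop names keyed by the element that owns the prop. Assumptions for
# this example: the first set is the one quoted in the validation error, the
# other two are simply the prop names the sample parts carry.
ALLOWED_BY_OWNER = {
    "objectives-and-methods": {"alt-identifier", "label", "marking", "sort-id"},
    "assessment-objective": {"method-id"},
    "assessment-method": {"method"},
}


def local_name(el):
    """Strip the namespace prefix from an ElementTree tag."""
    return el.tag.split("}", 1)[-1]


def owner_name(el):
    """A part is identified by its @name; any other element by its tag."""
    return el.get("name", "") if local_name(el) == "part" else local_name(el)


def check_props(xml_text, broad_scope):
    """Return (path, prop-name) violations under every objectives-and-methods.

    broad_scope=True mimics a constraint that applies the objectives-and-methods
    allowed set to every prop beneath it, nested parts included, which is the
    shape of the error path reported in this issue. broad_scope=False checks
    each prop only against the set of the element that directly owns it.
    """
    root = ET.fromstring(xml_text)
    violations = []
    oms = root.iterfind("o:local-definitions/o:objectives-and-methods", NS)
    for i, om in enumerate(oms, 1):
        path = f"/assessment-plan/local-definitions[1]/objectives-and-methods[{i}]"
        _walk(om, path, broad_scope, violations)
    return violations


def _walk(el, path, broad_scope, violations):
    owner = owner_name(el)
    counts = {}  # sibling position per tag, to build part[2]/prop[1]-style paths
    for child in el:
        tag = local_name(child)
        counts[tag] = counts.get(tag, 0) + 1
        child_path = f"{path}/{tag}[{counts[tag]}]"
        if tag == "prop":
            if broad_scope:
                allowed = ALLOWED_BY_OWNER["objectives-and-methods"]
            else:
                allowed = ALLOWED_BY_OWNER.get(owner, set())
            name = child.get("name", "")
            if name not in allowed:
                violations.append((child_path + "/@name", name))
        elif tag == "part":
            _walk(child, child_path, broad_scope, violations)


if __name__ == "__main__":
    for label, broad in (("broad constraint", True), ("owner-scoped constraint", False)):
        found = check_props(SAMPLE_SAP, broad)
        print(f"{label}: {len(found)} violation(s)")
        for path, name in found:
            print(f"  {path} -> value {name!r} not allowed")
```

Run as a script, the broad pass reproduces the error path from the issue title (ending in part[2]/prop[1]/@name with value 'method'), while the owner-scoped pass reports nothing; a genuinely unknown prop name on a part is still caught by the scoped pass, so narrowing the scope does not turn the check off.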

github-project-automation bot moved this from Needs Triage to Done in NIST OSCAL Work Board Nov 1, 2024