Extending 800-53 with additional controls #60
Comments
Yes. You can add new controls in a new catalog. You would then import both the original and the new catalog in the same OSCAL profile. Once resolved, the resulting catalog would contain selected controls from both source catalogs.
I've captured the extra controls in a separate catalog, but for some reason the controls in the second catalog (only) are being imported twice. Below is a snippet from the profile.

```json
"imports": [
  {
    "href": "NIST_SP-800-53_rev5_catalog.json",
    "include-all": {},
    "exclude-controls": [
      {
        "with-ids": ["sc-19"]
      }
    ]
  },
  {
    "href": "cccs-catalog.json",
    "include-all": {}
  }
],
"merge": {
  "as-is": true
},
```
I'll look into this. It might be a bug.
It would be helpful if someone could help create a PR with a unit test to reproduce this error.
I built a very simple profile resolution example as follows:

catalog-a.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_complete_schema.xsd"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="a1dae246-6de7-4af8-a91c-ca74ba810464">
  <metadata>
    <title>Test Catalog A</title>
    <last-modified>2024-12-09T00:00:00.000000-00:00</last-modified>
    <version>1.0.0</version>
    <oscal-version>1.1.3</oscal-version>
    <role id="creator">
      <title>Document creator</title>
    </role>
    <role id="contact">
      <title>Contact</title>
    </role>
    <party type="organization" uuid="0c21052e-e092-4db5-944e-a0387cd674f8">
      <name>Org A</name>
      <email-address>[email protected]</email-address>
    </party>
    <responsible-party role-id="creator">
      <party-uuid>0c21052e-e092-4db5-944e-a0387cd674f8</party-uuid>
    </responsible-party>
    <responsible-party role-id="contact">
      <party-uuid>0c21052e-e092-4db5-944e-a0387cd674f8</party-uuid>
    </responsible-party>
  </metadata>
  <group class="family" id="family-a">
    <title>Family A</title>
    <control id="a1">
      <title>Control A1</title>
      <part name="statement" id="statement-a1">
        <p>This is control A1.</p>
      </part>
    </control>
    <control id="a2">
      <title>Control A2</title>
      <part name="statement" id="statement-a2">
        <p>This is control A2.</p>
      </part>
    </control>
  </group>
</catalog>
```

catalog-b.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_complete_schema.xsd"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="a1dae246-6de7-4af8-a91c-ca74ba810464">
  <metadata>
    <title>Test Catalog B</title>
    <last-modified>2024-12-09T00:00:00.000000-00:00</last-modified>
    <version>1.0.0</version>
    <oscal-version>1.1.3</oscal-version>
    <role id="creator">
      <title>Document creator</title>
    </role>
    <role id="contact">
      <title>Contact</title>
    </role>
    <party type="organization" uuid="cdd2ef10-5310-4058-9077-6c70e08f6ce5">
      <name>Org B</name>
      <email-address>[email protected]</email-address>
    </party>
    <responsible-party role-id="creator">
      <party-uuid>cdd2ef10-5310-4058-9077-6c70e08f6ce5</party-uuid>
    </responsible-party>
    <responsible-party role-id="contact">
      <party-uuid>cdd2ef10-5310-4058-9077-6c70e08f6ce5</party-uuid>
    </responsible-party>
  </metadata>
  <group class="family" id="family-b">
    <title>Family B</title>
    <control id="b1">
      <title>Control B1</title>
      <part name="statement" id="statement-b1">
        <p>This is control B1.</p>
      </part>
    </control>
    <control id="b2">
      <title>Control B2</title>
      <part name="statement" id="statement-b2">
        <p>This is control B2.</p>
      </part>
    </control>
  </group>
</catalog>
```

profile.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
         uuid="7eca4589-7ed9-4552-9da6-738126660be3">
  <metadata>
    <title>Test Profile C</title>
    <last-modified>2024-12-09T00:00:00.000000-00:00</last-modified>
    <version>1.0.0</version>
    <oscal-version>1.1.3</oscal-version>
    <role id="creator">
      <title>Document Creator</title>
    </role>
    <role id="contact">
      <title>Contact</title>
    </role>
    <party uuid="d0655ea8-1f70-426a-b81b-650058c4423d" type="organization">
      <name>Org C</name>
      <email-address>[email protected]</email-address>
    </party>
    <responsible-party role-id="creator">
      <party-uuid>d0655ea8-1f70-426a-b81b-650058c4423d</party-uuid>
    </responsible-party>
    <responsible-party role-id="contact">
      <party-uuid>d0655ea8-1f70-426a-b81b-650058c4423d</party-uuid>
    </responsible-party>
  </metadata>
  <import href="catalog-a.xml">
    <include-all/>
    <exclude-controls>
      <with-id>a1</with-id>
    </exclude-controls>
  </import>
  <import href="catalog-b.xml">
    <include-all/>
  </import>
</profile>
```

Given these inputs, I ran OSCAL CLI with the following arguments:
It produced the following resolved profile.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="d4d8ecab-002a-4fcf-b6d7-bfe75ef1cc22">
  <metadata>
    <title>Test Profile C</title>
    <last-modified>2024-12-09T15:41:27.351622313Z</last-modified>
    <version>1.0.0</version>
    <oscal-version>1.1.3</oscal-version>
    <prop name="resolution-tool" value="libOSCAL-Java"/>
    <link href="path/to/profile.xml" rel="source-profile"/>
  </metadata>
  <control id="a2">
    <title>Control A2</title>
    <part id="statement-a2" name="statement" ns="http://csrc.nist.gov/ns/oscal">
      <p>This is control A2.</p>
    </part>
  </control>
  <control id="b1">
    <title>Control B1</title>
    <part id="statement-b1" name="statement" ns="http://csrc.nist.gov/ns/oscal">
      <p>This is control B1.</p>
    </part>
  </control>
  <control id="b2">
    <title>Control B2</title>
    <part id="statement-b2" name="statement" ns="http://csrc.nist.gov/ns/oscal">
      <p>This is control B2.</p>
    </part>
  </control>
</catalog>
```

From what I can tell, the profile resolution is working as expected. @michaeldavie-amzn Can you provide a test case with inputs that illustrates the problem? I don't think I can do anything else to address this issue otherwise. I'll wait a few days for a response, before closing this issue without one.
Thanks, here are the inputs I'm working with and the output I'm seeing.

cccs-catalog.json:

```json
{
  "catalog": {
    "uuid": "75505e0e-a09d-484a-a4a7-405dab6de2c9",
    "controls": [
      {
        "class": "CCCS-enhancement",
        "id": "ac-17.400",
        "parts": [
          {
            "prose": "Access to privileged account remotely is only done from dedicated management consoles.",
            "name": "statement",
            "id": "ac-17.400_smt"
          },
          {
            "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.",
            "name": "guidance",
            "id": "ac-17.400_gdn"
          }
        ],
        "props": [
          {
            "name": "label",
            "class": "zero-padded",
            "value": "AC-17(400)"
          },
          {
            "name": "label",
            "value": "AC-17(400)"
          },
          {
            "name": "sort-id",
            "value": "ac-17.400"
          }
        ],
        "title": "Privileged Accounts Remote Access"
      },
      {
        "class": "CCCS",
        "id": "sc-19",
        "parts": [
          {
            "parts": [
              {
                "props": [
                  {
                    "name": "label",
                    "value": "a."
                  }
                ],
                "prose": "Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and",
                "name": "item",
                "id": "sc-19_smt.a"
              },
              {
                "props": [
                  {
                    "name": "label",
                    "value": "b."
                  }
                ],
                "prose": "Authorizes, monitors, and controls the use of VoIP within the information system.",
                "name": "item",
                "id": "sc-19_smt.b"
              }
            ],
            "prose": "The organization:",
            "name": "statement",
            "id": "sc-19_smt"
          },
          {
            "name": "guidance",
            "links": [
              {
                "href": "#cm-6",
                "rel": "related"
              },
              {
                "href": "#sc-7",
                "rel": "related"
              },
              {
                "href": "#sc-15",
                "rel": "related"
              }
            ],
            "id": "sc-19_gdn"
          }
        ],
        "props": [
          {
            "name": "label",
            "value": "SC-19"
          },
          {
            "name": "sort-id",
            "value": "sc-19"
          }
        ],
        "title": "Voice Over Internet Protocol"
      }
    ],
    "metadata": {
      "oscal-version": "1.1.2",
      "last-modified": "2024-09-16T23:16:00Z",
      "title": "CCCS Control Catalog",
      "version": "1.0.0"
    },
    "back-matter": {}
  }
}
```

The profile (cccs-mods-profile.json):

```json
{
  "profile": {
    "back-matter": {},
    "uuid": "e057c6c7-c436-44b4-9d75-c503eef04f37",
    "metadata": {
      "version": "1.0.0",
      "oscal-version": "1.1.2",
      "last-modified": "2024-10-01T23:16:00Z",
      "title": "CCCS Modifications to NIST 800-53"
    },
    "imports": [
      {
        "href": "oscal-content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
        "include-all": {},
        "exclude-controls": [
          {
            "with-ids": ["sc-19"]
          }
        ]
      },
      {
        "href": "cccs-catalog.json",
        "include-all": {}
      }
    ],
    "merge": {
      "as-is": true
    }
  }
}
```

The resolved output:

```json
{
  "catalog" : {
    "metadata" : {
      "title" : "CCCS Modifications to NIST 800-53",
      "links" : [ {
        "href" : "file:///Users/mldavie/Documents/OSCAL/git/cccs-oscal-samples/cccs-mods-profile.json",
        "rel" : "source-profile"
      } ],
      "last-modified" : "2024-12-09T16:15:18.740498Z",
      "oscal-version" : "1.1.2",
      "props" : [ {
        "name" : "resolution-tool",
        "value" : "libOSCAL-Java"
      } ],
      "version" : "1.0.0"
    },
    "controls" : [ {
      "props" : [ {
        "class" : "zero-padded",
        "name" : "label",
        "value" : "AC-17(400)"
      }, {
        "name" : "label",
        "value" : "AC-17(400)"
      }, {
        "name" : "sort-id",
        "value" : "ac-17.400"
      } ],
      "parts" : [ {
        "name" : "statement",
        "prose" : "Access to privileged account remotely is only done from dedicated management consoles.",
        "id" : "ac-17.400_smt"
      }, {
        "name" : "guidance",
        "prose" : "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.",
        "id" : "ac-17.400_gdn"
      } ],
      "id" : "ac-17.400",
      "class" : "CCCS-enhancement",
      "title" : "Privileged Accounts Remote Access"
    }, {
      "props" : [ {
        "name" : "label",
        "value" : "SC-19"
      }, {
        "name" : "sort-id",
        "value" : "sc-19"
      } ],
      "parts" : [ {
        "name" : "statement",
        "prose" : "The organization:",
        "parts" : [ {
          "name" : "item",
          "prose" : "Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and",
          "props" : [ {
            "name" : "label",
            "value" : "a."
          } ],
          "id" : "sc-19_smt.a"
        }, {
          "name" : "item",
          "prose" : "Authorizes, monitors, and controls the use of VoIP within the information system.",
          "props" : [ {
            "name" : "label",
            "value" : "b."
          } ],
          "id" : "sc-19_smt.b"
        } ],
        "id" : "sc-19_smt"
      }, {
        "links" : [ {
          "href" : "#cm-6",
          "rel" : "related"
        }, {
          "href" : "#sc-7",
          "rel" : "related"
        }, {
          "href" : "#sc-15",
          "rel" : "related"
        } ],
        "name" : "guidance",
        "id" : "sc-19_gdn"
      } ],
      "id" : "sc-19",
      "class" : "CCCS",
      "title" : "Voice Over Internet Protocol"
    }, {
      "props" : [ {
        "class" : "zero-padded",
        "name" : "label",
        "value" : "AC-17(400)"
      }, {
        "name" : "label",
        "value" : "AC-17(400)"
      }, {
        "name" : "sort-id",
        "value" : "ac-17.400"
      } ],
      "parts" : [ {
        "name" : "statement",
        "prose" : "Access to privileged account remotely is only done from dedicated management consoles.",
        "id" : "ac-17.400_smt"
      }, {
        "name" : "guidance",
        "prose" : "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.",
        "id" : "ac-17.400_gdn"
      } ],
      "id" : "ac-17.400",
      "class" : "CCCS-enhancement",
      "title" : "Privileged Accounts Remote Access"
    }, {
      "props" : [ {
        "name" : "label",
        "value" : "SC-19"
      }, {
        "name" : "sort-id",
        "value" : "sc-19"
      } ],
      "parts" : [ {
        "name" : "statement",
        "prose" : "The organization:",
        "parts" : [ {
          "name" : "item",
          "prose" : "Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and",
          "props" : [ {
            "name" : "label",
            "value" : "a."
          } ],
          "id" : "sc-19_smt.a"
        }, {
          "name" : "item",
          "prose" : "Authorizes, monitors, and controls the use of VoIP within the information system.",
          "props" : [ {
            "name" : "label",
            "value" : "b."
          } ],
          "id" : "sc-19_smt.b"
        } ],
        "id" : "sc-19_smt"
      }, {
        "links" : [ {
          "href" : "#cm-6",
          "rel" : "related"
        }, {
          "href" : "#sc-7",
          "rel" : "related"
        }, {
          "href" : "#sc-15",
          "rel" : "related"
        } ],
        "name" : "guidance",
        "id" : "sc-19_gdn"
      } ],
      "id" : "sc-19",
      "class" : "CCCS",
      "title" : "Voice Over Internet Protocol"
    } ],
    [...]
```
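The two reproductions in this thread differ in one structural detail: the maintainer's catalog-a/catalog-b keep their controls inside a `group`, while cccs-catalog.json places `ac-17.400` and `sc-19` directly under the catalog, and only the second case produced doubled controls. The following is an added example, not code from liboscal-java or oscal-cli. It models just the slice of OSCAL profile resolution used here (an `include-all` import, `exclude-controls` with `with-ids`, and a flattened `merge.as-is`) over catalogs of either shape, and it provides `duplicate_control_ids`, the check a practitioner can run over any resolved catalog before it feeds a compliance pipeline. The NIST stand-in, the CCCS sample and the profile are constructed for this example; the real SP 800-53 content is not reproduced.

```python
"""Minimal OSCAL profile-resolution model plus a duplicate-control check.

Added example for this issue thread; not liboscal-java's or oscal-cli's
code. Scope is limited to include-all, exclude-controls/with-ids and a
flat as-is merge. with-child-controls, include-controls and matching
patterns are deliberately not modelled.
"""
import json
from collections import Counter


def iter_controls(container):
    """Yield every control under a catalog, group or control, recursing
    into nested groups and into enhancements (OSCAL nests those under a
    control's own `controls` array). Handles catalog-level controls and
    group-nested controls alike."""
    for ctl in container.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in container.get("groups", []):
        yield from iter_controls(grp)


def select_controls(catalog, import_spec):
    """Apply one profile import to one catalog and return the selected
    controls, each id at most once."""
    if "include-all" not in import_spec:
        raise ValueError("this example only models include-all imports")
    excluded = set()
    for rule in import_spec.get("exclude-controls", []):
        excluded.update(rule.get("with-ids", []))
    seen, selected = set(), []
    for ctl in iter_controls(catalog["catalog"]):
        if ctl["id"] in excluded or ctl["id"] in seen:
            continue
        seen.add(ctl["id"])
        selected.append(ctl)
    return selected


def resolve(profile, catalogs):
    """Resolve a profile against catalogs held in memory, keyed by import
    href. The merge is a flat concatenation in import order, like the XML
    output in this thread; the group hierarchy a real as-is merge rebuilds
    is not reconstructed here."""
    resolved = []
    for imp in profile["profile"]["imports"]:
        resolved.extend(select_controls(catalogs[imp["href"]], imp))
    return {"catalog": {"controls": resolved}}


def duplicate_control_ids(resolved_catalog):
    """Return control ids that occur more than once anywhere in a resolved
    catalog. An empty list means no control was imported twice."""
    counts = Counter(c["id"] for c in iter_controls(resolved_catalog["catalog"]))
    return sorted(cid for cid, n in counts.items() if n > 1)


# Constructed sample inputs; the NIST catalog is a two-control stand-in.
NIST_STANDIN = {"catalog": {"groups": [{"id": "sc", "controls": [
    {"id": "sc-7", "title": "Boundary Protection"},
    {"id": "sc-19", "title": "Voice Over Internet Protocol"},
]}]}}
CCCS_SAMPLE = {"catalog": {"controls": [
    {"id": "ac-17.400", "class": "CCCS-enhancement",
     "title": "Privileged Accounts Remote Access"},
    {"id": "sc-19", "class": "CCCS", "title": "Voice Over Internet Protocol"},
]}}
PROFILE = {"profile": {"imports": [
    {"href": "NIST_SP-800-53_rev5_catalog.json", "include-all": {},
     "exclude-controls": [{"with-ids": ["sc-19"]}]},
    {"href": "cccs-catalog.json", "include-all": {}},
], "merge": {"as-is": True}}}
CATALOGS = {"NIST_SP-800-53_rev5_catalog.json": NIST_STANDIN,
            "cccs-catalog.json": CCCS_SAMPLE}


def resolved_ids():
    """Control ids in the resolved sample catalog, in import order."""
    return [c["id"] for c in iter_controls(resolve(PROFILE, CATALOGS)["catalog"])]


if __name__ == "__main__":
    out = resolve(PROFILE, CATALOGS)
    print(json.dumps(resolved_ids()))  # ["sc-7", "ac-17.400", "sc-19"]
    print("duplicates:", duplicate_control_ids(out))
    # Shape of the doubled output reported in this issue (constructed).
    doubled = {"catalog": {"controls": out["catalog"]["controls"] * 2}}
    print("duplicates in doubled output:", duplicate_control_ids(doubled))
```

Running `duplicate_control_ids` over a real resolved catalog (after `json.load`) gives a one-line gate that would have flagged the output above, where `ac-17.400` and `sc-19` each appear twice, before the catalog was used.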
@michaeldavie-amzn Thank you. I am able to reproduce the same erroneous behavior locally now. I'll start investigating a fix.
… controls defined at the catalog level. Resolved metaschema-framework/oscal-cli#60.
This is fixed by metaschema-framework/liboscal-java#92.
… controls defined at the catalog level. Resolved metaschema-framework/oscal-cli#60.
… controls defined at the catalog level. Resolved metaschema-framework/oscal-cli#60. (#92)
The Canadian Centre for Cyber Security publishes a modified version of NIST 800-53. While I have been able to capture most of their modifications in an OSCAL profile using the `alters` functionality, in some cases they have added new controls such as AC-17(400). Is there a way to capture these additional controls in a separate OSCAL catalog, and for `oscal-cli` to merge them into their existing NIST 800-53 structure?