From 3c72868569b89ad997a7f24c151f58593ea7f22e Mon Sep 17 00:00:00 2001
From: Alexander Stein <alexander.stein@nist.gov>
Date: Fri, 12 Aug 2022 11:11:46 -0400
Subject: [PATCH] Week 30 feedback on SSP model. (#49)

---
 .../oscal_implementation-common_metaschema.xml   |  7 +++++++
 src/metaschema/oscal_ssp_metaschema.xml          | 16 ++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index 199eb552ee..f9c7602ffa 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -665,6 +665,13 @@
             <!-- This is an id because the idenfier is assigned and managed by humans. -->
             <formal-name>System Identification</formal-name>
             <!-- Identifier Declaration -->
+            <!-- 
+                  TODO: Given feedback, we need to update Metaschema with usnistgov/metaschema#222
+                  with props like in https://github.com/david-waltermire-nist/OSCAL/commit/3aafc080b3dc5f488c15b763f707326e77a61f5d#diff-4176d3cf694dd36b02a94207426934306ec0fdaecc54d1bb96f50f52cd7ceae6R27-R32.
+
+                  We need to determine if both identifier-type='machine-oriented' and identifier-type='human-oriented'.
+                  Option 2 is identifier-type='unspecified'.
+            -->
             <description>A <a href="/concepts/identifier-use/#human-oriented">human-oriented</a>, <a href="/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this system identification property elsewhere in <a href="/concepts/identifier-use/#scope">this or other OSCAL instances</a>. When referencing an externally defined <code>system identification</code>, the <code>system identification</code> must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned <a href="/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same system across revisions of the document.</description>
             <json-value-key>id</json-value-key>
             <define-flag name="identifier-type" as-type="uri">
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml
index e6bee63bfc..373e742352 100644
--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -62,7 +62,7 @@
         <!-- TODO: Add a link to "within the scope of the containing OSCAL document" to point to documentation of identification scopes" -->
         <p>If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified <code>resource</code> in the document's <code>back-matter</code> or another object that is within the scope of the containing OSCAL document. The identified resource will be used instead as the target resource.</p>
         <p>If an internet resource is used, the <code>href</code> value will be an absolute or relative URI pointing to the location of the target resource. A relative URI will be resolved relative to the location of the document containing the link.</p>
-        <p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL [profile resolution specification](https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/) to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.</p>
+        <p>If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution specification</a> to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.</p>
         <p>While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.</p>
       </remarks>
     </define-flag>
@@ -88,6 +88,9 @@
       <define-field name="system-name-short" as-type="string">
         <formal-name>System Name - Short</formal-name>
         <description>A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.</description>
+        <remarks>
+          <p>Since <code>system-name-short</code> is optional, if the <code>system-name-short</code> is not provided, the <code>system-name</code> can be used as a substitute.</p>
+        </remarks>
       </define-field>
       <define-field name="description" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
         <formal-name>System Description</formal-name>
@@ -304,6 +307,10 @@
       <index-has-key name="index-back-matter-resource" target="link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]">
         <key-field target="@href" pattern="#(.*)"/>
       </index-has-key>
+      <!-- 
+        TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
+        add the path target to security-sensitivity-level as well.
+      -->
       <matches target="link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]" datatype="uri"/>
       <allowed-values target="information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)">
         <enum value="fips-199-low">A 'low' sensitivity level as defined in <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>.
@@ -334,18 +341,19 @@
     <formal-name>Security Impact Level</formal-name>
     <description>The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.</description>
     <model>
+      <!-- 
+        TODO: Per discussion in usnisgov/OSCAL#1331 review on 29 July 2022,
+        add the path target to security-impact-level as well for fips-199-low/mod/high.
+      -->
       <define-field name="security-objective-confidentiality" as-type="string" min-occurs="1">
-        <!-- CHANGED: cardinality to min 1 -->
         <formal-name>Security Objective: Confidentiality</formal-name>
         <description>A target-level of confidentiality for the system, based on the sensitivity of information within the system.</description>
       </define-field>
       <define-field name="security-objective-integrity" as-type="string" min-occurs="1">
-        <!-- CHANGED: cardinality to min 1 -->
         <formal-name>Security Objective: Integrity</formal-name>
         <description>A target-level of integrity for the system, based on the sensitivity of information within the system.</description>
       </define-field>
       <define-field name="security-objective-availability" as-type="string" min-occurs="1">
-        <!-- CHANGED: cardinality to min 1 -->
         <formal-name>Security Objective: Availability</formal-name>
         <description>A target-level of availability for the system, based on the sensitivity of information within the system.</description>
       </define-field>