diff --git a/src/metaschema/examples/cis-sp-800-53-mapping.xml b/src/metaschema/examples/cis-sp-800-53-mapping.xml new file mode 100644 index 0000000000..c2407e36c7 --- /dev/null +++ b/src/metaschema/examples/cis-sp-800-53-mapping.xml @@ -0,0 +1,37 @@ + + + + + Example mapping between CIS controls and SP 800-53 rev5 + 2022-04-13T08:37:21.323321800-04:00 + 0.0.1 + 1.1.0 + + + + + + + subset-of + + + + + + + +

The combination of SP 800-53 CM-8 and CM-8(1) describe similar implementation requirements to CIS 1.1.

+
+
+
+ + + + + + + + +
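Review bot: In src/metaschema/examples/cis-sp-800-53-mapping.xml the remark under the `subset-of` entry does not justify that relationship type: "describe similar implementation requirements" reads like `equivalent-to` or `intersects-with`, so the remark should say which side is the subset (CIS 1.1 as the source, or CM-8 plus CM-8(1) as the target) and why. While there, fix the agreement ("The combination of SP 800-53 CM-8 and CM-8(1) describes ..."), reconcile the oscal-version 1.1.0 declared in the example metadata with the 1.0.3 and 1.0.0 declared by the two new mapping metaschemas, and add the missing trailing newline.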
\ No newline at end of file diff --git a/src/metaschema/examples/computer-build_metaschema.xml b/src/metaschema/examples/computer-build_metaschema.xml deleted file mode 100644 index 41416466d7..0000000000 --- a/src/metaschema/examples/computer-build_metaschema.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - Computer Build - 1.0 - computer-build - http://csrc.nist.gov/ns/computer-build/1.0 - http://csrc.nist.gov/ns/computer-build/1.0 - - - Computer Build - A description of the components used to build a computer. - - Computer Build Identifier - A unique id for a given build - - - - - - - - - - Computer Component - A description of a component used to build a computer. - - Computer Component Identifier - A unique id for a given component - - - - - - - - - - Component Name - A name of a component used to build a computer. - - - - Description - A description of a component used in a computer build. - - - - Model - The model code of a computer component. - - diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index de9d579653..085650df48 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -19,6 +19,7 @@ + Catalog A collection of controls. @@ -173,6 +174,22 @@ + + Mapping + A mapping between the containing control and another resource. + + Mapping Identifier + The unique identifier for the mapping. + + + + target-resource + + + + + + diff --git a/src/metaschema/oscal_complete_metaschema.xml b/src/metaschema/oscal_complete_metaschema.xml index 7a916ef79b..09ab98b223 100644 --- a/src/metaschema/oscal_complete_metaschema.xml +++ b/src/metaschema/oscal_complete_metaschema.xml @@ -15,6 +15,7 @@

This format represents a combination of all of the OSCAL models.

+ diff --git a/src/metaschema/oscal_mapping-common_metaschema.xml b/src/metaschema/oscal_mapping-common_metaschema.xml new file mode 100644 index 0000000000..6372a9d035 --- /dev/null +++ b/src/metaschema/oscal_mapping-common_metaschema.xml @@ -0,0 +1,123 @@ + + + + OSCAL Mapping Model -- Common Models + 1.0.0 + oscal-mapping-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + Mapping Entry + A relationship-based mapping between a source and target set consisting of members (i.e., controls, control statements) from the respective source and target. + + Mapping Entry Identifier + The unique identifier for the mapping entry. + + + + + + + + + + Mapping Entry Relationship + The relationship type for the mapping entry, which describes the relationship between the effective requirements of the specified source and target sets. + + Relationship Value Namespace + A namespace qualifying the relationship's value. This allows different organizations to associate distinct semantics for relationships with the same name. + +

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

+
+
+ + + The effective requirements of the source is equivalent in semantic meaning to the effective requirements of the target. The words may differ, but both mapped sets convey similar information with the same effective meaning. This relationship may be reversed, since `A equivalent-to B` also means that `B equivalent-to A`. + The actual requirements of the source are the same as the actual requirements target. Differences in capitalization, spelling, and grammar can be ignored, if these differences do not change the meaning. This relationship may be reversed, since `A equal-to B` also means that `B equal-to A`. + The effective requirements of the source is a semantic subset of the effective requirements of the target. This relationship may be reversed as a `superset-of`, since `A subset-of B` also means that `B superset-of A`. + The effective requirements of the source is a semantic superset of the effective requirements of the target. This relationship may be reversed as a `subset-of`, since `A superset-of B` also means that `B subset-of A`. + The effective requirements of the source and target have some semantic equivalence, but not all effective requirements from each are contained within the other. This relationship may be reversed, since `A intersects-with B` also means that `B intersects-with A`. A lower granularity mapping, such as a statement level mapping using 'equivalent-to', 'subset-of', and/or 'superset-of', may provide a more functional mapping that allows for more inference than using this relationship type. + + + +

When establishing relationships, mapping SHOULD be done at the control statement level where possible. This approach allows for more use of 'equivalent-to', which represents a stronger relationship than the other relationship types.

+
+
+ + source + + + + target + + + +
+
+ + Mapping Entry Item (source or target) + Identifies a specific edge within a source or target that is the subject of a mapping. + + Subject Type + The semantic type of the subject. + + + A control as defined by OSCAL. + A textual element of a control that defines part of the control's requirements. + + + + + Subject Type + The semantic type of the subject. + + + + + + + + + + + + + + Mapped Resource Reference + A reference to a back-matter resource that is either the source or target of a mapping. + + Resource Type + The semantic type of the resource. + + + The mapped resource is a control catalog. + + + + + Catalog or Profile Reference + A resolvable URL reference to the base catalog or profile that this profile is tailoring. + +

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter + resource in the same document.

+ +

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

+

If an internet resource is used, the href value will be an absolute or relative URL pointing to the location of the referenced resource. A relative URL will be resolved relative to the location of the document containing the link.

+
+
+ + + + + + + + + +
+
\ No newline at end of file diff --git a/src/metaschema/oscal_mapping_metaschema.xml b/src/metaschema/oscal_mapping_metaschema.xml new file mode 100644 index 0000000000..8ba99643c8 --- /dev/null +++ b/src/metaschema/oscal_mapping_metaschema.xml @@ -0,0 +1,66 @@ + + + + + +]> + + OSCAL Control Mapping Model + 1.0.3 + oscal-mapping + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Control mapping format can be used to describe how a collection of security controls and related control enhancements relate to another collection of controls. The root of the Control Catalog format is mapping-collection. +

+
+ + + + + Mapping Collection + A collection of relationship-based control and/or control statement mappings. + mapping-collection + + Mapping Collection Universally Unique Identifier + A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. + + + + + + + + + +

Back matter including references and resources.

+
+
+
+ +

A mapping collection affirmatively declares the relationships that exist between sets of controls and/or control statements in a source and target. It is expected that inferences can be made based on what is mapped; however, no inferences should be made based on what is not mapped, since it is impossible to quantify how complete or granular a given mapping is.

+
+
+ + Control Mapping + A mapping between two target resources. + + Mapping Universally Unique Identifier + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mapping definition elsewhere in this or other OSCAL instances. The locally defined UUID of the mapping can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same mapping across revisions of the document. + + + + source-resource + + + target-resource + + + + + + +
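Review bot: The deletion of src/metaschema/examples/computer-build_metaschema.xml is unrelated to the mapping model and should be split into its own commit with a rationale; bundled into this change, a reviewer cannot tell whether removing a self-contained Metaschema example was intentional or an accident of the branch.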
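Review bot: In oscal_catalog_metaschema.xml the new Mapping assembly under control duplicates the concept defined in oscal_mapping_metaschema.xml with a different shape: it carries only a `target-resource` flag and a "Mapping Identifier" whose uniqueness scope is not stated, whereas the mapping model carries both `source-resource` and `target-resource` and a UUID with cross-instance scope. Either document that the source is implicitly the containing catalog and specify the identifier's scope (local to the catalog, or globally unique), or drop the catalog-level assembly in favour of the mapping model, so that two incompatible representations of the same relationship do not ship together.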
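Review bot: In oscal_mapping-common_metaschema.xml the href description "A resolvable URL reference to the base catalog or profile that this profile is tailoring" is copied from the profile import and is wrong here: a mapping tailors nothing, and the only allowed resource type is catalog ("The mapped resource is a control catalog."), so either add a profile value or drop "or Profile" from the formal name. Also in this hunk: "Subject Type / The semantic type of the subject." is defined twice on the mapping item, the second time without allowed values, so one copy is redundant; the item description says it identifies an "edge" within a source or target, but the allowed values (control, statement) are nodes, not edges; the relationship definitions need agreement fixes ("The effective requirements of the source is" should be "are", and "the actual requirements target" should be "the actual requirements of the target"); and "registered uniform resource names (URN) namespace" should read "uniform resource name". Since an href may point at an arbitrary internet resource, consider stating in the remark that remote sources and targets should be declared as back-matter resources and referenced by fragment, so that what a mapping resolves against is recorded in the document itself rather than fetched ad hoc.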
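Review bot: In oscal_mapping_metaschema.xml several descriptions are copy-paste leftovers that contradict the new model: the introduction says "The root of the Control Catalog format is mapping-collection" (this is the Control Mapping format), the collection UUID is described as "for this catalog instance" (it is a mapping collection instance), and Control Mapping is described as "A mapping between two target resources" although its flags are `source-resource` and `target-resource`. Also align the model version: this file declares 1.0.3 while oscal_mapping-common_metaschema.xml declares 1.0.0 and the example declares 1.1.0. The remark that "no inferences should be made based on what is not mapped" is the right caveat; consider adding that a collection only asserts relationships from its author's perspective, since a consumer merging collections from different authors has no way to weigh conflicting assertions about the same source and target.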