Add imported-from relation to links in SSP

[mruge]

User Story:

To better document how components, capabilities, and controls all relate to one another. Additional pre-defined relation types would be useful. Although the Link assembly allows for arbitrary values some of the time, pre-defined acceptable values would provide users and tool developers better ability to make more universally compatible documents.

Adding additional values to the following Links would simplify importing and referencing source information for objects within the SSP

Goals:

• Add imported-from as a accepted value in the ssp -> system implementation -> component -> link stanza. This relation is intended to represent the UUID and/or href back to the Component Definition that defined that component.

• Add imported-from as a accepted value in the ssp -> Control implementation -> implemented requirements -> by-component -> link stanza. This relation is intended to represent the UUID and/or href back to the Component Definition that defined that control narrative.

Dependencies:

• Enhancing 'link' to indicate internal targets in a 'resource' #756 is completed, as linking to the component-definition/@uuid and its original component/@uuid within need to be addressed at the same time with two different fields or a complex syntax in the one field that is not very ergonomic, @link at this time doesn't support that currently.

Acceptance Criteria

• All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

[david-waltermire]

The second case of imported-from maybe should be named provided-by .as described in teh example we produced a few weeks back.

[iMichaela]

This issue is derived from the following scenario (schematically represented below):

system-implementation
- component[@uuid="app1",@type="software"]
  - link[@rel="depends-on", @href="storage1"]
- component[@uuid="storage1",@type="hardware"]
- component[@uuid="this-system",@type="this-system"]
- inventory-item[@uuid="inv1"]
  - implemented-component[@component-uuid="app1"]
  - implemented-component[@component-uuid="storage1"]
control-implementation
- implemented-requirements
  - control[@id="enc-1"]
    - by-component[@component-uuid="storage1"]
      - description: implementation narrative
    - by-component[@component-uuid="app1"]
      - link[@rel="provided-by", @href="storage1"]
      - description: encryption is provided by the storage array
  - control[@id="enc-2"]
    - by-component[@component-uuid="this-system"]
      - description: not needed
  - control[@id="enc-3"]
    - by-component[@component-uuid="storage1"]
      - description: is needed here
    - by-component[@component-uuid="app1"]
      - link[@rel="provided-by", @href="storage1"]
      - description: not needed

[aj-stein-nist]

Talked with @david-waltermire-nist and team during weekly status meeting. We are going to break out the #756 dependency be implicit, not explicit, and removed from the deps section of the user story. I will update that issue accordingly to circle back and update the docs or code in the PR attached to that issue and circle back on this once merged.