From 949fdd7ae0b948cca94375b0620f4694e3f9efb8 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Fri, 25 Feb 2022 13:18:01 -0500 Subject: [PATCH 1/5] Adding draft mapping model. --- src/metaschema/oscal_catalog_metaschema.xml | 17 +++ .../oscal_mapping-common_metaschema.xml | 107 ++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 src/metaschema/oscal_mapping-common_metaschema.xml diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index de9d579653..085650df48 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -19,6 +19,7 @@ + Catalog A collection of controls. @@ -173,6 +174,22 @@ + + Mapping + A mapping between the containing control and another resource. + + Mapping Identifier + The unique identifier for the mapping. + + + + target-resource + + + + + + diff --git a/src/metaschema/oscal_mapping-common_metaschema.xml b/src/metaschema/oscal_mapping-common_metaschema.xml new file mode 100644 index 0000000000..5dcc1dda2d --- /dev/null +++ b/src/metaschema/oscal_mapping-common_metaschema.xml @@ -0,0 +1,107 @@ + + + + OSCAL Mapping Model -- Common Models + 1.0.0 + oscal-mapping-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + Mapping Entry + An individual entry that is part of a larger mapping. + + Mapping Entry Identifier + The unique identifier for the mapping entry. + + + + + + + + + + Mapping Entry Relationship + The relationship type for the mapping entry. + + Relationship Value Namespace + A namespace qualifying the relationship's value. This allows different organizations to associate distinct semantics for relationships with the same name. + +

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

+
+
+ + + The source is equivalent in semantic meaning to the target. + The source is a semantic subset of the target. + The source is a semantic superset of the target. + + +
+ + source + + + + target + + + +
+
+ + Mapping Entry Item (source or target) + Identfies a specific edge within a source or target that is the subject of a mapping. + + Subject Type + The semantic type of the subject. + + + Subject Type + The semantic type of the subject. + + + + + + + + + + + + + + Mapped Resource Reference + A reference to a back-matter resource that is either the source or target of a mapping. + + Resource Type + The semantic type of the resource. + + + Catalog or Profile Reference + A resolvable URL reference to the base catalog or profile that this profile is tailoring. + +

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter + resource in the same document.

+ +

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

+

If an internet resource is used, the href value will be an absolute or relative URL pointing to the location of the referenced resource. A relative URL will be resolved relative to the location of the document containing the link.

+
+
+ + + + + + + + + +
+
\ No newline at end of file From 96014285cd3591905c66f4ef6f79b0580d984fbb Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 14 Apr 2022 08:48:52 -0400 Subject: [PATCH 2/5] Added standalone mapping model. --- .../examples/cis-sp-800-53-mapping.xml | 36 +++++++++++ .../examples/computer-build_metaschema.xml | 57 ----------------- src/metaschema/oscal_complete_metaschema.xml | 1 + src/metaschema/oscal_mapping_metaschema.xml | 63 +++++++++++++++++++ 4 files changed, 100 insertions(+), 57 deletions(-) create mode 100644 src/metaschema/examples/cis-sp-800-53-mapping.xml delete mode 100644 src/metaschema/examples/computer-build_metaschema.xml create mode 100644 src/metaschema/oscal_mapping_metaschema.xml diff --git a/src/metaschema/examples/cis-sp-800-53-mapping.xml b/src/metaschema/examples/cis-sp-800-53-mapping.xml new file mode 100644 index 0000000000..bff550c103 --- /dev/null +++ b/src/metaschema/examples/cis-sp-800-53-mapping.xml @@ -0,0 +1,36 @@ + + + + + Example mapping between CIS controls and SP 800-53 rev5 + 2022-04-13T08:37:21.323321800-04:00 + 0.0.1 + 1.0.3 + + + + + + equal-to + + + + + + + +

The combination of SP 800-53 CM-8 and CM-8(1) describe similar implementation requirements to CIS 1.1.

+
+
+
+ + + + + + + + +
\ No newline at end of file diff --git a/src/metaschema/examples/computer-build_metaschema.xml b/src/metaschema/examples/computer-build_metaschema.xml deleted file mode 100644 index 41416466d7..0000000000 --- a/src/metaschema/examples/computer-build_metaschema.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - Computer Build - 1.0 - computer-build - http://csrc.nist.gov/ns/computer-build/1.0 - http://csrc.nist.gov/ns/computer-build/1.0 - - - Computer Build - A description of the components used to build a computer. - - Computer Build Identifier - A unique id for a given build - - - - - - - - - - Computer Component - A description of a component used to build a computer. - - Computer Component Identifier - A unique id for a given component - - - - - - - - - - Component Name - A name of a component used to build a computer. - - - - Description - A description of a component used in a computer build. - - - - Model - The model code of a computer component. - - diff --git a/src/metaschema/oscal_complete_metaschema.xml b/src/metaschema/oscal_complete_metaschema.xml index 7a916ef79b..09ab98b223 100644 --- a/src/metaschema/oscal_complete_metaschema.xml +++ b/src/metaschema/oscal_complete_metaschema.xml @@ -15,6 +15,7 @@

This format represents a combination of all of the OSCAL models.

+ diff --git a/src/metaschema/oscal_mapping_metaschema.xml b/src/metaschema/oscal_mapping_metaschema.xml new file mode 100644 index 0000000000..3b0017874b --- /dev/null +++ b/src/metaschema/oscal_mapping_metaschema.xml @@ -0,0 +1,63 @@ + + + + + +]> + + OSCAL Control Mapping Model + 1.0.3 + oscal-mapping + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Control mapping format can be used to describe how a collection of security controls and related control enhancements relate to another collection of controls. The root of the Control Catalog format is mapping-collection. +

+
+ + + + + Mapping Collection + A collection of control mappings. + mapping-collection + + Mapping Collection Universally Unique Identifier + A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. + + + + + + + + + +

Back matter including references and resources.

+
+
+
+
+ + Control Mapping + A mapping between two target resources. + + Mapping Universally Unique Identifier + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mapping definition elsewhere in this or other OSCAL instances. The locally defined UUID of the mapping can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + source-resource + + + target-resource + + + + + + +
From a15053fbb090dea297c9d034045d303dfce252f8 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 28 Jun 2022 09:46:56 -0400 Subject: [PATCH 3/5] Adjusted relationships based on PR #1150 discussions. Added type enumerations. --- .../oscal_mapping-common_metaschema.xml | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/metaschema/oscal_mapping-common_metaschema.xml b/src/metaschema/oscal_mapping-common_metaschema.xml index 5dcc1dda2d..ac368e9f25 100644 --- a/src/metaschema/oscal_mapping-common_metaschema.xml +++ b/src/metaschema/oscal_mapping-common_metaschema.xml @@ -24,7 +24,7 @@ - + Mapping Entry Relationship The relationship type for the mapping entry. @@ -37,11 +37,16 @@ - The source is equivalent in semantic meaning to the target. + The source is equivalent in semantic meaning to the target. The words may differ, but both mapped elements have the same effective meaning. + The source is the same as the target. Differences in capitalization, spelling, and grammar can be ignored, if these differences do not change the meaning. The source is a semantic subset of the target. The source is a semantic superset of the target. + The source and target have some semantic equivalence, but not all effective requirements from each are contained within the other. Statement level mapping using 'equivalent-to', 'subset-of', and/or 'superset-of' may provide a richer mapping that using this relationship type. + +

When establishing relationships, mapping SHOULD be done at the control statement level where possible. This approach allows for more use of 'equivalent-to', which represents a stronger relationship than the other relationship types.

+
source @@ -56,10 +61,16 @@
Mapping Entry Item (source or target) - Identfies a specific edge within a source or target that is the subject of a mapping. + Identifies a specific edge within a source or target that is the subject of a mapping. Subject Type The semantic type of the subject. + + + A control as defined by OSCAL. + A textual element of a control that defines part of the control's requirements. + + Subject Type @@ -82,6 +93,11 @@ Resource Type The semantic type of the resource. + + + The mapped resource is a control catalog. + + Catalog or Profile Reference From 8e7748bbbe6a1d58e936b603fc39429a8d481a6a Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 28 Jun 2022 09:52:23 -0400 Subject: [PATCH 4/5] updated example --- src/metaschema/examples/cis-sp-800-53-mapping.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/examples/cis-sp-800-53-mapping.xml b/src/metaschema/examples/cis-sp-800-53-mapping.xml index bff550c103..99e9dd7652 100644 --- a/src/metaschema/examples/cis-sp-800-53-mapping.xml +++ b/src/metaschema/examples/cis-sp-800-53-mapping.xml @@ -13,7 +13,7 @@ - equal-to + equivalent-to From 17d8fb9d71d4300087de7f15eed6fcc877d8b163 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 3 Jul 2022 08:57:31 -0400 Subject: [PATCH 5/5] Adjusted documentation based on feedback from @iMichaela --- src/metaschema/examples/cis-sp-800-53-mapping.xml | 7 ++++--- src/metaschema/oscal_mapping-common_metaschema.xml | 14 +++++++------- src/metaschema/oscal_mapping_metaschema.xml | 7 +++++-- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/metaschema/examples/cis-sp-800-53-mapping.xml b/src/metaschema/examples/cis-sp-800-53-mapping.xml index 99e9dd7652..c2407e36c7 100644 --- a/src/metaschema/examples/cis-sp-800-53-mapping.xml +++ b/src/metaschema/examples/cis-sp-800-53-mapping.xml 
@@ -7,16 +7,17 @@ Example mapping between CIS controls and SP 800-53 rev5 2022-04-13T08:37:21.323321800-04:00 0.0.1 - 1.0.3 + 1.1.0 - equivalent-to + + subset-of - + diff --git a/src/metaschema/oscal_mapping-common_metaschema.xml b/src/metaschema/oscal_mapping-common_metaschema.xml index ac368e9f25..6372a9d035 100644 --- a/src/metaschema/oscal_mapping-common_metaschema.xml +++ b/src/metaschema/oscal_mapping-common_metaschema.xml @@ -12,7 +12,7 @@ Mapping Entry - An individual entry that is part of a larger mapping. + A relationship-based mapping between a source and target set consisting of members (i.e., controls, control statements) from the respective source and target. Mapping Entry Identifier The unique identifier for the mapping entry. @@ -26,7 +26,7 @@ Mapping Entry Relationship - The relationship type for the mapping entry. + The relationship type for the mapping entry, which describes the relationship between the effective requirements of the specified source and target sets. Relationship Value Namespace A namespace qualifying the relationship's value. This allows different organizations to associate distinct semantics for relationships with the same name. 
@@ -37,11 +37,11 @@ - The source is equivalent in semantic meaning to the target. The words may differ, but both mapped elements have the same effective meaning. - The source is the same as the target. Differences in capitalization, spelling, and grammar can be ignored, if these differences do not change the meaning. - The source is a semantic subset of the target. - The source is a semantic superset of the target. - The source and target have some semantic equivalence, but not all effective requirements from each are contained within the other. Statement level mapping using 'equivalent-to', 'subset-of', and/or 'superset-of' may provide a richer mapping that using this relationship type. + The effective requirements of the source is equivalent in semantic meaning to the effective requirements of the target. The words may differ, but both mapped sets convey similar information with the same effective meaning. This relationship may be reversed, since `A equivalent-to B` also means that `B equivalent-to A`. + The actual requirements of the source are the same as the actual requirements target. Differences in capitalization, spelling, and grammar can be ignored, if these differences do not change the meaning. This relationship may be reversed, since `A equal-to B` also means that `B equal-to A`. + The effective requirements of the source is a semantic subset of the effective requirements of the target. This relationship may be reversed as a `superset-of`, since `A subset-of B` also means that `B superset-of A`. + The effective requirements of the source is a semantic superset of the effective requirements of the target. This relationship may be reversed as a `subset-of`, since `A superset-of B` also means that `B subset-of A`. + The effective requirements of the source and target have some semantic equivalence, but not all effective requirements from each are contained within the other. 
This relationship may be reversed, since `A intersects-with B` also means that `B intersects-with A`. A lower granularity mapping, such as a statement level mapping using 'equivalent-to', 'subset-of', and/or 'superset-of', may provide a more functional mapping that allows for more inference than using this relationship type. diff --git a/src/metaschema/oscal_mapping_metaschema.xml b/src/metaschema/oscal_mapping_metaschema.xml index 3b0017874b..8ba99643c8 100644 --- a/src/metaschema/oscal_mapping_metaschema.xml +++ b/src/metaschema/oscal_mapping_metaschema.xml @@ -22,7 +22,7 @@ Mapping Collection - A collection of control mappings. + A collection of relationship-based control and/or control statement mappings. mapping-collection Mapping Collection Universally Unique Identifier @@ -40,13 +40,16 @@ + +

A mapping collection affirmatively declares the relationships that exist between sets of controls and/or control statements in a source and target. It is expected that inferences can be made based on what is mapped; however, no inferences should be made based on what is not mapped, since it is impossible to quantify how complete or granular a given mapping is.

+
Control Mapping A mapping between two target resources. Mapping Universally Unique Identifier - A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mapping definition elsewhere in this or other OSCAL instances. The locally defined UUID of the mapping can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mapping definition elsewhere in this or other OSCAL instances. The locally defined UUID of the mapping can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same mapping across revisions of the document.
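Review bot: In PATCH 1/5, new file src/metaschema/oscal_mapping-common_metaschema.xml, the href under "Mapped Resource Reference" is described as "A resolvable URL reference to the base catalog or profile that this profile is tailoring", which is wording from a profile import and does not fit here, since nothing is being tailored in a mapping. Suggest describing it as a reference to the resource that is the source or target of the mapping, and retitling "Catalog or Profile Reference" to match. In the same hunk, "Mapping Entry Item (source or target)" carries "Subject Type / The semantic type of the subject." twice in a row; if the second definition is a different flag, it needs its own title and description. The ns remarks also mix an uppercase "MUST" with a lowercase "should be assumed"; pick one normative style so the default-namespace rule is unambiguous.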
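Review bot: In PATCH 2/5, new file src/metaschema/oscal_mapping_metaschema.xml, the documentation still refers to the catalog model in two places: the remarks say "The root of the Control Catalog format is mapping-collection", and the collection UUID is described as being "for this catalog instance". Both should name the mapping model and the mapping collection instance. The "Control Mapping" definition is described as "A mapping between two target resources" although the model lists source-resource and target-resource; suggest "A mapping between a source resource and a target resource". This last description is still unchanged context in PATCH 5/5.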
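Review bot: In PATCH 2/5, the deletion of src/metaschema/examples/computer-build_metaschema.xml (57 lines) is not mentioned in the commit subject "Added standalone mapping model." and is not visibly related to the mapping model. Suggest moving the removal to its own commit, or stating the reason in the commit message, so the history shows why the example went away. The added example cis-sp-800-53-mapping.xml also ends without a trailing newline.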
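Review bot: In PATCH 3/5, src/metaschema/oscal_mapping-common_metaschema.xml, the added remarks call 'equivalent-to' "a stronger relationship than the other relationship types", but the same hunk adds a value described as "The source is the same as the target", which reads as stronger than semantic equivalence. Suggest stating the intended ordering of the relationship types explicitly, or limiting the claim to 'subset-of', 'superset-of' and the intersecting relationship. Also in this hunk, "may provide a richer mapping that using this relationship type" should read "than using".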
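Review bot: In PATCH 5/5, src/metaschema/oscal_mapping-common_metaschema.xml, the enumeration text uses "effective requirements" for four values and "actual requirements" for equal-to without defining either term, and the relationship semantics now depend on that distinction. Suggest defining both terms once in the remarks. In the intersects-with text, "A lower granularity mapping, such as a statement level mapping" is ambiguous, because a statement-level mapping is the finer-grained one; "a finer-grained mapping" would avoid the confusion. Grammar in the same hunk: "The effective requirements of the source is" should be "are" in each description, and "the actual requirements target" is missing "of the".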