800-53 rev5 control title deficiencies #112

Closed
Tracked by #135
GaryGapinski opened this issue Jun 29, 2022 · 9 comments · Fixed by #137 or #143
Labels: bug (The issue is a bug report.)

Comments

@GaryGapinski

Describe the bug

Errors in control titles (/catalog//control/title elements).

See attached.

Who is the bug affecting?

Users of oscal-content.

What is affected by this bug?

Use of oscal-content to present control information.

When does this occur?

As of this writing.

How do we replicate the issue?

See attached.

What are the steps to reproduce the behavior?

Perform a text comparison of control titles amongst the sources.

Expected behavior (i.e. solution)

Corrected control titles

Other Comments

XML conversions of the spreadsheets were used.

One class of errors is mishandled abbreviations/acronyms.

There are errors not only in the OSCAL content but in the spreadsheets (the OSCAL content can/could be correct).

Comparisons to the normative SP 800-53 rev5 PDF document rendition are of course not possible (because it is PDF and as well someone chose to CAPITALIZE ALL CONTROL ENHANCEMENT TITLES).

Attachment: table.zip

GaryGapinski added the bug label on Jun 29, 2022
@wendellpiez
Contributor

The table includes around 25 items, maybe half of which are errors in the source OSCAL.

For the others, the spreadsheet-extractor XSLTs must be examined to rectify if they are failing.

Use this opportunity also to document the spreadsheet extractor for future uses.

@david-waltermire
Contributor

@wendellpiez Can you analyze where the errors are occurring and create a checklist in this issue identifying the classes and quantities of errors that need to be fixed? We can use this to verify the result of your fixes after the repairs are made.

@wendellpiez
Contributor

Noting that errors, where they are found, tend to be in the neighborhood of punctuation such as / (solidus) and ( ) (parentheses).

We could do some top-down inspection to help validate that we have them all.

@wendellpiez
Contributor

To look for (at least):

  • matches(.,'\p{Ps}\p{Ll}') open bracket directly followed by lower case letter
  • matches(.,'—\w') em dash directly followed by word character
  • matches(.,'/\w') solidus directly followed by word character
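The three checks above, together with the cross-source title comparison the issue asks for, as an added Python example (not code from the oscal-content repository; the sample titles are constructed from values quoted elsewhere in this issue):

```python
"""Lint SP 800-53 control titles as the issue's XPath checks do (added example,
not code from oscal-content; sample titles are constructed from the thread)."""
import re
import unicodedata

def open_bracket_then_lower(title: str) -> bool:
    # matches(.,'\p{Ps}\p{Ll}'): Python's re lacks \p{..}, so test categories directly.
    return any(unicodedata.category(a) == "Ps" and unicodedata.category(b) == "Ll"
               for a, b in zip(title, title[1:]))

EM_DASH_RUN_ON = re.compile("\u2014\\w")   # matches(.,'—\w')
SOLIDUS_RUN_ON = re.compile(r"/\w")        # matches(.,'/\w')

def lint_title(title: str) -> list[str]:
    """Names of the checks a title fails; empty when clean."""
    findings = []
    if open_bracket_then_lower(title):
        findings.append("open-bracket-then-lowercase")
    if EM_DASH_RUN_ON.search(title):
        findings.append("em-dash-run-on")
    if SOLIDUS_RUN_ON.search(title):
        findings.append("solidus-run-on")
    return findings

def compare_sources(rows: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Controls whose title is not identical in every source (the worksheet's test)."""
    return {cid: t for cid, t in rows.items() if len(set(t.values())) > 1}

# Constructed rows using the values quoted in the worksheet.
SAMPLE_ROWS = {
    "IA-2": {"oscal": "Identification and Authentication (Organizational Users)",
             "800-53": "Identification and Authentication (organizational Users)",
             "800-53b": "Identification and Authentication (organizational Users)"},
    "CM-7(4)": {"oscal": "Least Functionality | Unauthorized Software \u2014 Deny-by-exception",
                "800-53": "Least Functionality | Unauthorized Software \u2014 Deny-by-exception",
                "800-53b": "Least Functionality | Unauthorized Software"},
    "AC-20(3)": {s: "Use of External Systems | Non-organizationally Owned Systems \u2014 Restricted Use"
                 for s in ("oscal", "800-53", "800-53b")},
}

if __name__ == "__main__":
    for cid, titles in compare_sources(SAMPLE_ROWS).items():
        print(cid, "differs across sources:", titles)
    for cid, titles in SAMPLE_ROWS.items():
        for src, title in titles.items():
            if lint_title(title):
                print(f"{cid} [{src}] {title!r} ->", lint_title(title))
```

Note that a lower-cased acronym such as "Gsa-approved" passes all three pattern checks and only surfaces through the cross-source comparison.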

@GaryGapinski
Author

em dash directly followed by word character

That only works if one anticipates Chicago style. The superior AP style uses spaces around the em dash.

@wendellpiez
Contributor

Turns out that's not a problem anywhere in any case. 😎

@wendellpiez
Contributor

wendellpiez commented Sep 6, 2022

Worksheet

AC-20(3)

Should this be "Non-organizationally-owned"? Otherwise I don't see an issue. Rev 5 PDF has "NON-ORGANIZATIONALLY OWNED SYSTEMS" (all caps) for the enhancement title (revised from Rev 4 "NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES").

OSCAL catalog: Use of External Systems | Non-organizationally Owned Systems — Restricted Use
800-53 spreadsheet: Use of External Systems | Non-organizationally Owned Systems — Restricted Use
800-53b spreadsheet: Use of External Systems | Non-organizationally Owned Systems — Restricted Use

CM-7(4)

Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).

OSCAL catalog: Least Functionality | Unauthorized Software — Deny-by-exception
800-53 spreadsheet: Least Functionality | Unauthorized Software — Deny-by-exception
800-53b spreadsheet: Least Functionality | Unauthorized Software

CM-7(5)

Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).

OSCAL catalog: Least Functionality | Authorized Software — Allow-by-exception
800-53 spreadsheet: Least Functionality | Authorized Software — Allow-by-exception
800-53b spreadsheet: Least Functionality | Authorized Software

CP-9(7)

Apparent lapse in profile spreadsheet extraction (enhancement title dropped after em dash).

OSCAL catalog: System Backup | Dual Authorization for Deletion or Destruction
800-53 spreadsheet: System Backup | Dual Authorization for Deletion or Destruction
800-53b spreadsheet: System Backup | Dual Authorization

IA-2

Spreadsheet extractor un-capitalizes after open parenthesis?

The same issue recurs in 13 enhancements when title is expanded.

OSCAL catalog: Identification and Authentication (Organizational Users)
800-53 spreadsheet: Identification and Authentication (organizational Users)
800-53b spreadsheet: Identification and Authentication (organizational Users)

IA-5(15)

Requires correction in source.

OSCAL catalog: Authenticator Management | Gsa-approved Products and Services
800-53 spreadsheet: Authenticator Management | GSA-approved Products and Services
800-53b spreadsheet: Authenticator Management | GSA-approved Products and Services

IA-8(5)

IA-8 title in current version has (correctly) "Identification and Authentication (Non-organizational Users)".

I have no accounting for why 'PIV' might become 'PVI'.

OSCAL catalog: Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials
800-53 spreadsheet: Identification and Authentication (non-organizational Users) | Acceptance of PVI-I Credentials
800-53b spreadsheet: Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials

PE-13(1)

Apparent collapse of em dash to hyphen in spreadsheet extraction?

OSCAL catalog: Fire Protection | Detection Systems — Automatic Activation and Notification
800-53 spreadsheet: Fire Protection | Detection Systems — Automatic Activation and Notification
800-53b spreadsheet: Fire Protection | Detection Systems – Automatic Activation and Notification

PE-13(2)

Another apparent collapse of em dash to hyphen in spreadsheet extraction?

OSCAL catalog: Fire Protection | Suppression Systems — Automatic Activation and Notification
800-53 spreadsheet: Fire Protection | Suppression Systems — Automatic Activation and Notification
800-53b spreadsheet: Fire Protection | Suppression Systems – Automatic Activation and Notification

PE-19(1)

Very strange variance in 800-53b spreadsheet? (A word promoted up from control text?)

OSCAL catalog: Information Leakage | National Emissions Policies and Procedures
800-53 spreadsheet: Information Leakage | National Emissions Policies and Procedures
800-53b spreadsheet: Information Leakage | National Emissions and Tempest Policies and Procedures

PS-3(3)

Very strange variance in 800-53b spreadsheet?

OSCAL catalog: Personnel Screening | Information Requiring Special Protective Measures
800-53 spreadsheet: Personnel Screening | Information Requiring Special Protective Measures
800-53b spreadsheet: Personnel Screening | Information with Special Protective Measures

SA-4(7)

Requires correction in source.

OSCAL catalog: Acquisition Process | Niap-approved Protection Profiles
800-53 spreadsheet: Acquisition Process | NIAP-approved Protection Profiles
800-53b spreadsheet: Acquisition Process | NIAP-approved Protection Profiles

SA-9(8)

Currently the catalog has "Processing and Storage Location — U.S. Jurisdiction". (This looks fine in the file sent with the bug report also.)

OSCAL catalog: External System Services | Processing and Storage Location — U.s. Jurisdiction
800-53 spreadsheet: External System Services | Processing and Storage Location — U.S. Jurisdiction
800-53b spreadsheet: External System Services | Processing and Storage Location — U.S. Jurisdiction

SA-10(2)

Variance in 800-53b spreadsheet extraction? (word dropped).

OSCAL catalog: Developer Configuration Management | Alternative Configuration Management Processes
800-53 spreadsheet: Developer Configuration Management | Alternative Configuration Management Processes
800-53b spreadsheet: Developer Configuration Management | Alternative Configuration Management

SR-2(1)

Requires correction in source.

OSCAL catalog: Supply Chain Risk Management Plan | Establish Scrm Team
800-53 spreadsheet: Supply Chain Risk Management Plan | Establish SCRM Team
800-53b spreadsheet: Supply Chain Risk Management Plan | Establish SCRM Team

Summary / crunch

Requires correction in source

IA-5(15) - "GSA"
SA-4(7) - "NIAP"
SR-2(1) - "SCRM"

Variances in spreadsheet extraction

Scroll up for the details -

  • Drops stuff: CM-7(4), CM-7(5), CP-9(7), SA-10(2)
  • Uncapitalizes after open parenthesis: IA-2 and its enhancements
  • IA-8(5)? ('PVI' becomes 'PIV')?
  • Collapses em dash to hyphen PE-13(1) PE-13(2)
  • PE-19(1) adding 'Tempest' to enhancement title
  • PS-3(3) discrepancy in enhancement title

Look okay

  • IA-8 "Identification and Authentication (Non-organizational Users)"
  • SA-9(8) "Processing and Storage Location — U.S. Jurisdiction"

wendellpiez added a commit to wendellpiez/oscal-content that referenced this issue Sep 6, 2022
…pdated Schematron name and value checker to run cleanly.
@wendellpiez
Contributor

wendellpiez commented Sep 6, 2022

Current status: the single problem identified and confirmed in source data is corrected PR #137.

With respect to reported lapses in spreadsheet extraction logic, let's make a spinoff issue to track any down? There is nothing to correct in this repository for those (and nothing to be done if we cannot confirm a cause).

@david-waltermire david-waltermire linked a pull request Sep 23, 2022 that will close this issue
david-waltermire pushed a commit that referenced this issue Sep 23, 2022
…hematron name and value checker to run cleanly.
@david-waltermire david-waltermire linked a pull request Sep 23, 2022 that will close this issue
@david-waltermire
Contributor

The OSCAL content has been corrected and the NIST RMF team has been notified about the issues in the spreadsheets.

aj-stein-nist pushed a commit to aj-stein-nist/oscal-content-forked that referenced this issue Nov 1, 2022
…pdated Schematron name and value checker to run cleanly.
aj-stein-nist pushed a commit that referenced this issue Nov 2, 2022
…hematron name and value checker to run cleanly.
@aj-stein-nist aj-stein-nist removed this from the SP 800-53 Rev 5.2 milestone Sep 15, 2023
aj-stein-nist pushed a commit to aj-stein-nist/oscal-content-forked that referenced this issue Oct 27, 2023
…pdated Schematron name and value checker to run cleanly.
aj-stein-nist pushed a commit to aj-stein-nist/oscal-content-forked that referenced this issue Oct 27, 2023
…pdated Schematron name and value checker to run cleanly.
Projects
Status: Done
4 participants