Support selection parameters

[wendellpiez]

Selection parameters were deemed out of scope in earlier sprints but they appear to be more common in SP800-53 Rev 5 than in Rev 4, while at the same time real-world users even of Rev 4 (such as FedRAMP) expect to see them.

Goals

Represent "selection" parameter assignments in OSCAL sufficiently to support them in SP800-53 (revs 4 and 5) and its profiles including FedRAMP profiles.

Background

While we can represent parameters and inject arbitrary (string) values into parameter assignments at resolution or display time, SP800-53 also includes parameters that require not string values, but selections from one or more choices.

Selections may be "one only" or "one or more" (but maybe not "n or more" or "no more than n") from among a set of enumerated or (when selection choices are further parameterized) unenumerated values.

Real examples suggest that it might be useful for profiles to be able to "remodel" simple-value parameters (in their sources) as selections and vice versa. Indeed rewriting a selection to a simple value might be a way to provide for a (single) selection.

Dependencies

• Examples in SP800-53 revs 4 and 5 e.g. CA-3 (5), RA-3
• Examples in FedRAMP
• (A poll of these and/or other available examples to find edge cases?)

Acceptance Criteria

• Produce a small demo demonstrating selections from among choices of values in parameter assignments, both in their definition (default or proposed values) and in use in profiles.
• A demo catalog offers parameter value selections, including both "select one" and "select several" cases.
• In at least one case, a selected value may be further parameterized (cf RA-3)
• A profile shows how one or more options may be selected from selections in this catalog
• A profile of that profile shows how selections may be altered again
• Selections may be overwritten by simple values, and vice-versa
• A poll of SP800-53 suggests that the model is adequate to its needs
• Optionally (nice to have) a Schematron detects when actual selections are at odds with their implicit requirements (e.g. an impermissible value is offered) - nb this is open-ended

Note that deployment or updates to example catalogs is not a criterion for acceptance. We can use the 'mini-testing' unit tests but we shouldn't impact other demonstrations (yet).

[wendellpiez]

CM-8 (4) has a "one-or-more" selection.

[gregelin]

Can we add the following acceptance criteria?

Acceptance Criteria (Recommendation)

• Parameters can be easily uniquely referenced (including same parameter that appears in multiple times) to enable organization creation and communication of machine-readable default values

Discussion

The current 800-53 control parameters have no naming convention. Often, the same parameter name is used in multiple controls where the value would be different. Sometimes the same parameter name is used in multiple (sub) parts of the same control (like organization defined frequency).

A catalog must define uniquely named parameters according to some semantic structure in order for different parties to easily share parameter values (especially in a machine-readable format). When the catalog fails to define parameters uniquely, parties wishing to document and share values for parameters are forced to create arbitrary unique parameter naming schemes (e.g., parameter scheme) which then must be communicated to other parties who must then recode their software to consume the data structure containing the documented parameters.

[wendellpiez]

👍 for this criterion, but I hasten to add, it applies to all parameters even simple string-valued ones, not only "selection" parameters.

Current extracts of SP800-53 (revs 4 and 5) assign unique IDs to parameters (and more or less all elements) according to an arbitrary (ad-hoc) naming convention intended as a placeholder for this issue. The pipelines that produce them need to be amended with logic to produce IDs in a format that has actually been designed for the purpose. See #39.

[wendellpiez]

The acceptance criteria for this Issue detail fairly exhaustive testing, which has not been done. But the models and data have been extended to support the requirement, and they look good, and are stable.

I suggest we wrap the testing requirements into testing in general, while we consider the modeling here to be as stable as the rest of the model (which it pretty much is). That would make this Issue closable.