Defined additional allowed values for the control 'status' property#2202
Defined additional allowed values for the control 'status' property#2202
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
| <enum value="withdrawn">The control is no longer used.</enum> | ||
| <enum value="Withdrawn" deprecated="1.0.0">**(deprecated)*** Use 'withdrawn' | ||
| instead.</enum> | ||
| <enum value="active">[Default] This control is currently in force.</enum> |
There was a problem hiding this comment.
@brian-ruf - The proposed new allowed values appear reasonable. However, I have two specific recommendations:
-
Status Context: The value
activemay cause confusion since all controls are implicitly active by default. We should consider defining this status more precisely, perhaps it should indicate that a parameter has been set by an authoritative entity and that permissions to override that parameter have been revoked. This would give the status a functional purpose beyond the default state. -
Case normalization: To ensure robust validation, we should include both lowercase and capitalized versions of these values (e.g., 'withdrawn' and 'Withdrawn') to accommodate different data entry styles."
There was a problem hiding this comment.
In regards to # 2: personally I think we should just normalize to lowercase instead of allowing both uppercase and lowercase.
There was a problem hiding this comment.
On 1. Status Context I may not have been clear enough about my intention. I was only trying to have an explicit status that is the moral equivalent of a control with no explicit status (as 99% exist now). I selected active somewhat arbitrarily and am open to a different value.
When I read "permissions to override that parameter have been revoked", I interpret it as "you are not allowed to tailor this control", which sounds like it has implications for profile resolution. I am open to the idea of a status value with this semantic meaning. Since such a status would/should impact profile resolution, are you OK with addressing it as a separate issue that can receive more attention?
That said, I am absolutely open to changing the value from active to something else that better represents the moral equivalent of normal controls in a catalog with no status.
On 2. Case normalization, 98% of the allowed values in OSCAL are strictly lower case. There are a few exceptions that are strictly upper case. (I personally don't agree with even those exceptions.) The existence of "Withdrawn" with a capital "W" was an error from the release candidates, which is why it is marked depreciated, after version 1.0.0.
If anything, we should remove the capital-W "Withdrawn" from the metaschema since it is explicitly invalid after 1.0.0 anyway. If you agree, I am happy to make that change.
There was a problem hiding this comment.
@brian-ruf - In principle, I agree with you to simplify and use only sentence case (lower case). I am concerned over the accuracy some catalog owners require/expect in the OSCAL representation. How will we accommodate it, if you have to do so?
The list of non-exhaustive keywords I collected:
- Withdrawn: Used heavily by NIST (SP 800-53) and ISO. It means the control is no longer a standalone requirement.
- Retired: Common in CIS Benchmarks and OWASP. It indicates the control or project is no longer maintained or relevant to modern threats.
- Deprecated: Often used in IETF (RFCs) and OWASP. It means the control/method is still available but discouraged and will likely be removed in future versions.
- Obsolescent: Occasionally seen in ISO standards to describe a process that is being phased out.
- Incorporated: Primarily used by NIST. This means the specific requirements of Control A have been folded into Control B (e.g., "AC-17 is now incorporated into AC-1").
- Superseded: Used by IETF and NIST. This indicates that a newer version of the control or document has replaced the old one entirely.
- Consolidated: Frequently used during major version jumps (like the transition to ISO/IEC 27001:2022). It means multiple specific controls were merged into one broader, more functional control.
- Modified / Enhanced/Renamed: Used across all frameworks (especially NIST and CSA CCM) to show that while the ID remains the same, the underlying requirements have been updated.
- Simplified: Seen in CIS v8, where controls were restructured to be more manageable for smaller organizations.
- Split: When one complex control is broken down into two or more distinct parts for better clarity.
NIST is using all capital letters or "Title Case": "WITHDRAWN" or "Withdrawn"
ISO, IETF, CIS: are using Title Case: "Merged", "Deleted"
iMichaela
left a comment
iMichaela
left a comment
There was a problem hiding this comment.
Please see the inline comment.
selenaxiao-nist
left a comment
selenaxiao-nist
left a comment
There was a problem hiding this comment.
Thank you for your contribution!
For these additional status prop allowed values, could this cause confusion/introduce the opportunity for inconsistencies?
If a control is withdrawn and incorporated into another control, there are 3 potential ways to represent this:
- both the "withdrawn" and "incorporated" props, and "incorporated-into" link
- the "withdrawn" status prop and "incorporated-into" link
- the "incorporated" status prop and "incorporated-into" link
@selenaxiao-nist raises a good point. OSCAL needs to be flexible and allow a catalog owner to represent the data they have . This brings forward the definitions the PR provides. I don't think we should define the meaning of any status value. The meaning of a term is defined in each catalog and we should not overwrite it with our definitions. OSCAL only facilitates data representation. In this context, my comment on the definitions @brian-ruf provided is obsolete. However, the term "active" is not something I encountered. In all catalogs I reviewed, the default status of a control is not documented. |
@selenaxiao-nist this is a fair point. Perhaps we should drop the "incorporated" and "moved" allowed values for status and just stick with the "incorporated-into" and "moved-to" links to represent those concepts. I would still expect a control to be withdrawn if "incorporated-into" or "moved-to" links are present, but am reluctant to enforce that in a constraint until it is better exercised in the wild. NOTE: I edited this comment after posting to remove an incorrect assertion. |
|
@iMichaela I made updates and pushed changes last week following our exchange above. Wanted to ensure there are no other concerns. |
|
+1 to the changes in general, expanding the natively defined values for props that allow-others is (IMO) typically a strict improvement - users that don't want to use these values are still free to continue using anything else instead. As an optional (at least, I think its optional) it seems like the default behavior of the model should be that if it doesn't appear then it simply means nothing. Either setting the default to something like "unspecified" or instead setting no default at all seems to make more sense to me. |
|
In the OSCAL Foundation TWG meeting on March 24th, @iMichaela verbally stated that this PR and associated issue were "controversial" and that NIST would not move forward until the OSCAL Foundation resolved the controversy. @iMichaela, it would of great help if you could please::
Alternatively, please suggest other possible approaches to the original issue #2195 Thank you! |
The following values are listed in the updated PR: @brian-ruf - The PR has not been reviewed by the foundation or by any other community.
If you insist on having a "Default" value, and each control to have a documented status, as opposed to having a status only when a change in that control happened and needs to be documented, then the PR needs to be reviewed by the community at large (all authors and users of existing catalogs existing catalogs). The official review of the OSCAL Foundation members is expected in this case. Based on the OF's review, if a "Default" value is kept in the PR, we will discuss it with all international adopters of OSCAL which authored catalogs (NIST RMF team included) to assess the impact before moving forward with a change that includes a "Default" value. Today, no
The support, through this PR ,of a If the need for an empty control with the status "reserved" is not something needed by the catalog owners, why should we implement it and maintain it. Profile Resolution Specification is complex, difficult to implement, and has issues already. Supporting empty controls in catalogs comes with a lot of overhead and extra work that personally I do not think is needed, but if the community needs it and assists with the implementation, we will work with the interested parties. |
|
Adding links to Department of Education "Reserved Controls" examples:
For example, in the AT-02 control overlays, it appears they previously had overlays 01 through 03. They withdrew 01 and 02, but intend to re-use those identifiers if they have a reason to define other overlays for that control in the future. All I know for certain is that they explicitly depict some overlays as "Reserved" and "withdrawn" while they wish to depict other overlays as simply "Reserved". |
|
@iMichaela respectfully, perhaps "controversial" isn't the best word. Semantics aside, the clarification about a perceived breaking change is fair to question. Apologies if I am not making myself clear. First, there is no intention to make this a required property. In this PR, the All existing OSCAL catalogs would remain valid as-is. Thus no breaking change. Implied vs Explicit MeaningOSCAL aside. From a strictly language and semantics perspective there has always been an implied status when a control is present in a catalog with no explicit status (such as "withdrawn) stated. I was only attempting to define an explicit status value that was the moral equivalent of that implied status. I will remove the default value from this PR so that it can be merged. When NIST can accurately define the meaning of a control's existence in a catalog when no status is explicitly stated, we can circle back with a new PR to add an allowed value that represents that moral equivalent. Meaning of
|
Supporting 'reserved" (i.e., structurally empty) controls that may be populated later could introduce non-trivial implementation challenges for existing tools. To summarize: - You have agreed to remove the [default] value, so item (1) should be resolved. I look forward to your response on item (2): In the interim, you may continue using the "reserved" value within the Department of Education namespace, and remove the namespace once the necessary Specification and toolchain support are in place. At that time the "reserved" value can be added to the ones proposed herein. |
OSCAL FoundationMy volunteer time with the OSCAL Foundation should not result in my contributions as a small business owner being held to a different standard. I submitted this PR and its associated issue without any mention of the OSCAL Foundation because these were real-world use cases I encountered in course of my client work. This PR has no relationship to current Foundation efforts. While I welcome any feedback the Foundation elects to contribute, you have announced this PR twice in Foundation meetings and there has been no interest from them in this PR. Inconsistent Demanding/Ignoring of Foundation InvolvementThe OSCAL Foundation has existed for nearly 1.5 years. In that time you have not attempted to impose Foundation involvement on any previous PR. Indeed, you recently even pushed through a PR that added over a dozen new fields explicitly against the Foundation's wishes. Please hold my small business only to standards similar to what you imposed on PRs such as #2203 and #2206. The inconsistency is ... very disturbing. Further, there is an existing MOU between NIST leadership and the OSCAL Foundation. If you believe that MOU should require some specific involvement in PR reviews, I strongly encourage you to work though your leadership to affect that change. Until then, please stop imposing a different standard on my small business. Please make no further attempts to use a PR submitted by a small business to litigate your concerns with the OSCAL Foundation. Another Non-Typical Requirement ImposedIn addition to the non-typical insistence on OSCAL Foundation involvement, you have also imposed a NEW condition that I must demonstrate profile resolution tools will handle a "reserved" control correctly. This requirement has never been imposed on any previous catalog syntax change PR for two very good reasons:
You personally compile the NIST OSCAL-CLI after each OSCAL release. You personally KNOW it won't process this content until this PR is merged and you have updated the tool. You imposed the requirement to demonstrate through tools at this step in the process knowing the updated tool is not yet available. Valid Catalog Syntax Remains UnchangedThere are no changes to the catalog syntax to support this beyond the allowed value on an existing property. All existing catalog syntax remains as-is. Including minimum required fields. The syntax for a "reserved" control is identical to the existing NIST-published "withdrawn" controls. The only difference is the use of Here is an existing NIST SP 800-53r5 withdrawn control: - id: ac-2.10
title: Shared and Group Account Credential Change
props:
- name: label
value: AC-02(10)
class: zero-padded
- name: label
value: AC-2(10)
- name: label
value: AC-02(10)
class: sp800-53a
- name: sort-id
value: ac-02.10
- name: status
value: withdrawnSimply replace "withdrawn" with "reserved" on the last line and the above example is completely syntax-valid for "reserved". Summary
|
Committer Notes
This PR updates the allowed values for the "status" property associated with controls in catalogs and profiles.
It is intended to address #2195
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Changes to Core Features: