User Story
As an author of control catalogs and baselines, I need the ability to indicate specific controls are:
- Withdrawn (currently allowed) [NIST SP 800-53 catalog]
- Deprecated (currently not allowed) [Department of Education control overlays]
- Reserved (currently not allowed) [Department of Education control overlays]
- Provisional or Conditional (currently not allowed) [FedRAMP Tailored, PCI DSS]
Note that deprecated is similar to, but not morally equivalent to withdrawn. The primary difference is that withdrawn is backward looking and indicates the control is no longer valid whereas deprecated is forward looking, indicating when a control will no longer be valid, requiring a milestone event or date trigger.
There is a "status" property allowed for controls within the catalog metaschema; however, currently the only allowed values are "withdrawn" and "Withdrawn", which is a NIST RMF-specific restriction.
I recommend the following:
- expand the
//control/prop[@name='status']/@value allowed values list to include other common scenarios such as described above.
- add
allow-other="yes" to the allowed-values constraint for
- when creating a separate RMF-specific metaschema, re-assert the requirement for "withdrawn" as the only allowed value for the "status" prop only for the RMF context.
Note the changes for the first and second bullets are relevant to this constraint in metaschema.
EDITED to change "Depreciated" to "Deprecated".
Goals
- Allow values other than "withdrawn" for a control's "status" property.
Dependencies
No response
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response
User Story
As an author of control catalogs and baselines, I need the ability to indicate specific controls are:
Note that deprecated is similar to, but not morally equivalent to withdrawn. The primary difference is that withdrawn is backward looking and indicates the control is no longer valid whereas deprecated is forward looking, indicating when a control will no longer be valid, requiring a milestone event or date trigger.
There is a "status" property allowed for controls within the catalog metaschema; however, currently the only allowed values are "withdrawn" and "Withdrawn", which is a NIST RMF-specific restriction.
I recommend the following:
//control/prop[@name='status']/@valueallowed values list to include other common scenarios such as described above.allow-other="yes"to theallowed-valuesconstraint forNote the changes for the first and second bullets are relevant to this constraint in metaschema.
EDITED to change "Depreciated" to "Deprecated".
Goals
Dependencies
No response
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response