Skip to content

Expand Catalog Control Status Allowed Values #2195

Description

@brian-ruf

User Story

As an author of control catalogs and baselines, I need the ability to indicate specific controls are:

  1. Withdrawn (currently allowed) [NIST SP 800-53 catalog]
  2. Deprecated (currently not allowed) [Department of Education control overlays]
  3. Reserved (currently not allowed) [Department of Education control overlays]
  4. Provisional or Conditional (currently not allowed) [FedRAMP Tailored, PCI DSS]

Note that deprecated is similar to, but not morally equivalent to withdrawn. The primary difference is that withdrawn is backward looking and indicates the control is no longer valid whereas deprecated is forward looking, indicating when a control will no longer be valid, requiring a milestone event or date trigger.

There is a "status" property allowed for controls within the catalog metaschema; however, currently the only allowed values are "withdrawn" and "Withdrawn", which is a NIST RMF-specific restriction.

I recommend the following:

  • expand the //control/prop[@name='status']/@value allowed values list to include other common scenarios such as described above.
  • add allow-other="yes" to the allowed-values constraint for
  • when creating a separate RMF-specific metaschema, re-assert the requirement for "withdrawn" as the only allowed value for the "status" prop only for the RMF context.

Note the changes for the first and second bullets are relevant to this constraint in metaschema.

EDITED to change "Depreciated" to "Deprecated".

Goals

  • Allow values other than "withdrawn" for a control's "status" property.

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions