├── .github ├── labels.json └── workflows │ ├── issue-triage.yml │ ├── labels.yml │ └── website-deploy.yml ├── .gitignore ├── .gitmodules ├── README.md ├── csx ├── NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml ├── NIST_SP-800-53_rev5_HIGH-baseline_profile.xml ├── NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml ├── NIST_SP-800-53_rev5_LOW-baseline_profile.xml ├── NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml ├── NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml ├── NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml ├── NIST_SP-800-53_rev5_catalog.xml ├── baseline-composer │ ├── index.html │ └── readme.md ├── baseline-matrix │ ├── AT-others.xml │ ├── AT-some.xml │ ├── _index.md │ ├── baseline-matrix.css │ ├── hello.xsl │ ├── index.html │ ├── key-test.xsl │ ├── profile-matrix.sef.json │ ├── profile-matrix.xsl │ └── readme.md ├── baseline-reviewer │ ├── _index.md │ ├── baseline-reviewer-ui.css │ ├── catalog-with-profile-ui.sef.json │ ├── catalog-with-profile-ui.xsl │ ├── catalog-with-profile-ui2.sef.json │ ├── index-archive.html │ ├── index.html │ ├── readme.md │ └── runface.xsl ├── format-converter │ ├── _index.md │ ├── convert-json2xml.html │ ├── convert-xml2json.html │ ├── example-ssp.xml │ ├── fromJSON │ │ ├── _index.md │ │ ├── convert-json2xml.html │ │ ├── oscal-catalog_JSONtoXML_converter.sef.json │ │ └── oscal-catalog_JSONtoXML_converter.xsl │ ├── fromXML │ │ ├── _index.md │ │ ├── oscal-catalog_XMLtoJSON_converter.sef.json │ │ └── oscal-catalog_XMLtoJSON_converter.xsl │ ├── index-archive.html │ ├── index.html │ ├── lib │ │ ├── oscal_catalog_json-to-xml-converter.sef.json │ │ ├── oscal_catalog_json-to-xml-converter.xsl │ │ ├── oscal_catalog_xml-to-json-converter.sef.json │ │ ├── oscal_catalog_xml-to-json-converter.xsl │ │ └── readme.md │ ├── mixedgroups.xml │ ├── oscal-catalog_JSONtoXML_converter.sef.json │ ├── oscal-catalog_JSONtoXML_converter.xsl │ ├── oscal-catalog_XMLtoJSON_converter.sef.json │ ├── 
oscal-catalog_XMLtoJSON_converter.xsl │ ├── oscal-catalog_converter.sef.json │ ├── oscal-catalog_converter.xsl │ ├── playtest.xml │ └── readme.md ├── import-examiner │ ├── _index.md │ ├── index-old.html │ ├── index.html │ ├── oscal_profile_schema.xsd │ ├── profile-checker.sef.json │ ├── profile-checker.xsl │ ├── readme.md │ └── test-profile.xml ├── lib │ └── Saxon-JS-2.2 │ │ ├── LICENSE.txt │ │ ├── SaxonJS2.js │ │ └── SaxonJS2.rt.js ├── nist-emulation.css ├── oscal-examples │ ├── AT-others-profile.xml │ ├── AT-some-profile.xml │ ├── cat-catalog.json │ ├── cat-catalog.xml │ ├── dog-catalog.xml │ └── missing-profile.xml ├── profile-resolver │ ├── backmatter-reduce.xsl │ ├── produce-oscal-profile-resolver.xsl │ ├── punchlist.md │ └── testing │ │ ├── as-is-test_profile.xml │ │ ├── control-picker.xsl │ │ ├── custom-grouping-test_profile.xml │ │ ├── micro_catalog.xml │ │ ├── popular-controls_profile.xml │ │ ├── split-test_profile.xml │ │ └── tester.xml ├── readme.md └── validator │ ├── apply-validator.sef.json │ ├── apply-validator.xsl │ ├── catalog-rc2-validate.xsl │ ├── catalog-validate-mockup.xsl │ ├── catalog-validate.xsl │ ├── catalog.html │ ├── generators │ ├── generate-datatype-functions.xsl │ ├── generate-validator.xsl │ ├── oscal_catalog_metaschema-COMPOSED.xml │ └── oscal_complete_metaschema-COMPOSED.xml │ ├── loveiii.xml │ ├── readme.md │ ├── test-catalog.xml │ └── validate-datatypes.xsl ├── demo ├── SP800-53-rev4-MODERATE-baseline.xml ├── SP800-53-rev4-catalog.xml ├── SP800-53-rev4-declarations.xml ├── SP800-53-rev5-catalog.xml ├── SP800-53-rev5-declarations.xml └── custom-profile.xml ├── docs ├── .dockerignore ├── .gitignore ├── README.md ├── assets │ ├── css │ │ └── csx │ │ │ ├── baseline-matrix.css │ │ │ ├── baseline-reviewer.css │ │ │ ├── converters.css │ │ │ ├── csx-validator.css │ │ │ ├── import-examiner.css │ │ │ └── nist-emulation.css │ └── scss │ │ └── hugo-uswds-custom.scss ├── config.yaml ├── content │ ├── README.md │ ├── _index.md │ ├── about │ │ 
└── _index.md │ ├── adjustable-wrench.jpg │ ├── automated.png │ ├── automation-hero.png │ ├── dataCentric.png │ ├── demos │ │ ├── _index.md │ │ └── csx │ │ │ ├── NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml │ │ │ ├── NIST_SP-800-53_rev5_HIGH-baseline_profile.xml │ │ │ ├── NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml │ │ │ ├── NIST_SP-800-53_rev5_LOW-baseline_profile.xml │ │ │ ├── NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml │ │ │ ├── NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml │ │ │ ├── NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml │ │ │ ├── NIST_SP-800-53_rev5_catalog.xml │ │ │ ├── _index.md │ │ │ ├── baseline-matrix │ │ │ ├── _index.md │ │ │ └── profile-matrix.sef.json │ │ │ ├── baseline-reviewer │ │ │ ├── _index.md │ │ │ └── catalog-with-profile-ui.sef.json │ │ │ ├── format-converter │ │ │ ├── _index.md │ │ │ ├── converters.css │ │ │ ├── fromJSON │ │ │ │ ├── index.md │ │ │ │ └── oscal-catalog_JSONtoXML_converter.sef.json │ │ │ └── fromXML │ │ │ │ ├── index.md │ │ │ │ └── oscal-catalog_XMLtoJSON_converter.sef.json │ │ │ ├── import-examiner │ │ │ ├── _index.md │ │ │ └── profile-checker.sef.json │ │ │ ├── lib │ │ │ └── Saxon-JS-2.2 │ │ │ │ ├── LICENSE.txt │ │ │ │ ├── SaxonJS2.js │ │ │ │ └── SaxonJS2.rt.js │ │ │ ├── oscal-examples.zip │ │ │ └── validator │ │ │ ├── _index.md │ │ │ └── apply-validator.sef.json │ ├── extensible.png │ ├── integrated.png │ ├── oscal-tools-hero.svg │ ├── projects │ │ ├── _index.md │ │ ├── csx.md │ │ ├── oscal-deep-diff.md │ │ └── xslt.md │ ├── wrench-icon.svg │ └── wrench-splashscreen.png ├── deploy.sh ├── docker-compose.yml ├── layouts │ ├── _default │ │ ├── devlunch.html │ │ ├── reference-index.html │ │ └── reference-release.html │ ├── html.html │ ├── partials │ │ ├── components │ │ │ └── banner.html │ │ ├── foot.html │ │ ├── head.html │ │ └── note-to-developers-uuid.html │ └── shortcodes │ │ ├── partial.html │ │ ├── partialCached.html │ │ ├── rawhtml.html │ │ └── 
todo.html ├── run-server.sh └── static │ └── img │ ├── favicon-32x32.png │ ├── oscal-gears-icon-140.png │ ├── oscal-gears-icon-32.png │ ├── oscal-page-icon-180.png │ └── wrench-icon.svg └── xslt └── readme.md /.github/labels.json: -------------------------------------------------------------------------------- 1 | [ 2 | { "name": "bug", "color":"d73a4a", "description":"A bug or defect report"}, 3 | { "name": "duplicate", "color":"cfd3d7", "description":"Duplicates another issue or pull request"}, 4 | { "name": "enhancement", "color":"a2eeef", "description":"Requests a new feature, capability, or artifact to the repository"}, 5 | { "name": "EPIC", "color":"00004c", "description":"Represents a collection of issues to be worked on over a series of sprints"}, 6 | { "name": "good first issue", "color":"7057ff", "description":"Good for newcomers"}, 7 | { "name": "help wanted", "color":"008672", "description":"Needs help from the community"}, 8 | { "name": "invalid", "color":"e4e669", "description":"Not resolvable in any way"}, 9 | { "name": "question", "color":"d876e3", "description":"Contains a question that needs to be answered"}, 10 | { "name": "wontfix", "color":"ffffff", "description":"This will not be worked on"}, 11 | 12 | { "name": "closable", "color":"0E8A16", "description":"Can be closed by the repository maintainers."}, 13 | { "name": "discussion required", "color":"b30ecc", "description":"Needs more discussion to be considered"}, 14 | { "name": "review required", "color":"ccb60e", "description":"Needs more review to be considered"}, 15 | { "name": "action required", "color":"cc540e", "description":"Requires the assignee to take some action described in the comments"}, 16 | { "name": "user story", "color":"a103fc", "description":"User story for a development task"}, 17 | 18 | { "name": "Scope: CI/CD", "color":"11cc0e", "description":"Related to maintaining repo's continuous integration and continuous deployment environment"}, 19 | { "name": "Scope: 
Documentation", "color":"bfdadc", "description":"Related to maintaining repo documentation"}, 20 | { "name": "Scope: Repository", "color":"0eccc6", "description":"Related to maintenance and configuration of the repository"}, 21 | { "name": "Scope: Tooling and APIs", "color":"71ddb7", "description":"Related to developing tooling and APIs"}, 22 | { "name": "Scope: Website", "color":"0e24cc", "description":"Related to the repo's associated website"} 23 | ] 24 | -------------------------------------------------------------------------------- /.github/workflows/issue-triage.yml: -------------------------------------------------------------------------------- 1 | name: Triage Board Management # Project-board bookkeeping: createCard runs when an issue is opened (column "Needs Triage"), removeCard runs when it is closed (action: delete) 2 | 3 | on: 4 | issues: 5 | types: 6 | - opened 7 | - closed 8 | jobs: 9 | createCard: 10 | runs-on: ubuntu-latest 11 | if: github.event.action == 'opened' 12 | steps: 13 | - name: Add New Issues to Issue Triage Board 14 | uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 # current tag: v2 15 | with: 16 | project-name: Issue Triage 17 | column-name: Needs Triage 18 | removeCard: 19 | runs-on: ubuntu-latest 20 | if: github.event.action == 'closed' 21 | steps: 22 | - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 #current tag: v0.8.1 23 | with: 24 | project: Issue Triage 25 | column: Done 26 | action: delete 27 | repo-token: ${{ secrets.COMMIT_TOKEN }} # NOTE(review): a repository secret is handed to a third-party action; the commit-SHA pin above is what keeps that code fixed, so re-verify the SHA whenever the tag comment is bumped 28 | -------------------------------------------------------------------------------- /.github/workflows/labels.yml: -------------------------------------------------------------------------------- 1 | on: 2 | label: 3 | types: [created,deleted,edited] 4 | push: 5 | branches: 6 | - main 7 | paths: 8 | - '.github/labels.json' 9 | name: Sync Issue & PR Labels # Runs when a label is created, deleted or edited, or when .github/labels.json changes on main 10 | jobs: 11 | labels: 12 | name: Update Labels 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: read 16 | issues: write 17 | steps: 18 | - uses: actions/checkout@1.0.0 # NOTE(review): referenced by tag rather than commit SHA, unlike the SHA-pinned actions in issue-triage.yml; a tag can be moved upstream 19 | - uses: 
lannonbr/issue-label-manager-action@2.0.0 # NOTE(review): third-party action referenced by tag in a job granted issues: write; a commit-SHA pin would match the convention used in issue-triage.yml 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 22 | -------------------------------------------------------------------------------- /.github/workflows/website-deploy.yml: -------------------------------------------------------------------------------- 1 | on: 2 | push: 3 | branches: 4 | - main 5 | paths: 6 | - 'docs/**' 7 | - '.github/workflows/website-deploy.yml' 8 | workflow_dispatch: 9 | branches: 10 | - main 11 | pull_request: 12 | types: [opened, synchronize, reopened] 13 | paths: 14 | - 'docs/**' 15 | - '.github/workflows/website-deploy.yml' 16 | name: Publish Website # Builds the Hugo site under docs/ on pushes to main, manual dispatch and pull requests; the deploy step is gated to HOME_REPO on HOME_BRANCH 17 | env: 18 | # the name of the repo 19 | HOME_REPO: usnistgov/oscal-tools 20 | HOME_BRANCH: main 21 | # dependency versions 22 | HUGO_VERSION: 0.83.1 23 | # build-specific environment 24 | OSCAL_HOME: git-content/oscal-tools 25 | OSCAL_WEBSITE_PATH: git-content/oscal-tools/docs 26 | jobs: # NOTE(review): no permissions: block appears in this workflow, so GITHUB_TOKEN falls back to the repository's default scopes; labels.yml declares its scopes explicitly 27 | build-and-publish-website: 28 | name: Build and Publish Website 29 | runs-on: ubuntu-20.04 30 | steps: 31 | # use this for main repo builds on branches 32 | - name: Checkout main branch 33 | uses: actions/checkout@v2 # NOTE(review): tag reference, not a commit SHA 34 | if: ${{ github.repository == env.HOME_REPO && github.ref == format('refs/heads/{0}',env.HOME_BRANCH) }} 35 | with: 36 | path: ${{ env.OSCAL_HOME }} 37 | submodules: recursive 38 | token: ${{ secrets.GITHUB_TOKEN }} 39 | - name: Get latest from repo 40 | if: ${{ github.repository == env.HOME_REPO && github.event_name == 'push' }} 41 | # This will ensure that any files committed by the previous job, will be updated 42 | run: | 43 | git pull --ff-only 44 | working-directory: ${{ env.OSCAL_HOME }} 45 | # use this for pull request builds where checkout uses the builtin token 46 | - name: Checkout PR 47 | uses: actions/checkout@v2 48 | if: ${{ github.repository != env.HOME_REPO || github.event_name != 'push' }} 49 | with: 50 | path: ${{ env.OSCAL_HOME }} 51 | submodules: recursive 52 | # Setup runtime environment 53 | # 
------------------------- 54 | # Operating System packages 55 | - name: Update APT package metadata 56 | run: | 57 | sudo rm -rf /var/lib/apt/lists/* && sudo apt-get update 58 | # # Ruby and Bundler 59 | # - name: Install Ruby and Bundler 60 | # uses: ruby/setup-ruby@v1 61 | # with: 62 | # ruby-version: 2.6 # Not needed with a .ruby-version file 63 | # bundler-cache: true # runs 'bundle install' and caches installed gems automatically 64 | # working-directory: ${{ env.OSCAL_WEBSITE_PATH }} 65 | # Install Hugo. NOTE(review): the .deb is downloaded with wget and installed via sudo with no integrity check; compare its SHA-256 against the release's published checksums file before apt-get install 66 | - name: Install Hugo 67 | run: | 68 | wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb 69 | sudo apt-get install ./hugo_extended_${HUGO_VERSION}_Linux-64bit.deb 70 | - name: Run Hugo 71 | run: | 72 | cd "${OSCAL_WEBSITE_PATH}" 73 | hugo -v --debug --minify 74 | - name: Check internal links 75 | uses: untitaker/hyperlink@0.1.15 # NOTE(review): third-party action referenced by tag; consider a commit-SHA pin 76 | with: 77 | args: ${{ env.OSCAL_WEBSITE_PATH }}/public/ --sources ${{ env.OSCAL_WEBSITE_PATH }}/content --check-anchors 78 | - uses: actions/upload-artifact@v2 79 | with: 80 | name: website 81 | path: | 82 | ${{ env.OSCAL_WEBSITE_PATH }}/public 83 | retention-days: 5 84 | # - name: Run HTMLProofer 85 | # run: | 86 | # cd "${OSCAL_WEBSITE_PATH}" 87 | # bundle exec htmlproofer public/ --check-external-hash --url-swap "https\://pages.nist.gov/OSCAL/:/" --assume-extension --log-level :debug --url-ignore "\/reference\//,/pages.nist.gov\/(?:nist-header-footer|leaveNotice)\/.+/" 88 | - name: Run deploy script # gated by the if: below to HOME_REPO on HOME_BRANCH, so pull-request runs skip the push 89 | if: ${{ github.repository == env.HOME_REPO && github.ref == format('refs/heads/{0}',env.HOME_BRANCH) }} 90 | run: | 91 | cd "$OSCAL_WEBSITE_PATH" 92 | git config user.name "Deployment Bot" 93 | bash ./deploy.sh --push-only -v -m "Deploying website [ci deploy skip]" 94 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled 
class file 2 | *.class 3 | 4 | # Log file 5 | *.log 6 | 7 | # BlueJ files 8 | *.ctxt 9 | 10 | # Mobile Tools for Java (J2ME) 11 | .mtj.tmp/ 12 | 13 | # Package Files # 14 | *.jar 15 | *.war 16 | *.ear 17 | *.zip 18 | *.tar.gz 19 | *.rar 20 | 21 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 22 | hs_err_pid* 23 | 24 | # Eclipse and Maven 25 | .classpath 26 | .project 27 | .settings 28 | target 29 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "docs/themes/uswds"] 2 | path = docs/themes/uswds 3 | url = https://github.com/usnistgov/hugo-uswds.git 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCAL Tools 2 | 3 | ## Project Status 4 | 5 | The code in this repository and its related website is no longer under active development. At this time, the NIST OSCAL Team does not maintain the code or update dependencies. We do not review issues for feature requests or bug fixes. The repository is archived: it can be reactivated, but may be deleted at any time. 6 | 7 | Are you interested in feature requests or bug fixes in the future? Please [let us know](https://pages.nist.gov/OSCAL/contact/) and we may consider this repo again for future prioritization. 
8 | 9 | For NIST-sponsored OSCAL Tools: 10 | 11 | - https://pages.nist.gov/OSCAL/tools/ 12 | 13 | For a community-maintained list of tools: 14 | 15 | - https://github.com/oscal-club/awesome-oscal 16 | 17 | 18 | -------------------------------------------------------------------------------- /csx/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE 7 | 2021-06-08T13:57:34.707994-04:00 8 | Final 9 | 1.0.0 10 | 11 | Document Creator 12 | 13 | 14 | Contact 15 | 16 | 17 | Joint Task Force, Transformation Initiative 18 | sec-cert@nist.gov 19 |
20 | National Institute of Standards and Technology 21 | Attn: Computer Security Division 22 | Information Technology Laboratory 23 | 100 Bureau Drive (Mail Stop 8930) 24 | Gaithersburg 25 | MD 26 | 20899-8930 27 |
28 |
29 | 30 | 11f1de66-89ba-499d-903e-56418e95af9d 31 | 32 | 33 | 11f1de66-89ba-499d-903e-56418e95af9d 34 | 35 |
36 | 37 | 38 | ac-1 39 | ac-3.14 40 | at-1 41 | at-2 42 | at-3 43 | at-3.5 44 | at-4 45 | au-1 46 | au-2 47 | au-3.3 48 | au-11 49 | ca-1 50 | ca-2 51 | ca-5 52 | ca-6 53 | ca-7 54 | ca-7.4 55 | cm-1 56 | cm-4 57 | ir-1 58 | ir-2 59 | ir-2.3 60 | ir-3 61 | ir-4 62 | ir-5 63 | ir-6 64 | ir-7 65 | ir-8 66 | ir-8.1 67 | mp-1 68 | mp-6 69 | pe-8.3 70 | pl-1 71 | pl-2 72 | pl-4 73 | pl-4.1 74 | pl-8 75 | pl-9 76 | pm-3 77 | pm-4 78 | pm-5.1 79 | pm-6 80 | pm-7 81 | pm-8 82 | pm-9 83 | pm-10 84 | pm-11 85 | pm-13 86 | pm-14 87 | pm-17 88 | pm-18 89 | pm-19 90 | pm-20 91 | pm-20.1 92 | pm-21 93 | pm-22 94 | pm-24 95 | pm-25 96 | pm-26 97 | pm-27 98 | pm-28 99 | pm-31 100 | ps-6 101 | pt-1 102 | pt-2 103 | pt-3 104 | pt-4 105 | pt-5 106 | pt-5.2 107 | pt-6 108 | pt-6.1 109 | pt-6.2 110 | pt-7 111 | pt-7.1 112 | pt-7.2 113 | pt-8 114 | ra-1 115 | ra-3 116 | ra-7 117 | ra-8 118 | sa-1 119 | sa-2 120 | sa-3 121 | sa-4 122 | sa-8.33 123 | sa-9 124 | sa-11 125 | sc-7.24 126 | si-1 127 | si-12 128 | si-12.1 129 | si-12.2 130 | si-12.3 131 | si-18 132 | si-18.4 133 | si-19 134 | 135 | 136 | 137 | true 138 | 139 |
140 | -------------------------------------------------------------------------------- /csx/baseline-composer/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL Profile Maker 4 | 5 | 6 | 8 | 17 | 18 | 19 |
20 |

OSCAL Profile Maker

21 | 22 |
23 |
26 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /csx/baseline-composer/readme.md: -------------------------------------------------------------------------------- 1 | # Profile maker 2 | 3 | Application to be developed 4 | 5 | o fill (checks all) o wipe (unchecks all) 6 | o with-children (toggles with-children behavior) 7 | 8 | 9 | ## Project purposes 10 | 11 | 1. Close the loop on (some) OSCAL functionalities 12 | 1. Further demo/test SaxonJS including, here 13 | - UI features 14 | - pushing boundaries of resource management/document load 15 | - pushing performance 16 | 1. Demonstrate / test CSX-based data acquisition for meaningful data 17 | 18 | ### Defects/limitations 19 | 20 | Data throughput (see above); partiality of support of OSCAL profile model; does not produce files that are usable without enhancement (you have to add your own metadata). 21 | 22 | ### Blank 23 | 24 | A catalog is displayed with none of its controls selected ('wiped'). 25 | 26 | 27 | ### Maker 28 | 29 | By checking boxes and filling in values, selections can be made and parameters set. 30 | 31 | Use the UI to make a selection of controls, with parameter settings and notes, *eh voila*. 32 | 33 | A profile can be serialized and saved out representing the current selection. 34 | 35 | ### Sniffer 36 | 37 | Fill out a text box with a list of control identifiers. Let the Profile Maker produce an OSCAL profile indicating those controls. Import this list from a plain text file. 38 | 39 | Or, drop your ODS spreadsheet onto the sniffer, and it offers a mapping grid, permitting you to designate the columns where identifiers and values appear. Using this information the sniffer can produce an OSCAL profile with a button push, populating the Maker. 40 | 41 | ### Editor 42 | 43 | When you load a profile instead of a spreadsheet, the Maker becomes a rudimentary profile editor. 
44 | 45 | ## Architecture 46 | 47 | Much of the display logic should already be available in the `control-reviewer` application. The essence of this application is to add interactivity to this, then read it back (out of the modified page) and write an OSCAL profile. To be added are (a) the ability to select controls (via checkbox or dynamic tag/load) and (b) writing it back out. 48 | 49 | The XSLT reads a catalog and accepts a profile as a runtime parameter to display its controls and parameters with selections, settings and modifications. The selections, settings and modifications are editable on the page. 50 | 51 | Most of the UI is implemented as SaxonJS templates including page refills. 52 | 53 | A set of templates can also read the HTML and produce an OSCAL profile back again, writing it to a "Download" button. 54 | 55 | The 'blank' is produced by processing the catalog with no profile. 56 | 57 | page load: read catalog and present (interactive) blank 58 | 59 | 'make OSCAL' button builds the profile from current page state and injects a Save As Profile button 60 | 61 | 'read controls' reads a textbox and 62 | 'load ODS' re-initiates the transformation reading an ODS spreadsheet 63 | - template load-ODS 64 | - exposes mapping grid w/ interface 65 | - with button to 'populate profile' using the assigned mapping 66 | 67 | 'load profile' re-initiates the transform 68 | - template load-profile 69 | - presenting the selections and patches of a profile read in 70 | - limits: no restructuring; only limited alteration 71 | 72 | interactive features of browser 73 | - control parts activate/deactivate with selection 74 | - deactivate 'quiets' but does not wipe settings 75 | - active permits parameter value setting (textfields) 76 | - this can dynamically inject into control content 77 | -------------------------------------------------------------------------------- /csx/baseline-matrix/AT-others.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Demo profile 6 | 2021-07-05T11:58:41.005-04:00 7 | 0.1 8 | 1.0.0 9 | 10 | 11 | 12 | at-1 13 | at-2 14 | at-2.2 15 | at-2.3 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /csx/baseline-matrix/AT-some.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Demo profile 6 | 2021-07-05T11:59:33.693-04:00 7 | 0.1 8 | 1.0.0 9 | 10 | 11 | 12 | at-1 13 | at-2 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /csx/baseline-matrix/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Baseline Matrix: An SP800-53B Emulator" 3 | custom_css: 4 | - "css/csx/nist-emulation.css" 5 | --- 6 | 7 | {{< rawhtml >}} 8 | 9 | 36 | 40 |
41 |

SP-800-53 Baseline Control Matrix

42 |

Load your OSCAL profile XML file(s) here ...

46 |
47 |
48 | 49 |
50 |
51 | 52 |
53 |
54 | 55 |
56 |
57 |

SP-800-53 Baseline Control Matrix is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

58 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

59 |
60 | {{< /rawhtml >}} 61 | -------------------------------------------------------------------------------- /csx/baseline-matrix/baseline-matrix.css: -------------------------------------------------------------------------------- 1 | a { color: inherit; text-decoration: none } 2 | 3 | a:hover { text-decoration: underline } 4 | 5 | .family-item label { padding-left: 0.5em } 6 | 7 | input:not([disabled]):focus { outline: none } 8 | 9 | table.control-matrix th { font-weight: bold } -------------------------------------------------------------------------------- /csx/baseline-matrix/hello.xsl: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | World! 9 | 10 | -------------------------------------------------------------------------------- /csx/baseline-matrix/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Baseline Matrix: An SP800-53B Emulator 4 | 5 | 6 | 7 | 8 | 33 | 34 | 35 | 36 |
37 |

SP-800-53 Baseline Control Matrix

38 |

Load your OSCAL profile XML file(s) here ...

42 |
43 |
44 | 45 |
46 |
47 | 48 |
49 |
50 | 51 |
52 |
53 |

SP-800-53 Baseline Control Matrix is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

54 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

55 |
56 | 57 | 58 | -------------------------------------------------------------------------------- /csx/baseline-matrix/key-test.xsl: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 |

12 |

13 |

14 |

15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /csx/baseline-matrix/readme.md: -------------------------------------------------------------------------------- 1 | # Baseline Matrix CSX Demonstration 2 | 3 | `_index.md` for Hugo consumption is made by trimming down `index.html`. 4 | 5 | `index.html` is available for local testing (from a web server serving up the static page). 6 | 7 | Note that the paths to CSS (in the header) and SaxonJS (in the script) are not the same. 8 | 9 | ## To compile the XSLT into SEF: 10 | 11 | Requires `xslt3` under `npm` (with `SaxonJS`). 12 | 13 | ``` 14 | $ xslt3 -xsl:profile-matrix.xsl -export:profile-matrix.sef.json -nogo 15 | ``` 16 | 17 | Also notice the XSLT has a different name from the application. 18 | 19 | ## To test 20 | 21 | Run `http-server` or the equivalent. Examine the `index.html` as served to the browser. 22 | 23 | ## To publish under Hugo 24 | 25 | Into ../../docs/content/demos/csx/baseline-matrix 26 | 27 | - `_index.md` (compare with `index.html` for adjustments) 28 | - `profile-matrix.sef.json` 29 | 30 | Into ../../docs/assets/css/csx/ 31 | 32 | - `baseline-matrix.css` 33 | 34 | The application also depends on `../NIST_SP-800-53_rev5_catalog.xml` in the next directory up. 35 | -------------------------------------------------------------------------------- /csx/baseline-reviewer/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Baseline Reviewer" 3 | description: An OSCAL analysis tool 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/baseline-reviewer-ui.css" 7 | --- 8 | 9 | 10 | {{< rawhtml >}} 11 | 12 | 13 | 42 |

43 |

OSCAL Baseline Reviewer

44 |

Surveying SP800-53 controls as modified by your OSCAL profile

45 |
46 | Explanation 47 |

The Control Reviewer is an enhanced OSCAL catalog viewer designed to present 48 | the selections and adjustments made to the SP 800-53 control catalog by a baseline (described as an OSCAL profile), either as 49 | selected, or as loaded by the user. (Currently it only shows control selection, not control alterations or parameter settings; those are next.)

50 |

It can also be used plain, as a simple browser for the SP 800-53 control catalog.

51 |

Note: this analysis does not examine the documents actually linked (imported) by your profile. Instead, it examines every import directive as if the SP800-53 Rev 5 catalog were its intended source. For reference and comparison, please see the SP 800-53 Rev 5 catalog (copy) in this repository.

52 |

Limitations / tbd:

53 |
    54 |
  • Does not validate profiles - GIGO applies
  • 55 |
  • Conformance with OSCAL profile spec is work-in-progress as the spec evolves
  • 56 |
  • The (entire) SP800-53 control catalog is assumed for any and all imports. In other words, this viewer is safe to use only with 57 | profiles that call only the SP 800-53 catalog (no other or subordinate catalogs), and only once. In fact this application does not offer a view of a profile (yours or any) but of this catalog, using a profile as a point of reference for filtering.
  • 58 |
  • Supports import-control/with-id only, not import-control/matches. (Let us know if you need this or any of these features.)
  • 59 |
  • Similarly does not yet support import-control/@with-child-controls so control enhancements must be included explicitly.
  • 60 |
61 |
62 |
63 | 64 |
65 |
66 | 67 |
68 |
69 |

The SP 800-53 Baseline Reviewer is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

70 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

71 |
72 | 73 | {{< /rawhtml >}} 74 | 75 | -------------------------------------------------------------------------------- /csx/baseline-reviewer/baseline-reviewer-ui.css: -------------------------------------------------------------------------------- 1 | 2 | 3 | body * { margin: 0em } 4 | 5 | button { margin: 0.2em 0em; font-size: 75% } 6 | 7 | div#bxheader * { margin-top: 0.6em } 8 | #overview { font-size: 90%; max-width: 48em; padding-left: 2em } 9 | #overview summary { text-indent: -2em } 10 | 11 | a { color: inherit; text-decoration: none } 12 | a:hover { text-decoration: underline } 13 | 14 | details.group { margin-top: 1em; padding: 0.5em; border: thin solid black; background-color: gainsboro; padding-right: 6vw } 15 | 16 | .showing-selected div.control:not(.selected) { display: none } 17 | 18 | .deck div.control-group { display: flex; flex-wrap: wrap } 19 | /* .deck div.control-enhancements { display: flex; flex-wrap: wrap; gap: 0.2em; justify-content: space-evenly } */ 20 | 21 | .deck div.control { max-width: 15vw; margin-top: 0.5rem; margin-right: 0.5rem } 22 | .deck div.control div.control { margin-top: 0.2rem; margin-left: 0rem; overflow: none } 23 | 24 | .control-title { font-weight: normal } 25 | 26 | details:not(.deck) { max-width: 44rem } 27 | details:not(.deck) div { max-width: 44rem } 28 | details:not(.deck) .control .control .controlbx { padding-left: 2em } 29 | 30 | /* .overview { padding: 0.8em; background-color: #e8eaf6; border: thin solid black } 31 | .overview * { margin-top: 0.6em } 32 | .overview *:first-child { margin-top: 0em } */ 33 | 34 | /* 35 | details:not(.deck) .control { max-width: 44rem; max-height: 1.6em; overflow: clip; transition: max-height 1s ease-out } 36 | details:not(.deck) .control:hover { max-height: 100vh; transition: max-height 0.5s ease-in } */ 37 | 38 | .control-title { display: none } 39 | .deck .controlbx h4:hover .control-title { display: block; z-index: 2; position: absolute; 40 | background-color: white; padding: 
0.3em; border: medium outset black; margin-left: 0.5em } 41 | 42 | details.statement { display: none } 43 | details:not(.deck) details.statement { display: block } 44 | div.part.statement { margin-left: 4vw } 45 | 46 | .deck button.expander { display: none } 47 | 48 | .deck .part { display: none } 49 | div.item { margin-left: 1em } 50 | 51 | 52 | .insert { font-size: 90%; font-weight: bold } 53 | 54 | td { vertical-align: text-top } 55 | 56 | td p { margin: 0em; margin-top: 0.5em } 57 | 58 | td p:first-child { margin-top: 0em } 59 | 60 | 61 | code.ctrl { background-color: white; padding: 0.1em; display: inline-block; border: thin outset black } 62 | 63 | .controlbx { padding: 0.2em; border: thin dotted black; background-color: gainsboro; min-width: 5em } 64 | .controlbx .controlbx { padding: 0.2em; border: thin dotted black; min-width: 4em } 65 | .control.selected .controlbx { border: thin solid black; background-color: white } 66 | 67 | .control.withdrawn .controlbx { background-color: lightgrey } 68 | .control.selected .control:not(.selected) .controlbx { border: thin dotted black } 69 | .control.selected .control:not(.selected):not(.withdrawn) .controlbx { background-color: gainsboro } 70 | 71 | .control .control h4 { font-size: smaller } 72 | 73 | .enhancement-title { text-transform: uppercase } 74 | 75 | div.control:not(.selected) h4 { color: grey } 76 | 77 | details:not(.deck) .control .label { float: left; padding-right: 0.5em; line-height: 1.2rem; min-width: 4em } 78 | 79 | 80 | .control .control .control-listing { font-size: smaller } 81 | .withdrawn .title-text, .withdrawn .control-listing { text-decoration:line-through } 82 | 83 | -------------------------------------------------------------------------------- /csx/baseline-reviewer/catalog-with-profile-ui2.sef.json: -------------------------------------------------------------------------------- 1 | {"N":"package","version":"30","packageVersion":"1","saxonVersion":"Saxon-JS 
2.1","target":"JS","targetVersion":"2","name":"TOP-LEVEL","relocatable":"true","buildDateTime":"2021-09-08T14:06:47.379-04:00","ns":"xml=~ xsl=~ =http://www.w3.org/1999/xhtml html=http://www.w3.org/1999/xhtml xs=~ math=~ ixsl=~ XJS=http://github.com/wendellpiez/XMLjellysandwich map=~ oscal=http://csrc.nist.gov/ns/oscal/1.0","defaultElementNS":"http://csrc.nist.gov/ns/oscal/1.0","C":[{"N":"co","binds":"","id":"0","uniform":"true","C":[{"N":"template","flags":"os","baseUri":"file:///mnt/c/Users/wap1/Documents/OSS/XMLjellysandwich/docs/oscal/control-reviewer/catalog-with-profile-ui.xsl","module":"catalog-with-profile-ui.xsl","slots":"200","name":"Q{}display-catalog","line":"30","xpath-default-namespace":"http://csrc.nist.gov/ns/oscal/1.0","sType":"0 ","C":[{"N":"resultDoc","sType":"0 ","role":"body","line":"32","local":"method=Q{http://saxonica.com/ns/interactiveXSLT}replace-content\n","global":"","C":[{"N":"str","sType":"1AS ","val":"#bxbody","role":"href"},{"N":"elem","name":"div","sType":"1NE nQ{http://www.w3.org/1999/xhtml}div ","nsuri":"http://www.w3.org/1999/xhtml","namespaces":"","role":"content","line":"33","C":[{"N":"empty","sType":"0 "}]}]}]}]},{"N":"co","binds":"","id":"1","C":[{"N":"mode","onNo":"TC","flags":"","patternSlots":"0","prec":""}]},{"N":"overridden"},{"N":"output","C":[{"N":"property","name":"Q{http://saxon.sf.net/}stylesheet-version","value":"30"}]},{"N":"decimalFormat"}],"Σ":"6d78a812"} -------------------------------------------------------------------------------- /csx/baseline-reviewer/readme.md: -------------------------------------------------------------------------------- 1 | # Baseline Reviewer 2 | 3 | For viewing a profile in reference to an imported catalog or baseline 4 | 5 | Complements the import inspector and the baseline matrix. 6 | 7 | Assumes SP 800-53 controls. 
8 | 9 | View toggles 10 | 11 | - 'deck' and 'list' (directory) views per family 12 | - top level pulldown runs transform fresh with $profile parameter 13 | - full SP800-53 catalog 14 | - NIST baselines 15 | - \+ privacy 16 | - drop your profile 17 | - control view: all \| selected (deactivate for entire catalog) 18 | 19 | Show view of entire catalog with selections highlighted 20 | 21 | # To come - Profile Mod Inspector 22 | 23 | Shows parameters and expanded text in selected controls 24 | 25 | shows control text with patches 26 | - add/remove pairs (before/after) 27 | - parameter inserts expanded 28 | 29 | does not resolve catalog! 30 | does not support merging/restructuring 31 | assumes SP800-53 Rev 5 32 | 33 | only good for showing a preview of how SP800-53 would be tailored by a particular profile. 34 | 35 | v2 - permit loading catalog(s) as well as a profile? 36 | 37 | -------------------------------------------------------------------------------- /csx/baseline-reviewer/runface.xsl: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | You hit the 'from-json' initial template. 10 | 11 | 12 | 13 | You matched the root node of the input, which contains an element named { /*/name() } 14 | 15 | 16 | -------------------------------------------------------------------------------- /csx/format-converter/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: OSCAL Format Converters 3 | description: Making your OSCAL XML into JSON or your OSCAL JSON into XML 4 | --- 5 | 6 | These rely on the public XSLTs released on the OSCAL web site, packaged and compiled to run in your browser. 7 | 8 | As described in the Metaschema repository, OSCAL formats (in XML, JSON and YAML) can be defined as alternative serializations from a unified data model, described and constrained by an abstract, declarative set of definitions. 
Given sufficient formal rigor, this set of definitions can be used as a "backbone" for production of a number of different processing artifacts and productions, including not only documentation and faithful renderings in the form of operationally-ready schema languages (XSD or JSON Schema, for example) -- but also converter scripts. 9 | 10 | In these pages, the converter scripts in XSLT generated from the OSCAL Catalog Metaschema are harnessed to provide for conversion of your OSCAL catalog dynamically, in the browser. 11 | 12 | -------------------------------------------------------------------------------- /csx/format-converter/convert-json2xml.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL Format Converter 4 | 5 | 6 | 18 | 19 | 53 | 54 | 80 | 81 | 82 |
83 |

OSCAL Catalog XML|JSON Format Converter - JSON

84 |

Converting your OSCAL JSON catalog into OSCAL XML

85 |

(Coming soon - not just catalogs but other OSCAL models as well)

86 |
87 | Explanation 88 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

89 |

Use with caution accordingly.

90 |
91 |
92 |
93 |
94 |
95 | 98 |

Load or paste your OSCAL catalog JSON ... and good luck!

99 | 100 |
101 | 102 |
103 | 104 |
105 |
106 |
107 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

108 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

109 |
110 | 111 | 112 | -------------------------------------------------------------------------------- /csx/format-converter/convert-xml2json.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL XML to JSON Format Converter 4 | 5 | 6 | 17 | 18 | 53 | 54 | 55 | 56 |
57 |

OSCAL Catalog XML|JSON Format Converter - XML

58 |

Converting your OSCAL XML catalog into OSCAL JSON

59 |

(Coming soon - not just catalogs but other OSCAL models as well)

60 | 61 |
62 | Explanation 63 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

64 |

Use with caution accordingly.

65 |
66 |
67 |
68 |
69 |
70 | 73 |

Load or paste your OSCAL catalog XML ... and good luck!

74 | 75 |
76 |
77 | 78 |
79 |
80 |
81 |
82 |

The SP 800-53 Catalog XML to JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

83 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

84 |
85 | 86 | 87 | -------------------------------------------------------------------------------- /csx/format-converter/example-ssp.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/csx/format-converter/example-ssp.xml -------------------------------------------------------------------------------- /csx/format-converter/fromJSON/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Catalog JSON-to-XML Converter" 3 | custom_css: 4 | - "css/csx/nist-emulation.css" 5 | --- 6 | 7 | {{< rawhtml >}} 8 | 9 | 43 | 44 |
45 |

OSCAL Catalog XML|JSON Format Converter - JSON

46 |

Converting your OSCAL JSON catalog into OSCAL XML

47 |

(Coming soon - not just catalogs but other OSCAL models as well)

48 |
49 | Explanation 50 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

51 |

Use with caution accordingly.

52 |
53 |
54 |
55 |
56 |
57 | 60 |

Load or paste your OSCAL catalog JSON ... and good luck!

61 | 62 |
63 | 64 |
65 | 66 |
67 |
68 |
69 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

70 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

71 |
72 | 73 | {{< /rawhtml >}} 74 | 75 | -------------------------------------------------------------------------------- /csx/format-converter/fromJSON/convert-json2xml.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL Format Converter 4 | 5 | 6 | 18 | 19 | 53 | 54 | 80 | 81 | 82 |
83 |

OSCAL Catalog XML|JSON Format Converter - JSON

84 |

Converting your OSCAL JSON catalog into OSCAL XML

85 |

(Coming soon - not just catalogs but other OSCAL models as well)

86 |
87 | Explanation 88 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

89 |

Use with caution accordingly.

90 |
91 |
92 |
93 |
94 |
95 | 98 |

Load or paste your OSCAL catalog JSON ... and good luck!

99 | 100 |
101 | 102 |
103 | 104 |
105 |
106 |
107 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

108 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

109 |
110 | 111 | 112 | -------------------------------------------------------------------------------- /csx/format-converter/fromJSON/oscal-catalog_JSONtoXML_converter.xsl: -------------------------------------------------------------------------------- 1 | 2 | 16 | 17 | 18 | text here 19 | 20 | 21 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | MATCHED / 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | Data provided does not appear to be JSON 43 | { $err:description } 44 | { $oscal-data} 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | Data provided does not appear to be XML 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 |
67 |

Input is not JSON

68 | 69 | 70 |

It appears to be OSCAL XML (please try the XML converter)

71 |
72 |
{ $oscal-data  }
73 |
74 |
75 | 76 | 77 | 78 | 79 | 80 | 81 |

This produces XML

82 |
{ serialize($result-xml, $indented) }
83 |
84 |
85 |
86 | 87 | 88 | 89 | 90 | 91 |
92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 |
-------------------------------------------------------------------------------- /csx/format-converter/fromXML/_index.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL XML to JSON Format Converter 4 | 5 | 6 | 17 | 18 | 53 | 54 | 55 | 56 |
57 |

OSCAL Catalog XML|JSON Format Converter - XML

58 |

Converting your OSCAL XML catalog into OSCAL JSON

59 |

(Coming soon - not just catalogs but other OSCAL models as well)

60 | 61 |
62 | Explanation 63 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

64 |

Use with caution accordingly.

65 |
66 |
67 |
68 |
69 |
70 | 73 |

Load or paste your OSCAL catalog XML ... and good luck!

74 | 75 |
76 |
77 | 78 |
79 |
80 |
81 |
82 |

The SP 800-53 Catalog XML to JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

83 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

84 |
85 | 86 | 87 | -------------------------------------------------------------------------------- /csx/format-converter/index-archive.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL Format Converter 4 | 5 | 6 | 14 | 25 | 26 | 51 | 52 | 53 | 54 |
55 |

OSCAL Catalog XML|JSON Format Converter

56 |

Converting your OSCAL XML catalog into OSCAL JSON, or your OSCAL JSON catalog into XML

57 |

(Coming soon - not just catalogs but other OSCAL models as well)

58 | 59 |
60 | Explanation 61 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

62 |

Use with caution accordingly.

63 |
64 |
65 |
66 |
67 |
68 | 71 |

Load or paste your OSCAL catalog (XML or JSON format) ... and good luck!

72 |

Expecting XML elements bound to namespace http://csrc.nist.gov/ns/oscal/1.0.

73 | 74 |
75 |
76 | 77 |
78 | 79 |
80 | 81 |
82 |
83 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

84 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

85 |
86 | 87 | 88 | -------------------------------------------------------------------------------- /csx/format-converter/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | OSCAL Format Converter 4 | 5 | 6 | 14 | 25 | 26 | 51 | 52 | 53 | 54 |
55 |

OSCAL Catalog XML|JSON Format Converter

56 |

Converting your OSCAL XML catalog into OSCAL JSON, or your OSCAL JSON catalog into XML

57 |

(Coming soon - not just catalogs but other OSCAL models as well)

58 | 59 |
60 | Explanation 61 |

Warning: data loaded into the converter that is not valid OSCAL may be discarded without notice. Whether this happens depends on the nature of the problem; some nearly valid OSCAL will still come through okay.

62 |

Use with caution accordingly.

63 |
64 |
65 |
66 |
67 |
68 | 71 |

Load or paste your OSCAL catalog (XML or JSON format) ... and good luck!

72 |

Expecting XML elements bound to namespace http://csrc.nist.gov/ns/oscal/1.0.

73 | 74 |
75 |
76 | 77 |
78 | 79 |
80 | 81 |
82 |
83 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

84 |

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

85 |
86 | 87 | 88 | -------------------------------------------------------------------------------- /csx/format-converter/lib/readme.md: -------------------------------------------------------------------------------- 1 | # OSCAL Converters 2 | 3 | https://github.com/usnistgov/OSCAL/blob/main/json/convert/oscal_catalog_json-to-xml-converter.xsl 4 | 5 | https://github.com/usnistgov/OSCAL/blob/main/json/convert/oscal_catalog_xml-to-json-converter.xsl -------------------------------------------------------------------------------- /csx/format-converter/mixedgroups.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | data 10 | 11 | 12 | 13 | data 14 | 15 | 16 | R 17 | 18 | 19 | 20 | 21 | 22 |

p1

23 | q1 24 | r1 25 |

p2

26 |

p3

27 | q2 28 | r2 29 |
30 | 31 | { "pqr-seq": [ 32 | { "_n": "p", "data": "p1", "pv": "x" }, 33 | { "_n": "q", "data": "q1", "qv": true }, 34 | { "_n": "R", "data": "r1" }, 35 | { "_n": "p", "data": "p2" }, 36 | { "_n": "p", "data": "p3" }, 37 | { "_n": "q", "data": "q2" }, 38 | { "_n": "R", "data": "r2" } ] } 39 | 40 | 41 | We can validate the XML by casting to XSD (or other preferred schema language) 42 | We can validate the JSON if we infer 43 | - if choice/@minOccurs=1 then an object 'pqr-seq' is required (array or singleton-or-array) 44 | - choice/@maxOccurs governs the cardinality of the entire array: note that child fields do not have @minOccurs|@maxOccurs (which is interesting) 45 | - each member of this array is an object with an "_n" property with value one of 'p', 'q', 'R' (metaschema defined) 46 | - other validations of each node must be keyed to those node names (defined in the 'pqr-seq' context) keeping use-name in mind 47 | (Can JSON Schema even do something like that?) 48 | This model leaves out namespaces, assuming all XML is in the same namespace 49 | 50 |
51 | -------------------------------------------------------------------------------- /csx/format-converter/oscal-catalog_JSONtoXML_converter.xsl: -------------------------------------------------------------------------------- 1 | 2 | 16 | 17 | 18 | text here 19 | 20 | 21 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | MATCHED / 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | Data provided does not appear to be JSON 43 | { $err:description } 44 | { $oscal-data} 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | Data provided does not appear to be XML 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 |
67 |

Input is not JSON

68 | 69 | 70 |

It appears to be OSCAL XML (please try the XML converter)

71 |
72 |
{ $oscal-data  }
73 |
74 |
75 | 76 | 77 | 78 | 79 | 80 | 81 |

This produces XML

82 |
{ serialize($result-xml, $indented) }
83 |
84 |
85 |
86 | 87 | 88 | 89 | 90 | 91 |
92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 |
-------------------------------------------------------------------------------- /csx/format-converter/playtest.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Text and (inline) markup 6 | 2021-09-23T15:06:57.725-04:00 7 | string 8 | string 9 |

10 |
11 |
12 | -------------------------------------------------------------------------------- /csx/format-converter/readme.md: -------------------------------------------------------------------------------- 1 | # The format converter is experimental! 2 | 3 | XSLT reads two catalogs and writes a delta 4 | assumes families, controls and enhancements (one level) 5 | 6 | Family by family 7 | Control by control 8 | Matched by ID and title 9 | showing withdrawn controls w/ incorporated/moveto 10 | run on rev4 + rev5 11 | producing tabular view that can be annotated by baselines 12 | 13 | to do: exhaustively test 14 | 15 | XML-to-JSON and JSON-to-XML 16 | raw text not XML/JSON 17 | JSON not OSCAL 18 | XML not OSCAL 19 | OSCAL JSON 20 | OSCAL XML 21 | cosmetics of results 22 | Save As functionality 23 | 24 | NB: XSLTs in `lib` need to be aligned with upstream. 25 | 26 | Lots of testing is still needed to gauge performance and handling. 27 | 28 | Needs more work on look/feel / styling outputs. 29 | 30 | Don't know how it will work under load. 31 | 32 | Unexposed bugs in conversion may not be detected, and GIGO is a feature! so do not rely on your converted data without reviewing and checking the conversion for correctness and accuracy. 33 | 34 | **Validate your input data** before even trying it! Valid inputs should work (there should be no data loss). Inputs that are not schema-valid are guaranteed to produce invalid outputs, even if correct. 35 | 36 | All this is subject to testing, and miscellaneous issues such as whitespace handling remain to be addressed.... 
37 | -------------------------------------------------------------------------------- /csx/import-examiner/readme.md: -------------------------------------------------------------------------------- 1 | # OSCAL Profile Checker 2 | 3 | A client-side validation utility for OSCAL Profiles 4 | 5 | The utility loads the SP800-53 rev 5 catalog and checks your profile against it 6 | 7 | checking a profile against SP800-53 catalog 8 | 9 | it assumes a schema-valid OSCAL profile instance, although some defensiveness is provided against inputs that are invalid, mainly for demonstration. 10 | 11 | In a second pass, results can be assessed for a summary view / analytic conclusion 12 | (green check box if no red results are found!) 13 | 14 | A Metaschema-driven XSLT validator will come in another project. This validator 15 | is written entirely by hand to demonstrate the concept. 16 | 17 | - [ ] Is SP800-53 imported? 18 | - [ ] Any orphan / dangling references? controls, parameters, patches 19 | 20 | - [ ] Import check (per import) 21 | - [ ] the import appears to call SP800-53 ... 22 | - [ ] the import actually calls ... 
23 | - [ ] none of the controls call controls in SP 800-53 rev 5 (by control-id) 24 | - [ ] all control-ids match up 25 | - [ ] no replicates or redundancy among calls (by control-id) 26 | - [ ] Add support for @match 27 | - [ ] Render - inputs and results of selection (control listing) 28 | - [ ] Merge inspection 29 | - [ ] Show structure of result (profile when resolved) 30 | - [ ] Were any controls dropped 31 | - [ ] Parameters 32 | - [ ] param-ids match up 33 | - [ ] parameters referenced in the control that are *not* addressed in the profile 34 | - [ ] Render - collapsed (rendered) parameters in the contexts of their use 35 | - [ ] Patches 36 | - [ ] target IDs match up 37 | - [ ] show control text before and after patch 38 | -------------------------------------------------------------------------------- /csx/import-examiner/test-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | Ugly Profile 7 | 2021-02-13T13:54:06.778-05:00 8 | 0 9 | 1.0.0-rc1 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /csx/lib/Saxon-JS-2.2/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Version 1.0, June 2020 2 | 3 | Software: This license applies to the packages "xslt3" and "saxon-js" 4 | distributed via npm (https://www.npmjs.com) and to the modules SaxonJS2.js 5 | and SaxonJS2.rt.js available for download from the Saxonica web site 6 | (https://www.saxonica.com/). 7 | 8 | Copyright: The copyright in the Software belongs to Saxonica Ltd, except 9 | for third-party components listed in the documentation that are distributed 10 | under license. 
11 | 12 | Binary form: In this license, "binary form" means the form in which the 13 | Software is issued (this is technically a set of obfuscated Javascript files). 14 | 15 | Deployment and use. The Software may be copied to any computer where the 16 | primary purpose is the execution of the software on that computer, or on 17 | connected client computers. 18 | 19 | Redistribution. Redistribution in binary form, without 20 | modification, is permitted as part of an application that makes use 21 | of the Software, provided that the following conditions are 22 | met: 23 | 24 | 1) Redistributions must reproduce the above copyright notice and the 25 | following disclaimer in the documentation and/or other materials 26 | provided with the distribution. 27 | 28 | 2) Except to the extent explicitly permitted by law, no reverse 29 | engineering, decompilation, or disassembly of this software is 30 | permitted. 31 | 32 | 3) Neither the name of the copyright holder nor the names of its 33 | contributors may be used to endorse or promote products derived from 34 | this software without specific prior written permission. 35 | 36 | 4) Copying the software to a site whose primary purpose is to make 37 | it available to third parties is not permitted without specific 38 | prior written permission. 39 | 40 | If you institute patent litigation against any entity (including a 41 | cross-claim or counterclaim in a lawsuit) alleging that the software 42 | itself infringes your patent(s), then your rights granted under this 43 | license shall terminate as of the date such litigation is filed. 44 | 45 | DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND 46 | CONTRIBUTORS "AS IS." ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT 47 | NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 48 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT 49 | HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 50 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 51 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 52 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 53 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 54 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 55 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 56 | -------------------------------------------------------------------------------- /csx/nist-emulation.css: -------------------------------------------------------------------------------- 1 | html, body { font-family: Calibri, Arial, sans-serif } 2 | 3 | code { font-family: Consolas, monospace } 4 | 5 | #bxbody { margin-top: 1em; padding-top: 1em; border-top: medium solid black } 6 | 7 | table.control-matrix { border-collapse: collapse; 8 | border-bottom: 1.4em solid #1f497d } 9 | 10 | table.control-matrix td, 11 | table.control-matrix th { border: thin solid black; padding: 0.2em 0.6em } 12 | 13 | table.control-matrix th { background-color: #b8cce4 } /* dark dusky blue*/ 14 | 15 | table.control-matrix td { background-color: #dbe5f1 } /* lighter dusky blue */ 16 | 17 | tr.control-matrix-header > * { text-transform: uppercase } 18 | tr.control-matrix-header > th.controlno { font-size: 80% } 19 | 20 | #directory { columns: auto 2 } 21 | #directory div { break-inside: avoid } 22 | 23 | #directory input[type='checkbox'] + label { color: grey } 24 | #directory input[type='checkbox']:checked + label { color: black } 25 | 26 | #file-roster { display: grid; grid-auto-columns: max-content; 27 | grid-auto-rows: auto; grid-auto-flow: column; 28 | grid-gap: 0.5em; margin-bottom: 1em 29 | } 30 | 31 | .filelisting { margin-top: 0.8em; padding: 0.2em; border: thin outset gainsboro; background-color: oldlace; } 32 | 33 | .filelisting * 
{ margin: 0em } 34 | 35 | span.profilecode { text-transform: uppercase; font-size: 80%; 36 | font-weight: normal; padding: 0.2em; background-color: #b8cce4 } 37 | 38 | .withdrawn { color: grey } 39 | 40 | .withdrawnnotice { font-size: 90% } 41 | 42 | .import { color: darkgrey } 43 | .importing { color: forestgreen; font-weight: bold } 44 | .ineligible { color: darkred; font-style: italic } 45 | 46 | .family { margin-top: 1em } 47 | 48 | .family .h2.title { text-transform: uppercase; font-size: 140%; font-weight: bold } 49 | 50 | .family > * { margin-bottom: 1em } 51 | 52 | .control .title { font-weight: bold } 53 | .enhancement .title { font-size: 80%; font-weight: normal; text-transform: uppercase } 54 | 55 | .control .label { font-weight: bold } 56 | 57 | .occur { text-align: center; max-width: 4em } 58 | 59 | #bxfooter { margin-top: 1em; border-top: thin solid black; 60 | border-bottom: 0.4em solid #1f497d } 61 | 62 | -------------------------------------------------------------------------------- /csx/oscal-examples/AT-others-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Demo profile 6 | 2021-07-05T11:58:41.005-04:00 7 | 0.1 8 | 1.0.0 9 | 10 | 11 | 12 | at-1 13 | at-2 14 | at-2.2 15 | at-2.3 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /csx/oscal-examples/AT-some-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Demo profile 6 | 2021-07-05T11:59:33.693-04:00 7 | 0.1 8 | 1.0.0 9 | 10 | 11 | 12 | at-1 13 | at-2 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /csx/oscal-examples/cat-catalog.json: -------------------------------------------------------------------------------- 1 | { 2 | "catalog": { 3 | "uuid": "abe474a5-26aa-426d-8221-a0508c62dce3", 4 | "metadata": { 5 | "title": "OSCAL CATalog", 6 | "last-modified": 
"2021-07-30T14:54:06.481-04:00", 7 | "version": "0.1", 8 | "oscal-version": "1.0.0" 9 | }, 10 | "controls": [ 11 | { 12 | "id": "dry.food", 13 | "title": "Crunchies aka \"dry food\"", 14 | "parts": [ 15 | { 16 | "name": "statement", 17 | "prose": "Shelf-stable, dry feline nutriments (\"dry cat food\" or \"crunchies\") must be available at all times in an accessible location, with only such wrapping or packaging to make it entertaining to extract (using only teeth and claws), or preferably, open in a bowl. Flavors based on chicken or fish are preferred." 18 | } 19 | ] 20 | }, 21 | { 22 | "id": "canned.food", 23 | "title": "Wet cat food", 24 | "parts": [ 25 | { 26 | "name": "statement", 27 | "prose": "Delicious tasty morsels of canned cat food should be provided at regular intervals in sufficient quantities for all cats to be satisfied." 28 | }, 29 | { 30 | "name": "guidance", 31 | "prose": "Wet cat food may be referred to as \"cat fud\" on shopping lists. When not otherwise qualified, \"cat fud\" should be taken to refer to wet (i.e., canned) cat food, not dry.\n\nTable scraps are not acceptable as wet cat food (or acceptable in general). Prey animals also do not count, although they may also be enjoyed." 32 | } 33 | ] 34 | }, 35 | { 36 | "id": "kitchen.cabinets", 37 | "title": "Kitchen Cabinets and drawers", 38 | "parts": [ 39 | { 40 | "name": "statement", 41 | "prose": "Kitchen drawers and cabinets should be kept closed to prevent feline incursion." 42 | } 43 | ] 44 | }, 45 | { 46 | "id": "boxes", 47 | "title": "Boxes", 48 | "links": [ 49 | { 50 | "href": "#toys", 51 | "rel": "related" 52 | } 53 | ], 54 | "parts": [ 55 | { 56 | "name": "statement", 57 | "prose": "Cardboard or other disposable delivery boxes may be left in the living room as temporary cat fortresses." 
58 | } 59 | ] 60 | }, 61 | { 62 | "id": "treats", 63 | "title": "Treats", 64 | "params": [ 65 | { 66 | "id": "p1", 67 | "label": "maximum treat allowance", 68 | "guidelines": [ 69 | {"prose": "A natural language description of how many treats are permitted within a given period, to be determine by the cat's \"owner\" given appropriate veterinary advice."} 70 | ] 71 | } 72 | ], 73 | "parts": [ 74 | { 75 | "name": "statement", 76 | "prose": "Treats may be given freely by a feline's caretaker or companion on demand, up to a maximum of {{ insert: param, p1 }}." 77 | } 78 | ] 79 | }, 80 | { 81 | "id": "toys", 82 | "title": "Toys", 83 | "links": [ 84 | { 85 | "href": "#boxes", 86 | "rel": "related" 87 | } 88 | ], 89 | "parts": [ 90 | { 91 | "name": "statement", 92 | "prose": "Any small objects or objects of any size with holes, passages, hatches or flaps may be considered cat toys, defined as objects designated for feline play. Store-bought cat toys are acceptable but a cat may select its own toys such as string, rubber bands or jewelry." 93 | } 94 | ] 95 | } 96 | ] 97 | } 98 | } -------------------------------------------------------------------------------- /csx/oscal-examples/cat-catalog.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | OSCAL CATalog 7 | 2021-07-30T14:54:06.481-04:00 8 | 0.1 9 | 1.0.0 10 | 11 | 12 | Crunchies aka <q>dry food</q> 13 | 14 |

Shelf-stable, dry feline nutriments (dry cat food or crunchies) must be available at all times in an accessible location, with only such wrapping or packaging to make it entertaining to extract (using only teeth and claws), or preferably, open in a bowl. Flavors based on chicken or fish are preferred.

15 |
16 |
17 | 18 | Wet cat food 19 | 20 |

Delicious tasty morsels of canned cat food should be provided at regular intervals in sufficient quantities for all cats to be satisfied.

21 |
22 | 23 |

Wet cat food may be referred to as cat fud on shopping lists. When not otherwise qualified, cat fud should be taken to refer to wet (i.e., canned) cat food, not dry.

24 |

Table scraps are not acceptable as wet cat food (or acceptable in general). Prey animals also do not count, although they may also be enjoyed.

25 |
26 |
27 | 28 | Kitchen Cabinets and drawers 29 | 30 |

Kitchen drawers and cabinets should be kept closed to prevent feline incursion.

31 |
32 |
33 | 34 | Boxes 35 | 36 | 37 |

Cardboard or other disposable delivery boxes may be left in the living room as temporary cat fortresses.

38 |
39 |
40 | 41 | Treats 42 | 43 | 44 | 45 |

A natural language description of how many treats are permitted within a given period, to be determined by the cat's owner given appropriate veterinary advice.

46 |
47 | 48 | 49 |

Treats may be given freely by a feline's caretaker or companion on demand, up to a maximum of .

50 |
51 |
52 | 53 | Toys 54 | 55 | 56 |

Any small objects or objects of any size with holes, passages, hatches or flaps may be considered cat toys, defined as objects designated for feline play. Store-bought cat toys are acceptable but a cat may select its own toys such as string, rubber bands or jewelry.

57 |
58 |
59 |
60 | -------------------------------------------------------------------------------- /csx/oscal-examples/dog-catalog.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | OSCAL DOG catalog 8 | 2021-17-30T16:04:17.734 9 | 0.1 10 | 1.0.0 11 | 12 | 13 | Dinner 14 | 15 | 16 | 17 |

A natural language description of how many dinners are to be provided per day.

18 |
19 | 20 | 21 |

All dogs together should be provided with dinner at regular intervals, at least . Dinner can be any of the categories described below, or a combination.

22 |
23 | 24 | Crunchies aka <q>dry food</q> 25 | 26 | 27 |

Shelf-stable, dry canine nutriments (dry dog food or crunchies) must be made available at regular intervals in an accessible location, in a bowl. More or less any dry food is acceptable especially if odoriferous.

28 |
29 |
30 | 31 | Canned food 32 | 33 |

Delicious tasty morsels of canned dog food can be provided in popular flavors including beef, kidney and liver.

34 |
35 |
36 | 37 | 38 |

Basically anything that human companions have enjoyed can be offered as table scraps. Care should be taken, however, when administering alcoholic beverages to dogs.

39 |
40 | Table scraps 41 |
42 |
43 | 44 | Kitchen Cabinets and drawers 45 | 46 | 47 |

Kitchen drawers and doors should be kept closed to prevent incursion by inquisitive or hungry animals.

48 |
49 |
50 | 51 | Treats 52 | 53 | 54 | 55 |

A natural language description of how many treats are permitted within a given period

56 |
57 | (no maximum if dog will roll over) 58 | 59 | 60 | 61 |

Treats may be given freely by a canine companion on demand, up to a maximum of .

62 |
63 |
64 | 65 | 66 | Broken resource 67 |

The given UUID is syntactically invalid as a v6 UUID

68 |
69 |
70 |
71 | -------------------------------------------------------------------------------- /csx/oscal-examples/missing-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | Demo profile 7 | 2021-07-05T11:58:41.005-04:00 8 | 0.1 9 | 1.0.0 10 | 11 | 12 | 13 | at-1 14 | at-2 15 | at-2.2 16 | at-2.3 17 | aaa-111 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /csx/profile-resolver/backmatter-reduce.xsl: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 20 | 21 | 22 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /csx/profile-resolver/punchlist.md: -------------------------------------------------------------------------------- 1 | # Profile resolver punchlist 2 | 3 | This folder contains an experimental profile resolver, to be developed and unit tested. 4 | 5 | It works by generating an XSLT transformation from a profile, and then applying it to the imported catalogs.
6 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/as-is-test_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 8 | 9 | Test Profile 10 | 2019-10-13T13:41:58.548-04:00 11 | 1.0 12 | 1.0-MR2 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | true 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/control-picker.xsl: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/custom-grouping-test_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 8 | 9 | Test Profile 10 | 2019-10-13T13:41:58.548-04:00 11 | 1.0 12 | 1.0-MR2 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | Group A of B 29 | 30 | 31 | 32 | Group B of B 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 |

Only one of the three should be allowed in the boat.

43 | 48 |
49 | 50 | 51 | 52 | EXTRA SPECIAL PROPERTY 53 | 54 | 55 | 56 |
57 | 58 | 59 | 60 | 61 | 62 |
63 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/popular-controls_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 8 | Popular Controls Profile 9 | 2019-10-21T10:12:33.06-04:00 10 | 1.0 11 | 1.0-MR2 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | NIST SP 800-53 rev 4 catalog in OSCAL 41 | 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/split-test_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 8 | 9 | Test Profile 10 | 2019-10-13T13:41:58.548-04:00 11 | 1.0 12 | 1.0-MR2 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | Group A of B 33 | 34 | 35 | 36 | Group B of B 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 |

Only one of the three should be allowed in the boat.

48 |
49 | 54 |
55 | 56 | 57 | 58 | EXTRA SPECIAL PROPERTY 59 | 60 | 61 |
62 | 63 | 64 | 65 | 66 | 67 |
68 | -------------------------------------------------------------------------------- /csx/profile-resolver/testing/tester.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |

Paragraph One

5 |

Paragraph Two

6 |

Paragraph Three

7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
17 | -------------------------------------------------------------------------------- /csx/readme.md: -------------------------------------------------------------------------------- 1 | # Client-side XSLT (CSX) Demonstrations 2 | 3 | Published versions of these demonstrations are hosted at http://pages.nist.gov/oscal-tools/demos/csx. 4 | 5 | For convenience and clarity, the code base is maintained here with the actual demo runtimes copied out (as operational subsets) to the docs/content/demos/csx directories for processing by Hugo and delivery through the Pages site. 6 | 7 | So maintenance has two tiers: 8 | 9 | - Each application should operate standalone when served (by a plain web server) from a development directory in this folder. 10 | 11 | - Additionally, a subset of this application file set, mirrored into docs/content/demos/csx, should function within the static web site built by Hugo and posted on Pages. 12 | 13 | Test an application standalone before providing (and documenting) its mirroring (publishing) procedure. An application can be prototyped here and not copied, before a public demonstration is ready. 14 | 15 | Run a web server such as nodejs `http-server` from this directory to serve the applications from `localhost`. 16 | 17 | ## Deployment Model 18 | 19 | Currently each demo is maintained in its own directory, where it can also be served for preview (outside Hugo or Pages). 20 | 21 | For pages.nist.gov integration, an application (or an operational subset) must be copied (echoed) to the /docs folder where the Hugo site is configured and stocked. 22 | 23 | Note that migration is typically not simply copying, but also sometimes rewiring or resetting configuration. For example, the location of the SaxonJS distribution changes. These divergences help ensure that deployment is not done without due care and deliberation. 24 | Typically this means that the analogous folder in /docs must be examined to see that things are accounted for properly. 
Typically either file headers or links can be impacted. 25 | 26 | ### Baseline Matrix 27 | 28 | - stable 29 | - 20211006 updated to current SP800-53 catalog 30 | 31 | ### Baseline Reviewer 32 | 33 | - retest and write up readme 34 | 35 | ### Format Converter 36 | 37 | - retest and write up readme 38 | - extend to support profile 39 | 40 | ### Import Examiner 41 | 42 | - retest and write up readme 43 | 44 | ### Validator 45 | 46 | - retest and write up readme 47 | - extend to support other models? 48 | 49 | ### OSCAL Mapper 50 | 51 | Reads spreadsheet (ODS) in, emits OSCAL 52 | 53 | user designs an (XML) template with queries into the spreadsheet 54 | an XSLT is derived from this and executed over the spreadsheet contents 55 | emitting the required XML 56 | which can be saved 57 | 58 | ### Further demos 59 | 60 | See project directories for more.... 61 | 62 | ### Ideas 63 | 64 | -------------------------------------------------------------------------------- /csx/validator/generators/generate-datatype-functions.xsl: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | Generated from { document-uri(/) => replace('.*/','') } running on itself 26 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | string 44 | string 45 | NCName 46 | { $nominal-type } 47 | 48 | 49 | 50 | {$value} 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true() 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /csx/validator/loveiii.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Love III 4 | George Herbert 5 | The Temple (1633) 6 | 21 | 22 | 23 | Love bade me welcome, yet my soul drew back, 24 | Guilty of dust and sin. 
25 | But quick-eyed Love, observing me grow slack 26 | From my first entrance in, 27 | Drew nearer to me, sweetly questioning 28 | If I lacked anything. 29 | 30 | 31 | A guest, I answered, worthy to be here; 32 | Love said, You shall be he. 33 | I, the unkind, the ungrateful? ah my dear, 34 | I cannot look on thee. 35 | Love took my hand and smiling did reply, 36 | Who made the eyes but I? 37 | 38 | 39 | Truth, Lord, but I have marred them; let my shame 40 | Go where it doth deserve. 41 | And know you not, says Love, who bore the blame? 42 | My dear, then I will serve. 43 | You must sit down, says Love, and taste my meat. 44 | So I did sit and eat. 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /csx/validator/readme.md: -------------------------------------------------------------------------------- 1 | 2 | # hints 3 | 4 | See the OSCAL Catalog Validator (or Metaschema Emulator) run [here](catalog.html) 5 | 6 | These notes are for maintenance. 7 | 8 | ## produce updated composed metaschema 9 | 10 | This presently can't be done under SaxonJS due to no support for external parsed entities (a current requirement). 11 | 12 | But it runs fine under Saxon in Java, etc. It invokes code from the [OSCAL Metaschema repository](https://github.com/usnistgov/metaschema) to compose a single metaschema entity from its modules.
Run it like this (in this case to produce a validator for the catalog format). Both URLs track the `master` branch, so the metaschema and the composer stylesheet that are fetched and executed can change between runs; substitute a commit hash for `master` when the generated validator must be reproducible: 13 | 14 | ``` 15 | $ xslt3 -s:https://raw.githubusercontent.com/usnistgov/OSCAL/master/src/metaschema/oscal_catalog_metaschema.xml -xsl:https://raw.githubusercontent.com/usnistgov/metaschema/master/toolchains/xslt-M4/nist-metaschema-COMPOSE.xsl -o:generators/oscal_catalog_metaschema-COMPOSED.xml 16 | ``` 17 | 18 | ## update validator from metaschema 19 | 20 | For example, for the OSCAL catalog: 21 | 22 | ``` 23 | $ xslt3 -s:generators/oscal_catalog_metaschema-COMPOSED.xml -xsl:generators/generate-validator.xsl -o:catalog-validate-new.xsl 24 | ``` 25 | 26 | ## compile for SaxonJS 27 | 28 | Likewise -- 29 | 30 | ``` 31 | $ xslt3 -export:apply-validator.sef.json -xsl:apply-validator.xsl -nogo 32 | ``` 33 | 34 | 35 | -------------------------------------------------------------------------------- /csx/validator/test-catalog.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | Test Catalog 7 | 2021-04-17T16:01:47.575-04:00 8 | 0 9 | 1.0.0-rc2 10 | 11 | 12 | 00 13 | 14 | 15 | 16 | 17 | 18 | A group 19 | 20 | Control A 21 | boo 22 | 23 |

A control designates a policy, practice, procedure, mechanism, protocol or rule intended to promote transparent and smooth operation.

24 | 25 |

A statement can have items.

26 |
27 |
28 |
29 |
30 |
-------------------------------------------------------------------------------- /demo/SP800-53-rev4-declarations.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)[\d\.\-]*$ 9 | 10 | 11 | 12 | P1 13 | P2 14 | P0 15 | P3 16 | 17 | 18 | LOW 19 | MODERATE 20 | HIGH 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | (1) 40 | 41 | 42 | LOW 43 | MODERATE 44 | HIGH 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | a. 74 | (a) 75 | 76 | 77 | 1. 78 | (1) 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | EXAMINE 103 | INTERVIEW 104 | TEST 105 | 106 | 107 | 108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /demo/SP800-53-rev5-declarations.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | ^(AC|AT|AU|CA|CM|CP|IA|IP|IR|MA|MP|PA|PE|PL|PM|PS|RA|SA|SC|SI)[\d\.\-]*$ 11 | 12 | 13 | 14 | 15 | 16 | P1 17 | P2 18 | P0 19 | P3 20 | 21 | 22 | LOW 23 | MODERATE 24 | HIGH 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | (1) 44 | 45 | 46 | LOW 47 | MODERATE 48 | HIGH 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | a. 78 | (a) 79 | 80 | 81 | 1. 
82 | (1) 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | EXAMINE 107 | INTERVIEW 108 | TEST 109 | 110 | 111 | 112 | 113 | 114 | 115 | -------------------------------------------------------------------------------- /demo/custom-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | SP800-53 Custom Profile 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /docs/.dockerignore: -------------------------------------------------------------------------------- 1 | public/ 2 | resources/ 3 | docker-compose.yml 4 | deploy.sh 5 | Gemfile* 6 | README.md 7 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | /resources 2 | /public 3 | .hugo_build.lock 4 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # OSCAL Website 2 | 3 | This subdirectory contains source code for the OSCAL website at https://pages.nist.gov/OSCAL. Below are instructions for building the site for local development if making any contributions to the documentation. 4 | 5 | The website is built using the [Hugo](https://gohugo.io/) static site generator and the [United States Web Design System](https://designsystem.digital.gov/) (USWDS). 
6 | 7 | ## Prerequisites 8 | 9 | If using Docker: 10 | 11 | - [Saxon-HE for Java](http://saxon.sourceforge.net/#F9.9HE) 12 | - [Docker 20.10+](https://docs.docker.com/install/) 13 | 14 | If not using Docker: 15 | 16 | - macOS, Linux or Windows Subsystem for Linux (WSL) (model doc build scripts don't support Windows natively at this time) 17 | - [Saxon-HE for Java](http://saxon.sourceforge.net/#F9.9HE) 18 | - [Hugo](https://gohugo.io/) 19 | 20 | ## Generating the model documentation 21 | 22 | Before you can build and serve the site using Hugo directly or Docker, you must generate the OSCAL model documentation using the provided shell scripts. This step assumes that you've already downloaded Saxon-HE for Java and that you've set the `$SAXON_HOME` environment variable in your shell to the directory in which you extracted Saxon-HE. 23 | 24 | From the root directory of the repository, execute the following command to generate the model documentation: 25 | 26 | ``` 27 | ./build/ci-cd/generate-model-documentation.sh 28 | ``` 29 | 30 | ## Using Hugo 31 | 32 | [Hugo](https://gohugo.io/) is a popular open source static site generator that is used to develop all of the content for the OSCAL website. It is a general-purpose framework that builds pages when the content is created or updated. 33 | 34 | Instructions for installing the Hugo CLI on your OS can be found [here](https://gohugo.io/getting-started/installing). 35 | 36 | The website's visual styling is also backed by the U.S. Web Design System (USWDS) via an open source Hugo theme at https://github.com/usnistgov/hugo-uswds. 37 | 38 | The USWDS framework is documented here: https://designsystem.digital.gov/. 39 | 40 | ### Building the site with LiveReload 41 | 42 | Hugo provides built-in LiveReload which watches for any changes to the source content and automatically reloads the site when changes are detected. 43 | 44 | 1. 
Pull the currently used USWDS Hugo theme revision to your locally cloned copy of the OSCAL repo by executing the following command from within the folder of the git repo 45 | 46 | ``` 47 | git submodule update --init 48 | ``` 49 | 50 | 2. Verify that Hugo is installed 51 | 52 | ``` 53 | hugo version 54 | ``` 55 | NOTE: The extended version of Hugo is required. The reported version should include the word "extended". 56 | 57 | 3. Navigate into the `docs/` directory 58 | 59 | ``` 60 | cd docs 61 | ``` 62 | 63 | 4. Start the Hugo server 64 | 65 | ``` 66 | hugo server -v --debug --minify 67 | ``` 68 | 69 | Alternatively, you may bind Hugo to a network adapter on your workstation using its assigned IP address; the development server, which has no access control, is then reachable by other hosts on that network 70 | 71 | ``` 72 | hugo server -v --debug --minify --bind [ipv4-address] -b http://[ipv4-address]:1313/OSCAL 73 | ``` 74 | 75 | 5. Open your browser and navigate to `http://localhost:1313/OSCAL` to view the locally built site. 76 | 77 | If you bound Hugo to an IP address, navigate to `http://[ipv4-address]:1313/OSCAL` either locally or with another device on the network. 78 | 79 | Whenever you make any changes to the content with the Hugo server running, you'll notice that the site automatically updates itself to reflect those changes. 80 | 81 | 82 | ## Developing with Docker 83 | 84 | The website can also be developed and built using the included Docker resources. 85 | 86 | Assuming you've [installed Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/) for your system, you can build and serve the site using Docker Compose as follows: 87 | 88 | ``` 89 | docker compose build 90 | docker compose up 91 | ``` 92 | 93 | Once the site is running, it can be accessed at http://localhost:1313/OSCAL. Whenever you make any changes to the content with the Hugo server running, you'll notice that the site automatically updates itself to reflect those changes.
94 | -------------------------------------------------------------------------------- /docs/assets/css/csx/baseline-matrix.css: -------------------------------------------------------------------------------- 1 | a { color: inherit; text-decoration: none } 2 | 3 | a:hover { text-decoration: underline } 4 | 5 | .family-item label { padding-left: 0.5em } 6 | 7 | input:not([disabled]):focus { outline: none } 8 | 9 | table.control-matrix th { font-weight: bold } -------------------------------------------------------------------------------- /docs/assets/css/csx/baseline-reviewer.css: -------------------------------------------------------------------------------- 1 | 2 | 3 | body * { margin: 0em } 4 | 5 | button { margin: 0.2em 0em; font-size: 75% } 6 | 7 | div#bxheader * { margin-top: 0.6em } 8 | #overview { font-size: 90%; max-width: 48em; padding-left: 2em } 9 | #overview summary { text-indent: -2em } 10 | 11 | a { color: inherit; text-decoration: none } 12 | a:hover { text-decoration: underline } 13 | 14 | details.group { margin-top: 1em; padding: 0.5em; border: thin solid black; background-color: gainsboro; padding-right: 6vw } 15 | 16 | .showing-selected div.control:not(.selected) { display: none } 17 | 18 | .deck div.control-group { display: flex; flex-wrap: wrap } 19 | /* .deck div.control-enhancements { display: flex; flex-wrap: wrap; gap: 0.2em; justify-content: space-evenly } */ 20 | 21 | .deck div.control { max-width: 15vw; margin-top: 0.5rem; margin-right: 0.5rem } 22 | .deck div.control div.control { margin-top: 0.2rem; margin-left: 0rem; overflow: none } 23 | 24 | .control-title { font-weight: normal } 25 | 26 | details:not(.deck) { max-width: 44rem } 27 | details:not(.deck) div { max-width: 44rem } 28 | details:not(.deck) .control .control .controlbx { padding-left: 2em } 29 | 30 | /* .overview { padding: 0.8em; background-color: #e8eaf6; border: thin solid black } 31 | .overview * { margin-top: 0.6em } 32 | .overview *:first-child { margin-top: 0em } 
*/ 33 | 34 | /* 35 | details:not(.deck) .control { max-width: 44rem; max-height: 1.6em; overflow: clip; transition: max-height 1s ease-out } 36 | details:not(.deck) .control:hover { max-height: 100vh; transition: max-height 0.5s ease-in } */ 37 | 38 | .control-title { display: none } 39 | .deck .controlbx h4:hover .control-title { display: block; z-index: 2; position: absolute; 40 | background-color: white; padding: 0.3em; border: medium outset black; margin-left: 0.5em } 41 | 42 | details.statement { display: none } 43 | details:not(.deck) details.statement { display: block } 44 | div.part.statement { margin-left: 4vw } 45 | 46 | .deck button.expander { display: none } 47 | 48 | .deck .part { display: none } 49 | div.item { margin-left: 1em } 50 | 51 | 52 | .insert { font-size: 90%; font-weight: bold } 53 | 54 | td { vertical-align: text-top } 55 | 56 | td p { margin: 0em; margin-top: 0.5em } 57 | 58 | td p:first-child { margin-top: 0em } 59 | 60 | 61 | code.ctrl { background-color: white; padding: 0.1em; display: inline-block; border: thin outset black } 62 | 63 | .controlbx { padding: 0.2em; border: thin dotted black; background-color: gainsboro; min-width: 5em } 64 | .controlbx .controlbx { padding: 0.2em; border: thin dotted black; min-width: 4em } 65 | .control.selected .controlbx { border: thin solid black; background-color: white } 66 | 67 | .control.withdrawn .controlbx { background-color: lightgrey } 68 | .control.selected .control:not(.selected) .controlbx { border: thin dotted black } 69 | .control.selected .control:not(.selected):not(.withdrawn) .controlbx { background-color: gainsboro } 70 | 71 | .control .control h4 { font-size: smaller } 72 | 73 | .enhancement-title { text-transform: uppercase } 74 | 75 | div.control:not(.selected) h4 { color: grey } 76 | 77 | details:not(.deck) .control .label { float: left; padding-right: 0.5em; line-height: 1.2rem; min-width: 4em } 78 | 79 | 80 | .control .control .control-listing { font-size: smaller } 81 | 
.withdrawn .title-text, .withdrawn .control-listing { text-decoration:line-through } 82 | 83 | -------------------------------------------------------------------------------- /docs/assets/css/csx/converters.css: -------------------------------------------------------------------------------- 1 | #converter-grid { display: grid; grid-template-columns: 1fr 1fr; grid-gap: 2vh } 2 | #converter-grid textarea { box-sizing: border-box; width: 100% } 3 | 4 | #resultbox h4:first-child { margin-top: 0em } 5 | 6 | .codedump { white-space: pre-wrap; border: thin solid black; padding: 0.5em } 7 | .inxml { background-color: aliceblue } 8 | .injson { background-color: mintcream } 9 | -------------------------------------------------------------------------------- /docs/assets/css/csx/csx-validator.css: -------------------------------------------------------------------------------- 1 | #overview { border: thin inset grey; padding: 0.5em; margin: 0em 0.5em } 2 | 3 | a { color: inherit; text-decoration: none } 4 | a:hover { text-decoration: underline } 5 | 6 | section.examination { display: grid; grid-template-columns: 1fr auto; grid-gap: 1em } 7 | 8 | section.notifications > section { margin-top: 1em; padding: 0.5em; border: thin dotted black } 9 | section.notifications > section > *:first-child { margin-top: 0em } 10 | 11 | section.map p { margin: 0em } 12 | section.map div div.element { margin-left: 1em; margin-top: 0.2em } 13 | section.map p.tag { display: inline-block; background-color: midnightblue; color: aliceblue; padding: 0.2em } 14 | section.map p.tag.ON { background-color: deepskyblue } 15 | p.tag span.flag { display: inline-block; background-color: aliceblue; color: black; padding: 0.1em; margin-left: 0.5em } 16 | 17 | .xml-source { border: thin solid black; padding: 0.5em; margin: 0.5em; } 18 | 19 | code { background-color: gainsboro; font-family: monospace; font-weight: bold } 20 | 21 | 22 | section.validation { border-top: thin solid black; margin-top: 1em } 23 | 
24 | 25 | div.report { display: grid; grid-template-columns: 1fr 2fr 1fr; 26 | background-color: aliceblue; border: thin solid black; padding: 0.4em; margin-top: 1em } 27 | div.report > * { margin: 0em; padding: 0.2em } 28 | div.report .title { grid-column: 1; font-weight: normal } 29 | div.report .msg { grid-column: 2 } 30 | div.report .path { grid-column: 3 } 31 | 32 | div.control-list { display: grid; grid-template-columns: auto auto } 33 | div.control-list > * { margin: 0em; padding: 0.2em } 34 | 35 | .msg { background-color: lightgreen; border: thin solid green } 36 | .problematic { background-color: pink; border: thin solid red } 37 | .remarkable { background-color: yellow; border: thin solid orange } 38 | .path { font-family: monospace; padding-left: 0.2em } 39 | 40 | .xpath { font-family: monospace; font-size: 95%; background-color: white } 41 | 42 | code.ctrl { background-color: white; padding: 0.1em; display: inline-block; border: thin outset black } 43 | 44 | .outline { display: flex; flex-flow: row; margin-top: 0em } 45 | .outline div { flex-grow: 0; margin: 0.1rem } 46 | .outline div:first-child { margin-top: 0rem } 47 | .outline div:last-child { margin-bottom: 0rem } 48 | 49 | .oll { font-size: 80%; background-color: gold; padding: 0.2em } 50 | 51 | .outline div.olt { border: thin solid cadetblue; background-color: ivory; 52 | padding: 0.1rem; font-size: 60%; font-family: "Open Sans", sans-serif } 53 | 54 | -------------------------------------------------------------------------------- /docs/assets/css/csx/import-examiner.css: -------------------------------------------------------------------------------- 1 | 2 | #overview { border: thin inset grey; padding: 0.5em; margin: 0em 0.5em } 3 | 4 | a { color: inherit; text-decoration: none } 5 | a:hover { text-decoration: underline } 6 | 7 | section.examination { display: grid; grid-template-columns: 1fr auto; grid-gap: 1em } 8 | 9 | section.notifications > section { margin-top: 1em; padding: 0.5em; 
border: thin dotted black } 10 | section.notifications > section > *:first-child { margin-top: 0em } 11 | 12 | section.map p { margin: 0em } 13 | section.map div div.element { margin-left: 1em; margin-top: 0.2em } 14 | section.map p.tag { display: inline-block; background-color: midnightblue; color: aliceblue; padding: 0.2em } 15 | section.map p.tag.ON { background-color: deepskyblue } 16 | p.tag span.flag { display: inline-block; background-color: aliceblue; color: black; padding: 0.1em; margin-left: 0.5em } 17 | 18 | h3 code { background-color: gainsboro } 19 | 20 | div.report { display: grid; grid-template-columns: 1fr 2fr 1fr; 21 | background-color: aliceblue; border: thin solid black; padding: 0.4em; margin-top: 1em } 22 | div.report > * { margin: 0em; padding: 0.2em } 23 | div.report .title { grid-column: 1; font-weight: normal } 24 | div.report .msg { grid-column: 2 } 25 | div.report .path { grid-column: 3 } 26 | 27 | div.control-list { display: grid; grid-template-columns: auto auto } 28 | div.control-list > * { margin: 0em; padding: 0.2em } 29 | 30 | 31 | .msg { background-color: lightgreen; border: thin solid green } 32 | .problematic { background-color: pink; border: thin solid red } 33 | .remarkable { background-color: yellow; border: thin solid orange } 34 | .path { font-family: monospace; padding-left: 0.2em } 35 | 36 | code.ctrl { background-color: white; padding: 0.1em; display: inline-block; border: thin outset black } 37 | 38 | -------------------------------------------------------------------------------- /docs/assets/css/csx/nist-emulation.css: -------------------------------------------------------------------------------- 1 | html, body { font-family: Calibri, Arial, sans-serif } 2 | 3 | code { font-family: Consolas, monospace } 4 | 5 | #bxbody { margin-top: 1em; padding-top: 1em; border-top: medium solid black } 6 | 7 | 8 | #bxfooter { margin-top: 1em; border-top: thin solid black } 9 | 10 | table.control-matrix { border-collapse: collapse; 
11 | border-bottom: 1.4em solid #1f497d } 12 | 13 | table.control-matrix td, 14 | table.control-matrix th { border: thin solid black; padding: 0.2em 0.6em } 15 | 16 | table.control-matrix th { background-color: #b8cce4 } /* dark dusky blue*/ 17 | 18 | table.control-matrix td { background-color: #dbe5f1 } /* lighter dusky blue */ 19 | 20 | tr.control-matrix-header > * { text-transform: uppercase } 21 | tr.control-matrix-header > th.controlno { font-size: 80% } 22 | 23 | #directory { columns: auto 2 } 24 | #directory div { break-inside: avoid } 25 | 26 | #directory input[type='checkbox'] + label { color: grey } 27 | #directory input[type='checkbox']:checked + label { color: black } 28 | 29 | #file-roster { display: grid; grid-auto-columns: max-content; 30 | grid-auto-rows: auto; grid-auto-flow: column; 31 | grid-gap: 0.5em; margin-bottom: 1em 32 | } 33 | 34 | .filelisting { margin-top: 0.8em; padding: 0.2em; border: thin outset gainsboro; background-color: oldlace; } 35 | 36 | .filelisting * { margin: 0em } 37 | 38 | span.profilecode { text-transform: uppercase; font-size: 80%; 39 | font-weight: normal; padding: 0.2em; background-color: #b8cce4 } 40 | 41 | .withdrawn { color: grey } 42 | 43 | .withdrawnnotice { font-size: 90% } 44 | 45 | .import { color: darkgrey } 46 | .importing { color: forestgreen; font-weight: bold } 47 | .ineligible { color: darkred; font-style: italic } 48 | 49 | .family { margin-top: 1em } 50 | 51 | .family .h2.title { text-transform: uppercase; font-size: 140%; font-weight: bold } 52 | 53 | .family > * { margin-bottom: 1em } 54 | 55 | .control .title { font-weight: bold } 56 | .enhancement .title { font-size: 80%; font-weight: normal; text-transform: uppercase } 57 | 58 | .control .label { font-weight: bold } 59 | 60 | .occur { text-align: center; max-width: 4em } 61 | 62 | 63 | #bxbody input:not([disabled]):focus { outline: none } 64 | #bxbody button:not([disabled]):focus { outline: none } 65 | #bxbody select:not([disabled]):focus { 
outline: none } 66 | #bxbody textarea:not([disabled]):focus { outline: none } 67 | 68 | /* for baseline-reviewer */ 69 | details.group table td, details.group table th { border: none; padding: 0em } 70 | 71 | -------------------------------------------------------------------------------- /docs/assets/scss/hugo-uswds-custom.scss: -------------------------------------------------------------------------------- 1 | 2 | .nist-footer { 3 | font-family: inherit; 4 | } 5 | 6 | @media print { 7 | .nist-header { 8 | display: none; 9 | } 10 | 11 | .nist-footer { 12 | display: none; 13 | } 14 | } 15 | 16 | .usa-nav__secondary-links { 17 | @include at-media($theme-header-min-width) { 18 | float: inherit; 19 | } 20 | } 21 | 22 | .usa-site-alert--info .usa-alert:before { 23 | -webkit-mask: url(https://pages.nist.gov/oscal-tools/img/usa-icons/info.svg) no-repeat center 24 | } 25 | 26 | .usa-alert--info:before { 27 | -webkit-mask: url(https://pages.nist.gov/oscal-tools/img/usa-icons/info.svg) no-repeat center 28 | } 29 | 30 | .usa-banner__button { 31 | @include at-media("tablet") { 32 | &:after { 33 | -webkit-mask: url(https://pages.nist.gov/oscal-tools/img/usa-icons/expand_more.svg) no-repeat center 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /docs/config.yaml: -------------------------------------------------------------------------------- 1 | title: "OSCAL Tools" 2 | baseURL: https://pages.nist.gov/oscal-tools 3 | relativeURLs: true 4 | canonifyURLs: true 5 | defaultContentLanguage: en 6 | disableAliases: false 7 | languages: 8 | en: 9 | lang: en 10 | languageName: English 11 | weight: 1 12 | MetaDataFormat: "yaml" 13 | theme: "uswds" 14 | googleAnalytics: UA-66610693-1 15 | enableGitInfo: true 16 | pygmentsCodeFences: true 17 | pygmentsCodefencesGuessSyntax: true 18 | pygmentsUseClasses: true 19 | markup: 20 | goldmark: 21 | extensions: 22 | typographer: false 23 | parser: 24 | autoHeadingID: true 25 | # 
autoHeadingIDType: blackfriday 26 | renderer: 27 | unsafe: true 28 | highlight: 29 | guessSyntax: true 30 | params: 31 | header: 32 | project_shortname: "OSCAL Tools" 33 | project_name: "OSCAL: the Open Security Controls Assessment Language - Tools" 34 | page_repo_path: https://github.com/usnistgov/oscal-tools/tree/main/docs/content 35 | searchAffiliate: oscal 36 | sidenav: 37 | # debug: true 38 | 39 | menu: 40 | primary: 41 | - name: "OSCAL" 42 | url: "https://pages.nist.gov/OSCAL" 43 | weight: 99 44 | secondary: 45 | - name: Github 46 | url: https://github.com/usnistgov/oscal-tools 47 | weight: 90 48 | module: 49 | mounts: 50 | # - source: content 51 | # target: content 52 | - source: static 53 | target: static 54 | # - source: ../xml 55 | # target: static/artifacts/xml 56 | # - source: ../json 57 | # target: static/artifacts/json 58 | # - source: ../content 59 | # target: static/artifacts/content 60 | # - source: layouts 61 | # target: layouts 62 | # - source: data 63 | # target: data 64 | # - source: assets 65 | # target: assets 66 | # - source: i18n 67 | # target: i18n 68 | - source: archetypes 69 | target: archetypes 70 | -------------------------------------------------------------------------------- /docs/content/README.md: -------------------------------------------------------------------------------- 1 | # OSCAL Examples 2 | 3 | All OSCAL content examples have been moved to the [OSCAL content GitHub repository](https://github.com/usnistgov/oscal-content). 
4 | -------------------------------------------------------------------------------- /docs/content/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Tools" 3 | usabanner: true 4 | --- 5 | {{% usa-hero image="/wrench-splashscreen.png" calloutAltText="OSCAL Tools" calloutText="Take Control" buttonURL="/about/" buttonText="Learn More" %}} 6 | Software for the Open Security Controls Assessment Language (OSCAL) 7 | 8 | Demonstrations, project documentation and links from the NIST (ITL/CSD) OSCAL Team 9 | 10 | {{% /usa-hero %}} 11 | 12 | {{% usa-tagline caption="Tools supporting OSCAL processing." %}} 13 | NIST, in collaboration with industry, is developing the [Open Security Controls Assessment Language (OSCAL)](http://pages.nist.gov/OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines and overlays, system security plans, and assessment plans and results. 14 | 15 | This site documents and presents some of the OSCAL tooling developed by NIST project members and released for public use, testing and emulation. Source code for projects and demonstrations described here is maintained (and can be examined, cloned or copied) in the [public Github repository](https://github.com/usnistgov/oscal-tools "Github repo"). 16 | 17 | For more tools produced by OSCAL community members including independent developers, vendors, and user groups, see the [OSCAL Tools](https://pages.nist.gov/OSCAL/tools/ "OSCAL Tools") listing on the main OSCAL site. 
18 | {{% /usa-tagline %}} 19 | 20 | {{}} 21 | -------------------------------------------------------------------------------- /docs/content/adjustable-wrench.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/adjustable-wrench.jpg -------------------------------------------------------------------------------- /docs/content/automated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/automated.png -------------------------------------------------------------------------------- /docs/content/automation-hero.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/automation-hero.png -------------------------------------------------------------------------------- /docs/content/dataCentric.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/dataCentric.png -------------------------------------------------------------------------------- /docs/content/demos/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: OSCAL Demonstrations 3 | description: Assorted demonstrations and proofs of concept for OSCAL applications 4 | menu: 5 | primary: 6 | name: Demos 7 | weight: 15 8 | toc: 9 | enabled: true 10 | usabanner: true 11 | --- 12 | 13 | Some of the software available in the repository is also capable of demonstration in your browser, as served by this site. 
14 | -------------------------------------------------------------------------------- /docs/content/demos/csx/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE 7 | 2021-06-08T13:57:34.707994-04:00 8 | Final 9 | 1.0.0 10 | 11 | Document Creator 12 | 13 | 14 | Contact 15 | 16 | 17 | Joint Task Force, Transformation Initiative 18 | sec-cert@nist.gov 19 |
20 | National Institute of Standards and Technology 21 | Attn: Computer Security Division 22 | Information Technology Laboratory 23 | 100 Bureau Drive (Mail Stop 8930) 24 | Gaithersburg 25 | MD 26 | 20899-8930 27 |
28 |
29 | 30 | 11f1de66-89ba-499d-903e-56418e95af9d 31 | 32 | 33 | 11f1de66-89ba-499d-903e-56418e95af9d 34 | 35 |
36 | 37 | 38 | ac-1 39 | ac-3.14 40 | at-1 41 | at-2 42 | at-3 43 | at-3.5 44 | at-4 45 | au-1 46 | au-2 47 | au-3.3 48 | au-11 49 | ca-1 50 | ca-2 51 | ca-5 52 | ca-6 53 | ca-7 54 | ca-7.4 55 | cm-1 56 | cm-4 57 | ir-1 58 | ir-2 59 | ir-2.3 60 | ir-3 61 | ir-4 62 | ir-5 63 | ir-6 64 | ir-7 65 | ir-8 66 | ir-8.1 67 | mp-1 68 | mp-6 69 | pe-8.3 70 | pl-1 71 | pl-2 72 | pl-4 73 | pl-4.1 74 | pl-8 75 | pl-9 76 | pm-3 77 | pm-4 78 | pm-5.1 79 | pm-6 80 | pm-7 81 | pm-8 82 | pm-9 83 | pm-10 84 | pm-11 85 | pm-13 86 | pm-14 87 | pm-17 88 | pm-18 89 | pm-19 90 | pm-20 91 | pm-20.1 92 | pm-21 93 | pm-22 94 | pm-24 95 | pm-25 96 | pm-26 97 | pm-27 98 | pm-28 99 | pm-31 100 | ps-6 101 | pt-1 102 | pt-2 103 | pt-3 104 | pt-4 105 | pt-5 106 | pt-5.2 107 | pt-6 108 | pt-6.1 109 | pt-6.2 110 | pt-7 111 | pt-7.1 112 | pt-7.2 113 | pt-8 114 | ra-1 115 | ra-3 116 | ra-7 117 | ra-8 118 | sa-1 119 | sa-2 120 | sa-3 121 | sa-4 122 | sa-8.33 123 | sa-9 124 | sa-11 125 | sc-7.24 126 | si-1 127 | si-12 128 | si-12.1 129 | si-12.2 130 | si-12.3 131 | si-18 132 | si-18.4 133 | si-19 134 | 135 | 136 | 137 | true 138 | 139 |
140 | -------------------------------------------------------------------------------- /docs/content/demos/csx/baseline-matrix/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Baseline Matrix: An SP800-53B Emulator" 3 | usabanner: true 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/baseline-matrix.css" 7 | --- 8 | 9 | {{< rawhtml >}} 10 | 11 | 38 |
39 |

SP-800-53 Baseline Control Matrix

40 |

Load your OSCAL profile XML file(s) here ...

44 |
45 |
46 | 47 |
48 |
49 | 50 |
51 |
52 | 53 |
54 |
55 |

SP-800-53 Baseline Control Matrix is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

56 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

57 |
58 | {{< /rawhtml >}} 59 | -------------------------------------------------------------------------------- /docs/content/demos/csx/baseline-reviewer/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Baseline Reviewer 3 | description: An OSCAL analysis tool 4 | usabanner: true 5 | custom_css: 6 | - "css/csx/nist-emulation.css" 7 | - "css/csx/baseline-reviewer.css" 8 | --- 9 | 10 | 11 | {{< rawhtml >}} 12 | 13 | 14 | 43 |
44 |

OSCAL Baseline Reviewer

45 |

Surveying SP800-53 controls as modified by your OSCAL profile

46 |
47 | Explanation 48 |

The Control Reviewer is an enhanced OSCAL catalog viewer designed to present 49 | the selections and adjustments made to the SP 800-53 control catalog by a baseline (described as an OSCAL profile), either as 50 | selected, or as loaded by the user. (Currently it only shows control selection, not control alterations or parameter settings; those are next.)

51 |

It can also be used plain, as a simple browser for the SP 800-53 control catalog.

52 |

Note: this analysis does not examine the documents actually linked (imported) by your profile. Instead, it examines every import directive as if the SP 800-53 Rev 5 catalog were its intended source. For reference and comparison, please see the SP 800-53 Rev 5 catalog (copy) in this repository.

53 |

Limitations / tbd:

54 |
    55 |
  • Does not validate profiles - GIGO applies
  • 56 |
  • Conformance with OSCAL profile spec is work-in-progress as the spec evolves
  • 57 |
  • The (entire) SP800-53 control catalog is assumed for any and all imports. In other words, this viewer is safe to use only with 58 | profiles that call only the SP 800-53 catalog (no other or subordinate catalogs), and only once. In fact this application does not offer a view of a profile (yours or any) but of this catalog, using a profile as a point of reference for filtering.
  • 59 |
  • Supports import-control/with-id only, not import-control/matches. (Let us know if you need this or any of these features.)
  • 60 |
  • Similarly does not yet support import-control/@with-child-controls so control enhancements must be included explicitly.
  • 61 |
62 |
63 |
64 | 65 |
66 |
67 | 68 |
69 |
70 |

The SP 800-53 Baseline Reviewer is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

71 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

72 |
73 | 74 | {{< /rawhtml >}} 75 | 76 | -------------------------------------------------------------------------------- /docs/content/demos/csx/format-converter/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Catalog Converters 3 | usabanner: true 4 | description: Making your OSCAL XML Catalog into JSON or your OSCAL JSON Catalog into XML 5 | --- 6 | 7 | These rely on the public XSLTs released on the OSCAL web site, packaged and compiled to run in your browser. 8 | 9 | As described in the Metaschema repository, OSCAL formats (in XML, JSON and YAML) can be defined as alternative serializations from a unified data model, described and constrained by an abstract, declarative set of definitions. Given sufficient formal rigor, this set of definitions can be used as a "backbone" for production of a number of different processing artifacts and productions, including not only documentation and faithful renderings in the form of operationally-ready schema languages (XSD or JSON Schema, for example) -- but also converter scripts. 10 | 11 | In these pages, the converter scripts in XSLT generated from the OSCAL Catalog Metaschema are harnessed to provide for conversion of your OSCAL catalog dynamically, in the browser. 
12 | 13 | -------------------------------------------------------------------------------- /docs/content/demos/csx/format-converter/converters.css: -------------------------------------------------------------------------------- 1 | #converter-grid { display: grid; grid-template-columns: 1fr 1fr; grid-gap: 2vh } 2 | #converter-grid textarea { box-sizing: border-box; width: 100% } 3 | 4 | #resultbox h4:first-child { margin-top: 0em } 5 | 6 | .codedump { white-space: pre-wrap; border: thin solid black; padding: 0.5em } 7 | .inxml { background-color: aliceblue } 8 | .injson { background-color: mintcream } 9 | -------------------------------------------------------------------------------- /docs/content/demos/csx/format-converter/fromJSON/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Catalog JSON-to-XML Converter" 3 | usabanner: true 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/converters.css" 7 | --- 8 | 9 | {{< rawhtml >}} 10 | 11 | 45 | 46 |
47 |

OSCAL Catalog XML|JSON Format Converter - JSON

48 |

Converting your OSCAL JSON catalog into OSCAL XML

49 |

(Coming soon - not just catalogs but other OSCAL models as well)

50 |
51 | Explanation 52 |

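Warning: input given to the converter that is not valid OSCAL may be silently discarded, without notice. Whether this happens depends on the nature of the issue - some nearly valid OSCAL will still come through intact. Compare the converted result against your source before relying on it.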

53 |

Use with caution accordingly.

54 |
55 |
56 |
57 |
58 |
59 | 62 |

Load or paste your OSCAL catalog JSON ... and good luck!

63 | 64 |
65 | 66 |
67 | 68 |
69 |
70 |
71 |

The SP 800-53 Catalog XML|JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

72 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load or paste here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

73 |
74 | 75 | {{< /rawhtml >}} 76 | 77 | -------------------------------------------------------------------------------- /docs/content/demos/csx/format-converter/fromXML/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Catalog XML-to-JSON Converter" 3 | usabanner: true 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/converters.css" 7 | --- 8 | 9 | {{< rawhtml >}} 10 | 11 | 12 | 47 |
48 |

OSCAL Catalog XML|JSON Format Converter - XML

49 |

Converting your OSCAL XML catalog into OSCAL JSON

50 |

(Coming soon - not just catalogs but other OSCAL models as well)

51 | 52 |
53 | Explanation 54 |

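Warning: input given to the converter that is not valid OSCAL may be silently discarded, without notice. Whether this happens depends on the nature of the issue - some nearly valid OSCAL will still come through intact. Compare the converted result against your source before relying on it.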

55 |

Use with caution accordingly.

56 |
57 |
58 |
59 |
60 |
61 | 64 |

Load or paste your OSCAL catalog XML ... and good luck!

65 | 66 |
67 |
68 | 69 |
70 |
71 |
72 |
73 |

The SP 800-53 Catalog XML to JSON Format Converter is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

74 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load or paste here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

75 |
76 | 77 | {{< /rawhtml >}} 78 | 79 | 80 | -------------------------------------------------------------------------------- /docs/content/demos/csx/import-examiner/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Profile Import Examiner 3 | usabanner: true 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/import-examiner.css" 7 | --- 8 | 9 | {{< rawhtml >}} 10 | 11 | 12 | 42 |
43 |

OSCAL Import Examiner

44 |

Checking your OSCAL profile with reference to the NIST SP 800-53 (revision 5) control catalog

45 |

(Coming soon - not just profiles but other OSCAL models as well)

46 |

Load your OSCAL profile XML file(s) here for instant analysis of its control catalog imports (in your browser)...

50 |
51 | Explanation 52 |

The Import Examiner reads an arbitrary XML document and reports back:

53 |
    54 |
  • If it is (not) a profile XML document in the OSCAL namespace (i.e., represented to be an OSCAL profile)
  • 55 |
  • For an OSCAL profile, we examine its imports. We are interested in two things: 56 |
      57 |
    • Does the import make reference to a file whose name indicates SP800-53 in some form?
    • 58 |
    • How do its controls appear in reference to SP800-53 or to other control selections including baselines made from it?
    • 59 |
    60 |
  • 61 |
  • Included is support for checking your control selections against four sources: the (full) SP 800-53 control catalog; and three 62 | control sets derived from it, i.e. the NIST HIGH, MODERATE and LOW control baselines.
  • 63 |
  • In later versions we plan support of testing imports in other OSCAL documents as well as testing constraints over OSCAL data in general, with respect to their imports.
  • 64 |
65 |

Note: this analysis does not examine the documents actually linked (imported) by your profile. Instead, it examines every import directive as if the SP 800-53 Rev 5 catalog (or other selected baseline) were its intended source, one that can therefore be supplied by a known and trusted proxy document. For reference and comparison, please see the SP 800-53 Rev 5 catalog (copy) in this repository. (It then proceeds, in part, to test this premise.)

66 |

Using this analysis you can quickly and easily determine whether your OSCAL profile, considered as a baseline or overlay of Rev 5 or of its overlays (such as the NIST or FedRAMP HIGH, MODERATE or LOW baselines), will resolve correctly into a control selection for an OSCAL processor according to OSCAL profile semantics.

67 |

Provided with further back end infrastructure (in the form of appropriate file sets, metadata, and match criteria between import statements and upstream catalogs), this tool can offer the same analysis against arbitrary catalogs. NIST SP 800-53 and its baselines are selected for this demonstration for their ubiquity and ready availability in OSCAL.

68 |

A subsequent version of this tool could provide similar import-based analysis of other OSCAL document types including System Security Plans (SSPs) and POA&Ms (Plans of Action and Milestones).

69 |

Limitations / tbd:

70 |
    71 |
  • Supports import-control/with-id only, not import-control/matches
  • 72 |
  • Does not support import-control/@with-child-controls
  • 73 |
74 |
75 |
76 |
77 | 78 |
79 |
80 |

The SP 800-53 Import Examiner is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

81 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

82 |
83 | 84 | {{< /rawhtml >}} 85 | 86 | -------------------------------------------------------------------------------- /docs/content/demos/csx/lib/Saxon-JS-2.2/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Version 1.0, June 2020 2 | 3 | Software: This license applies to the packages "xslt3" and "saxon-js" 4 | distributed via npm (https://www.npmjs.com) and to the modules SaxonJS2.js 5 | and SaxonJS2.rt.js available for download from the Saxonica web site 6 | (https://www.saxonica.com/). 7 | 8 | Copyright: The copyright in the Software belongs to Saxonica Ltd, except 9 | for third-party components listed in the documentation that are distributed 10 | under license. 11 | 12 | Binary form: In this license, "binary form" means the form in which the 13 | Software is issued (this is technically a set of obfuscated Javascript files). 14 | 15 | Deployment and use. The Software may be copied to any computer where the 16 | primary purpose is the execution of the software on that computer, or on 17 | connected client computers. 18 | 19 | Redistribution. Redistribution in binary form, without 20 | modification, is permitted as part of an application that makes use 21 | of the Software, provided that the following conditions are 22 | met: 23 | 24 | 1) Redistributions must reproduce the above copyright notice and the 25 | following disclaimer in the documentation and/or other materials 26 | provided with the distribution. 27 | 28 | 2) Except to the extent explicitly permitted by law, no reverse 29 | engineering, decompilation, or disassembly of this software is 30 | permitted. 31 | 32 | 3) Neither the name of the copyright holder nor the names of its 33 | contributors may be used to endorse or promote products derived from 34 | this software without specific prior written permission. 
35 | 36 | 4) Copying the software to a site whose primary purpose is to make 37 | it available to third parties is not permitted without specific 38 | prior written permission. 39 | 40 | If you institute patent litigation against any entity (including a 41 | cross-claim or counterclaim in a lawsuit) alleging that the software 42 | itself infringes your patent(s), then your rights granted under this 43 | license shall terminate as of the date such litigation is filed. 44 | 45 | DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND 46 | CONTRIBUTORS "AS IS." ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT 47 | NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 48 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 49 | HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 50 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 51 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 52 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 53 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 54 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 55 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
56 | -------------------------------------------------------------------------------- /docs/content/demos/csx/oscal-examples.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/demos/csx/oscal-examples.zip -------------------------------------------------------------------------------- /docs/content/demos/csx/validator/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Schema Validation Emulator" 3 | usabanner: true 4 | custom_css: 5 | - "css/csx/nist-emulation.css" 6 | - "css/csx/csx-validator.css" 7 | --- 8 | 9 | {{< rawhtml >}} 10 | 11 | 31 |
32 |

OSCAL Catalog Validator

33 |

Checking your XML document against rules defined by the OSCAL Catalog Metaschema

34 |
NB - work in progress - features and testing still to come -
35 |

(Coming soon - not just catalogs but other OSCAL models as well)

36 |
37 | 38 |
39 |
40 |

Load your OSCAL XML catalog file(s) here for instant validation...

44 |
45 | 46 |
47 | Explanation 48 |

The OSCAL Validator reads an arbitrary XML document and reports back findings from an inspection relative to rules 49 | defined for the OSCAL catalog (meta)schema:

50 |
    51 |
  • If it is (not) a catalog XML document in the OSCAL namespace (i.e., 52 | represented to be an OSCAL catalog)
  • 53 |
  • If it sees unknown element occurrences (foreign or out of place)
  • 54 |
  • On recognized elements, it reports: 55 |
    1. Unrecognized attributes
    2. 56 |
    3. Required elements and attributes (checking for elements missing)
    4. 57 |
    5. Cardinality (of elements appearing) - too many or too few
    6. 58 |
    7. Order of elements - impermissible element ordering
    8. 59 |
    9. Datatype-based lexical (castable as) constraints, also tested on attributes
    10. 60 |
    11. To come... further metaschema-based constraints (allowed-values etc.)
  • 61 |
62 |

Effectively, this feature set is intended to match that of the normative XML Schema Definition (XSD)-based expression of the constraints defining the (XML) OSCAL catalog format. If you find any disparity between this tool and a compliant application of the OSCAL catalog XSD, please let the developer know.

63 |
64 |
65 |

The SP 800-53 Catalog Validator is an OSCAL demonstration. Use with appropriate caution. Source code is available for inspection or analysis.

66 |

Data processing on this page runs entirely in your browser, under SaxonJS. The data you load here is not transferred to any other party, nor is it monitored or analyzed in any way other than what is displayed.

67 |
68 | 69 | {{< /rawhtml >}} 70 | -------------------------------------------------------------------------------- /docs/content/extensible.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/extensible.png -------------------------------------------------------------------------------- /docs/content/integrated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/integrated.png -------------------------------------------------------------------------------- /docs/content/oscal-tools-hero.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | OSCAL TOOLS 5 | 6 | 7 | 9 | 10 | <control> 12 | <control> 14 | <control> 16 | 17 | 18 | -------------------------------------------------------------------------------- /docs/content/projects/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Projects" 3 | heading: "Projects" 4 | menu: 5 | primary: 6 | name: Projects 7 | weight: 10 8 | toc: 9 | enabled: true 10 | usabanner: true 11 | --- 12 | 13 | The tools published on this site have been developed for the most part in the context of research and development projects with specific goals. 
14 | 15 | See each project for more information regarding: 16 | 17 | - Project dates and status 18 | - Project goals and outcomes 19 | - Software architecture 20 | - Technical dependencies 21 | - Technical contracts 22 | - Inputs and outputs 23 | - functional requirements 24 | - use cases 25 | 26 | -------------------------------------------------------------------------------- /docs/content/projects/oscal-deep-diff.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "OSCAL Deep Diff" 3 | description: "OSCAL Deep Diff - compares OSCAL artifacts programmatically and consistently" 4 | heading: "OSCAL Deep Diff" 5 | toc: 6 | enabled: true 7 | usabanner: true 8 | --- 9 | 10 | OSCAL Deep Diff is an open-source command line application and library that can produce schema-agnostic comparisons of OSCAL JSON artifacts. 11 | 12 | OSCAL Deep Diff was built with the following considerations: 13 | 14 | - Document comparisons can vary wildly in intention and desired output, so reliance on an input schema is undesirable. The same tool should be able to compare any OSCAL JSON artifacts based on a customized set of comparisons. 15 | - The comparison must be configurable in order to constrain the output document to meet the user's needs. For example, a consumer comparing revisions of a control catalog may not care about capitalization differences in control names between two documents, but a catalog author may care about such differences. 16 | - Human-readable output formats such as Excel workbooks are appropriate for sharing, but are not appropriate for automated decision making such as a CI/CD system. A document comparison output format should be configurable to match the use case. 17 | - The tool must be portable and extendable so that it can be integrated into other tools, such as web applications. 18 | 19 | ## How do I use OSCAL Deep Diff? 20 | 21 | OSCAL Deep Diff is currently designed as a standalone, command line tool. 
For details on how to install and use OSCAL Deep Diff, see the project page [on GitHub](https://github.com/usnistgov/oscal-deep-diff). 22 | 23 | OSCAL Deep Diff can also be used as a standalone library for integration into Javascript/Typescript applications. For details, see the [example OSCAL Deep Diff web application](https://github.com/usnistgov/oscal-deep-diff/tree/master/examples/odd-example-frontend). 24 | 25 | ## How do I request support, report bugs, or file features? 26 | 27 | The developers of OSCAL Deep Diff will provide support on a best effort basis to the general community. Please identify any defects or feature requests [by opening a issue](https://github.com/usnistgov/oscal-deep-diff/issues/new) on GitHub. 28 | 29 | If you are interested in contributing to OSCAL Deep Diff, see the [contributing document](https://github.com/usnistgov/oscal-deep-diff/blob/master/CONTRIBUTING.md). 30 | -------------------------------------------------------------------------------- /docs/content/projects/xslt.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "XSLT Stylesheets" 3 | description: "XSLT 3.0 stylesheets for display (web and PDF)" 4 | heading: "XSLT for OSCAL Formatting" 5 | toc: 6 | enabled: true 7 | usabanner: true 8 | --- 9 | 10 | [XSLT](https://www.w3.org/TR/xslt-30/) is the Extensible Stylesheet Language, defined by the [World-Wide Web Consortium](https://www.w3.org/) and now in version 3.0. 
11 | 12 | Applications offered from this repository include: 13 | 14 | - Rendering OSCAL catalogs in HTML and PDF 15 | - These include both generic (any OSCAL) and "NIST emulation" (tuned to SP800-53-series) stylesheets 16 | - Tested in open source tools 17 | - Suitable for adaptation and extension 18 | - "Refreshing" and generating "fresh" OSCAL documents (updating timestamps and/or UUIDs) 19 | - Miscellaneous utilities 20 | 21 | See the [directory in the repository](https://github.com/usnistgov/oscal-tools/tree/master/xslt) for current details. 22 | 23 | Users and organizations interested in helping to develop and refine this offering are invited to create [Issues in the repository](https://github.com/usnistgov/oscal-tools/issues) with ideas, needs, and feedback. 24 | -------------------------------------------------------------------------------- /docs/content/wrench-icon.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | OSCAL Tools wrench icon 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 19 | 20 | 22 | 23 | 24 | 25 | 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /docs/content/wrench-splashscreen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/content/wrench-splashscreen.png -------------------------------------------------------------------------------- /docs/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.7" 2 | 3 | services: 4 | docs: 5 | extends: 6 | file: ../build/docker-compose.yml 7 | service: cli 8 | ports: 9 | - "1313:1313" 10 | volumes: 11 | - "./:/docs" 12 | entrypoint: /docs/run-server.sh 13 | -------------------------------------------------------------------------------- /docs/layouts/_default/devlunch.html: 
-------------------------------------------------------------------------------- 1 | {{ define "main" }} 2 | {{ with .Params.usabanner }}{{ partialCached "components/banner.html" . }}{{ end }} 3 | {{ partialCached "components/header-basic.html" . }} 4 |
5 |
6 |
7 | {{ $firstSection := .Page.FirstSection.Pages }} 8 | 9 | {{- $gridMainWidescreenSize := 12 -}} 10 | {{- $gridMainDesktopSize := 12 -}} 11 | 12 | {{/* includeTopLevel is used to determine if the top-level section should appear 13 | in the side navigation */}} 14 | {{ $includeTopLevel := true }} 15 | {{ with .Site.Params.sidenav }} 16 | {{ if isset . "includetoplevel" }} 17 | {{ $includeTopLevel = .includetoplevel }} 18 | {{ end }} 19 | {{ end }} 20 | {{ if and .Page.FirstSection (or ($includeTopLevel) (gt (len .Page.FirstSection.Pages) 0)) }} 21 | 24 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 3 -}} 25 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 26 | {{ end -}} 27 | {{- $tocEnabled := false -}} 28 | {{- with .Page.Params.toc -}} 29 | {{- if isset . "enabled" -}} 30 | {{- $tocEnabled = .enabled -}} 31 | {{- end -}} 32 | {{- end -}} 33 | {{ if $tocEnabled }} 34 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 2 -}} 35 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 36 | {{ end -}} 37 |
38 |
39 |
40 | {{ if isset .Params "heading" }}

{{ .Params.heading }}

{{else}}

{{ .Title }}

{{ end }} 41 |
42 | {{ .Content }} 43 |
44 | {{ if gt (len .Pages) 0 }} 45 |

Meeting Archive

46 | {{ range .Pages.GroupByDate "2006" }} 47 |

{{ .Key }}

48 | {{ range .Pages.ByDate.Reverse }} 49 |
50 |
51 |

{{ .Date.Format "Jan 2, 2006" }}

52 |
53 | {{ .Summary }} 54 | 57 |
58 |
59 | {{ end }} 60 | {{ end }} 61 | {{ end }} 62 |
63 | {{ if $tocEnabled }} 64 | 67 | {{ end -}} 68 |
69 |
70 |
71 | {{ end }} 72 | -------------------------------------------------------------------------------- /docs/layouts/_default/reference-index.html: -------------------------------------------------------------------------------- 1 | {{ define "main" }} 2 | {{ with .Params.usabanner }}{{ partialCached "components/banner.html" . }}{{ end }} 3 | {{ partialCached "components/header-basic.html" . }} 4 |
5 |
6 |
7 | {{ $firstSection := .Page.FirstSection.Pages }} 8 | 9 | {{- $gridMainWidescreenSize := 12 -}} 10 | {{- $gridMainDesktopSize := 12 -}} 11 | 12 | {{/* includeTopLevel is used to determine if the top-level section should appear 13 | in the side navigation */}} 14 | {{ $includeTopLevel := true }} 15 | {{ with .Site.Params.sidenav }} 16 | {{ if isset . "includetoplevel" }} 17 | {{ $includeTopLevel = .includetoplevel }} 18 | {{ end }} 19 | {{ end }} 20 | {{ if and .Page.FirstSection (or ($includeTopLevel) (gt (len .Page.FirstSection.Pages) 0)) }} 21 | 24 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 3 -}} 25 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 26 | {{ end -}} 27 | {{- $tocEnabled := false -}} 28 | {{- with .Page.Params.toc -}} 29 | {{- if isset . "enabled" -}} 30 | {{- $tocEnabled = .enabled -}} 31 | {{- end -}} 32 | {{- end -}} 33 | {{ if $tocEnabled }} 34 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 2 -}} 35 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 36 | {{ end -}} 37 |
38 |
39 |
40 | {{ if isset .Params "heading" }}

{{ .Params.heading }}

{{else}}

{{ .Title }}

{{ end }} 41 |
42 | {{ .Content }} 43 | {{ if gt (len .Pages) 0 }} 44 |

This reference provides format documentation for the following OSCAL releases.

45 |
    46 | {{ range .Pages }} 47 | {{ if not (.Params.suppressintopiclist | default false) }} 48 |
  • {{.Summary}}
  • 49 | {{ end }} 50 | {{ end }} 51 |
52 | {{ end }} 53 |
54 |
55 | {{ if $tocEnabled }} 56 | 59 | {{ end -}} 60 |
61 |
62 |
63 | {{ end }} -------------------------------------------------------------------------------- /docs/layouts/_default/reference-release.html: -------------------------------------------------------------------------------- 1 | {{ define "main" }} 2 | {{ with .Params.usabanner }}{{ partialCached "components/banner.html" . }}{{ end }} 3 | {{ partialCached "components/header-basic.html" . }} 4 |
5 |
6 |
7 | {{ $firstSection := .Page.FirstSection.Pages }} 8 | 9 | {{- $gridMainWidescreenSize := 12 -}} 10 | {{- $gridMainDesktopSize := 12 -}} 11 | 12 | {{/* includeTopLevel is used to determine if the top-level section should appear 13 | in the side navigation */}} 14 | {{ $includeTopLevel := true }} 15 | {{ with .Site.Params.sidenav }} 16 | {{ if isset . "includetoplevel" }} 17 | {{ $includeTopLevel = .includetoplevel }} 18 | {{ end }} 19 | {{ end }} 20 | {{ if and .Page.FirstSection (or ($includeTopLevel) (gt (len .Page.FirstSection.Pages) 0)) }} 21 | 24 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 3 -}} 25 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 26 | {{ end -}} 27 | {{- $tocEnabled := false -}} 28 | {{- with .Page.Params.toc -}} 29 | {{- if isset . "enabled" -}} 30 | {{- $tocEnabled = .enabled -}} 31 | {{- end -}} 32 | {{- end -}} 33 | {{ if $tocEnabled }} 34 | {{- $gridMainWidescreenSize = sub $gridMainWidescreenSize 2 -}} 35 | {{- $gridMainDesktopSize = sub $gridMainDesktopSize 2 -}} 36 | {{ end -}} 37 |
38 |
39 |
40 | {{ if isset .Params "heading" }}

{{ .Params.heading }}

{{else}}

{{ .Title }}

{{ end }} 41 |
42 |

Release Version {{ if eq .Params.oscal.version "develop" }}Latest Development Snapshot{{ else }}OSCAL v{{ .Params.oscal.version }}{{ end }}

43 |

Github usnistgov/OSCAL {{ if eq .Params.oscal.type "tag" }}Tag{{ else }}Branch{{end}} {{ .Params.oscal.branch }}

44 | {{ .Content }} 45 | {{ if gt (len .Pages) 0 }} 46 |

The following documentation is provided for this release.

47 |
    48 | {{- range .Pages -}} 49 |
  • {{.Summary}}
  • 50 | {{ end }} 51 |
52 | {{ end }} 53 |
54 |
55 | {{ if $tocEnabled }} 56 | 59 | {{ end -}} 60 |
61 |
62 |
63 | {{ end }} -------------------------------------------------------------------------------- /docs/layouts/html.html: -------------------------------------------------------------------------------- 1 | {{ define "main" }} 2 | 3 | {{ $pages := resources.Match "collections/collection1/*.md" }} 4 | 5 | {{ printf "%#v" $pages }} 6 | 7 | {{ .Content | safeHTML }}asd 8 | 9 | {{ end }} 10 | -------------------------------------------------------------------------------- /docs/layouts/partials/components/banner.html: -------------------------------------------------------------------------------- 1 | Skip to main content 2 |
3 |
4 |

This website and its code are not currently under active development: read more details here.

5 |
6 | 7 |
8 |
9 |
10 |
11 |
12 | U.S. flag 13 |
14 |
15 |

An official website of the United States government

16 | 17 |
18 | 22 |
23 |
24 |
25 |
26 |
27 | Dot gov 28 |
29 |

30 | The .gov means it’s official. 31 |
32 | Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site. 33 |

34 |
35 |
36 |
37 | Https 38 |
39 |

40 | The site is secure. 41 |
42 | The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely. 43 |

44 |
45 |
46 |
47 |
48 |
49 |
50 | -------------------------------------------------------------------------------- /docs/layouts/partials/foot.html: -------------------------------------------------------------------------------- 1 | {{ if not .Site.IsServer }} 2 | 3 | 9 | {{ end }} 10 | 11 | {{ $generateAnchors := true }} 12 | {{- if isset .Page.Params "generateanchors" -}} 13 | {{ $generateAnchors = .Page.Params.generateanchors }} 14 | {{- end -}} 15 | {{ if $generateAnchors -}} 16 | 17 | 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /docs/layouts/partials/head.html: -------------------------------------------------------------------------------- 1 | 3 | 4 | 6 | 25 | 26 | {{ if not .Site.IsServer }} 27 | 28 | 29 | 30 | {{ end }} 31 | -------------------------------------------------------------------------------- /docs/layouts/partials/note-to-developers-uuid.html: -------------------------------------------------------------------------------- 1 |
2 |

Important Note to Developers

3 | 4 |

Every time the content of an OSCAL file changes, the following must also change:

5 |
    6 |
  • A new UUID value must be generated and assigned to the root element's uuid.
  • 7 |
  • The last-modified field in metadata must be set to the date and time at which the file is saved with the modified content.
  • 8 |
9 | 10 |

These are two mechanisms by which tools can quickly "know" if a file has changed since it was last encountered. This document-level UUID is the only UUID in OSCAL associated with version control.

11 | 12 |

When converting between formats, such as XML to JSON, these values should remain the same. This enables tools to know the content within the two formats is equivalent.

13 | -------------------------------------------------------------------------------- /docs/layouts/shortcodes/partial.html: -------------------------------------------------------------------------------- 1 | {{ partial (.Get 0) (.Get 1) }} 2 | -------------------------------------------------------------------------------- /docs/layouts/shortcodes/partialCached.html: -------------------------------------------------------------------------------- 1 | {{ partialCached (.Get 0) (.Get 1) }} 2 | -------------------------------------------------------------------------------- /docs/layouts/shortcodes/rawhtml.html: -------------------------------------------------------------------------------- 1 | 2 | {{.Inner}} -------------------------------------------------------------------------------- /docs/layouts/shortcodes/todo.html: -------------------------------------------------------------------------------- 1 | {{ if .Inner }}{{ end }} 2 | -------------------------------------------------------------------------------- /docs/run-server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /oscal/build/ci-cd/generate-specification-documentation.sh 4 | cd /docs 5 | hugo server --enableGitInfo=false -v --debug --minify --bind 0.0.0.0 # NOTE(review): --bind 0.0.0.0 makes the Hugo development server listen on every interface; docs/docker-compose.yml uses this script as its entrypoint and publishes "1313:1313", so for a local-only preview confirm the host mapping is limited to loopback (e.g. "127.0.0.1:1313:1313"). -------------------------------------------------------------------------------- /docs/static/img/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/static/img/favicon-32x32.png -------------------------------------------------------------------------------- /docs/static/img/oscal-gears-icon-140.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/static/img/oscal-gears-icon-140.png 
-------------------------------------------------------------------------------- /docs/static/img/oscal-gears-icon-32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/static/img/oscal-gears-icon-32.png -------------------------------------------------------------------------------- /docs/static/img/oscal-page-icon-180.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/oscal-tools/3bce753b76b5e200777697021a77f8dee42b2300/docs/static/img/oscal-page-icon-180.png -------------------------------------------------------------------------------- /docs/static/img/wrench-icon.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | OSCAL Tools wrench icon 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 23 | 24 | 25 | 26 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /xslt/readme.md: -------------------------------------------------------------------------------- 1 | # OSCAL XSLT tooling has MOVED 2 | 3 | See the NIST repository here: https://github.com/usnistgov/oscal-xslt 4 | 5 | Paths to resources in that repository correspond to paths to resources once kept here. 6 | 7 | ----- --------------------------------------------------------------------------------