Auto-translation of NIST controls to Controls Markdown Language for human editing and maintenance #1921
Comments
rafael5
changed the title
rafael5
changed the title
rafael5
changed the title
|
@rafael5 can you elaborate on this a bit? what advantages would such a language provide over YAML? are you referring to a superset of Markdown? And by "controls in the GitHub repository" are you referring to the OSCAL-formatted 800-53 catalog example? |
|
I'd like to link this back over to #216 (comment) because my concerns are the same. |
Does that help? |
|
Thanks @rafael5. Indeed this helps to clarify. I also forgot about @trevor-vaughan’s comments from a while back re. his similar ask. Would love to hear from @wendellpiez on this as well. I’m certainly not against this and see the value in having such a language. We’d have to keep in mind that this would add a bit of extra overhead for tool vendors in that they’ll now have to implement a parser for such a markdown language. I also imagine that the language would have to provide some sort of abstraction over the breadth of options provided by the underlying OSCAL data models. On the other hand, one has to ask to what extent folks are going to be hand-writing OSCAL, regardless of the existence of such a markdown language. At the end of the day, the actual compilation of the data which becomes OSCAL’ized is where folks will likely spend cycles. So whatever can be done to make that process easier (via tools, UIs, markdown languages, etc) I think is super important. |
|
@rafael5 would also like to see some prototypes of what you have in mind so we have something a bit more tangible to look at. |
|
We have considered producing a YAML-based version of the OSCAL models. This would be another output format of our metaschema-based production process. We could use this to autogenerate documentation and conversion scripts to and from OSCAL YAML from the XML and JSON formats in a similar way to how we autogenerate the XML and JSON schema, related documentation, and XML <> JSON conversions scripts. |
|
@david-waltermire-nist would a basic OSCAL YAML to markdown script suffice here? Or is a 2-way conversion needed. |
|
@guyzyl - you might want to see the IBM work here: https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/... The description reads: "In summary, the catalog tools allow conversion of a Catalog to markdown for editing - and back again to a Catalog. The profile tools similarly convert a Profile's resolved profile catalog to markdown and allow conversion to a new Profile with modified additions that get applied in resolving the profile catalog. Finally, the ssp tools allow the addition of implementation prose to a resolved profile catalog, then combine that prose with the Catalog into an OSCAL System Security Plan." |
|
Perhaps a legacy documentation system such as https://www.gnu.org/software/groff/manual/groff.html#groff-Capabilities would suffice instead of implementing another Markup/Markdown language. The use of macros allow embedded formatting commands as primitive markup and provides many capabilities you have outlined. |
|
Per discussion with the team today during backlog review, I am moving this to the appropriate repository per our guidance, oscal-xslt. |
|
@aj-stein-nist I am not sure why you feel this is an oscal-xslt issue? It entails a design that is specifically scoped without an XSLT dependency. |
|
Per discussion in Element, I can move it back. |
|
... main reason being (I concur) even if this is only a tracker for now, it is best not buried altogether, mainly b/c good ideas will often come back around. FTR, I think this idea is awesome, it just needs more specification, design/development, perhaps proof-of-concept. However, the idea of what amounts to a custom bespoke grammar for OSCAL is pretty open ended and could go in many directions - to say nothing of how it should be validated, interfaced it with (canonical, metaschema-based XML- or object-notation) OSCAL. etc. |
|
@wendellpiez and @aj-stein-nist - Isn't this issue addressed, in principle (because I did not test it), by the IBM Compliance Trestle -> Authoring module? ~ The key modes of authoring are -generate and -assemble. During -generate a JSON document is converted to markdown format, allowing authors to add or edit prose and parameter values. After editing, the markdown can then be -assembled into the same or a new JSON document that captures the edit changes. |
|
I agree that it is a possible idea, but since originally reported in 2019, no recommendation for a draft specification or tool agnostic way has come up. Given that compliance-trestle has implemented their own way of doing this and not requested it be adopted by other tools, I am going to close this for now. If anyone has ideas of how to move forward with it, they can always comment or request to reopen it. |
|
👍 Indeed, Compliance Trestle may well have taken this approach: it's the kind of good idea that keeps coming back. |
User Story:
As an OSCAL {stakeholder}, I ... want to be able to read and edit the controls in human readable form on the Github respository using a Controls Markdown Language.
This is Controls Markdown Language would be similar to (and preferably compatible with ) the OpenControls YAML representation, but represent the OSCAL model. This would allow all controls to be easily readable and maintainable by humans with only simple text editor.
Goals:
Maintain all the controls in the Github repository using human-readable Controls Markdown Language. This markdown format must be interchangeable (by automated scripts) to the current OSCAL XML and JSON, but in human-readable and editable form.
Dependencies:
Acceptance Criteria
The Controls Markdown Language needs to pass
The text was updated successfully, but these errors were encountered: