Add high-level API actions for POA&Ms, SAPs, and SARs #63
Conversation
Also update `$ref` for poam, sap, and sar paths
|
This is a good start! Just make sure to look over your changes in the |
nuttercd
force-pushed
the
feature/add-poams-saps-sars
branch
from
30c9f08 to
849cb0d
Compare
openapi.yaml
Outdated
| - name: OSCAL System Assessment Plan | ||
| externalDocs: | ||
| description: Find out more | ||
| url: https://pages.nist.gov/OSCAL/concepts/layer/assessment/assessment-plan/ | ||
| - name: OSCAL System Assessment Result |
There was a problem hiding this comment.
So I know this will take a little bit to change, but should we drop the "System"?
https://github.com/EasyDynamics/OSCAL/tree/main/json/schema https://pages.nist.gov/OSCAL/reference/latest/complete/json-outline/
The files are just named Assessment Plan & Assessment Result. So I wonder if it is needed? That or we should change the name to Security Assessment ...
@kylelaker & @brian-easyd what do you think?
There was a problem hiding this comment.
I'd prefer that align with the NIST terminology here; and drop the first word. "Assessment Plan" and "Assessment Results" to match the documentation and schema.
There was a problem hiding this comment.
And when people casually refer to the meaning of SAP and SAR, it is a Security Assessment Plan and Security Assessment Result(s) in my neck of the woods. Do people actually call it System Assessment Plan in your experience?
Fun fact, and I agree with Dave Waltermire on this: we call them AP and AR and don't mention the S because, in 800-53 land, they can be security assessments, privacy assessments, or other. They aren't strictly always security assessments, and labeling them that way prejudices right from the start.
Also, hi, super excited to see this PR and the discussion here. :-)
There was a problem hiding this comment.
@aj-stein-nist Thanks! I think "System Assessment Plan" was some copying from "System Security Plan" and maybe a misunderstanding of it :D One thing we have noticed is that the specification does include Security but we can open an issue upstream to discuss that if it'd be useful.
I definitely like the idea of not including the "S" to cover the fact it can be for more than one thing!
There was a problem hiding this comment.
@kylelaker @aj-stein-nist - In FedRAMP parlance (and most Agency implementations of FISMA) they are:
- Security Assessment Plan (SAP); and
- Security Assessment Report (SAR) [NOTE: Not "result", but "report".]
"System" is not typically used.
That said, Dave and I debated the AP, AR name and he made the very valid point that while these are the correct terms for government use, OSCAL is more than just for the Federal government. He asserted that "Assessment Plan" and "Assessment Result" were more friendly to all frameworks.
openapi.yaml
Outdated
| description: ID of plan of action and milestone to replace. | ||
| required: true | ||
| schema: | ||
| type: string | ||
| requestBody: | ||
| description: Plan of action and milestone object to be replaced. |
There was a problem hiding this comment.
| description: ID of plan of action and milestone to replace. | |
| required: true | |
| schema: | |
| type: string | |
| requestBody: | |
| description: Plan of action and milestone object to be replaced. | |
| description: ID of plan of action and milestone to replace | |
| required: true | |
| schema: | |
| type: string | |
| requestBody: | |
| description: Plan of action and milestone object to be replaced |
For consistency purposes, we should delete any periods in the descriptions. There are a couple other places where this occurs
There was a problem hiding this comment.
I believe prior descriptions had periods in them. Should we keep or remove periods in descriptions?
There was a problem hiding this comment.
Probably best to remove those too, even though they aren't part of this issue.
openapi.yaml
Outdated
| write:aps: modify assessment plans in your account | ||
| read:aps: read your assessment plans parties | ||
| write:ars: modify assessment results in your account | ||
| read:ars: read your assessment results in your account |
There was a problem hiding this comment.
Here and elsewhere, I'd personally prefer to see us use assessmentPlan, assessment-plan, assessmentResults, or assessment-results as appropriate. More like Component Definitions than SSPs and POA&Ms.
Thoughts?
There was a problem hiding this comment.
I like the use of assessmentPlan as it will match componentDefinitions
openapi.yaml
Outdated
| write:assessmentPlan: modify assessment plans in your account | ||
| read:assessmentPlan: read your assessment plans |
There was a problem hiding this comment.
| write:assessmentPlan: modify assessment plans in your account | |
| read:assessmentPlan: read your assessment plans | |
| write:assessmentPlans: modify assessment plans in your account | |
| read:assessmentPlans: read your assessment plans |
Fix here and wherever else it's used
Also removes periods
openapi.yaml
Outdated
| get: | ||
| tags: | ||
| - OSCAL Plan of Action and Milestone | ||
| summary: Returns all OSCAL plan of action and milestones |
There was a problem hiding this comment.
I feel like Plans of action and milestones sounds better as the plural here.
| summary: Returns all OSCAL plan of action and milestones | |
| summary: Returns all OSCAL plans of action and milestones |
openapi.yaml
Outdated
| post: | ||
| tags: | ||
| - OSCAL Plan of Action and Milestone | ||
| summary: Adds a new OSCAL plan of action and milestone |
There was a problem hiding this comment.
Should milestone always be plural? That is how it appears on the spec . At the very least, we should be consistent on this.
| summary: Adds a new OSCAL plan of action and milestone | |
| summary: Adds a new OSCAL plan of action and milestones |
|
@kylelaker Looking over everything again, things look good to me. I wanted to give you a chance to look over at things before I dismissed your old review. |
tuckerzp
dismissed
their stale review
There is some inconsistency with periods that we should address.
openapi.yaml
Outdated
| description: | | ||
| Removes the given catalog from the given profile. | ||
| Removes the given catalog from the given profile | ||
|
|
||
| This should also result in references under other parts of the schema being removed. | ||
| This should also result in references under other parts of the schema being removed |
There was a problem hiding this comment.
I do not think that every description needs to have periods removed.
laurelmay
dismissed
their stale review
I will review this again after remaining comments are addressed.
…/oscal-rest into feature/add-poams-saps-sars
This will close #56