OSCAL Import Examiner: An OSCAL analysis tool

OSCAL Import Examiner

Checking your OSCAL profile with reference to the NIST SP 800-53 (revision 5) control catalog

(Coming soon - not just profiles but other OSCAL models as well)

Load your OSCAL profile XML file(s) here for instant analysis of its control catalog imports (in your browser)...

Explanation

The Import Examiner reads an arbitrary XML document and reports back:

If it is (not) a profile XML document in the OSCAL namespace (i.e., represented to be an OSCAL profile)
For an OSCAL profile, we examine its imports. We are interested in two things:
- Does the import make reference to a file whose name indicates SP800-53 in some form?
- How do its controls appear in reference to SP800-53 or to other control selections including baselines made from it?
Included is support for checking your control selections against four sources: the (full) SP 800-53 control catalog; and three control sets derived from it, i.e. the NIST HIGH, MODERATE and LOW control baselines.
In later versions we plan support of testing imports in other OSCAL documents as well as testing constraints over OSCAL data in general, with respect to their imports.

Note: this analysis does not examine the documents actually linked (imported) by your profile. Instead, it examines every import directive as if the SP800-653 Rev 5 catalog (or other selected baseline) were its intended source, and as such can be provided by a known and trusted proxy (document). For reference and comparison, please see the SP 800-53 Rev 5 catalog (copy) in this repository. (It then proceeds, in part, to test this premise.)

Using this analysis you can quickly and easily determine whether your OSCAL profile, considered as a baseline or overlay of Rev 5 or of its overlays (such as the NIST or FedRAMP HIGH, MODERATE or LOW baselines), will resolve correctly into a control selection for an OSCAL processor according to OSCAL profile semantics.

Provided with further back end infrastructure (in the form of appropriate file sets, metadata, and match criteria between import statements and upstream catalogs), this tool can offer the same analysis against arbitrary catalogs. NIST SP 800-53 and its baselines are selected for this demonstration for their ubiquity and ready availability in OSCAL.

A subsequent version of this tool could provide similar import-based analysis of other OSCAL document types including System Security Plans (SSPs) and POA&Ms (Plans of Action and Milestones).

Limitations / tbd:

Supports import-control/with-id only, not import-control/matches
Does not support import-control/@with-child-controls