Summary

The latest OSCAL 1.1.2 is a patch release.

What's Changed

• Catalog constraints added in oscal_catalog_metaschema.xml - see issue #1949 OSCAL#1952 into develop.
• Remove with-parent-controls from implementation OSCAL#1843 into develop.
• Bump actions/setup-java from 3 to 4 OSCAL#1963 into develop.
• CI Automation enhancements

Full Changelog: v1.1.1...v1.1.2

Appendix

Detailed Commit Log

git log v1.1.1..v1.1.2 --pretty=oneline --abbrev-commit

e36c374e0 Remove with-parent-controls from implementation (#1843)
7c47f2303 Bump actions/setup-java from 3 to 4 (#1963)
6df1a6b34 Updated version in the release a patch guidance (#1964)
09435aaa3 Catalog constraints added in oscal_catalog_metaschema.xml - see issue #1949  (#1952)
f4785f28a Flatten codeowners (#1962)
77caaeee5 Add tutorials system lifecycle ADR (#1959)
d1706a0dd Bump build/metaschema-xslt from `bd4359a` to `7d9fbfa` (#1955)
3b6edd9c6 Bump actions/checkout from 4.1.0 to 4.1.1 (#1950)
3dc4f6220 Bump org.apache.maven.plugins:maven-dependency-plugin in /build (#1953)
36e2f67e0 Bump actions/setup-node from 3.8.1 to 4.0.0 (#1954)
a3978d6d1 Bump actions/github-script from 6.4.1 to 7.0.1 (#1961)
cf852454e [skip ci] Update status, date before merge. Clarify content is still backwards compatible.
02ba255bb [skip ci] Add missing link to oscal-content per review feedback.
c048d293e [skip ci] Add ADR-0008 for usnistgov/oscal-content#116.
b8633b538 Implementation Agnostic Testing (#1946)
0294ee8d7 Integrate PR feedback and merge updated enum value.
441f6e528 Added hybrid cloud
8cac71b7f Make schema paths react to directory restructuring
5b7cf8e2e Bug fix for selected children of unselected parent
f9415874e Fix expected content of resolving merge-keep_profile.xml
ef2a78933 Bump build/metaschema-xslt from `034e92b` to `bd4359a`
5d17717be Bump actions/checkout from 4.0.0 to 4.1.0
4ff2c922c Updated link for profile resolution
6787fced7 Bump actions/checkout from 3.6.0 to 4.0.0
95f2e89f1 Add transferred issue status
65bc5ea7a Update automation to centralized triage board
90679e6c2 Ignore xmllint man docs on man page mirror for #1926.
f159b2894 Add transferred issue status
52d81d6ee Update automation to centralized triage board
6d7efe0a1 Ignore xmllint man docs on man page mirror for #1926.

Summary

OSCAL 1.1.1 is a patch release with minor model improvements, documentation, and artifact release changes that are backwards compatible.

Changes: Key Take-aways

Models

1. Allow non-FISMA/RMF use cases for SSP information type impact levels.
2. Remove obsolete model documentation for biblio elements in back-matter/resources.

Profile Resolution and Process Specs

1. Change spec for more practical definition of metadata/last-modified.

Other

1. Update schema validation links in OSCAL model definitions.
2. Generate OSCAL model definitions with and without external XML entities (XXEs).

Details

1. ac6397d68 Produce Metaschemas without XXEs (#1665) (#1901)
2. 563ecb305 Adjusted language for metadata:last-modified (#1900)
3. e78291b87 Bump build/metaschema-xslt from ac4bd7e to 10f72aa (#1886)
4. bb454ed44 Adjusted information-type/*-impact constraints (#1888)
5. 1680e13ff Corrects references identified in #1883 (#1884)

Appendix

Detailed Commit Log

Note for NIST developers: the output below is from executing the following command against the release branch (main) on a developer workstation: git log origin/main..origin/develop --pretty=oneline --abbrev-commit.

1. 8bc3c0045 Bump build/metaschema-xslt from 10f72aa to 034e92b (#1902)
2. ac6397d68 Produce Metaschemas without XXEs (#1665) (#1901)
3. 563ecb305 Adjusted language for metadata:last-modified (#1900)
4. 5b187b26b Bump actions/checkout from 3.5.3 to 3.6.0 (#1903)
5. 53cbe3d00 Bump org.apache.maven.plugins:maven-dependency-plugin in /build (#1878)
6. e78291b87 Bump build/metaschema-xslt from ac4bd7e to 10f72aa (#1886)
7. 01a985003 Add --quiet to the resolver test mvn download (#1898)
8. 54f25db65 Bump actions/setup-node from 3.7.0 to 3.8.1 (#1894)
9. bb454ed44 Adjusted information-type/*-impact constraints (#1888)
10. 1680e13ff Corrects references identified in #1883 (#1884)
11. e5b6e790b Bump markdown-link-check from 3.10.2 to 3.11.2 in /build (#1864)
12. 948e88ad0 Bump actions/checkout from 3.3.0 to 3.5.3 (#1863)
13. 2a908809d Bump actions/setup-node from 3.6.0 to 3.7.0 (#1854)

Summary

1.1.0 will be a minor release with important backwards-compatible enhances and bug-fixes around SSP, POA&M, profile, and cross-model metadata. Many of these feature enhancements have been pending release for over 12 months with neutral or positive community support.

Key takeaways and full details are below.

Changes: Key Takeaways

Models

1. SSP: Change certain elements from required to optional for non-RMF use cases.
2. SSP: improve constraints of links for cross-referencing components and indicating where components were imported from.
3. POAM: add related-findings assembly.
4. Profile: Remove with-parent-controls from the profile model.
5. Metadata: add group attribute to props
6. Metadata: add resource fragment to links (very useful for deep-linking into elements by UUID and point to sub-element UUID)
7. Metadata: add actions assembly to track approvals or request for changes status.
8. Metadata: correct how cross-references between controls and their parts are handled.
9. ⚠️ Mapping: re previous discussion, mapping, by itself or within catalog, has been moved out of the v1.1.0 release.

Profile Resolution and Process Specs

1. Aligning with model, remove with-parent-controls feature from Profile Resolution spec and unit tests.

Other

1. Website updates to reference model docs to improve performance.
2. ⚠️ We are going to include the website migration as part of the release (because of how GitHub works).

Details

Below is a list of every change that will be promoted from develop to a 1.1.0 release branch. The changes to models, docs, and code can be reviewed. All dependency changes from Dependabot and auto-committed website changes are excluded.

1. defe67ee0 Mapping model relocation 1/2: delete from develop (#1850)
2. 2d502f9b1 Added changes for #1798 (#1842)
3. bc7efd38b 1797 allow local definition of asset type prop values (#1821)
4. e5d24f910 Remove with-parent-controls developmental feature (#1819)
5. be98b429c Removed default-mode to avoid apply-template loop when the stylesheet is applied to a document. (#1804)
6. 7f5bf8051 Validating the current SP 800-53 catalog in oscal-content results in a missing key violation. This fixes that. (#1808)
7. 7e43b9a92 Only build and test with container on upstream (#1817)
8. 10c5efbb9 Add missing $ in Linux build setup steps (#1779)
9. 97dcbc1ac Update Style for Generating Reference Model Anchors at Build Time (#1789)
10. ff951bd00 Feature profile resolution unittesting a (#1770)
11. d43713a59 Specify classpath for Saxon under XSpec for #1743. (#1744)
12. 574def6d0 Remove optional leveraged-authorization prop on implemented req. (#1729)
13. e1861c198 Add the with-parent-controls for #1662. (#1717)
14. adfae0828 Fix CSS for choice elements in outline docs (#1687)
15. d54cf495c Profile resolution how-to readmes (#1666)
16. 59ef15d23 Compatibility with Saxon 10 and 11 (#1685)
17. b267c6a0f Require (Warn) port start and end when protocol is specified. (#1674)
18. fb8a0833c Fix Docker container build for local dev and debugging (#1598)
19. 95461753e Fix rel path from XSLT transform source issue, fix #1603. (#1604)
20. d92a3b0cd Fixed improper use of allowed-values/allow-other. Ensured that all props in the OSCAL namespace are properly closed and all link rels are open for extension. (#1579)
21. 49ba917ad Fixed syntax errors in metapaths (#1574)
22. 48a24583a Adds a constraint and index of by-component objects to support provided-by relation in links #1022 (#1452)
23. 0889a5a0c Added resource-fragment flag to link. (#1527)
24. 30fae9d13 Add possible Schematron documentation checks (#1501)
25. 9a1583e25 reduced the amount of 'OSCAL' references in data type documentation. (#1531)
26. 354fe57ea Add profile checks with Schematron for usnistgov/oscal-content#128. (#1513)
27. a332ff061 Fix broken uri-use page links in updated reference docs of develop branch (#1518)
28. f3371cc35 POAM related finding support, fixes #1120 (#1478)
29. 9e5793701 Support additional control-origination props #784 (#1460)
30. 61e19ef6f Updated data type documentation adding a note about why NCName was deprecated. Fixes #1105 (#1480)
31. d5b66f6b0 Test modify phase, plus minor XSLT enhancements (#1321)
32. 988817c4b Updates to OSCAL Metaschema documentation and constraints (#1263)
33. e5fa65f2b Implement opr:oscal-version and v:compare functions. (#1420)
34. 22f423e7a Add actions assembly to encode an action (i.e. approval) and its role, party, and approval date. (#1052) (#1429)
35. 46e21da20 Added JSON value key for relationship type. This missing value key was discovered as part of #1458. (#1462)
36. 0ed533b5e Update metaschema submodule for #1454. (#1455)
37. e93f12bb0 Fixed errors in profile resolution top-level tests based on content errors.
38. bc7b89206 imported-from relations for #1023. (#1403)
39. b43142a80 Create <define-assembly name="impact"> (fix #1129) (#1171)
40. d3e475abc Adding link to whitelist
41. b8d5eccac More broken link fixes.
42. 6fb55e948 Fixed broken links.
43. 63b6e8688 Fixing broken links
44. b4f048501 Add assessment-assets assembly to local-definitions assembly in POAM model. #1291 (#1417)
45. 6c80f4f9a Updates mapping model documentation to fix a copy and paste error. (#1409)
46. 3a75b0f0c Add grouping construct to props for #1064. (#1412)
47. 4ef21bbd6 Added legacy Withdrawn status with deprecation entry (#1419)
48. b972ec3f9 Profile alter model adjustments (#1418)
49. 1f01b5be2 Add remarks field to Profile model modify.alter (add/remove). #1018 (#1404)
50. 3ca36fbae Follow keep instruction for back-matter resources (#1378)
51. 76ff697a6 Test finish phase, plus minor XSLT enhancements and fixes (#1377)
52. dfb56e077 Profile Resolution spec: updated names of 'remove' directives (#1381)
53. 0dcc24319 Clarify how to determine target catalog oscal-version (#1386)
54. dc6a9b5d5 Profile Resolution Spec clarification: validation of imported catalogs and profiles (#1380)
55. 35798154f Update metaschema-docs
56. 6a7375b6c Fixes to correct metaschema validation errors.
57. feec035ef Update metaschema
58. d145dfe47 Support for control mapping (#1150)
59. ef28023d2 Test merge phase, plus minor XSLT enhancements (#1207)
60. e88369d80 Profile resolver: Metadata tests and way of determining top UUID (#1175)
61. 48af7dcb3 Iterate over sequence of characters, not positions (#1163)
62. [9c0e21a](https://gith...

What's Changed

• Complete pre-release in 1.0.5 and correct datatype regex for #1703 by @aj-stein-nist in #1736
• Add updated Metaschema 0.9.0 release in #1820 to fix bugs introduced in the 1.0.5 pre-release, reported, and fixed by community contributors @kylelaker and @Telos-sa in #1773 and #1774.
• Adjustments to align with Metaschema schema bug fixes by @david-waltermire-nist in #1805

Full Changelog: v1.0.5...v1.0.6

What's Changed

• Datatype regex fixes for #1703 by @aj-stein-nist in #1736

Full Changelog: v1.0.4...v1.0.5

Note: This patch release fixes a defect in the JSON schemas released with OSCAL 1.0.3. Please use this release instead of the 1.0.3 release.

What's Changed

• #1256 Removed duplicated text in identifier use webpage. (PR #1257) @Rene2mt
• #1260 Updated data type documentation and schema constraints to address regex issues in JSON schemas (PR #1265) @david-waltermire-nist, @wendellpiez
• Removed references to specific OSCAL releases inREADME.md (PR #1261) @guyzyl
• Added OSCAL-deep-diff content to tools page (PR #1248) @nikitawootten-nist
• Simplifed release Management in OSCAL Github repo and website (PR #1264) @david-waltermire-nist

New Contributors

• @nikitawootten-nist made their first contribution in #1248

Notable Changes

This release corrects defects in the JSON schemas released with OSCAL 1.0.3. The previously released schemas did not contain the correct regular expressions required to properly constrain data based on the specific data type for a given field. As a result, under the old schemas some data might be allowed to be provided that is invalid. The new JSON schemas in this release correct this defect by restoring the proper regular expressions.

Full Changelog: v1.0.3...v1.0.4

Note: This release contains defective JSON schemas that are missing required regular expressions. This has been corrected in the OSCAL 1.0.4 release. Please use the 1.0.4 release instead of this release.

What's Changed

• #737, #1208 Updated link checker for generate website workflow and improve workflows. (PR #1231) @aj-stein-nist
• #1062 Clarifying system security plan cross-references (PR #1167) @Rene2mt, @aj-stein-nist, @david-waltermire-nist
• #1127, #1186 Updated to latest Metaschema toolchain (PR #1161) @wendellpiez, @david-waltermire-nist, @aj-stein-nist
  • Properly encode high-order Unicode characters in schemas (PR usnistgov/metaschema#183)
  • usnistgov/metaschema#181 Rolled back token datatype to avoid problematic character references
  • usnistgov/metaschema#182 Fixed double-escaped RegEx patterns in output JSON schema causing issues with some RegEx flavors. @wendellpiez
  • usnistgov/metaschema#188 Added support for durations. @wendellpiez, @david-waltermire-nist
  • Adjusted data types in generated XML and JSON schemas. @wendellpiez, @david-waltermire-nist
  • Corrected pruning of unused definitions during XML and JSON schema generation. (PR usnistgov/metaschema#199) @wendellpiez, @aj-stein-nist, @david-waltermire-nist
• #1193 Grammar fixes to assessment-common metaschema only. (PR #1224) @guyzyl
• #1194 Clarified the semantics of implemented-requirement in a component definition as only a suggestion of how to implement. (PR #1232) @david-waltermire-nist
• #1198 Replaced master with main in the git-cheat-sheet.md file' (#1200) @iMichaela
• #1206 Clarified use of set-parameter and how to determine the effective value. (PR #1234) @david-waltermire-nist
• #1209, #1212 Added Issue Triage automation to project. (PR #1210) @aj-stein-nist
• #1211 Clarified use of profile and catalog in import-profile/@href. (PR #1227) @david-waltermire-nist
• #1216 Ensured GitHub Actions Installs Python Dependencies Like Local Docker Environment. (PR usnistgov/oscal-content#103)
• #1220 Corrected metadata/location/address/country regex (PR #1226) @david-waltermire-nist
• Bump minimist from 1.2.5 to 1.2.6 in /build (PR #1195) @dependabot
• Changed GitHub links to point to main branch instead of master branch. (PR #1225) @guyzyl
• Normalized enumerated namespace values to use http prefix consistently (PR #1233) @david-waltermire-nist
  • Normalized enumerated namespace values to use http prefix consistently; created deprecation entries where needed.
  • Updated examples to be consistent with namespace values.
  • Added deprecation entries for old values.
• Fixed typo in the word "separately" (PR #1235) @galtm
• Boolean handling workaround for workflow_call vs workflow_dispatch bug. (PR #1236) @aj-stein-nist
• Improved actions workflow and steps for package release automation. (PR #1240) @aj-stein-nist, @david-waltermire-nist
• Removed unneeded Ruby dependencies. @david-waltermire-nist
• Reordered tools listing alphabetically. @david-waltermire-nist
• Add Ignyte to tools page. (PR ##1197) @caseykulasa

Notable Changes

To fix a number of data type related issues, the underlying type system used in the generated OSCAL XML and JSON schemas was replaced. This change resulted in different names for simple and complex types for data types in XML schemas and some adjustments in data type definitions in JSON schemas. This may cause some issues with schema binding approaches that generate code from the XML or JSON schemas. In such instances, you may need to further customize your binding configurations or make some code adjustments resulting from differently generated code.

Full Changelog: v1.0.2...v1.0.3

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.2. This patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.2 model reference.

What's Changed

The following changes were made in this patch release.

• #1035 Upgrade Saxon version used in CI/CD to 10.6 (#PR 1187) @david-waltermire-nist
• #1093 Parameterize insertion of xsi:schemaLocation attribute in the content upgrader XSLTs; this feature is disabled by default (#1162) @aj-stein-nist, @wendellpiez
  • Parameterized insertion of xsi:schemaLocation in RC2->1.0.0 content upgrader.
  • Created README for content upgraders, document schema-location param.
  • Added pointer from README.txt to content-upgrade docs, per @david-waltermire-nist's sync meeting review.
• #1121 Added embeded diagram of CI/CD workflow. (PR #1165) @aj-stein-nist
• #1130 Changed remarks fields from define-field to ref. (PR #1138) @guyzyl
• #1137 Replace define-assembly for include-all with assembly ref (PR #1144) @guyzyl, @david-waltermire-nist
• A bunch of updates to the Profile Resolution Specififcation to clarify and improve the specification. (PR #1172) @stephenbanghart, @aj-stein-nist
  • #1140 Significant improvements around resolution of internal references. Behavior is now defined for resolving resources with different combinations of "rlink" and "base64". As these /should/ all be equal to one another, there is no standardized order or priority given in the specification at this time.
  • #1141 Enhanced prose around Group handling, especially around expected behavior of the "keep always" prop.
  • #1142 Core issue obsoleted by general OSCAL requirements on valid OSCAL documents. Cleaned up prose in the formats section.
  • #1152 Added Metaschema entries for the new Mapping assembly and it's associated fields/flags. Verified the veracity of existing Profile documentation, making minor-moderate edits to bring documentation up to speed with the current specification.
  • #1155 Fixed incorrect notation in metadata section: props are now properly refereed to as such, rather than using the value of their "name" field.
• #1153 Added README explaining content validation concepts. (PR #1170) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
• #1153 Added information about content well-formedness and validation to the website. (PR #1169) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
• #1176 Removed stale NEW CONTENT, END NEW CONTENT, and NEW comment blocks from Metaschemas. (PR #1179) @guyzyl
• Multiple changes to the Profile Resolution Specification. (PR #1089) @stephenbanghart, @aj-stein-nist
  • Tagged Requirements (updated .rnc), Added Draft Status, several small fixes in modify section
  • Applying AJ's fixes, other various small fixes - pending larger automated formating
  • Intro purpose rewrite. Editorial fixes from comments. Small edits to "Processing" page on site.
• Added DRT Strategies Inc GRC tool to tools page (PR #1122) @vmangat
• Add Rules Presentation from January 21, 2022 Meeting (PR #1125) @aj-stein-nist
• Add tool oscal4neo4j to tools page (#1128) @Agh42, @bradh
• Remove extra > which shows in the built schemas (PRs #1133, #1147) @guyzyl
• Fix broken links to FedRAMP baselines (PR #1143) @rosskarchner
• Bumped nokogiri from 1.12.5 to 1.13.3 in /docs (PR #1154) @dependabot
• Updated core repo documentation (PR #1157) @david-waltermire-nist, @aj-stein-nist
  • Updated readmes with more current and relevant information.
  • Added CODEOWNERS to drive reviews.
  • Updated .github/PULL_REQUEST_TEMPLATE.md
• Removed duplicated risk status construct in the assessment commonm Metaschema (PR #1159) @david-waltermire-nist
• Updated Tools with Additional Open Source Projects (PR #1164) @rgauss
• Fixed broken links in README.md (PR #1181) @guyzyl
• Renamed .github/README.md file to ABOUT.md to fix the main index page in the GitHub repo (#1182) @guyzyl
• Added mailing list names to contact page.

The following compatibility breaking change was made:

• In all JSON schemas, the name "props" is used to signify the list of metadata properties. There was one case where the name prop is used instead of props. Fixes this obvious typo in the assessment results metaschema. (PR #1148) @guyzyl

New Contributors

• @vmangat made their first contribution in #1122
• @rgauss made their first contribution in #1164

Full Changelog: v1.0.1...v1.0.2

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.1. This first patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.1 model reference.

The following changes were made in this patch release.

• #635, #966 Cleaned up src/utils directory and added documentation (PR #970, #1014) @wendellpiez
• #956 Enhanced the schema production pipeline to ensure that high-order Unicode characters are properly escaped (PR usnistgov/ metaschema#165) @wendellpiez
• #958 Fixed an issue in the content upconverter used for updating OSCAL content from 1.0.0 RC2 to 1.0.0 (PR #960) @wendellpiez
• #983 Fix Dockerfile entrypoint using best practices for entrypoint. (PR #984) @ohsh60
• #986 Updated dependency versions for Saxon and AJV in the Docker config. Added dependencies for yargs. (PR #987) @ohsh60
• #1001 Fixed bad metapath. @david-waltermire-nist
• #1004 Refactored dockerfiles for the build and docs folders. Updated use documentation. Added missing dependency for calabash. (PR #1005) @david-waltermire-nist
• #1020 Updated documentation around using the content converters. (PR #1027, #1055) @wendellpiez
• #1025 Fixed SyntaxWarning for content validator oscal-content-validator.py (PR #1026) @bradh, @david-waltermire-nist
• #1037 Clarify data types docs for param insert (PR #1112)
• #1039, #1040, #1041, #1042, #1046 Updated the profile resolution specification (PR #1014, #1017) @stephenbanghart
• #1044 Added warnings for non-required UUID flags. @david-waltermire-nist
• #1053 Make @control-id for alter statements in profile required (PR #1111) @aj-stein-nist
• #1067 Fix enum typo from inteneral->internal (PR #1110) @aj-stein-nist
• #1102 Some Docker container improvements for local web development and testing for PRs (PR #1103) @aj-stein-nist
• #1107 Incorporating processing directives that support schematron validation of Metaschema-based models (#1108) @aj-stein-nist
• usnistgov/oscal-content/#59 Convert File Type for Files or Remote Hyperlinks in Continuous Deployment (PR #1010, 1070) @ohsh6o, @david-waltermire-nist
• Fixed broken branch configuration for the metaschema submodule (PR #991) @ohsh60
• Fixed OSCAL constraints in Metaschemas. Fixing Metapath syntax errors. (PR #1012, #1065) @david-waltermire-nist
• Repaired a bug report on a missed control; adding test files (PR #1013) @wendellpiez
• Removed duplicate json import in oscal-content-validator.py (PR #1077) @flickerfly
• Improvements to XSLT-based profile resolver (PR #1071) @wendellpiez
• Added requirements.txt for oscal-content-validator.py (PR #1077) @guyzyl
• Add support for yaml OSCAL files validation (PR #1091) @guyzyl, @aj-stein-nist
• Updated contributing and pull request documentation for External Developers (#1094) @aj-stein-nist
• Bump addressable from 2.7.0 to 2.8.0 in /docs (PR #994) @dependabot
• Bump nokogiri from 1.11.5 to 1.12.5 in /docs (PR #1029) @dependabot
• Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python (PR #1096) @dependabot

The following additional changes were made that affect the OSCAL website.

• #739 Fixed 404 error when using the "Improve this page" link. (PR #995) @kylelaker, @david-waltermire-nist
• #854 Added a Component Tutorial to Website (PR #935, #1015) @Rene2mt, @david-waltermire-nist
• #860 Updated model reference documentation to better clarify the scope and uniqueness of identifiers used within the OSCAL models. (PR #941) @Rene2mt, @david-waltermire-nist, @aj-stein-nist
• #947 Fixed a number of typos (PR #955) @david-waltermire-nist
• #968 Fixed broken and stale links in model documentation. (PR #973) @david-waltermire-nist
• #993 Updating tools page to use a table. Added Compliance Tressle. @iMichaela, @david-waltermire-nist
• #996 Added blogs to website. @david-waltermire-nist
• #1049 Added control freak to the OSCAL tools page (PR #1104) @aj-stein-nist
• Fixed prop syntax in validation component tutorial. (PR #999) @ohsh60
• Added link to EasyDynamics OSCAL tools (PR #1009) @afeld
• Adding link to XML Jelly Sandwich OSCAL demos (PR #1016) @wendellpiez
• Updated the Lunch with Devs meeting info and Tools page to include new meeting info (PR #1045) @iMichaela, @david-waltermire-nist

New Contributors

• @afeld made their first contribution in #1009
• @aj-stein-nist made their first contribution in #1094
• @flickerfly made their first contribution in #1077
• @guyzyl made their first contribution in #1082
• @kylelaker made their first contribution in #995

We deeply appreciate all the contributions made by these and other community members.

Full Changelog: v1.0.0...v1.0.1

We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate (RC) 2. This is the second full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.

Please provide feedback by May 7, 2021 by emailing the NIST OSCAL team at oscal@nist.gov or by creating an issue on our GitHub repository.

The OSCAL 1.0.0 RC 2 includes:

• Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
• Updated stable version of the system security plan model which provides a structured representations of a system's control-based implementation.
• Updated stable version of the component definition model which provides a stand-alone structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
• Updated stable versions of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning for and documenting the results of an information system assessment or continuous monitoring activity.
• Updated tools to convert between OSCAL XML and JSON formats, and to up convert content from previous releases to RC2.

Changes in this release are focused on the following major areas:

• Simplification of key OSCAL features
  • Properties and annotations have been merged into a single prop that now allows an optional remarks and uuid.
  • In the assessment plan and assessment results models, the concepts of a task and action have been combined.
  • Use of local-definitions in the assessment plan, assessment results, and POA&M models has been simplified and made more consistent.
• Model documentation improvements
  • Some usage descriptions were enhanced to provide more detail and to be more consistent overall.
  • Formal names were updated in some places where the names did not match the data element.
  • Many spelling errors were corrected.
• Removed the use of XML <any> and JSON additonalProperties for arbitrary extensions based on community discussion. Extended data can still be provided using link declarations to external content. This decision can be revisited in future revisions once there is more implementation experience with the OSCAL models.
• Added the following link relations: latest-version, predecessor-version, and successor-version to allow an OSCAL document to link to latest, previous, and next document revisions.
• Fixed a few bugs in the profile resolver code and updated the resolver to work with new profile import/insert structures.
• Provided support for data insertion points for data other than parameters in markup content.

To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.

These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.