NIST Team: Personal Recommendations on Tutorials Roadmap

[aj-stein-nist]

Hello, fellow NISTer working on OSCAL. We are going to use this discussion board to collect team member perspectives on changes big and small to how we publish tutorials. I think there is room for improvement (isn't there always?), and I think it is good to also let the community understand our perspectives and final plan after the fact by reading this, so we will post it here. I hope to have feedback for consideration by close of business 5:00 PM ET on 7 August 2023. I likely will not be able to consider any staff feedback after that time if posted here.

By now in the sprint, you probably should have read usnistgov/OSCAL#1867. That issue will end up in a plan, not the work itself, but there are still some dependencies for that roadmap and this preparation (reading current tutorials, review example oscal-content that isn't the 800-53 catalog, and 4th conference workshop materials to understand my opinionated perspective on this). If you have not done that pre-work, read those first and come back to this.

So, re desired feedback, if you have any feedback, I would strongly encourage you to address the list of recommended steps in the current issue like below. Again, feedback should be submitted by close of business 5:00 PM ET on 7 August 2023. Thanks again!

1. Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

Your answer here.

2. Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

Your answer here.

3. What do you recommended re an updated list of tutorials demonstrating their usage?

Your answer here.

4. What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

Your answer here.

5. What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

Your answer here.

6. Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

Your answer here.

[wendellpiez]

Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

I see both advantages and disadvantages with an integrated approach. On balance however I see nothing wrong with starting this way.

However if/when people have ideas that diverge, I hope they are not blocked for that single reason - any workable strategy must be adaptable. (We don't want to discourage anyone at all from making any kind of OSCAL tutorial as long as the information is good.)

Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

I think that's a great idea.

I also think that the same "simplified lifecycle" might be iterated with variations, later or even sooner. (For example: same task, different tools.)

What do you recommended re an updated list of tutorials demonstrating their usage?

This is difficult. We need to be dynamic, responsive and creative. This should mean frequent updates and maybe dramatic changes (so not to be skittish about that). I don't even think we have a clear idea of what it means to "use" OSCAL. The workshop curriculum so far is better than our online tutorials in this respect.

Also, I think we have a problem due to inconsistent knowledge of the rudiments, e.g. what is schema validation (or harder, what it is not). We need to think about teaching here by demonstration, since many users don't perceive their own ignorance.

What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

Issues I see with the current tutorials are not with their scope so much as with the perspectives they assume.

For example, almost no one would be tagging metadata by hand, as seems to be assumed in the Metadata tutorial. It should be amended/rewritten from another point of view, maybe for a developer who is surveying the model to build a UI, or the user of such a UI (even if it's a fictional mockup).

(For that matter why aren't we providing a workable front end for form-filled OSCAL Metadata production, instead of a tutorial guide for tagging a la 1995?)

What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

I think we have two choices: (a) remove everything and put back what we want, or (b) survey it all (as a group/team). Since we are not aligned on plans/purposes yet, choice (a) might be easier for now. Then we take up the issue of data governance on this site.

(I assume we are talking about non-FISMA content as noted.)

Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

It's a big job and breaking it into pieces / lanes will help, as will empowering team to introduce and execute on make improvements.

I have an old war story about this, if you like.

[iMichaela]

Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

I like the idea (I promoted it) of creating small stand-alone examples that are then integrated into a broader picture. For example, the Catalog tutorial used very simple ISO control to demonstrate OSCAL versatility, and to have controls very simple to format. Profile and profile resolution tutorial needed more complex controls to demonstrate the functionality. We can show a derived profile form both to demonstrate such functionality. We can also include the control(s) implemented in the Component Definition example, so, when working on a CDef Tutorial we reuse the example and have the 'sourced' profile ready. Each of those steps demonstrate features and can be used as stand alone but also provide some continuity.

Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

Starting simple with fewer actors makes explanations easier.

What do you recommended re an updated list of tutorials demonstrating their usage?

• profiles aggregation/concatenation into a new one
• component definition (use existing example)
• SSP with a simple system implementing the profile aggregated above (controls can be tailored out if needed) and which has a mongoDB - the component definition we have and use for the tutorial
• AP the system in the SSP
• Simple use case (see blossom) with the automation process of this system (video in the tutorial is preferred)

What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

Keep and enhance with new ones

What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

All examples need to be updated to OSCAL 1.1.0!
At minimum, all examples used in the tutorials should be made available. I see the catalog examples I used for the tutorial, I do not see the profile example. Many more examples are needed.

Is there anything else worth calling out or considering that isn't addressed by questions above? If so, what is it and why should we consider it?

1. Keep always in mind that OSCAL is being adopted by other non-federal entities. Create and use examples that are familiar to them as well (CIS controls, or one PCI DSS control, or HIPPA).
2. During our 2018 OSCAL workshop and hackathon, people wanted an SSP fillable form, and started working on one. Tutorials could be augmented, when possible with such editorial tools, allow users to export data and see it. It can be a major maintenance burden..

[Arminta-Jenkins-NIST]

Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

Yes, integrated examples will help beginners to understand the tutorials.

Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

Agree.

What do you recommended re an updated list of tutorials demonstrating their usage?

Presuming this means "How To OSCAL" tutorials, I would recommend this.

What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

I'll have to expand on my answer. (I'll update or reply to this comment at a later time.)

What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

We should survey what we already have and build from there. First update existing content and then add/amend to fill any gaps.

Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

None.

[Compton-US]

Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)
Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

I agree with both. I'm assuming actor-based scenarios are based on perspectives of roles similar to the workshop presentation and I think this is great for helping others understand the points where OSCAL fits in the overall workflow.

---

What do you recommended re an updated list of tutorials demonstrating their usage?

To build on the success above, based on my experience in systems and applications architecture, most conversations occurred around network diagrams and I think it would help here. I believe everyone would benefit from a few reference architectures that present common scenarios, and then we can demonstrate how the models are used to document the system.

I personally feel a bit lost with OSCAL when mentally putting together a system using the constructs we've provided. For example, the use of components seems very straight-forward to most in the community from the security perspective, but I have issues applying the concepts based on my experience developing and deploying systems. I'd chalk that up to my own brain having issues, but I know enough to know something is not quite right.

I'll also share, as a personal experience, that RMF wasn't applied until we knew what we planned to build, and often it was already in development. So when controls were selected, we generally understood what was needed, and it was much easier to reason through. Without diagrams, it's hard to conceptualize specifically how a system is "componentized" or modeled, and selection of controls feels premature.

---

What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

Keep building tutorials, but with the context above. Let's model systems.

---

What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

I'd rather see examples as snippets integrated into the metaschema documentation. I think I'm used to reading through API documentation, and that's what I'm missing.

The end result code for the tutorials could be in oscal-content. One loss from having just the single repo would be the ability to step through using branches like we did with the case study. That seems hard to maintain on a more broad scale though.

Another option would be the case study style approach where each reference system is a repo. (Just brainstorming)

---

Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

Ultimately I think we seek to avoid writing OSCAL by hand, and encouraging others to do the same, particularly if our scenarios are centered around the composition of OSCAL.

How do we support the tools creators to build the best tools so that, generally, OSCAL is in the background doing its job?

I feel like building up OSCAL-Reference so that it is very similar to other API references will help developers. Having the reference architectures will likely help them too.

On documentation, I've said it before, but one of my favorite API sites is https://pandas.pydata.org/docs/

• A direct link to a section that has embedded examples

Others:

• https://docs.pydantic.dev/latest/api/base_model/
• https://storybook.js.org/docs/react/writing-stories/args (integrates tutorials)

[nikitawootten-nist]

I love the idea of integrating examples into the model documentation pipeline directly.

We could probably repurpose the remarks section of the metaschema, or propose separate <json-usage> and <xml-usage> elements?

[iMichaela]

I do not understand what happened to my earlier responses... after Wendells. They were even endorsed.. (+1). I refreshed the page and they re gone! I'll try to reproduce.

[iMichaela]

SO ... Maybe I did not hit send comment earlier :( ... Here it is again.

1. Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

YES! I have been promoting the design of tutorials that provide a coherent , progressive approach from the beginning. When I created the Catalog tutorials we needed very simple controls so I selected ISO/IEC 27002 controls to also demonstrate OSCAL's versatility. A second Catalog tutorial was bringing more complex controls, but was not published. Profile tutorial demonstrated more complex controls from 800-53 so it can demonstrate also how to resolve profiles. I am hot tutorials that can be studies as independent material but which belong to a larger, comprehensive picture.

2. Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

YES! Start simple so it is easy to follow.

3. What do you recommended re an updated list of tutorials demonstrating their usage?

Here is what I would do:

1. Profile tutorial showing aggregation/concatenation of other profiles to bring together current controls from the Catalog tutorial with the ones from the existing Profile tutorial and with the controls used ib the mongoDB Component Definition example.
2. Component Definition tutorial reusing the example we have and sourcing the profile created in 1)
3. SSP for a simple system (use example) but include also the mongoDB component from 2) into the system
4. AP using the SSP from 3) and following Bloss@m's simple use case approach
5. AR tutorial with video segments demonstrating it, similar to the Bloss@m's simple use case
6. POAM tutorial with some findings form 5), for the SSP from 3)

4. What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

Keep, add new ones, update them to OSCAL 1.1.0. Save the OSCAL content to examples. The Catalog has the example saved, the Profile does not.

5. What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

Update them to OSCAL 1.1.0, reuse them as described above. Add more examples.

6. Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

During our first OSCAL workshop, during the hackathon, people were trying to create fillable forms for SSP. I thought is would be a cool idea but maintain such editorial tool(s) could turn into a nightmare for us.

[nikitawootten-nist]

Submitting this a bit later as I was out on AL.

Do you agree or disagree with the need to start an approach to integrated examples that are logically connected to the tutorials, not isolated? If you disagree, why? (If you agree little or no detail needed.)

I agree that we should move towards a set of "integrated" tutorials, however I do not think it should be a hard rule.
Some tutorials will naturally not fit into a series.

Do you agree or disagree with a need to start a simplified lifecycle based around actor-based scenario and use cases? If you disagree, why? (If you agree little or no detail needed.)

Role-centric tutorials should help users get a clearer understanding not only of what OSCAL is, but how they and their team will interact with the models.

What do you recommended re an updated list of tutorials demonstrating their usage?

I think that a new set of tutorials will need to account for two different "modes":

1. A unified set of tutorials modeled after the workshop with the goal of demonstrating OSCAL's usage by different parties with a consistent control-set (start with a tutorial creating a basic non-federal-specific catalog, move on to a tutorial showing how an organization may tailor that catalog, etc)
2. One-off tutorials that do not fit into the workshop model (such as tutorials focusing on a specific catalog, tool, or methodology)

With both of these types of tutorials in mind, it may make sense to create a "tutorial landing page" that offers curriculums (or tutorial playlists) centered around different roles and use-cases.
These playlists would then allow us to incorporate both the unified tutorials and one-offs (and even external documentation/tutorials as appropriate).

What do you recommend re a list of recommendations after reviewing existing tutorials to recommend: keep, amend, or delete?

It may make sense to keep the existing tutorials as they still serve as good introductions to the profile and catalog models and are pretty self-contained.
Once the "integrated" tutorials are created they may be made a bit redundant at which point they could be retired to reduce upkeep.

What do you recommend re a list of recommendations on examples in oscal-content (not official catalogs, only examples): keep, amend, or delete?

I'm not sure that the examples are useful outside of the context of the tutorials they are built out of.
The OSCAL Workshop took the approach of keeping the models and the tutorial close to each other.

Is there anything else worth calling out or considering that isn't address by questions above? If so, what is it and why should we consider it?

However we approach tutorials we should ensure that we are not creating a maintenance burden.
Although not a replacement for tutorials, we should also look at ways we can improve the generated documentation to make it more approachable to beginners.
As Chris said, integrated examples embedded within the OSCAL metaschemas could make the documentation generation pipeline produce much richer documentation.

[wendellpiez]

@aj-stein-nist @nikitawootten-nist the Metaschema model already has support for inline examples. 😎

However, for the sake of Metaschema maintenance these need to be kept lightweight -- and it would also support linking to examples out of line, which could be transcluded (sucked in) in the documentation display, or linked to.

At one point -- briefly, a long long time ago -- the OSCAL Metaschema XSD had a hook enabling you to connect another XSD to it, to validate example content. But since examples are not typically rooted at the root, this is not always useful. But example is still there, it still has a flag to identify the syntax, and it still permits ANY tmk.