OSCAL Compliance and Additional Formats #3

Open
brian-ruf-ezd wants to merge 2 commits into GovTechSG:master from brian-ruf-ezd:catalog-updates

@brian-ruf-ezd

The catalog was not passing validation of the OSCAL-CLI tool, which enforces the full range of core OSCAL rules. To resolve this, the updated catalog has the following changes:

  • Changed the non-core-OSCAL properties to use http://tech.gov.sg/ns/oscal for the namespace.

    • The properties present in each control do not have names that are allowed by core OSCAL.
    • Non-core-OSCAL properties have to be put in an organization's namespace.
    • The XML and OSCAL de facto standard for organizational namespaces is http://[org-owned-domain]/ns/oscal
  • Added placeholders for 20 missing resources

    • There were approximately 200 links within the controls that referenced resources; however, no resources were present in the catalog back-matter.
    • Of the ~200 links, there were 20 unique resources cited
    • Used the link/text content to extrapolate what resources were expected
    • Created a resource entry for each missing resource
    • Added rlink/@href values where a resource was easily identified on the public Internet
      • Provided a best guess when no direct link was discoverable
  • Added XML and YAML formats

All three formats pass OSCAL-CLI validation with no warnings or errors.
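
An added example, not code from this pull request or the repository: a Python check for the two problems the description above names, `#uuid` links with no matching back-matter resource and properties with non-core names that carry no organizational namespace. The catalog is constructed, `walk`, `audit` and `allowed_core_names` are hypothetical names, and the allowed-name set is supplied by the caller as an assumption rather than taken from OSCAL-CLI's rule set.

```python
import json

CORE_NS = "http://csrc.nist.gov/ns/oscal"  # OSCAL's default namespace when "ns" is omitted

# Constructed sample catalog; not taken from the repository under review.
SAMPLE = json.loads("""
{"catalog": {
  "groups": [{"id": "g1", "controls": [
    {"id": "c-1",
     "props": [{"name": "label", "value": "C-1"},
               {"name": "risk-tier", "value": "high"}],
     "links": [{"href": "#aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "rel": "reference"},
               {"href": "#bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "rel": "reference"}],
     "controls": [
       {"id": "c-1.1",
        "props": [{"name": "owner", "ns": "http://example.org/ns/oscal", "value": "ops"}],
        "links": [{"href": "#bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "rel": "reference"},
                  {"href": "https://example.org/policy", "rel": "reference"}]}]}]}],
  "back-matter": {"resources": [
    {"uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "title": "Constructed resource"}]}
}}
""")

def walk(node):
    """Yield every JSON object nested under node, at any depth."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def audit(doc, allowed_core_names):
    """Report fragment links with no back-matter resource and un-namespaced custom props."""
    # allowed_core_names is the caller's assumption about which prop names core OSCAL permits.
    catalog = doc["catalog"]
    known = {r["uuid"] for r in catalog.get("back-matter", {}).get("resources", [])}
    dangling, bad_props = [], []
    for obj in walk(catalog):
        for link in obj.get("links", []):
            href = link.get("href", "")
            if href.startswith("#") and href[1:] not in known:  # external URLs are skipped
                dangling.append(href[1:])
        for prop in obj.get("props", []):
            # A prop without "ns" is in the core namespace, so its name must be a core name.
            if prop.get("ns", CORE_NS) == CORE_NS and prop["name"] not in allowed_core_names:
                bad_props.append(prop["name"])
    return {"dangling_links": len(dangling), "missing_resources": sorted(set(dangling)),
            "unnamespaced_props": sorted(set(bad_props))}
```

Calling `audit(SAMPLE, {"label", "sort-id"})` separates the total number of dangling links from the unique resources they point at, the same distinction the description draws between roughly 200 links and 20 resources.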

@spaceraccoon
Collaborator

Thanks @brian-ruf-ezd! This repo is a masked version of our internal repository, which includes removing links due to the presence of some intranet links. We're updating our build/dist CI to make the masking remain schema-compliant. Will review this PR.
