Aren't these errors? (SP800-53A encoding issues) #101

Closed
Tracked by #135
wendellpiez opened this issue Mar 25, 2022 · 8 comments · Fixed by #143

Comments

@wendellpiez
Contributor

To Do: break down this list and allocate. Some are content issues. Some have to do with data enhancement or features not yet implemented.

Not even writing notes here, just reformatting. These were submitted through channels by a helpful user.

Errors uncovered:

  1. There are a number of cases where &lt; and &gt; made it in instead of <>
<part id="ca-1_obj.a.1.a.2" name="assessment-objective">
  <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
  <p>the  <insert type="param" id-ref="ca-01_odp.03"/>  assessment, authorization, and monitoring policy addresses scope;[03] SELECTED PARAMETER(S)&gt; assessment, authorization, and monitoring policy addresses scope;</p>
</part>
<part id="ca-1_obj.a.1.a.3" name="assessment-objective">
  <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
  <p>the  <insert type="param" id-ref="ca-01_odp.03"/>  assessment, authorization, and monitoring policy addresses roles;[03] SELECTED PARAMETER(S)&gt; assessment, authorization, and monitoring policy addresses roles;</p>
</part>
<param id="ps-03.04_odp.01">
   <prop name="alt-identifier" value="ps-3.4_prm_1"/>
   <prop name="label" class="sp800-53a" value="PS-03(04)_ODP[01]"/>
   <label>information types</label>
   <guideline>
      <p>information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet &lt;PS-03(04)_ODP[02] citizenship requirements&gt; are defined;</p>
   </guideline>
</param>
<param id="sa-09.05_odp.03">
   <prop name="alt-identifier" value="sa-9.5_prm_3"/>
   <prop name="alt-label"
         class="sp800-53"
         value="requirements or conditions"/>
   <prop name="label" class="sp800-53a" value="SA-09(05)_ODP[03]"/>
   <label>requirements</label>
   <guideline>
      <p>requirements or conditions for restricting the location of &lt;SA-09(05)_ODP[01] SELECTED PARAMETER VALUE(S)&gt; are defined;</p>
   </guideline>
</param>
<param id="sa-11_odp.02">
  <prop name="alt-identifier" value="sa-11_prm_2"/>
  <prop name="alt-label" class="sp800-53" value="frequency"/>
  <prop name="label" class="sp800-53a" value="SA-11_ODP[02]"/>
  <label>frequency to conduct</label>
  <guideline>
     <p>frequency at which to conduct &lt;SA-11_ODP[01] SELECTED PARAMETER VALUE(S)&gt; testing/evaluation is defined;</p>
  </guideline>
</param>
<param id="sa-11_odp.03">
  <prop name="alt-identifier" value="sa-11_prm_3"/>
  <prop name="label" class="sp800-53a" value="SA-11_ODP[03]"/>
  <label>depth and coverage</label>
  <guideline>
     <p>depth and coverage of &lt;SA-11_ODP[01] SELECTED PARAMETER VALUE(S)&gt; testing/evaluation is defined;</p>
  </guideline>
</param>
  2. The following is missing the [xx]:
<param id="pe-06.02_odp.03">
   <prop name="alt-identifier" value="pe-6.2_prm_3"/>
   <prop name="label" class="sp800-53a" value="PE-06(02)_ODP[03]"/>
   <label>automated mechanisms</label>
   <guideline>
      <p>automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined;</p>
   </guideline>
</param>
  3. In AC-16, the same ODP is used for two different parameters (c #2 and f #1). AC-16_ODP[07] + AC-16_ODP[08]

  4. In AC-4: the parameters and assurance procedures still combine "within the system" and "between connected systems", even though they could have different policies.

  5. In SC-12: Why is it broken up for every other parameter, but here there are NOT separate ODPs for generation, distribution, storage, access, and destruction?

  6. In SC-42(2), the parameter for sensors is actually a reference into a different enhancement. This is a problem as the two are not dependent on each other.

@wendellpiez wendellpiez added the question The issue contains a question that needs to be answered. label Mar 25, 2022
@david-waltermire
Contributor

@wendellpiez There are some other issues relating to the content production pipeline. See #93 (#95). Perhaps these can be fixed at the same time?

@aj-stein-nist
Contributor

aj-stein-nist commented May 5, 2022

We need to determine if the issue is in the source material or a result of the pipeline. If it is source material, we should use the comments site to formally submit the feedback and follow up once it is registered.

@wendellpiez
Contributor Author

wendellpiez commented Jun 7, 2022

To sort out:

(1a) Apparently due to paste errors in the source, these could be cleaned up by hand.

(1b-d) Our process does not infer ODP references made inside parameter guidelines. Confirm these should be inserts, then convert.

(2) Issue? Missing anchor?

(3-6) appear to be content issues to be raised for discussion.
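
One way to scan a catalog for the two error classes sorted out above (escaped ODP references inside guidelines, and stray brackets left by paste errors), as an added example that is not code from the oscal-content repository or its pipeline. The function names, the `<catalog>` wrapper and the `sa-11_odp.01` param are assumptions constructed for the sample; the other fragments are taken, abridged, from the issue text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the sa-11_odp.02 param and an abridged CA-1 part from the
# issue, plus an assumed sa-11_odp.01 param so the reference has a target.
SAMPLE = """<catalog>
<param id="sa-11_odp.01">
  <prop name="label" class="sp800-53a" value="SA-11_ODP[01]"/>
</param>
<param id="sa-11_odp.02">
  <prop name="label" class="sp800-53a" value="SA-11_ODP[02]"/>
  <guideline><p>frequency at which to conduct &lt;SA-11_ODP[01] SELECTED PARAMETER VALUE(S)&gt; testing/evaluation is defined;</p></guideline>
</param>
<part id="ca-1_obj.a.1.a.2" name="assessment-objective">
  <p>the <insert type="param" id-ref="ca-01_odp.03"/> policy addresses scope;[03] SELECTED PARAMETER(S)&gt; policy addresses scope;</p>
</part>
</catalog>"""

# After parsing, &lt;LABEL ...&gt; appears in element text as <LABEL ...>.
ODP_REF = re.compile(r"<([A-Z]{2}-\d{2}(?:\(\d{2}\))?_ODP(?:\[\d{2}\])?)[^<>]*>")

def local(el):  # tag name without an XML namespace
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (owner id, finding kind, detail, resolved param id) tuples."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    labels = {prop.get("value"): param.get("id")
              for param in root.iter() if local(param) == "param"
              for prop in param if local(prop) == "prop"
              and prop.get("name") == "label" and prop.get("class") == "sp800-53a"}
    findings = []
    for p in (el for el in root.iter() if local(el) == "p"):
        owner = p
        while owner is not None and owner.get("id") is None:
            owner = parents.get(owner)      # nearest ancestor carrying an id
        owner_id = owner.get("id") if owner is not None else None
        text = "".join(p.itertext())
        for m in ODP_REF.finditer(text):
            # Candidate for conversion to <insert type="param" id-ref="..."/>
            findings.append((owner_id, "escaped-odp-ref", m.group(1), labels.get(m.group(1))))
        if re.search(r"[<>]", ODP_REF.sub("", text)):
            # Leftover bracket: likely a paste error needing manual review
            findings.append((owner_id, "stray-bracket", text.strip(), None))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A resolved param id of `None` on an `escaped-odp-ref` finding means no param in the document carries that sp800-53a label, so the reference cannot be converted to an insert without further review.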

@wendellpiez
Contributor Author

In PR #110 along with other changes (#108), I expect to have corrections addressing 1a-d.

3-6 need to be floated up.

2 is under discussion. It is clearly weak but the exact nature of the error is TBD. One problem is that PE 6(2) has three (3) distinct ODPs, and it is not clear if all three, or which of them, is (are) to be referenced.

Let's discuss in Issues Triage? @david-waltermire-nist @aj-stein-nist

@wendellpiez
Contributor Author

For discussion, I have corrections to 1a-d and a potential correction for 2.

@wendellpiez
Contributor Author

Just committed an XSLT that provides for some of the patches behind a draft PR (see above). It can be modified and extended until we wish to apply it.

Next steps:

  • Shake this out and diff with current updated catalog
  • Go through issues list punchlist above and note coverage (in comments below)
  • Make a finish list, cycling back as necessary

@wendellpiez
Contributor Author

Noting error in title of IA-8(3): "Ficam" should be all capitals. Let's correct this also.

wendellpiez added a commit to wendellpiez/oscal-content that referenced this issue Sep 19, 2022
@wendellpiez
Contributor Author

Rundown:

Repository owner moved this from Under Review to Done in NIST OSCAL Work Board Sep 23, 2022
aj-stein-nist pushed a commit to aj-stein-nist/oscal-content-forked that referenced this issue Nov 1, 2022
@aj-stein-nist aj-stein-nist removed this from the SP 800-53 Rev 5.2 milestone Sep 15, 2023
aj-stein-nist pushed a commit to aj-stein-nist/oscal-content-forked that referenced this issue Oct 27, 2023