Document OSCAL Assessment Plan Support #9

Open
jpower432 opened this issue Mar 10, 2025 · 0 comments
Summary

This issue outlines the proposal to add support for OSCAL Assessment Plan and track implementation.
Related to #5

Proposed Implementation

Below outlines the creation of an Assessment Task and associated Activities from OSCAL Components and RuleSet property information.

Components can be added through the imported OSCAL SSP or in the local definitions. The Assessment Task would provide an aggregated view of all Rule related Assessment Activities.

Each activity corresponds to a RuleSet defined in properties in the OSCAL System Component. It also includes the related controls defined in the Control Implementation properties.

flowchart LR
Rule["Defined Rule Set"]
Parameter["Rule Parameter"]
Check["Check Implementation"]
Activity["Assessment Activity"]
Property["Activity Parameter Property"]
Step["Individual Assessment Step"]
Observation["Result Observation"]
Rule --transforms--> Activity
Check --transforms--> Step
Parameter --transforms--> Property
Step --transforms--> Observation
Activity --has--> Step
Rule --has-->Parameter
Rule --has--> Check

The use of Associated Activities can provide linkage between the Task and Assessment Subject (the component in this case).

Example output

Relevant Issues

oscal-compass/oscal-sdk-go#32
oscal-compass/oscal-sdk-go#34
oscal-compass/oscal-sdk-go#33

Relevant Work

oscal-compass/oscal-sdk-go#36 - Merged
oscal-compass/oscal-sdk-go#45
oscal-compass/oscal-sdk-go#48

Use Cases

Assessment Results are created by C2P and policy artifact generation is created from Component Definitions. The below issue proposes that artifact generation is guided by an ingested Assessment Plan.
oscal-compass/compliance-to-policy-go#43
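
The Rule to Activity, Parameter to Property and Check to Step mapping from the flowchart above, sketched in Go as an added example (not code from this issue or from oscal-sdk-go). The simplified `Prop` and `Activity` types, the prop names `Rule_Id`, `Parameter_Id` and `Check_Id`, and the use of `Remarks` to group a rule set are assumptions made for illustration.

```go
package main

import "fmt"

// Prop is a simplified OSCAL property; Remarks names the rule set it belongs to.
type Prop struct{ Name, Value, Remarks string }

// Activity is a simplified Assessment Plan activity (hypothetical type).
type Activity struct {
	Title    string   // from the rule
	Params   []Prop   // rule parameters as activity properties
	Steps    []string // one step per check implementation
	Controls []string // related controls from the control implementation
}

// ActivitiesFromProps builds one activity per rule set, in first-seen order.
// The prop names Rule_Id, Parameter_Id and Check_Id are assumed conventions.
func ActivitiesFromProps(props []Prop, controls map[string][]string) []Activity {
	index := map[string]int{} // rule-set name -> position in out
	var out []Activity
	for _, p := range props {
		if p.Remarks == "" {
			continue // ungrouped props belong to no rule set
		}
		i, seen := index[p.Remarks]
		if !seen {
			i = len(out)
			index[p.Remarks] = i
			out = append(out, Activity{})
		}
		switch a := &out[i]; p.Name {
		case "Rule_Id":
			a.Title, a.Controls = p.Value, controls[p.Value]
		case "Parameter_Id":
			a.Params = append(a.Params, Prop{Name: "parameter", Value: p.Value})
		case "Check_Id":
			a.Steps = append(a.Steps, p.Value)
		}
	}
	return out
}

func main() {
	props := []Prop{ // constructed sample input
		{"Rule_Id", "rule-a", "rule_set_0"}, {"Parameter_Id", "timeout", "rule_set_0"},
		{"Check_Id", "check-a1", "rule_set_0"}, {"Rule_Id", "rule-b", "rule_set_1"},
		{"Check_Id", "check-b1", "rule_set_1"}, {"Check_Id", "check-a2", "rule_set_0"},
	}
	fmt.Printf("%+v\n", ActivitiesFromProps(props, map[string][]string{"rule-a": {"ac-2"}}))
}
```

Props are grouped by rule set rather than by position, so a check that appears after another rule set's props still lands in the right activity, and props with no rule-set grouping are skipped instead of forming a phantom activity.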

jpower432 changed the title from "Add OSCAL Assessment Plan Support" to "Document OSCAL Assessment Plan Support" on Mar 10, 2025