Multiple actions in OSCAL Assessment Plan

[dockery24]

This is a repeat from the gitter chat but here is the rundown:

I am working within my organization to utilize OSCAL, and I am running into a simple issue but one I am not having much luck resolving based on the OSCAL Assessment Plan outline. When I am trying to test multiple controls based off of my AP, how would I separate the actions (via multiple activities and/or tasks) so each control would utilize a separate script to assess that control. I thought maybe an activity for each control would be the obvious answer, but that would then require another task to associate for every activity, and I just wanted to make sure I was approaching this correctly before I go too deep and add a ton of new lines when the answer might be much simpler.

[Telos-sa]

Our focus for SAP has been on creating an MVP for the schema and FedRAMP use-case first. For the FedRAMP use-case, they have identified specific objectives with response points, which should be the focus for the test plan (think their document SRTM).

The local definitions allows activities to be related to controls and/or objectives and tied to tasks, included in the mockup below. However, for predefined response points and assessment objectives, there is no easy way to link the activities without creating local definitions.

Would love to be able to associate the objectives to the specific assessment subjects in the SAP without having to create specific procedures beyond what was defined in the baseline-profile. Below, created the links to tasks with props, but a defined element would be ideal. It should be optional to cover the multitude of use cases, but that would be a great element to show the planned coverage of the test objectives/controls across the different subjects.

"local-definitions": { 
            "activities": [
                {
                    "uuid": "method 5 based on description and control ID.",
                    "description": "Description of the activity",
                    "props": [
                        {
                            "name": "type", ##hardcoded 
                            "value": "manual" ##hardcoded
                        },
                        {
                            "name": "label",
                            "value": "Test ID from tseting field"
                        }
                    ],
                    "related-controls": {
                        "control-selections": [
                            {
                                "include-controls": [
                                    {
                                        "control-id": "selection of control from controls included in baseline-profile"
                                    }
                                ]
                            }
                        ]
                    }
                }
            ]
        },
....

"tasks": [ 
            {
                "uuid": "method 4",
                "type": "action",
                "title": "Conduct Interviews of CSP Staff",
                "description": "Conducting Interviews for CSP staff for phyiscal security and access controls.",
                "timing": {
                    "within-date-range": {
                        "start": "date from start date field"
                        "end": "date from end date field"
                    }
                },
                "associated-activities":[
                    {
                        "activity-uuid": "method 4 if associated to the pre-defined objectives from baseline-profile response points",
                        "props": [Would want the objectives and controls associated without nesting in a prop to make this a cleaner link for the pre-defined requirements 
                            {
                                "name": "include-objectives",
                                "value": "objective-id"
                            },
                            {
                                "name": "include-controls",
                                "value": "control-id"
                            }
                        ],
                        "subjects": [
                            "include-subjects": [
                                {
                                    "subject-uuid": "same as subject ID from assessment subjects",
                                    "type": "Location"
                                }
                            ]
                        ]
                    },
                    { 
                        "activity-uuid": "uuid from locally defined activities associated with the task.  Since the activity is already associated with the control-ID, do not need the props.",
                        "subjects": [
                            "include-subjects": [
                                {
                                    "subject-uuid": "same as subject ID from assessment subjects",
                                    "type": "Location"
                                }
                            ]
                        ]
                    }
                ], 
                "responsible-roles": [
                    {
                        "role-id": "role-id from metadata",
                        "party-uuids": [
                            "uuid", 
                            "uuid2"
                        ]
                    }
                ]
            }
        ],

[dockery24]

Thanks for the quick response.

So just to verify then. Currently the only way to associate multiple controls but with separate tests (commands/scipts/etc.) in the current outline would be to create a separate activity under "local-definitions" associated to a specific control/control objective and then associate a task for each "associated-activities"?

Would that format match below?

assessment-plan:
  uuid: 
  metadata:
    title: 
    last-modified: 
    version:
    oscal-version: 

  import-ssp:
    href: 

  local-definitions:
    activities:
      - uuid: control_a_uuid
        title:
        description: 
        props:
          - name: 
            value: 
        related-controls:
          description:
          control-selections:
            - include-controls:
              - control-id: control_a
          control-objective-selections:
            - include-objectives:
              - objective-id: control_a_obj.1
  
      - uuid: control_b_uuid
        title:
        description: 
        props:
          - name: 
            value: 
        related-controls:
          description:
          control-selections:
            - include-controls:
              - control-id: control_b
          control-objective-selections:
            - include-objectives:
              - objective-id: control_b_obj.1

  assessment-subjects:
    - type:
      description:
      include-all:

  reviewed-controls:
    control-selections:
      - include-controls:
          - control-id: control_a
          - control-id: control_b
    control-objective-selections:
      - include-objectives:
          - objective-id: control_a_obj.1
          - objective-id: control_b_obj.1

  tasks:
    - uuid: 
      title: 'control_a (Test)'
      description:
      type:
      associated-activities:
        - activity-uuid: control_a_uuid
          subjects:
            - type: 
              include-all:
              
    - uuid: 
      title: 'control_b (Test)'
      description: 
      type: 
      associated-activities: 
        - activity-uuid: control_b_uuid
          subjects:
            - type: 
              include-all: