feat(system-security-plan): initial creation of SSP Model

[meganwolf0]

Description

Implements the OSCALModel interface on an SSP.

• Simply the library functions for this PR, follow on addressing the cmd aspect
• Additional data is going to be required to fully complete the SSP, in the meantime left "<TODO...>" remarks to try and indicate additional vetting needed on those fields

Related Issue

Fixes #797

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Checklist before merging

• Test, docs, adr added or updated as needed
• Schema Updates applied
• Contributor Guide Steps followed

[meganwolf0]

To discuss:
Are we merging validations (via backmatter) into the SSP? Or are we maintaining the original links to the validations and performing a relative path mapping (to get those links properly added to the ImplementedRequirements.ByComponents? IF we want to go that route, we need to re-tool part of the compose functionality to partially compose compdefs (e.g., get the imported ones, re-write the validation/ref relative paths)

[brandtkeller]

To discuss: Are we merging validations (via backmatter) into the SSP? Or are we maintaining the original links to the validations and performing a relative path mapping (to get those links properly added to the ImplementedRequirements.ByComponents? IF we want to go that route, we need to re-tool part of the compose functionality to partially compose compdefs (e.g., get the imported ones, re-write the validation/ref relative paths)

I do think we should discuss this! Do you see this as a blocker for this PR or simply something we should discuss ASAP (next week)?

[meganwolf0]

Do you see this as a blocker for this PR or simply something we should discuss

Yeah mostly just something to discuss - I don't think it's blocking anything here/whatever decision wouldn't invalidate anything done so far.

[brandtkeller]

No issues with the logic out-front of more implementation.

I used the go-oscal types to look at required fields at the top-level object. Reviewed what the logic performed for generation as a primary indicator of the logic.

I appreciate the consideration that went into the merge functionality. The checks establish some precedence for what is permitted for merge - will be good to document this when the implementation layer is available.

If possible I would like to see more guidance in PR's for how to review these changes. We're navigating new (to us) models and discovering how each should respond to specific actions. We're on a journey together here to learn how these models work and how to automate them.

[meganwolf0]

If possible I would like to see more guidance in PR's for how to review these changes

Agreed! I felt similarly when I was recently reviewing the profile model implementation. I can start a working doc somewhere, maybe Notion for now as we work through a process?

[brandtkeller]

If possible I would like to see more guidance in PR's for how to review these changes

Agreed! I felt similarly when I was recently reviewing the profile model implementation. I can start a working doc somewhere, maybe Notion for now as we work through a process?

Open to anything that helps spread awareness. Some of this can be self-documenting but my request is simply some information in the PR that describes or establishes context for the changes.

This PR touches the SSP OSCAL model - here is associated information to review. This work follows 'x' pattern and you can see linked documentation support the logic. Lula applies opinionation to the use of 'y' field in the SSP type for 'z' reason. etc etc

[CloudBeard]

This looks correct taking what we have with Component Definitions and getting to SSP.

The relationship between CompDef < > SSP doc could be created separate of this PR. I think that doc with deeper/refresh research from last quarter would bring up some optional prop items we could add to CompDefs and start the opinionation route.

[brandtkeller]

Approving and resolving current conversation. Believe this is setup well with follow on work identified and considerations we might be able to pull in.