[JSON] NIST 800-53 Rev 5 Extra Space between {{ insert: param, * }} ; and plus other spacing inconsistencies.

[nicpenning]

In regards to the NIST 800-53 Rev 5 catalog, it appears that there could be some inconsistencies with the spacing after the parameters that can be inserted when "and" is following the insert text that ends with a semi-colon ";". An example:

Using https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json we see this:

Line   411:                         "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"

The following are the amount of search results per variation of the insert params with "and" included:
103 hits : }} ; and"
0 hits :}}; and"
0 hits :}} ;and"
0 hits :}};and"
0 hits for all variations of any space between and "

The following are the amount of search results per variation of the insert params without "and" included:
0 hits on the text }} ; "
8 hits for }}; "
0 hits for }} ;"
389 hits for }};"

So as for the insert: param without the and and without the space we see these two variations:

Line    477:                         "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
Line   3764:                         "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; "

The reason I noticed the spacing is primarily for the }} ; and" section because when I compare that text to the published NIST 800-53 Rev 5 Excel Spreadsheet this is the raw text:

"a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
[...cut for brevity...]
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."

Notice there is no space between [Assignment: organization-defined events] and the ;, however, when using OSCAL and generating this control, a space gets added and doesn't align with what NIST has published here: https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-control-catalog.xlsx

Would it be appropriate to update the NIST 800-53 Rev 5 catalog to remove the space with the instances of }} ; and" and changing it to }};and"?

Then for final consistency change }}; " to }};"

Note: I did not look at the XML catalog to verify if these same spacing inconsistencies exist.

• One volunteer developer will demonstrate how to use the Schematron to analyze the catalog, if the assigned developer is not familiar
• Review the source of the reported problem in ( "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};") and confirm where it is present:
  • the official NIST SP 800-53 PDF
  • the official NIST SP 800-53 Excel spreadsheet
  • the source OSCAL XML catalog
  • the OSCAL JSON catalog
• Review with the team the potential root cause (source OSCAL catalog, conversion error, or both)
• Make a potential fix with the proposed change in the OSCAL catalog
• Make a potential fix with the proposed change in the relevant transformation

[Compton-US]

Just a note for future reference. This seems to be a good control statement to spot check for white space issues: SR-3(b) (from the xls of 800-53 Rev 5)

spreadsheet

[Assignment: organization-defined supply chain controls]; and
SR-3,Supply Chain Controls and Processes,"

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];

b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and

c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]]."

oscal-content

./src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml:80109: (develop branch)
<p>Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: <insert type="param" id-ref="sr-03_odp.03"/> ; and</p>

[GaryGapinski]

These XPath expressions have been — thrice — edited to correct errors. Competency is at an ebb tide.

Another way to observe superfluous spacing in the oscal-content XML documents: subject https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml to the XPath expression //insert[following-sibling::text()[matches(., '\s\s$')]].

//insert[preceding-sibling::text()[matches(., '^\s\s')]] is analogous for preceding excess spaces.

I have previously been told that only the PDF versions of NIST special publications are normative — all others should be considered derivative and informative. 800-53 rev5 can be found here and it does not contain any instances of two spaces in a row.

[aj-stein-nist]

Thanks for the tip @GaryGapinski, it could be useful.

[nicpenning]

Greetings all, any updates or guidance on this?