Initial model office: Oscalate Systems

README.md

@@ -1 +1,64 @@
-# Pattern-Library
+# OSCAL Foundation — Pattern Library
+
+A curated collection of high-quality, realistic [OSCAL](https://pages.nist.gov/OSCAL/) example artifacts published by the **OSCAL Foundation** to serve as patterns and practices for the community.
+
+## About OSCAL Foundation
+
+The Open Security Controls Assessment Language (OSCAL) is a machine-readable language that simplifies and standardizes information system security assessments through the exchange of information via automation.
+
+Originally developed by the National Institute of Standards and Technology (NIST) in collaboration with FedRAMP and industry, OSCAL aims to improve the efficiency, timeliness, accuracy, and consistency of system security assessments.
+
+The **OSCAL Foundation** is dedicated to furthering the development and adoption of the OSCAL standards. The Foundation is a nonprofit organization seeking 501(c)(3) tax-exempt status recognition.
+
+## Purpose
+
+There are few high-quality, representative examples of what an actual compliance package in OSCAL looks like. This Pattern Library fills that gap by providing complete, realistic model office examples that demonstrate proper use of all seven OSCAL models working together.
+
+## Examples
+
+| System | Organization | Description |
+|--------|-------------|-------------|
+| [**Summit**](summit/) | Oscalate Systems | A complete model office example covering all 7 OSCAL models |
+
+## OSCAL Models Covered
+
+Each example in this library aims to include artifacts for all seven OSCAL models:
+
+1. **Catalog** — Security control definitions
+2. **Profile** — Baseline selection and tailoring
+3. **Component Definition** — Component-level security capabilities
+4. **System Security Plan (SSP)** — System security documentation
+5. **Assessment Plan (SAP)** — Security assessment planning
+6. **Assessment Results (SAR)** — Assessment findings
+7. **Plan of Action & Milestones (POA&M)** — Remediation tracking
+
+## Repository Structure
+
+```
+Pattern-Library/
+├── README.md
+└── summit/                          # Model Office: Summit by Oscalate Systems
+    ├── README.md
+    ├── diagrams/                    # Architecture and system diagrams
+    ├── catalog/                     # OSCAL Catalog artifacts
+    ├── profile/                     # OSCAL Profile (Baseline) artifacts
+    ├── component-definition/        # OSCAL Component Definition artifacts
+    ├── system-security-plan/        # OSCAL SSP artifacts
+    ├── assessment-plan/             # OSCAL SAP artifacts
+    ├── assessment-results/          # OSCAL SAR artifacts
+    └── poam/                        # OSCAL POA&M artifacts
+```
+
+## Contributing
+
+Contributions of high-quality OSCAL examples are welcome. Please ensure examples are realistic, well-structured, and follow OSCAL best practices.
+
+## License
+
+See [LICENSE](LICENSE) for details.
+
+## Resources
+
+- [OSCAL Official Documentation](https://pages.nist.gov/OSCAL/)
+- [OSCAL GitHub Repository](https://github.com/usnistgov/OSCAL)
+- [OSCAL Foundation](https://oscalfoundation.org)

summit/README.md

@@ -0,0 +1,50 @@
+# Summit — Model Office Example
+
+**Organization:** Oscalate Systems  
+**System Name:** Summit
+
+## Overview
+
+Summit is a representative model office system created by Oscalate Systems to serve as a high-quality example of a complete compliance package expressed in [OSCAL](https://pages.nist.gov/OSCAL/). This example demonstrates how all seven OSCAL models work together to document and assess the security posture of an information system.
+
+## Technical Architecture
+
+![Summit Technical Architecture](diagrams/Oscalate_Systems-Summit_Diagram-Technical.svg)
+
+## OSCAL Models
+
+Summit includes complete example artifacts for all seven OSCAL models, representing the full lifecycle from control definition through assessment and remediation:
+
+| # | Model | Directory | Description |
+|---|-------|-----------|-------------|
+| 1 | **Catalog** | [`catalog/`](catalog/) | Security control catalog defining available controls |
+| 2 | **Profile** | [`profile/`](profile/) | Baseline selection and tailoring of controls |
+| 3 | **Component Definition** | [`component-definition/`](component-definition/) | Security capabilities of individual system components |
+| 4 | **System Security Plan (SSP)** | [`system-security-plan/`](system-security-plan/) | Comprehensive system security documentation |
+| 5 | **Assessment Plan (SAP)** | [`assessment-plan/`](assessment-plan/) | Plan for assessing security controls |
+| 6 | **Assessment Results (SAR)** | [`assessment-results/`](assessment-results/) | Findings from security assessments |
+| 7 | **POA&M** | [`poam/`](poam/) | Plan of Action & Milestones for remediation tracking |
+
+## Model Relationships
+
+The seven OSCAL models form a connected workflow:
+
+```
+Catalog ──► Profile ──► SSP ──► SAP ──► SAR ──► POA&M
+                         ▲                        │
+                         │                        │
+               Component ┘              (feeds back into SSP)
+              Definitions
+```
+
+1. **Catalog** defines the universe of available controls
+2. **Profile** selects and tailors controls from the catalog into a baseline
+3. **Component Definitions** describe how components implement controls
+4. **SSP** documents the system and how controls are implemented (importing both the profile and component definitions)
+5. **AP** defines the plan for assessing the controls documented in the SSP
+6. **AR** captures findings and evidence from the assessment
+7. **POA&M** tracks remediation of identified weaknesses, feeding back improvements to the SSP
+
+## File Format
+
+All examples in this library are provided in **JSON** (`.oscal.json`).

summit/assessment-plan/README.md

@@ -0,0 +1,28 @@
+# Assessment Plan (SAP)
+
+## OSCAL Model: Security Assessment Plan
+
+The **Security Assessment Plan (SAP)** model defines the plan for assessing the security controls of an information system. It describes the scope, methodology, schedule, and resources required for a security assessment.
+
+### Summit Context
+
+This directory contains the OSCAL Assessment Plan artifacts for the **Summit** system by **Oscalate Systems**. These files define how the Summit system's security controls will be assessed.
+
+### What Belongs Here
+
+- OSCAL Assessment Plan files (JSON, XML, or YAML)
+- Assessment scope and methodology definitions
+- Assessment schedules and resource assignments
+- Test case definitions
+
+### Key Concepts
+
+- **Import SSP**: Reference to the SSP being assessed
+- **Assessment Subjects**: Components, inventory items, and users in scope
+- **Assessment Activities**: Specific test methods and procedures
+- **Tasks**: Scheduled assessment activities and milestones
+- **Reviewed Controls**: Controls selected for assessment
+
+### OSCAL Reference
+
+- [OSCAL Assessment Plan Model Documentation](https://pages.nist.gov/OSCAL/reference/latest/assessment-plan/json-outline/)

summit/assessment-results/README.md

@@ -0,0 +1,28 @@
+# Assessment Results (SAR)
+
+## OSCAL Model: Security Assessment Results
+
+The **Security Assessment Results (SAR)** model captures the findings from a security assessment. It documents the observations, risks, and determinations made during the assessment of an information system's security controls.
+
+### Summit Context
+
+This directory contains the OSCAL Assessment Results artifacts for the **Summit** system by **Oscalate Systems**. These files capture the outcomes of security assessments conducted against the Summit system.
+
+### What Belongs Here
+
+- OSCAL Assessment Results files (JSON, XML, or YAML)
+- Assessment findings and observations
+- Risk determinations and evidence references
+
+### Key Concepts
+
+- **Import AP**: Reference to the Assessment Plan that guided the assessment
+- **Results**: Container for assessment findings from a specific assessment run
+- **Findings**: Individual control assessment outcomes
+- **Observations**: Evidence and observations supporting findings
+- **Risks**: Identified risks resulting from assessment findings
+- **Attestations**: Assessor statements about the assessment
+
+### OSCAL Reference
+
+- [OSCAL Assessment Results Model Documentation](https://pages.nist.gov/OSCAL/reference/latest/assessment-results/json-outline/)

summit/catalog/README.md

@@ -0,0 +1,27 @@
+# Catalog
+
+## OSCAL Model: Catalog
+
+The **Catalog** model defines a structured collection of security and privacy controls. It serves as the foundational source of truth for all controls that may be selected and applied in profiles and system security plans.
+
+### Summit Context
+
+This directory contains the OSCAL Catalog artifacts for the **Summit** system by **Oscalate Systems**. The catalog defines the complete set of controls available for selection and implementation.
+
+### What Belongs Here
+
+- OSCAL Catalog files (JSON, XML, or YAML)
+- Custom control definitions specific to the Summit system
+- Control group and family structures
+
+### Key Concepts
+
+- **Controls**: Individual security requirements or guidelines
+- **Groups**: Logical groupings of related controls (e.g., families)
+- **Parameters**: Configurable values within controls (e.g., password length)
+- **Parts**: Sub-sections of controls (e.g., statements, guidance)
+
+### OSCAL Reference
+
+- [OSCAL Catalog Model Documentation](https://pages.nist.gov/OSCAL/reference/latest/catalog/json-outline/)
+- [OSCAL Catalog Tutorial](https://pages.nist.gov/OSCAL/learn/tutorials/catalog/)

summit/component-definition/README.md

@@ -0,0 +1,26 @@
+# Component Definition
+
+## OSCAL Model: Component Definition
+
+The **Component Definition** model describes the security capabilities and control implementations provided by reusable components. Components can represent software, hardware, services, policies, procedures, or other elements that contribute to the security posture of a system.
+
+### Summit Context
+
+This directory contains the OSCAL Component Definition artifacts for the **Summit** system by **Oscalate Systems**. These files define the individual components that make up the Summit system and their respective security control implementations.
+
+### What Belongs Here
+
+- OSCAL Component Definition files (JSON, XML, or YAML)
+- Vendor-provided component definitions
+- Reusable capability descriptions for system components
+
+### Key Concepts
+
+- **Components**: Individual elements (software, hardware, services, policies)
+- **Control Implementations**: How a component satisfies specific controls
+- **Capabilities**: Groupings of related control implementations
+- **Responsibility**: Whether control satisfaction is provided, shared, or inherited
+
+### OSCAL Reference
+
+- [OSCAL Component Definition Model Documentation](https://pages.nist.gov/OSCAL/reference/latest/component-definition/json-outline/)