Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review of FedRAMP OSCAL Extensions and Values #564

Open
10 of 15 tasks
Rene2mt opened this issue Mar 7, 2024 · 1 comment
Open
10 of 15 tasks

Review of FedRAMP OSCAL Extensions and Values #564

Rene2mt opened this issue Mar 7, 2024 · 1 comment
Assignees
@Rene2mt
Labels
documentation Improvements or additions to documentation enhancement New feature or request rev4 NIST 800-53 rev 4 rev5 NIST 800-53 rev 5 Scope: Guides Scope: Templates Scope: Validation tech-debt

Comments

@Rene2mt
Copy link
Member

Rene2mt commented Mar 7, 2024

This is a ...

research - something needs to be investigated

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)

User Story

As a FedRAMP OSCAL content generator, I need clear and consistent guidance on when to uses specialized FedRAMP OSCAL extensions versus when to use generalized core OSCAL props and values, and a clear understanding of the constraints around all extensions.

Goals

  • Review each FedRAMP extension and determine which of the following treatments apply:
  • Keep extension as-is (do nothing)
  • Deprecate the extension (no longer needed)
  • Transition to core OSCAL approach; deprecate FedRAMP extension
  • Propose new OSCAL allowed value(s); deprecate FedRAMP extension

By reviewing each extension and determining the required approach, this will result in clear requirements that when implemented will:

  • Eliminate namespace collisions
  • Ensure consistency across all artifacts (e.g., extensions registry, values, validations rules, OSCAL guides, and OSCAL templates)

Dependencies

No response

Acceptance Criteria

  • Comprehensive listing of all FedRAMP extensions including
    • Model(s) the extension applies to
    • Name
    • Description
    • Approach (keep, deprecate, transition, transition w/ proposed change
    • Constraints
    • Where changes are required (registry, values file, OSCAL guides, OSCAL templates, other)

Other information

This issue is focused on conducting the analysis so that the requirements are clarified. Subsequent issue(s) will implement the necessary updates.
@Rene2mt Rene2mt added the enhancement New feature or request label Mar 7, 2024
@Rene2mt Rene2mt self-assigned this Mar 7, 2024
@Rene2mt Rene2mt added documentation Improvements or additions to documentation tech-debt rev4 NIST 800-53 rev 4 rev5 NIST 800-53 rev 5 Scope: Guides Scope: Templates Scope: Validation labels Mar 7, 2024
@Rene2mt
Copy link
Member Author

Rene2mt commented May 1, 2024

Related to issue #587

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Rene2mt Rene2mt

Labels
documentation Improvements or additions to documentation enhancement New feature or request rev4 NIST 800-53 rev 4 rev5 NIST 800-53 rev 5 Scope: Guides Scope: Templates Scope: Validation tech-debt
Projects
FedRAMP Automation
Status: 🔖 Ready
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Rene2mt