Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review of FedRAMP OSCAL Extensions and Values #564

Open
10 of 15 tasks
Rene2mt opened this issue Mar 7, 2024 · 6 comments · May be fixed by #762
Open
10 of 15 tasks

Review of FedRAMP OSCAL Extensions and Values #564

Rene2mt opened this issue Mar 7, 2024 · 6 comments · May be fixed by #762
Assignees
@Rene2mt
Labels
enhancement New feature or request rev5 NIST 800-53 rev 5 scope: constraints scope: documentation scope: templates tech debt
Milestone
Digital Authoriza...

Comments

@Rene2mt
Copy link
Member

Rene2mt commented Mar 7, 2024

This is a ...

research - something needs to be investigated

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)

User Story

As a FedRAMP OSCAL content generator, I need clear and consistent guidance on when to uses specialized FedRAMP OSCAL extensions versus when to use generalized core OSCAL props and values, and a clear understanding of the constraints around all extensions.

Goals

  • Review each FedRAMP extension and determine which of the following treatments apply:
  • Keep extension as-is (do nothing)
  • Deprecate the extension (no longer needed)
  • Transition to core OSCAL approach; deprecate FedRAMP extension
  • Propose new OSCAL allowed value(s); deprecate FedRAMP extension

By reviewing each extension and determining the required approach, this will result in clear requirements that when implemented will:

  • Eliminate namespace collisions
  • Ensure consistency across all artifacts (e.g., extensions registry, values, validations rules, OSCAL guides, and OSCAL templates)

Dependencies

No response

Acceptance Criteria

  • Comprehensive listing of all FedRAMP extensions including
    • Model(s) the extension applies to
    • Name
    • Description
    • Approach (keep, deprecate, transition, transition w/ proposed change
    • Constraints
    • Where changes are required (registry, values file, OSCAL guides, OSCAL templates, other)

Other information

This issue is focused on conducting the analysis so that the requirements are clarified. Subsequent issue(s) will implement the necessary updates.
@Rene2mt Rene2mt added the enhancement New feature or request label Mar 7, 2024
@Rene2mt Rene2mt self-assigned this Mar 7, 2024
@Rene2mt Rene2mt moved this from 🆕 New to 🔖 Ready in FedRAMP Automation Mar 7, 2024
@Rene2mt
Copy link
Member Author

Rene2mt commented May 1, 2024

Related to issue #587

@Rene2mt Rene2mt moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Jul 12, 2024
@Rene2mt Rene2mt added this to the Digital Authorization Phase 1 milestone Sep 3, 2024
@Rene2mt Rene2mt linked a pull request Oct 8, 2024 that will close this issue
Draft
7 tasks
@aj-stein-gsa
Copy link
Contributor

@Rene2mt can we discuss what we will be doing with this issue and #587 moving forward?

@aj-stein-gsa aj-stein-gsa moved this from 🏗 In progress to 🔖 Ready in FedRAMP Automation Oct 24, 2024
@aj-stein-gsa
Copy link
Contributor

@brian-ruf and @Rene2mt is it possible we discuss this in the Thursday constraint meeting to her team viewpoints and move ahead with this?

@brian-ruf
Copy link
Collaborator

@aj-stein-gsa there is no constraints meeting this Thursday due to stand-down day. I'm also on a plan a good chunk of tomorrow. Happy to discuss Friday.

@aj-stein-gsa
Copy link
Contributor

@aj-stein-gsa there is no constraints meeting this Thursday due to stand-down day. I'm also on a plan a good chunk of tomorrow. Happy to discuss Friday.

🤦 I forgot today is Wednesday .... 😆 Thanks for the update!

@Rene2mt
Copy link
Member Author

Rene2mt commented Oct 31, 2024

@aj-stein-gsa and @brian-ruf lets discuss Friday

@aj-stein-gsa aj-stein-gsa moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Oct 31, 2024
@Rene2mt Rene2mt linked a pull request Nov 4, 2024 that will close this issue
WIP - Feature issue 564 - FedRAMP Extensions Registry #762
Draft
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Rene2mt Rene2mt

Labels
enhancement New feature or request rev5 NIST 800-53 rev 5 scope: constraints scope: documentation scope: templates tech debt
Projects
FedRAMP Automation
Status: 🏗 In progress
Milestone
Digital Authorization Phase 1
Development

Successfully merging a pull request may close this issue.

WIP - Feature issue 564 - FedRAMP Extensions Registry Rene2mt/fedramp-automation
3 participants
@brian-ruf @Rene2mt @aj-stein-gsa