Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check that SSP has inventory items #881

Open
14 tasks
aj-stein-gsa opened this issue Nov 7, 2024 · 5 comments · May be fixed by #899
Open
14 tasks

Check that SSP has inventory items #881

aj-stein-gsa opened this issue Nov 7, 2024 · 5 comments · May be fixed by #899
Assignees
@DimitriZhurkin
Labels
constraint: completeness model: ssp scope: constraints type: task
Milestone
Digital Authoriza...

Comments

@aj-stein-gsa
Copy link
Contributor

aj-stein-gsa commented Nov 7, 2024
edited
Loading

Constraint Task

As a digital authorization package maintainer, to know that I have identified that I need the required inventory items in the system security plan and avoid passback, I want a check to ensure the SSP has the right amount of inventory.

Intended Outcome

Goal

Check for one or more inventory items or report an error.

Syntax

Create an expect that a inventory-item has at least one in the system security plan.

Syntax Type

This is optional core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

/system-security-plan/system-implementation/inventory-item >= 1

Purpose of the OSCAL Content

Automation will need to check for many items in the inventory, but there must be at least one.

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate
    • sample content is present and accurate
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

No response
@aj-stein-gsa aj-stein-gsa converted this from a draft issue Nov 7, 2024
@aj-stein-gsa aj-stein-gsa moved this from 📋 Backlog to 🔖 Ready in FedRAMP Automation Nov 7, 2024
This was referenced Nov 7, 2024
Open
Open
@DimitriZhurkin DimitriZhurkin self-assigned this Nov 8, 2024
@brian-ruf
Copy link
Collaborator

brian-ruf commented Nov 11, 2024
edited
Loading

I'd suggest this be an ERROR for less than two (2) inventory items, as FedRAMP requires at least two instances of a system.
I'd also suggest this be a WARNING for less than 20 inventory items as I've never encountered an inventory list that small, but believe it is possible. (The warning number should probably be even higher than 20, but this is a safe starting point. We can tune it upward later.)

@DimitriZhurkin
Copy link

Following @brian-ruf's first comment (Brian, thanks), modified Metapath as follows:

count(inventory-item) >= 2

As for the second comment, I have my doubts. If FedRAMP does not explicitly provision that there should be no fewer than 20 inventory items, I would hesitate to throw unnecessary warnings at users.

Thoughts?

@aj-stein-gsa
Copy link
Contributor Author

I'd suggest this be an ERROR for less than two (2) inventory items, as FedRAMP requires at least two instances of a system. I'd also suggest this be a WARNING for less than 20 inventory items as I've never encountered an inventory list that small, but believe it is possible. (The warning number should probably be even higher than 20, but this is a safe starting point. We can tune it upward later.)

Interesting, can you explain where the ballpark of 2 < x < 20 comes from?

@DimitriZhurkin DimitriZhurkin linked a pull request Nov 13, 2024 that will close this issue
Open
7 tasks
@brian-ruf
Copy link
Collaborator

brian-ruf commented Nov 13, 2024
edited
Loading

First, I feel strongly about 2 >= x, and am a lot softer on x < 20.

2 >= x because FedRAMP requires a primary and alternate site for every system. So even a system that requires just one inventory item would need at least two as a result of the redundancy requirement. That's also why this should be an ERROR. I feel strongly that this is the minimum.

x < 20 because I am unaware of any FedRAMP system with less than 10 distinct items ( x 2 locations = 20). FedRAMP inventory lists usually involve 100's or 1,000's of entries. So if there are less than 20 inventory items the most-likely reason by far is is missing inventory. (WARNING)

I can stand down on x < 20. It was just a suggestion. I was approaching it similar to the way thresholds are tuned for SOC monitoring and alerting, where 20 is an expert judgement for what is likely to be good, and then can later be tuned up or down as we get real-world data to support a more appropriate threshold.

If we were to include this threshold, there is also a case to be made that x < 20 is more of a SaaS minimum. PaaS and IaaS minimum should be more like x < 100.

@aj-stein-gsa
Copy link
Contributor Author

First, I feel strongly about 2 >= x, and am a lot softer on x < 20.

I am all about heuristics, this is good stuff, I just wanted to see it written down. 😄

@aj-stein-gsa aj-stein-gsa linked a pull request Nov 15, 2024 that will close this issue
Add has-inventory-items #899
Open
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DimitriZhurkin DimitriZhurkin

Labels
constraint: completeness model: ssp scope: constraints type: task
Projects
FedRAMP Automation
Status: 👀 In review
Milestone
Digital Authorization Phase 1
Development

Successfully merging a pull request may close this issue.

Add has-inventory-items DimitriZhurkin/fedramp-automation
3 participants
@brian-ruf @DimitriZhurkin @aj-stein-gsa