What determines the value of <prop> name="marking" under <metadata>? Is marking supported for <back-matter> resources?

[telosBA]

• This is a ...

  • [ ] concern - I think something needs to be different.
  • [x] question - I didn't understand something.
  • [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
  • [ ] request - I would like to see something additional provided.

• This relates to ...

  • [ ] the FedRAMP OSCAL Registry (Excel File)
  • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
  • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [x] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] General/Overall
  • [ ] Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

• Where, exactly?
  • For the registry, please indicate the tab and cell, or other clear identifier
  • For the guide, please indicate the section number and printed page number (lower right corner)
  • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier

FedRAMP-SSP-OSCAL-Template.xml Line 24

• What is your feedback?

• What version of OSCAL are you using? (Check our info on supported OSCAL versions) 1.0.2

• What action would you like to see from the FedRAMP PMO?

What determines the value of <prop> name="marking" under <metadata>? Is this the marking assigned to the entire SSP?

Is <prop> name="marking" supported for resources in <back-matter> as NIST documentation implies? If so, how do resource markings impact the overall marking found in <metadata>? Would the value be the highest assigned marking among all props? See NIST OSCAL Schema for reference to <prop> name="marking" in back-matter resource.

• Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, eg. slack, gitter, etc)

[david-waltermire]

What determines the value of name="marking" under <metadata>? Is this the marking assigned to the entire SSP?

In core OSCAL, "marking" is allowed for all places where a property is allowed. The value to use will be based on the marking system.

You can use the @class to identify the marking system. Core OSCAL isn't prescriptive about marking systems at the moment.

The marking in <metadata> applies to the entire document.

Is name="marking" supported for resources in as NIST documentation implies?

Yes.

If so, how do resource markings impact the overall marking found in ? Would the value be the highest assigned marking among all props?

This depends on the rules of the marking system. Core OSCAL just provides a way to define markings. It isn't prescriptive about how to interpret them. This requires understanding the marking system.