
Discrepancy between FedRAMP Guide and SSP Baseline for <security-sensitivity-level>

Open telosBA opened this issue 2 years ago • 1 comment

  • This is a ...

    • [x] concern - I think something needs to be different.
    • [ ] question - I didn't understand something.
    • [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
    • [ ] request - I would like to see something additional provided.
  • This relates to ...

    • [ ] the FedRAMP OSCAL Registry (Excel File)
    • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
    • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
    • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
    • [x] the FedRAMP SSP OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
    • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
    • [ ] General/Overall
    • [ ] Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

  • Where, exactly?
    • For the registry, please indicate the tab and cell, or other clear identifier
    • For the guide, please indicate the section number and printed page number (lower right corner)
    • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier

FedRAMP-SSP-OSCAL-Template.xml Lines 542-593

  • What is your feedback?

  • What version of OSCAL are you using? (Check our info on supported OSCAL versions) 1.0.2

  • What action would you like to see from the FedRAMP PMO?

The FedRAMP Guide and Template naming standard for <security-sensitivity-level> differs from that of the SSP Baseline. The FedRAMP Guide and Template include the prefix "fips-199-", while the SSP Baseline naming convention is "High (H), Moderate (M), Low (L)". Which is considered correct for validation purposes?

SSP Baseline Screenshot: Security Sensitivity Level Discrepancy

  • Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, e.g. slack, gitter, etc.)

telosBA avatar May 04 '22 19:05 telosBA

The intent here was to map the human readable values to the core OSCAL values:

Human-oriented    Core OSCAL value
Low (L)           fips-199-low
Moderate (M)      fips-199-moderate
High (H)          fips-199-high

This is indicated in section 4.4 of the guide.

david-waltermire avatar May 09 '22 12:05 david-waltermire
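The mapping described in the comment above can be checked mechanically before an SSP is submitted for validation. The following script is an added example and is not part of this issue or of the fedramp-automation project's own tooling. It assumes a minimal OSCAL 1.0 SSP document (constructed inline here) in which <security-sensitivity-level> sits under <system-characteristics>; the namespace is the published OSCAL 1.0 namespace, while the function and constant names are the example's own. It accepts either the human-oriented spelling from the SSP baseline or the core "fips-199-" value, reports which form was found, and flags anything that maps to neither.

```python
import re
import xml.etree.ElementTree as ET

# OSCAL 1.0 XML namespace used by the FedRAMP SSP template.
OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"

# Core OSCAL values the guide (section 4.4) expects in <security-sensitivity-level>.
CORE_VALUES = {"fips-199-low", "fips-199-moderate", "fips-199-high"}

# Human-oriented spellings from the SSP baseline, mapped to the core values.
_HUMAN_TO_CORE = {
    "low": "fips-199-low", "l": "fips-199-low",
    "moderate": "fips-199-moderate", "m": "fips-199-moderate",
    "high": "fips-199-high", "h": "fips-199-high",
}


def normalize_sensitivity_level(raw: str):
    """Return the core OSCAL value for raw, or None if it cannot be mapped.

    Accepts 'fips-199-high', 'High', 'H' and 'High (H)' case-insensitively.
    A value whose parts disagree (e.g. 'Moderate (H)') is rejected.
    """
    text = raw.strip().lower()
    if text in CORE_VALUES:
        return text
    tokens = re.findall(r"[a-z]+", text)          # 'high (h)' -> ['high', 'h']
    cores = {_HUMAN_TO_CORE.get(t) for t in tokens}
    if len(cores) == 1 and None not in cores:
        return cores.pop()
    return None


def check_ssp_sensitivity_level(xml_text: str) -> dict:
    """Locate <security-sensitivity-level> in an OSCAL SSP and classify it.

    status is 'ok' (already a core value), 'needs-mapping' (human-oriented
    spelling that maps cleanly), 'invalid' (unmappable) or 'missing'.
    """
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{OSCAL_NS}}}security-sensitivity-level")
    if node is None or not (node.text or "").strip():
        return {"raw": None, "core": None, "status": "missing"}
    raw = node.text.strip()
    core = normalize_sensitivity_level(raw)
    if core is None:
        status = "invalid"
    elif core == raw:
        status = "ok"
    else:
        status = "needs-mapping"
    return {"raw": raw, "core": core, "status": status}


def _ssp_with_level(level: str) -> str:
    """Build a constructed, minimal SSP fragment carrying the given level."""
    return (
        f'<system-security-plan xmlns="{OSCAL_NS}">'
        "<system-characteristics>"
        f"<security-sensitivity-level>{level}</security-sensitivity-level>"
        "</system-characteristics>"
        "</system-security-plan>"
    )


# Constructed sample documents (not taken from the FedRAMP template).
CONSTRUCTED_SSP_CORE = _ssp_with_level("fips-199-moderate")   # guide/template form
CONSTRUCTED_SSP_HUMAN = _ssp_with_level("Moderate (M)")       # SSP baseline form
CONSTRUCTED_SSP_BAD = _ssp_with_level("Medium")               # not a FIPS 199 level

if __name__ == "__main__":
    for name, doc in [("core", CONSTRUCTED_SSP_CORE),
                      ("human", CONSTRUCTED_SSP_HUMAN),
                      ("bad", CONSTRUCTED_SSP_BAD)]:
        print(name, check_ssp_sensitivity_level(doc))
```

Run it as a pre-submission check: a "needs-mapping" result means the document uses the baseline's human-readable label and should be rewritten to the core value before validation, while "invalid" points at a level that is neither form.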