
OSCAL Descriptions & Manual Template Mismatch - Asset Inventory

Open lstanden opened this issue 1 year ago • 1 comments

This relates to ...

  • [ ] the FedRAMP OSCAL Registry
  • [ ] the FedRAMP OSCAL baselines
  • [ ] the Guide to OSCAL-based FedRAMP Content
  • [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • [X] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP OSCAL Validations

What happened?

The two fields related to scans have different definitions between the FedRAMP template and the OSCAL definitions. This makes it extremely difficult for companies that wish to preemptively lean into OSCAL data, but still need to produce the standard Excel spreadsheet.

It's unclear if this is an issue in OSCAL or FedRAMP Spreadsheets, and clarity here is necessary.

"Authenticated Scan" (FedRAMP Spreadsheet) says:

Is the asset is planned for an authenticated scan?

OSCAL (allows-authenticated-scan) says:

Can the asset be check with an authenticated scan? (yes/no)

These have significantly different meanings. For example, an AWS EC2 can always be checked with an authenticated scan, but it's unclear in the context of the spreadsheet what we're supposed to answer here:

  • Is it planned because we know it exists, or
  • Is it planned because we picked it up when we kicked off our scan last

The first option makes the most sense, since I don't think there's a valid reason to know something exists and not scan it. The latter makes more sense from the perspective of whether you expect to see it in scan results.

"In Latest Scan" (FedRAMP Spreadsheet) says:

Should the asset appear in the network scans and can it be probed by the scans creating the current POA&M?

OSCAL (is-scanned) says:

is the asset subjected to network scans? (yes/no)

These are not equal either.

  • The spreadsheet version seems to indicate we should only have 'yes' here if we actually attempted to perform a scan against the host.
  • The OSCAL version seems to suggest this should be 'yes' if we would scan it, even if it didn't exist when we actually started the process of scanning.

Relevant log output

No response

How do we replicate this issue?

Content / Meaning Difference between documents.

Where, exactly?

OSCAL Schema / Excel Template Mismatch

Other relevant details

No response

lstanden, Jan 27 '24 01:01
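To make the mismatch concrete, here is an added example (not code from the fedramp-automation project or from the issue author) of the mechanical step a company in this situation performs: reading the `allows-authenticated-scan` and `is-scanned` props from OSCAL SSP inventory items and emitting the two spreadsheet columns, plus a check that both props are present and hold `yes`/`no`. The SSP fragment is constructed for the example, the column names are the spreadsheet headings quoted above, and the `asset-id` values are placeholders. The code does not resolve the semantic question raised here; it shows exactly where the ambiguous value ends up in the exported row.

```python
import json
from typing import Optional

# Props with no "ns" belong to the core OSCAL namespace; FedRAMP-specific props
# carry their own ns and are deliberately not matched here.
OSCAL_NS = "http://csrc.nist.gov/ns/oscal"
YES_NO = {"yes", "no"}

# Constructed sample SSP fragment (not a real FedRAMP artifact). Three items:
# a host that supports authenticated scans, an appliance that does not, and
# an item with a malformed/missing scan prop to exercise the checks.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "system-implementation": {
      "inventory-items": [
        {
          "uuid": "11111111-1111-4111-8111-111111111111",
          "description": "EC2 web node (constructed)",
          "props": [
            {"name": "asset-id", "value": "i-placeholder-web"},
            {"name": "asset-type", "value": "operating-system"},
            {"name": "allows-authenticated-scan", "value": "yes"},
            {"name": "is-scanned", "value": "yes"}
          ]
        },
        {
          "uuid": "22222222-2222-4222-8222-222222222222",
          "description": "Managed load balancer (constructed)",
          "props": [
            {"name": "asset-id", "value": "lb-placeholder"},
            {"name": "asset-type", "value": "appliance"},
            {"name": "allows-authenticated-scan", "value": "no"},
            {"name": "is-scanned", "value": "yes"}
          ]
        },
        {
          "uuid": "33333333-3333-4333-8333-333333333333",
          "description": "Item with bad scan props (constructed)",
          "props": [
            {"name": "asset-id", "value": "i-placeholder-bad"},
            {"name": "allows-authenticated-scan", "value": "true"}
          ]
        }
      ]
    }
  }
}
""")


def prop_value(item: dict, name: str) -> Optional[str]:
    """Return the value of the first core-namespace prop named `name`, else None."""
    for p in item.get("props", []):
        if p.get("ns", OSCAL_NS) == OSCAL_NS and p.get("name") == name:
            return p.get("value")
    return None


def inventory_items(ssp: dict) -> list:
    """Locate the inventory-items array inside an OSCAL SSP document."""
    impl = ssp["system-security-plan"]["system-implementation"]
    return impl.get("inventory-items", [])


def spreadsheet_rows(ssp: dict) -> list:
    """Map each inventory item to the spreadsheet columns discussed in the issue.

    The OSCAL prop value is copied through unchanged; whether 'yes' means
    'planned', 'observed' or 'possible' is exactly the ambiguity reported.
    """
    rows = []
    for item in inventory_items(ssp):
        rows.append({
            "Asset ID": prop_value(item, "asset-id"),
            "Asset Type": prop_value(item, "asset-type"),
            "Authenticated Scan": prop_value(item, "allows-authenticated-scan"),
            "In Latest Scan": prop_value(item, "is-scanned"),
        })
    return rows


def scan_prop_findings(ssp: dict) -> list:
    """Flag items whose scan props are missing or not a yes/no value."""
    findings = []
    for item in inventory_items(ssp):
        asset = prop_value(item, "asset-id") or item.get("uuid")
        for name in ("allows-authenticated-scan", "is-scanned"):
            value = prop_value(item, name)
            if value is None:
                findings.append(f"{asset}: missing prop {name}")
            elif value.lower() not in YES_NO:
                findings.append(f"{asset}: prop {name} must be yes/no, got {value!r}")
    return findings


if __name__ == "__main__":
    for row in spreadsheet_rows(SAMPLE_SSP):
        print(row)
    for finding in scan_prop_findings(SAMPLE_SSP):
        print("FINDING:", finding)
```

Running it prints one row per inventory item and two findings for the third item (a non-yes/no value and a missing `is-scanned`). Any exporter built this way has to pick one reading of `is-scanned` for the "In Latest Scan" column, which is why the definitions need to agree.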

Would like to add an additional element that needs review. prop[@name="asset-type"] does not include "software" as an option, but there are elements within the document that specifically state whether it is software or a DB, and OS is linked to infrastructure.

Recommend allowing another asset-type value for software, so that it falls more in line with the FedRAMP documentation template.

Telos-sa, Apr 15 '24 19:04