fedramp-automation
[Feedback]: CSP Authorization Playbook Cloud Deployment Models Deviate From OSCAL Requirements
This is a ...
request - need something additional provided
This relates to ...
- [ ] the FedRAMP OSCAL Registry
- [ ] the FedRAMP OSCAL baselines
- [ ] the Guide to OSCAL-based FedRAMP Content
- [X] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
- [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
- [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP OSCAL Validations
What is your feedback?
The Cloud Deployment Models in the Guide and Playbook do not align with OSCAL.
Where, exactly?
In the OSCAL SSP guide, Section 3 Instructions, the list of deployment models recommends referencing the CSP Authorization Playbook.
The Authorization Playbook, Section 7: https://www.fedramp.gov/assets/resources/documents/CSP_Authorization_Playbook.pdf
Defines these options:
and states that it references and adheres to NIST SP 800-145. However, the requirements and references are different:
NIST SP 800-145 aligns with OSCAL once the data is converted to tokens.
Other information
Recommendation:
Update the Authorization Playbook to match NIST SP 800-145.
Create validation based on the tokenized representation of these options.
Validations will be based on the tokenized values, not the human-readable aliases in the CSP Authorization Playbook or the legacy document template. The expected deployment model values in OSCAL for FedRAMP are:
- public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
- private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
- hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing.
- government-only-cloud: A specific type of community-cloud for use only by government services.
That is perfect! I would recommend updating the FedRAMP CSP Playbook, Volume I, Section 7 document to reflect the updated requirements, and they can be in string format. As we want the highest level of data integrity, ensuring that the requirements on either side align prevents the GRC tools in the middle from having to convert customer data one way or another. Converting to a token does not impact integrity, because the content is not changing, but using the current formats as defined in the guide would result in a failed validation.

| Playbook | Playbook Token |
|---|---|
| Government-Only Community | government-only-community |
| Public | public |
| Private | private |
| Hybrid | Hybrid |

Recommended guidance should incorporate the string versions of the tokens, with instructions for them to list all that apply and, if multiple are selected, to provide a reason (this would turn into the remarks). This will also support the OSCAL messaging and create consistency between the requirements, especially as more CSPs begin to convert to OSCAL.
Also, FedRAMP should update the OSCAL guidance for the SSP, to state which cloud-deployment-models will not be accepted, since OSCAL also accepts community-cloud and other. This would be similar to the FedRAMP restriction of Operational Status.
| Update | Playbook Token |
|---|---|
| Government Only Cloud | government-only-cloud |
| Public Cloud | public-cloud |
| Private Cloud | private-cloud |
| Hybrid Cloud | hybrid-cloud |
Stephanie Lacy | Senior Solutions Architect
www.telos.com
From: Rene Tshiteya | Sent: Tuesday, May 14, 2024 2:26 PM | To: GSA/fedramp-automation | Subject: Re: [GSA/fedramp-automation] [Feedback]: CSP Authorization Playbook Cloud Deployment Models Deviate From OSCAL Requirements (Issue #590)
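As an added example (not code from the fedramp-automation project or from anyone in this thread), the check below validates the cloud-deployment-model prop of an OSCAL SSP against the token set Rene lists above, maps the Playbook's human-readable labels from Stephanie's two tables onto those tokens so a GRC tool can tell an alias from a token, rejects `community-cloud` and `other` as OSCAL-valid but not FedRAMP-accepted, and warns when several models are selected without remarks giving the reason. The JSON path to the prop (`system-security-plan` > `system-characteristics` > `props`), the FedRAMP namespace string and the sample SSP fragments are assumptions made for the demonstration, not values taken from a FedRAMP package.

```python
"""Validate cloud-deployment-model values in an OSCAL SSP against the FedRAMP
token set.  Added example; not fedramp-automation project code.  Assumed: the
prop lives under system-security-plan > system-characteristics > props with
name "cloud-deployment-model"; the FedRAMP namespace string below is assumed;
the sample SSP fragments at the bottom are constructed."""
import re

# Tokens FedRAMP accepts (from the thread).
FEDRAMP_ACCEPTED = {
    "public-cloud",
    "private-cloud",
    "hybrid-cloud",
    "government-only-cloud",
}
# Tokens OSCAL allows but that FedRAMP, per the thread, should not accept.
OSCAL_ONLY = {"community-cloud", "other"}

# Human-readable strings from both Playbook tables in the thread, keyed by a
# normalized form (lower case, separators collapsed to single spaces).
PLAYBOOK_ALIASES = {
    "government only community": "government-only-cloud",
    "government only cloud": "government-only-cloud",
    "public": "public-cloud",
    "public cloud": "public-cloud",
    "private": "private-cloud",
    "private cloud": "private-cloud",
    "hybrid": "hybrid-cloud",
    "hybrid cloud": "hybrid-cloud",
}


def _normalize(text):
    """Lower-case and collapse whitespace, hyphens and underscores to one space,
    so 'Government-Only Cloud' and 'government only cloud' compare equal."""
    return re.sub(r"[\s_-]+", " ", text.strip().lower())


def alias_to_token(text):
    """Map a Playbook-style label (or a token in odd casing) to the FedRAMP
    token; return None when the string is not recognized."""
    return PLAYBOOK_ALIASES.get(_normalize(text))


def deployment_model_props(ssp):
    """Return the cloud-deployment-model props from a parsed SSP (assumed layout)."""
    props = (ssp.get("system-security-plan", {})
                .get("system-characteristics", {})
                .get("props", []))
    return [p for p in props if p.get("name") == "cloud-deployment-model"]


def validate_deployment_models(ssp):
    """Return a list of (severity, message) findings; an empty list is a pass."""
    props = deployment_model_props(ssp)
    if not props:
        return [("error", "no cloud-deployment-model prop found")]
    findings, accepted = [], []
    for prop in props:
        value = prop.get("value", "")
        if value in FEDRAMP_ACCEPTED:
            accepted.append(value)
        elif value in OSCAL_ONLY:
            findings.append(("error", f"'{value}' is a valid OSCAL token but is not accepted by FedRAMP"))
        elif alias_to_token(value):
            findings.append(("error", f"'{value}' is a human-readable alias; use the token '{alias_to_token(value)}'"))
        else:
            findings.append(("error", f"'{value}' is not a recognized cloud deployment model"))
    # More than one model selected: the thread asks for a reason, carried in remarks.
    if len(accepted) > 1 and not any(p.get("remarks", "").strip() for p in props):
        findings.append(("warning", "multiple deployment models selected without remarks explaining why"))
    return findings


def _ssp(*props):
    """Build a constructed SSP fragment; the FedRAMP namespace value is assumed."""
    for p in props:
        p.setdefault("name", "cloud-deployment-model")
        p.setdefault("ns", "https://fedramp.gov/ns/oscal")
    return {"system-security-plan": {"system-characteristics": {"props": list(props)}}}


# Constructed sample SSP fragments covering the cases discussed in the thread.
SSP_TOKENIZED = _ssp({"value": "government-only-cloud"})
SSP_PLAYBOOK_STRING = _ssp({"value": "Government-Only Community"})
SSP_COMMUNITY = _ssp({"value": "community-cloud"})
SSP_MULTI_NO_REMARKS = _ssp({"value": "hybrid-cloud"}, {"value": "public-cloud"})

if __name__ == "__main__":
    samples = [("tokenized", SSP_TOKENIZED), ("playbook string", SSP_PLAYBOOK_STRING),
               ("community-cloud", SSP_COMMUNITY), ("multiple, no remarks", SSP_MULTI_NO_REMARKS)]
    for label, ssp in samples:
        print(f"{label}: {validate_deployment_models(ssp) or 'PASS'}")
```

To run it against a real package, `json.load` the SSP file and pass the resulting dict to `validate_deployment_models`. The alias table is deliberately separate from the accepted set: the validator never silently rewrites a Playbook string into a token, it only reports which token the author should have used, which is the integrity point made above.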