
Investigate `implementation-status` FedRAMP extension for possible retirement

Open brian-ruf opened this issue 4 months ago • 2 comments

This is a ...

improvement - something could be better

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)

User Story

The `implementation-status` FedRAMP extension in the `/control-implementation/implemented-requirement` SSP assembly pre-dates OSCAL 1.0.0 and the `by-component/implementation-status` fields.

It was established to maintain fidelity with the existing FedRAMP SSP Word templates that require a control-level implementation status rather than the OSCAL-favored implementation status at the component level.

There are two competing principles that impact the continued use or retirement of this prop:

  • meeting CSPs where they are when converting legacy SSPs from Word to OSCAL
  • utilizing core OSCAL syntax whenever possible, and only using FedRAMP extensions when a use case cannot be satisfied by core OSCAL.

At the heart of these competing principles is the notion that the implementation status of a control as a whole should always be reflective of the implementation status of the individual components linked to that control. While this intuitively seems to be a fair assertion, we must be certain any possible exceptions are understood and addressed.

The real-world FedRAMP control implementation status scenarios need to be documented, and an attempt should be made to model these scenarios using core OSCAL syntax to the greatest degree practical.
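One way to surface the exceptions the issue asks about is to roll each control's `by-component/implementation-status` states up to the control level and compare the result with the FedRAMP extension prop. The following is an added example, not code from fedramp-automation: the SSP fragment is constructed, the `ns` value is assumed to be the FedRAMP extension namespace, and the roll-up rule is an assumption to be replaced by whatever the documented scenarios require.

```python
import json
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # assumed FedRAMP extension namespace

# Constructed SSP fragment: ac-2 is consistent, ac-3 declares more than its components show.
SAMPLE_SSP = json.loads("""{
  "control-implementation": {"implemented-requirements": [
    {"control-id": "ac-2",
     "props": [{"name": "implementation-status", "ns": "https://fedramp.gov/ns/oscal",
                "value": "implemented"}],
     "by-components": [
       {"component-uuid": "c1", "implementation-status": {"state": "implemented"}},
       {"component-uuid": "c2", "implementation-status": {"state": "implemented"}}]},
    {"control-id": "ac-3",
     "props": [{"name": "implementation-status", "ns": "https://fedramp.gov/ns/oscal",
                "value": "implemented"}],
     "by-components": [
       {"component-uuid": "c1", "implementation-status": {"state": "implemented"}},
       {"component-uuid": "c3", "implementation-status": {"state": "planned"}}]}
  ]}}""")

def roll_up(states):
    """Derive a control-level status from component states (assumed roll-up rule)."""
    s = set(states)
    if not s:
        return None                 # no component statements: nothing to derive
    if s == {"not-applicable"}:
        return "not-applicable"
    s.discard("not-applicable")     # N/A components do not lower the others
    if len(s) == 1 and s <= {"implemented", "planned", "alternative"}:
        return s.pop()              # uniform components carry their own state up
    return "partial"                # any partial, or a mix, needs human review

def control_level_prop(req):
    # Value of the FedRAMP implementation-status extension prop, if present.
    for p in req.get("props", []):
        if p.get("name") == "implementation-status" and p.get("ns") == FEDRAMP_NS:
            return p.get("value")
    return None

def find_mismatches(ssp):
    """Return (control-id, declared prop value, rolled-up value) where they differ."""
    out = []
    for req in ssp["control-implementation"]["implemented-requirements"]:
        states = [bc.get("implementation-status", {}).get("state")
                  for bc in req.get("by-components", [])]
        derived = roll_up([x for x in states if x])
        declared = control_level_prop(req)
        if declared and derived and declared != derived:
            out.append((req["control-id"], declared, derived))
    return out
```

Every tuple `find_mismatches` returns is a candidate scenario where the control-level prop carries information the component-level fields do not, which is exactly the set of cases that must be understood before the extension can be retired.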

Goals

  • Ensure all real-world control implementation status scenarios are understood and appropriately modeled
  • Ensure core OSCAL is used to the greatest degree practical and FedRAMP extensions are only used when necessary
  • Minimize complexity for OSCAL implementers

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

No response

brian-ruf, Oct 22 '24 16:10