Create FedRAMP OSCAL content for SP 800-53 rev5

[delnaweil]

Extended Description

• As a FedRAMP PMO manager, in order to accommodate the fifth revision of NIST SP 800-53, I want OSCAL content created analogous to that created for the fourth revision of NIST SP 800-53.

Preconditions

• [ ] Determine if FedRAMP has already manufactured OSCAL content for rev5.
• [ ] Familiarity with NIST SP 800-53 version 5.
• [ ] Familiarity with NIST SP 800-53B (there was no version 4).
• [ ] Familiarity with NIST SP 800-53A version 5.
• [ ] Familiarity with NIST OSCAL Content, particularly rev5.
• [ ] Familiarity with FedRAMP OSCAL rev 4 Content.
• [ ] Familiarity with NIST OSCAL Catalog and Profile concepts.
• [ ] Familiarity with NIST OSCAL Profile Resolution Specification.
• [ ] Familiarity with SP 800-53 OSCAL comparison, particularly the rev4 to rev5 ODP mapping.
• [ ] Familiarity with NIST OSCAL XML to JSON Converters.

Acceptance Criteria

• [ ] Story tasks are complete.

Story Tasks

• [ ] Create an OSCAL XML catalog via one or more XSLT transforms using input from NIST OSCAL SP 800-53 rev5 content.
• [ ] Create one OSCAL XML profile via one or more XSLT transforms for each SP 800-53B Low, Moderate, and High baseline using input from v1.0.0 NIST OSCAL SP 800-53 rev5 content, corresponding FedRAMP OSCAL rev4 profiles , and the rev4 to rev5 ODP mapping. Map FedRAMP rev4 profile customization artifacts to the corresponding rev5 profile customization artifacts. Prepare a composite list of novel (rev5) ODPs for FedRAMP to identify any FedRAMP-desired constraints.
• [ ] Create OSCAL XML "resolved profile catalog" catalog documents for each baseline using the OSCAL profile resolution transform(s).

Definition of Done

• [ ] Acceptance criteria met
• [ ] Unit test coverage of our code > 95%
• [ ] Automated code quality checks passed
• [ ] Security reviewed and reported
• [ ] Reviewed against plain language guidelines
• [ ] Code must be self-documenting
• [ ] No local tech debt
• [ ] Load/performance tests passed – needs to be created/automated
• [ ] Documentation updated
• [ ] Architectural Decision Record completed as necessary for significant design choices
• [ ] PR reviewed & approved
• [ ] Source code merged

[GaryGapinski]

Waiting for confirmation from FedRAMP PMO.

[GaryGapinski]

See branch issue-478.

[delnaweil]

FedRAMP is handling independently