Pre-Schematron Structured Validation Rule Data

[mike-stern]

As as ASAP p3 developer, I would like a machine consumable list of fedRAMP authorization rules that will eventually manifest as OSCAL rules, so that I can ensure traceability from business process to automation framework.

Context:

Onboarded 10x developers and FedRAMP stakeholders have discussed a need for more structured information than what was provided previously to the 10x ASAP P2 Team last year in the form of the Agency Review Report Template. The current developers would like a more intentional, structured precursor document with a listing of rules that can be reviewed and modified over time. Once this precursor document is established, the developers would like to investigate more directly mapping it to the code outputs (in later development efforts, perhaps after Sprint 2), perhaps using it to programmatically generate tests and/or the validation code itself.

Nice to have: A rendition of this structured precursor document into HTML or an alternative presentation format with the FART and JAB team would be ideal.

Acceptance:

Acceptance Criteria:

• FedRAMP policy team approves of format
• FedRAMP team has the ability to maintain the spreadsheet
• Understand the nature of change (i.e. what drives FedRAMP rule changes):
  • NIST baseline changes (OMB mandates this adoption)
  • OSCAL releases? Is this just a cascade effect to NIST change, specimen SSP
  • internal process improvement

Dependencies:

• [ ] A working agreement with FedRAMP FART and JAB contacts to align on this structured data

[ohsh6o]

Before reformatting this, this seems to be a dupe of 18F/fedramp-automation#83, which is now in sprint. This might have been a blooper on my part. Will discuss with Mike in next backlog review meeeting.

[ohsh6o]

Was confused and flipped since #85 was in Sprint 2 closing this one as discussed in review.