Inconsistencies in documentation regarding required roles in <metadata>

[telosBA]

• This is a ...

  • [x] concern - I think something needs to be different.
  • [x] question - I didn't understand something.
  • [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
  • [ ] request - I would like to see something additional provided.

• This relates to ...

  • [ ] the FedRAMP OSCAL Registry (Excel File)
  • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
  • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [x] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] General/Overall
  • [ ] Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

• Where, exactly?

  • For the registry, please indicate the tab and cell, or other clear identifier
  • For the guide, please indicate the section number and printed page number (lower right corner)
  • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier FedRAMP-SSP-OSCAL-Template.xml Lines 25-179

• What is your feedback?

• What version of OSCAL are you using? (Check our info on supported OSCAL versions) 1.0.2

• What action would you like to see from the FedRAMP PMO? There are currently discrepancies between the SSP guide and XML template on required roles in <metadata>. The guide has 10 required roles while the template requires 20. What is the source of truth for required roles?

There is also an issue with role id/title standards. The current id and title values required by the template must be hard coded, as the correct id cannot be parsed from the title (e.g. Line 47-48: role id="content-approver" title="System Security Plan Approval"). Requesting consistency between role title and id.

• Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, eg. slack, gitter, etc)

[volpet2014]

There is a documentation and template update in progress and FR will be addressing this issue in the next update. We are aware of the issue and are working to resolve it.