Discrepancy between FedRAMP SSP Guide and SSP Template regarding authorization-type

[telosBA]

• This is a ...

  • [x] concern - I think something needs to be different.
  • [x] question - I didn't understand something.
  • [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
  • [ ] request - I would like to see something additional provided.

• This relates to ...

  • [ ] the FedRAMP OSCAL Registry (Excel File)
  • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
  • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [x] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] General/Overall
  • [ ] Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

• Where, exactly?
  • For the registry, please indicate the tab and cell, or other clear identifier
  • For the guide, please indicate the section number and printed page number (lower right corner)
  • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier

FedRAMP SSP Guide p.10 FedRAMP-SSP-OSCAL-Template.xml Line 519

• What is your feedback?

Format of <system-characteristics> <prop> name="authorization type" differs in the SSP Guide and Template, with the Guide listing elements in order: name, ns, value while the Template lists in ns, name, value. The Template currently does not validate for this prop.

• What version of OSCAL are you using? (Check our info on supported OSCAL versions)

1.0.2

• What action would you like to see from the FedRAMP PMO?

What is the correct formatting to achieve validation? Is the validator functioning correctly in regard to this prop?

• Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, eg. slack, gitter, etc)

[david-waltermire]

Props and their attributes are essentially unordered statements of fact. This ordering inconsistency, while may be confusing, shouldn't matter in OSCAL.