GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

Translation support between Assessment Procedure and Objective Label #398

Open Telos-sa opened 1 year ago

Telos-sa commented 1 year ago


Describe the problem or enhancement

Requesting the inclusion of a new prop in the FedRAMP baseline profile that includes the previous assessment procedures from the FedRAMP Security Test Case Procedures template to support users who are transitioning from the manual submission process to the OSCAL method.

Goals:

Modify the Baseline profile to include a new prop, locally defined by fedRAMP that maps backward to the manual process. Will allow users to transition back and forth between manual submission and OSCAL SAP and SAR submission.

Acceptance Criteria

```xml
<part id="ac-1.a.1_obj.2" name="objective">
   <prop ns="https://fedramp.gov/ns/oscal"
         name="response-point"
         value="You must fill in this response point."/>
   <prop name="method" class="fedramp" value="EXAMINE"/>
   <prop name="label" value="AC-1(a)(1)[2]"/>
   <!-- proposed prop carrying the legacy Test Case Workbook procedure id;
        OSCAL prop names are tokens, so the name is hyphenated, and the
        namespace matches the FedRAMP ns used above -->
   <prop name="assessment-procedure" ns="https://fedramp.gov/ns/oscal" value="AC-1.a.1.2"/>
   <p>defines personnel or roles to whom the access control policy are to be disseminated;</p>
</part>
```
Telos-sa commented 1 year ago

Telos Solutions Architects have completed a comparative analysis between the assessment procedures and the OSCAL response points, and created three new tickets. Please review the attached document, which should provide the framework for mapping. It also identifies where naming conventions do not align and where a source-of-truth resource is needed to validate the mapping.

FedRAMP_Response-to-Procedure.xlsx

Rene2mt commented 4 months ago

The Test Case Workbook template in many cases aggregates multiple sp800-53a test case identifiers into a single one. For example:

Generally, for assessment-objective parts, the contained label prop (e.g., <prop name="label" class="sp800-53a" value="..."/>) in the resolved profile catalog should be used to trace back to a specific test case and provides a 1-to-1 mapping. There is also a link to the specific control part that this assessment is for (e.g. <link rel="assessment-for" href="#ac-7_smt.a"/>).

However, this doesn't work for the numerous aggregated test cases. The attached provides a normalized mapping between the test cases and the sp800-53a labels from the source catalog that can be used in the interim (see FR-High-TWCW-R5-procedure-to-part-mapping.xlsx).

FedRAMP is determining whether this mapping should simply be added to the TCW template or if there is great value by adding the mapping directly into the profiles.
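As an added illustration of the two traceback paths Rene describes (the 1-to-1 `label` prop / `assessment-for` link in the resolved catalog, and an interim many-to-one workbook mapping for aggregated test cases), the following Python is example code, not part of fedramp-automation. The catalog fragment, part ids, labels and the workbook mapping are all constructed for the example.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed fragment in the shape of a resolved profile catalog (not the
# real FedRAMP baseline); ids, labels and hrefs are illustrative only.
SAMPLE_CATALOG = f"""<catalog xmlns="{OSCAL_NS}">
  <control id="ac-7">
    <part id="ac-7_obj.a-1" name="assessment-objective">
      <prop name="label" class="sp800-53a" value="AC-07a.[01]"/>
      <link rel="assessment-for" href="#ac-7_smt.a"/>
    </part>
    <part id="ac-7_obj.a-2" name="assessment-objective">
      <prop name="label" class="sp800-53a" value="AC-07a.[02]"/>
      <link rel="assessment-for" href="#ac-7_smt.a"/>
    </part>
    <part id="ac-7_obj.b" name="assessment-objective">
      <prop name="label" class="sp800-53a" value="AC-07b."/>
      <link rel="assessment-for" href="#ac-7_smt.b"/>
    </part>
  </control>
</catalog>"""

# Constructed stand-in for the interim workbook mapping: one legacy test
# case id may aggregate several sp800-53a objective labels (many-to-one).
SAMPLE_TCW_MAPPING = {
    "AC-7.1": ["AC-07a.[01]", "AC-07a.[02]"],
    "AC-7.2": ["AC-07b."],
}

def index_objectives(xml_text):
    """Map each sp800-53a label to (objective part id, assessed statement)."""
    root = ET.fromstring(xml_text)
    index = {}
    for part in root.iterfind(".//o:part[@name='assessment-objective']", NS):
        label = part.find("o:prop[@name='label'][@class='sp800-53a']", NS)
        link = part.find("o:link[@rel='assessment-for']", NS)
        if label is None:
            continue  # an objective without a label cannot be traced 1-to-1
        href = link.get("href") if link is not None else None
        index[label.get("value")] = (part.get("id"), href)
    return index

def resolve_procedure(proc_id, tcw_mapping, index):
    """Expand an aggregated legacy test case id to the objective parts it covers."""
    parts = []
    for label in tcw_mapping.get(proc_id, []):
        if label not in index:
            raise KeyError(f"{proc_id}: label {label} not found in catalog")
        parts.append(index[label])
    return parts

def build_reverse(tcw_mapping):
    """Invert the workbook mapping so an OSCAL label traces back to a legacy id."""
    return {lab: pid for pid, labs in tcw_mapping.items() for lab in labs}
```

Running `resolve_procedure` over a real workbook export would surface exactly the labels that do not align with the catalog, which is the validation gap noted earlier in the thread.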

Telos-sa commented 4 months ago

Thanks Rene, just to confirm: we should be leveraging the OSCAL baseline-profile response points, which have been updated to that level of granularity. For legacy conversion, can we maintain the OSCAL level of granularity, or do we need to map backwards to the statement level to match what is in the current legacy test case?