Open Telos-sa opened 1 year ago
Telos Solutions Architects have completed a comparative analysis between the Assessment procedures and the OSCAL response points. Created three new tickets. Please review the attached document, which should provide the framework for mapping. It also identifies where naming conventions do not align and where a source-of-truth resource is needed to validate the mapping.
The Test Case Workbook template in many cases aggregates multiple sp800-53a test case identifiers into a single one. For example:
Generally, for assessment-objective parts, the contained label prop (e.g., <prop name="label" class="sp800-53a" value="..."/>) in the resolved profile catalog should be used to trace back to a specific test case and provides a 1-to-1 mapping. There is also a link to the specific control part that this assessment is for (e.g. <link rel="assessment-for" href="#ac-7_smt.a"/>).
However, this doesn't work for the numerous aggregated test cases. The attached provides a normalized mapping between the test cases and the sp800-53a labels from the source catalog that can be used in the interim (see FR-High-TWCW-R5-procedure-to-part-mapping.xlsx).
FedRAMP is determining whether this mapping should simply be added to the TCW template or if there is great value in adding the mapping directly into the profiles.
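An added illustration of the tracing described in the comment above (not code from this issue or from FedRAMP): it indexes assessment-objective parts by their sp800-53a label, follows the assessment-for link, and expands an aggregated test case into its objectives while reporting labels the catalog does not contain. The XML fragment, the label values and the aggregated entry are constructed assumptions; the actual mapping is in the attached spreadsheet.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}  # OSCAL 1.x XML namespace

# Constructed fragment shaped like a resolved profile catalog (values illustrative).
SAMPLE = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
 <control id="ac-7">
  <part id="ac-7_obj" name="assessment-objective">
   <part id="ac-7_obj.a-1" name="assessment-objective">
    <prop name="label" class="sp800-53a" value="AC-07a.[01]"/>
    <link rel="assessment-for" href="#ac-7_smt.a"/>
   </part>
   <part id="ac-7_obj.a-2" name="assessment-objective">
    <prop name="label" class="sp800-53a" value="AC-07a.[02]"/>
    <link rel="assessment-for" href="#ac-7_smt.a"/>
   </part>
  </part>
 </control>
</catalog>"""

# Hypothetical aggregated workbook entry: one test case id covering several labels.
AGGREGATED = {"AC-7(a)": ["AC-07a.[01]", "AC-07a.[02]", "AC-07a.[03]"]}

def objective_index(xml_text):
    """Map each sp800-53a label to (objective part id, statement part id)."""
    index = {}
    for part in ET.fromstring(xml_text).iter("{%s}part" % NS["o"]):
        if part.get("name") != "assessment-objective":
            continue
        label = part.find("o:prop[@name='label'][@class='sp800-53a']", NS)
        if label is None:  # container parts carry no sp800-53a label here
            continue
        link = part.find("o:link[@rel='assessment-for']", NS)
        target = link.get("href").lstrip("#") if link is not None else None
        index[label.get("value")] = (part.get("id"), target)
    return index

def resolve(aggregated, index):
    """Expand aggregated test case ids; report labels absent from the catalog."""
    resolved, missing = {}, []
    for case_id, labels in aggregated.items():
        resolved[case_id] = [index[l] for l in labels if l in index]
        missing += [(case_id, l) for l in labels if l not in index]
    return resolved, missing

if __name__ == "__main__":
    print(resolve(AGGREGATED, objective_index(SAMPLE)))
```

A non-empty `missing` list is the signal that a workbook identifier and the catalog labels have drifted apart and need a source of truth to reconcile.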
Thanks Rene, just to confirm. We should be leveraging the OSCAL baseline-profile response points, which have been updated to that level of granularity. For legacy conversion, can we maintain the OSCAL level of granularity, or do we need to map backwards to the statement level to match what is in the current Legacy test case?
Action Item
Describe the problem or enhancement
Requesting the inclusion of a new prop in the FedRAMP baseline profile that includes the previous assessment procedures from the FedRAMP Security Test Case Procedures template to support users who are transitioning from the manual submission process to the OSCAL method.
Goals:
Modify the Baseline profile to include a new prop, locally defined by FedRAMP, that maps backward to the manual process. This will allow users to transition back and forth between manual submission and OSCAL SAP and SAR submission.
Acceptance Criteria