GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

Misalignment between level of granularity between Objective Response Points and Assessment Procedures #401

Open Telos-sa opened 1 year ago

Telos-sa commented 1 year ago

Telos has begun working on the SAP and SAR models. During our investigation we have identified 52 Response points for Objectives in the OSCAL High Baseline Catalog profile that deviate from the list level / naming convention in the SAP-AA FedRAMP High Security Test Case Procedures.

This is a ...

- [ X ] fix - Something needs to be different.
- [ X ] enhancement - Something could be better.
- [ X ] investigation - Something needs to be investigated further.

This relates to ...

- [ X ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
- [ X ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
- [ X ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
- [ X ] General/Overall
- [ X ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

Requesting review of the following Objectives and either additional test procedures included in the next FedRAMP Security Test Case Procedures release, or guidance/details to confirm that these 3 response points are new/additional tests.


| FedRAMP OSCAL | Assessment Procedure |
| -- | -- |
| CM-2[1] | CM-2.a.1 |
| CM-2[2] | CM-2.a.2 |
| CM-2(1)(c) | CM-2(1).c.1 |
| CM-6(b) | CM-6.b.1 |
| CM-7(5)(b) | CM-7.5.b.1 |
| CM-8(5) | CM-8(5).1 |
| CM-10(a) | CM-10.a.1 |
| CM-10(b) | CM-10.b.1 |
| CM-10(c) | CM-10.c.1 |
| CP-2(8) | CP-2(8).1 |
| CP-3(1) | CP-3(1).1 |
| CP-4(1) | CP-4(1).1 |
| CP-6(1) | CP-6(1).1 |
| CP-6(2) | CP-6(2).1 |
| CP-7(1) | CP-7(1).1 |
| CP-7(3) | CP-7(3).1 |
| CP-7(4) | CP-7(4).1 |
| CP-8(2) | CP-8(2).1 |
| CP-8(3) | CP-8(3).1 |
| CP-9(2) | CP-9(2).1 |
| CP-10(2) | CP-10(2).1 |
| IA-2(1) | IA-2(1).1 |
| IA-2(2) | IA-2(2).1 |
| IA-2(3) | IA-2(3).1 |
| IA-2(4) | IA-2(4).1 |
| IA-2(5) | IA-2(5).1 |
| IA-2(8) | IA-2(8).1 |
| IA-2(9) | IA-2(9).1 |
| IA-5(6) | IA-5(6).1 |
| IA-6 | IA-6.1 |
| IA-7 | IA-7.1 |
| IA-8(2) | IA-8(2).1 |
| IA-8(4) | IA-8(4).1 |
| IR-2(1) | IR-2(1).1 |
| IR-2(2) | IR-2(2).1 |
| IR-4(1) | IR-4(1).1 |
| IR-4(4) | IR-4(4).1 |
| IR-4(6) | IR-4(6).1 |
| IR-7(1) | IR-7(1).1 |
| PE-3(a)[2] | PE-3.a.2.1 |
| PL-2(c)[2] | PL-2.c |
| SA-4(1) | SA-4(1).1 |
| SA-4(10) | SA-4(10).1 |
| SA-10(1) | SA-10(1).1 |
| SA-11(1) | SA-11(1).1 |
| SA-11(8) | SA-11(8).1 |
| SI-2(1) | SI-2(1).1 |
| SI-3(1) | SI-3(1).1 |
| SI-3(2) | SI-3(2).1 |
| SI-3(7) | SI-3(7).1 |
| SI-4(2) | SI-4(2).1 |
| SI-4(16) | SI-4(16).1 |
| SI-5(1) | SI-5(1).1 |

Goals:

- Updated Baseline profile catalog that matches the Manual process, or
- Guidance on how to submit / handle / ignore the misalignment.

Dependencies: {Describe any previous issues or related work that must be completed to start or complete this issue.}

Acceptance Criteria

- [ X ] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
- [ X ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

Other Comments

Will relate to the additional tickets submitted for misaligned response points and new response points.
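As an added illustration (not code from this issue or from the fedramp-automation project), the script below takes a subset of the pairs from the table above and checks whether one mechanical rewrite rule, derived from the majority pattern in the table, reproduces the assessment procedure identifier from the OSCAL objective label. The pairs the rule cannot reproduce are the ones that need catalog knowledge (which lettered part an objective sits under) or a naming decision from the PMO. The regular expression, the rewrite rule and the function names are my own assumptions, not anything defined by OSCAL or by FedRAMP's test case workbook.

```python
"""Compare FedRAMP OSCAL objective labels with FedRAMP test-case procedure ids.

Constructed example. PAIRS is a subset of the rows in issue #401's table:
(objective label as it appears in the OSCAL baseline, procedure id as it
appears in the FedRAMP High Security Test Case Procedures).
"""
import re

PAIRS = [
    ("CM-2[1]", "CM-2.a.1"),
    ("CM-2(1)(c)", "CM-2(1).c.1"),
    ("CM-6(b)", "CM-6.b.1"),
    ("CM-7(5)(b)", "CM-7.5.b.1"),
    ("CM-8(5)", "CM-8(5).1"),
    ("CM-10(a)", "CM-10.a.1"),
    ("IA-6", "IA-6.1"),
    ("PE-3(a)[2]", "PE-3.a.2.1"),
    ("PL-2(c)[2]", "PL-2.c"),
    ("SI-4(16)", "SI-4(16).1"),
]

# Assumed label grammar: CONTROL [ (enhancement) ] [ (part letter) ] [ [index] ]
OBJ_RE = re.compile(
    r"^([A-Z]{2}-\d+)((?:\(\d+\))?)((?:\([a-z]\))?)((?:\[\d+\])?)$"
)


def parse_objective(label):
    """Split e.g. 'CM-7(5)(b)' into (control, enhancement, part, index).

    Missing components are returned as None; an unparsable label gives None.
    """
    m = OBJ_RE.match(label)
    if m is None:
        return None
    control, enh, part, idx = m.groups()
    return (
        control,
        enh.strip("()") or None,
        part.strip("()") or None,
        idx.strip("[]") or None,
    )


def predicted_procedure(label):
    """Apply the dominant convention seen in the table (my reading of it):

    - the enhancement number stays in parentheses,
    - a part letter becomes '.x',
    - a bracketed objective index becomes '.n',
    - a trailing '.1' names the first test procedure for that objective.

    Returns None when the label does not fit the assumed grammar.
    """
    parsed = parse_objective(label)
    if parsed is None:
        return None
    control, enh, part, idx = parsed
    out = control
    if enh:
        out += f"({enh})"
    if part:
        out += f".{part}"
    if idx:
        out += f".{idx}"
    return out + ".1"


def check(pairs):
    """Return {label: (status, predicted, actual)} where status is
    'ok' (rule reproduces the procedure id), 'deviates' (it does not) or
    'unparsable' (label does not fit the assumed grammar)."""
    report = {}
    for label, actual in pairs:
        predicted = predicted_procedure(label)
        if predicted is None:
            status = "unparsable"
        elif predicted == actual:
            status = "ok"
        else:
            status = "deviates"
        report[label] = (status, predicted, actual)
    return report


if __name__ == "__main__":
    for label, (status, predicted, actual) in check(PAIRS).items():
        print(f"{label:<12} {status:<10} predicted={predicted} actual={actual}")
```

On the subset above the rule reproduces seven of the ten procedure ids. The three it misses are instructive: `CM-2[1]` maps to `CM-2.a.1`, so the bracketed index is really a position under part (a) that only the catalog can supply; `CM-7(5)(b)` is written `CM-7.5.b.1` in the workbook, which drops the parentheses that every other enhancement keeps; and `PL-2(c)[2]` is written `PL-2.c`, with no index and no trailing test number. Running the full table through the same check is the quickest way to split the 52 rows into "mechanically reconcilable" and "needs a decision".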

volpet2014 commented 1 year ago

Confirmed similar to issue #400, we believe this is coming straight from the source NIST catalog. FR might consider creating its own prop (as Telos requested in issue #398) to make it easier to track correctly, but it will require a bit of work (there are hundreds, if not over a thousand, test objectives). Escalating to PMO for consideration of effort required to implement.