Duplicate Response Points in both the Assessment Procedures and Baseline Profile

[Telos-sa]

Action Item

During Telos analysis of the SAP and SAR models, manual process and OSCAL process, identified 3 Duplicate response points. It looks like there is an error in the OSCAL model and the Assessment Procedures where response points were excluded due to naming convention inconsistencies.

This is a ...

• [ X ] fix - Something needs to be different.
• [ X ] enhancement - Something could be better.
• [ X ] investigation - Something needs to be investigated further.

This relates to ...

• [ X ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ X ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ X ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ X ] General/Overall
• [ X ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

The Following FedRAMP response points and assessment procedures should be updated as follows:
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">

FedRAMP OSCAL | Assessment Procedure | Recommended Response Points -- | -- | -- CM-4(1)[1] | CM-4(1).1 | CM-4(1)[2][b] CM-4(1)[1] | CM-4(1).1 | CM-4(1)[2][b] CM-4(1)[1] | CM-4(1).1 | CM-4(1)[2][b]

Goals:

Address any errors within the OSCAL Baseline profile and Assessment Procedures to ensure a programmatically readable format. Recommend making the above adjustment.

Acceptance Criteria

• [ X ] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
• [ X ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

[volpet2014]

Sounds like there are response point issues in either the FR rev4 profile and/or SAR template, but its not clear from the info in the ticket. Need more specific details. If submitter can specifically provide name of document(s) and line(s) # , that will be helpful

[Telos-sa]

This is referencing the FedRAMP FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.xml from here: https://github.com/GSA/fedramp-automation/tree/master/dist/content/rev4/baselines/xml

in the objectives for cm-4.1_obj.1 there are 4 response points listed in the single objective.

and is missing the following:

This builds out automated request to answer the same objective 4 times. Instead. It should be a single response point for CM-4(1)[1] as shown in 800-53A

[Telos-sa]

Intent may also have been to build out the response points like 800.53A, in which case, this should be the structure:

So it builds out the tests with response points under each objective, instead of bunching up the response points under CM-4(1)[1] and only CM-4(1)[2][a] has a response point instead of CM-4(1)[2][b] CM-4(1)[2][c] CM-4(1)[2][d].