GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

AC-8 REQ does not have a response point in Baseline profile. How to address? #410

Open Telos-sa opened 1 year ago

Telos-sa commented 1 year ago

Action Item

This is a ...

This relates to ...

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

In the manual SSP process, FedRAMP-specific REQs were included in the baseline and had sections to answer, like NIST control statements. In the FedRAMP HIGH Baseline Profile, example: AC-8 Req.


Additional FedRAMP Requirements and Guidance

Requirement 1: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

Requirement 2: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

Requirement 3: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB/AO.


| AC-8 Req. | Control Summary Information |
| -- | -- |
| Responsible Role: | |
| Implementation Status (check all that apply): | ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable |
| Control Origination (check all that apply): | ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization |


However, they do not have response points in the OSCAL High baseline profile. Need to confirm whether they have just been rolled into AC-8 in general, or whether they should have response points (and a catalog specific to FedRAMP requirements that are not included in the NIST catalog?).

Goals:

Determine how systems are supposed to handle control statements that were part of the manual process and do not have a counterpart in the new process. Where should the response data previously captured go?
If requirements need response points, also request objectives so that the requirement can be fully handled through the models.

Dependencies:

Manual Process

Acceptance Criteria

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

Other Comments

FedRAMP HIGH

AC-8 Additional FedRAMP Requirements and Guidance

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB/AO.

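As an added example (not code from the issue or from the fedramp-automation project), the check below walks one control in an OSCAL catalog JSON document and reports which prose parts carry a response point and which do not, so a gap like the one described for the AC-8 "Additional FedRAMP Requirements and Guidance" part shows up mechanically. The `response-point` prop name, the `https://fedramp.gov/ns/oscal` namespace, the part ids and the whole sample catalog are constructed assumptions about how such markers look, not values taken from the issue.

```python
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # assumed FedRAMP prop namespace

# Constructed sample shaped like one control from an OSCAL catalog (JSON).
# Part ids, prose and the response-point props are illustrative only.
SAMPLE_CATALOG = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-8", "title": "System Use Notification", "parts": [
        {"id": "ac-8_smt", "name": "statement", "parts": [
            {"id": "ac-8_smt.a", "name": "item", "prose": "Display a system use notification ...",
             "props": [{"ns": FEDRAMP_NS, "name": "response-point", "value": "true"}]},
            {"id": "ac-8_smt.b", "name": "item", "prose": "Retain the notification ...",
             "props": [{"ns": FEDRAMP_NS, "name": "response-point", "value": "true"}]}]},
        {"id": "ac-8_fr", "name": "guidance",
         "title": "Additional FedRAMP Requirements and Guidance", "parts": [
            {"id": "ac-8_fr_req1", "name": "item",
             "prose": "Requirement 1: determine elements requiring the control ..."},
            {"id": "ac-8_fr_req2", "name": "item",
             "prose": "Requirement 2: determine how the notification is verified ..."}]}]}]}]}}


def iter_parts(parts):
    """Depth-first walk over a nested OSCAL 'parts' list."""
    for part in parts or []:
        yield part
        yield from iter_parts(part.get("parts"))


def has_response_point(part):
    """True when the part carries the (assumed) FedRAMP response-point prop."""
    return any(prop.get("ns") == FEDRAMP_NS and prop.get("name") == "response-point"
               and prop.get("value") == "true" for prop in part.get("props", []))


def find_control(catalog, control_id):
    """Locate a top-level control by id across the catalog's groups."""
    for group in catalog["catalog"].get("groups", []):
        for control in group.get("controls", []):
            if control.get("id") == control_id:
                return control
    raise KeyError(f"control {control_id!r} not in catalog")


def response_point_report(catalog, control_id):
    """Return (answerable, unanswerable): ids of prose parts with/without a response point."""
    answerable, unanswerable = [], []
    for part in iter_parts(find_control(catalog, control_id).get("parts")):
        if "prose" in part:  # containers such as the statement itself carry no response
            (answerable if has_response_point(part) else unanswerable).append(part["id"])
    return answerable, unanswerable
```

Running `response_point_report` over a real resolved FedRAMP baseline (after confirming the actual marker FedRAMP uses) lists every requirement prose part that an automated SSP could not attach a response to.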
Telos-sa commented 1 year ago

@Telos-sa this needs additional PMO review.

volpet2014 commented 1 year ago

This issue will be left open. In speaking with the PMO review team, these requirements currently do not have response points in Rev 4 or Rev 5 OSCAL, and they recognize that this is an issue from an automation standpoint. There was much discussion as to the term Guidance vs. Requirement in the current Word SSP templates, as some of these are written in such a way that the requirement applies to all control parts (except where specifically noted) and some do not. The language will need to be clarified for each Requirement to specify the intent that the requirement will need a specific response point in the OSCAL and the Word SSP templates. This will be undertaken for a future release of the baselines (profiles). For now, they will be reviewing the SSP as is currently done, via an analyst looking at the control responses to determine if the Guidance/Requirements were applied appropriately in the part responses in the Word template.