[ ] investigation - Something needs to be investigated further.
This relates to ...
[ ] the FedRAMP OSCAL Registry (Excel File)
[ ] the Guide to OSCAL-based FedRAMP Content (PDF)
[ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
[X] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
[ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
[ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
[ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
[ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
[ ] General/Overall
[ ] Other
Describe the problem or enhancement
There is a requirement in the SAP guide and template for the Penetration Testing Plan and Methodology - however, most of the data required of it is already in the SAP. There is no template or guidance on format and it is unclear what the significant differences are, making the required data seem redundant.
Goals:
There are a couple of potential solutions. One would be to provide information on the differences in the guide for the Penetration Test Plan and a template or guidance on the expected format.
If the data is mostly or all redundant, it may not need to be a requirement and the additional information could instead be added to the OSCAL data model.
Action Item
Dependencies:
No dependencies on previous issues.
Acceptance Criteria