Penetration Test Plan Requirement

[Telos-sa]

Action Item

This is a ...

• [ ] fix - Something needs to be different.
• [X] enhancement - Something could be better.
• [ ] investigation - Something needs to be investigated further.

This relates to ...

• [ ] the FedRAMP OSCAL Registry (Excel File)
• [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
• [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
• [X] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
• [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ ] General/Overall
• [ ] Other

Describe the problem or enhancement

There is a requirement in the SAP guide and template for the Penetration Testing Plan and Methodology - however, most of the data required of it is already in the SAP. There is no template or guidance of format and it is unclear what the significant differences are, making the required data seems redundant.

Goals:

There are a couple potential solutions. One would be to provide information on the differences in the guide for the Penetration Test Plan and a template or guidance on the expected format. If the data is mostly or all redundant, it may not need to be a requirement and the additional information could instead be added to the OSCAL data model.

Dependencies:

No dependencies on previous issues.

Acceptance Criteria

• [X] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.