Previous attempts to identify "automation" and "technical" control implementations were ill-advised.
See issue 18F/fedramp-automation#309 and 18F/fedramp-automation#310.
Neither of these issues cites a reference to a FedRAMP source of control identifiers. Absence of a reference precludes maintenance.
With the advent of 800-53 rev5 (and there will be successors) a problem arose. The src/content/rev4resources/xml/fedramp_values.xml document was cloned for rev5. "Technical" control AC-2(10) was subsequently found in rev5 to be withdrawn and incorporated into AC-2 statement k. That alone indicates that the concept of identifying such controls now expands to controls and control statements. These probably should have been identified in catalogs and/or profiles in a manner analogous to "response-point" designations.
But only if this provided utility. It does not appear to do so.
The actual implementation simply checked for control implementations for each set of "technical" and "automation" control identifiers. These checks are redundant since controls are required by their presence in a (resolved) catalog. All the extra Schematron assertions accomplish is a duplicative, qualified assertion for "automation" and "technical". There is no obvious handling of control identifiers with respect to required controls relative to baseline (profile).
Unless a sponsor of the "automation" and "technical" inspection can be found, the best course of action is to remove the related code.
Were there a sponsor, that individual should have identified the rev5 "automation" and "technical" control and control statement identifier sets, and those sets should have been placed in profiles, catalogs, or "resolved profiles" (i.e., catalogs). I suspect to no avail, as "automation" and "technical" controls are essentially required controls and the required controls (in catalog/profile) should carry the "automation" and "technical" attributes.
Preconditions
None.
Acceptance Criteria
[ ] All XSpec code introduced by 18F/fedramp-automation#309 and 18F/fedramp-automation#310 is removed from rev4 and rev5.
[ ] All Schematron code introduced by 18F/fedramp-automation#309 and 18F/fedramp-automation#310 is removed from rev4 and rev5.
[ ] All fedramp_values.xml code introduced by 18F/fedramp-automation#309 and 18F/fedramp-automation#310 is removed from rev4 and rev5.
Story Tasks
fedramp_values.xml code introduced by 18F/fedramp-automation#309 and 18F/fedramp-automation#310 from rev4 and rev5.
Definition of Done
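The AC-2(10) case described in this issue can be caught mechanically. The following is an added example, not code from this repository: it audits a hand-maintained identifier list against a catalog and reports entries that are withdrawn or absent. The catalog fragment and the `TECHNICAL_IDS` list are constructed, and the `status`/`withdrawn` property and `incorporated-into` link are assumed to mark withdrawn controls as in the OSCAL rev5 catalog.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed, heavily trimmed stand-in for a rev5 catalog (not the real file).
CATALOG = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control id="ac-2">
    <part id="ac-2_smt" name="statement"><part id="ac-2_smt.k" name="item"/></part>
    <control id="ac-2.10">
      <prop name="status" value="withdrawn"/>
      <link rel="incorporated-into" href="#ac-2_smt.k"/>
    </control>
  </control>
  <control id="au-2"/>
</catalog>"""

# Hypothetical "technical" identifier list carried over unchanged from rev4.
TECHNICAL_IDS = ["ac-2", "ac-2.10", "au-2", "zz-9"]


def audit_ids(catalog_xml, ids):
    """Classify each identifier as active, withdrawn (with successor ids) or missing."""
    root = ET.fromstring(catalog_xml)
    # iter() walks nested controls, so enhancements such as ac-2.10 are indexed too.
    controls = {c.get("id"): c for c in root.iter("{%s}control" % NS["o"])}
    report = {}
    for cid in ids:
        ctl = controls.get(cid)
        if ctl is None:
            report[cid] = ("missing", [])
            continue
        # findall() only inspects direct children, so a parent control does not
        # inherit the withdrawn status of one of its enhancements.
        withdrawn = any(p.get("name") == "status" and p.get("value") == "withdrawn"
                        for p in ctl.findall("o:prop", NS))
        targets = [link.get("href", "").lstrip("#")
                   for link in ctl.findall("o:link", NS)
                   if link.get("rel") in ("incorporated-into", "moved-to")]
        report[cid] = ("withdrawn", targets) if withdrawn else ("active", [])
    return report


if __name__ == "__main__":
    for cid, (state, targets) in audit_ids(CATALOG, TECHNICAL_IDS).items():
        print(cid, state, ", ".join(targets))
```

The successor of a withdrawn control can be a statement identifier rather than a control identifier, which is why a flat list of control ids cannot simply be patched in place.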