I have a question that will help shape the requirement for recommended authorization in OSCAL SAR.
If the 3PAO office does not recommend authorization, has there ever been an instance where they gave a result that did not recommend authorization? Or did they regularly omit the data because they cannot provide the desired recommendation? If it’s not recommended, what happens?
In its current state, the OSCAL “recommended-authorization” prop being yes/no assumes that the 3PAO will ever give that “no” value to represent in the attestation. Therefore, the value will always be “yes.”
Goals:
The goal is for the attestation requirement to be lifted on account of no authorization recommendation resulting in no attestation. Or, if it can be confirmed that 3PAOs do submit results regardless of the recommendation status, that supports the need for an attestation's recommended-authorization even if the value is "no".
Dependencies:
Acceptance Criteria:
- [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.