GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

SAR - Subject UUID within an observation of type 'control-objective' must have matching resource ID #482

Open Telos-sa opened 10 months ago

Telos-sa commented 10 months ago

Describe the bug

The UUID of the resource does not point to inventory from SAP, instead, the rule is pointing to a backmatter reference in the SAR.

Recommend instead that the scope of the observation references an inventory or component item, as with control objectives in the SSP and/or SAP. This way it can be associated directly to the Security Test Procedures result that was developed during the SAR creation.

Who is the bug affecting?

Generation of the SAR

Is this report specifically related to the Word or Excel files from fedramp.gov?

NO

What version of OSCAL are you using? (Check our info on supported OSCAL versions)

1.1.10

What is affected by this bug?

SAR /observations/subject[@subject-uuid] and back-matter.
Causes an error when the subject-uuid is referencing the data from the SSP and SAP instead.

When does this occur?

Any time a subject is associated with the observation.

How do we replicate the issue?

  1. Validate the SAR against the FedRAMP validation tool. Full package is attached to see how we have constructed these relationships instead.
    FedRAMP---Major-System-Boundary_OSCAL-export_20230829(2).zip

Expected behavior (i.e. solution)

There should be a logical connection between the SSP > SAP > SAR with the UUIDs maintained throughout, not replicated in an arbitrary way.

Other Comments

{Add any other context about the problem here.}
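The linkage the issue asks for can be checked mechanically. The script below is an added example, not code from the fedramp-automation project or from the issue author: it walks a SAR's `control-objective` observations and resolves each `subject-uuid` against the SSP's components and inventory items as well as the SAR's own back-matter resources. The two OSCAL documents are constructed, minimal JSON fragments, and the assumed shapes (components and inventory-items under `system-implementation`, observations with `types`/`subjects` under `results`, resources under `back-matter`) follow the OSCAL JSON layout; the UUIDs are made up. With `require_implementation=True` the check enforces the behaviour the issue recommends (subjects must resolve to SSP inventory or components); with it off it behaves like the looser "any matching resource" rule the issue describes.

```python
"""Cross-document UUID linkage check for SAR observation subjects.

Added example, not part of the fedramp-automation project. SSP and SAR
below are constructed, minimal OSCAL-shaped JSON with made-up UUIDs.
"""

# Constructed SSP fragment: one component and one inventory item.
SSP = {
    "system-security-plan": {
        "uuid": "aaaaaaaa-0000-4000-8000-000000000001",
        "system-implementation": {
            "components": [
                {"uuid": "11111111-1111-4111-8111-111111111111", "title": "Web tier"},
            ],
            "inventory-items": [
                {"uuid": "22222222-2222-4222-8222-222222222222",
                 "description": "web-01 host"},
            ],
        },
    }
}

# Constructed SAR fragment: three control-objective observations plus one
# observation of another type, and a single back-matter resource.
SAR = {
    "assessment-results": {
        "uuid": "bbbbbbbb-0000-4000-8000-000000000002",
        "results": [{
            "uuid": "cccccccc-0000-4000-8000-000000000003",
            "observations": [
                {"uuid": "obs-a", "types": ["control-objective"],
                 "subjects": [{"subject-uuid": "22222222-2222-4222-8222-222222222222",
                               "type": "inventory-item"}]},
                {"uuid": "obs-b", "types": ["control-objective"],
                 "subjects": [{"subject-uuid": "33333333-3333-4333-8333-333333333333",
                               "type": "resource"}]},
                {"uuid": "obs-c", "types": ["control-objective"],
                 "subjects": [{"subject-uuid": "44444444-4444-4444-8444-444444444444",
                               "type": "inventory-item"}]},
                {"uuid": "obs-d", "types": ["finding"],
                 "subjects": [{"subject-uuid": "44444444-4444-4444-8444-444444444444",
                               "type": "inventory-item"}]},
            ],
        }],
        "back-matter": {
            "resources": [
                {"uuid": "33333333-3333-4333-8333-333333333333",
                 "title": "Test procedure evidence"},
            ]
        },
    }
}


def collect_targets(ssp, sar):
    """Map every UUID a subject could legitimately point at to (document, kind)."""
    targets = {}
    impl = ssp["system-security-plan"].get("system-implementation", {})
    for comp in impl.get("components", []):
        targets[comp["uuid"]] = ("ssp", "component")
    for item in impl.get("inventory-items", []):
        targets[item["uuid"]] = ("ssp", "inventory-item")
    back = sar["assessment-results"].get("back-matter", {})
    for res in back.get("resources", []):
        targets[res["uuid"]] = ("sar", "resource")
    return targets


def check_observation_subjects(ssp, sar, require_implementation=True):
    """Return (observation-uuid, subject-uuid, message) for each bad subject.

    Only observations typed 'control-objective' are examined. A subject is
    flagged when its UUID resolves nowhere, when it resolves only to a SAR
    back-matter resource while require_implementation is set, or when its
    declared subject type disagrees with what the UUID actually names.
    """
    targets = collect_targets(ssp, sar)
    findings = []
    for result in sar["assessment-results"].get("results", []):
        for obs in result.get("observations", []):
            if "control-objective" not in obs.get("types", []):
                continue
            for subj in obs.get("subjects", []):
                sid = subj["subject-uuid"]
                hit = targets.get(sid)
                if hit is None:
                    findings.append((obs["uuid"], sid,
                                     "dangling: no matching UUID in SSP or SAR back-matter"))
                elif require_implementation and hit[0] != "ssp":
                    findings.append((obs["uuid"], sid,
                                     f"resolves to SAR {hit[1]}, not an SSP component/inventory item"))
                elif subj.get("type") != hit[1]:
                    findings.append((obs["uuid"], sid,
                                     f"declared type {subj.get('type')!r} but target is {hit[1]!r}"))
    return findings


if __name__ == "__main__":
    for obs_id, sid, msg in check_observation_subjects(SSP, SAR):
        print(f"{obs_id}: {sid}: {msg}")
```

Running it flags `obs-b` (its subject is a SAR back-matter resource rather than SSP inventory) and `obs-c` (its UUID exists in neither document), while `obs-a` passes and `obs-d` is skipped because it is not a control-objective observation. A validator aligned with the issue's recommendation would run the strict mode; loading real SSP/SAP/SAR JSON files in place of the constructed fragments is the only change needed.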