SAP APPENDIX A ASSESSMENT PROCEDURES INCONSISTENT WITH OSCAL

[Telos-sa]

Action Item

This is a ...

• [ X ] fix - Something needs to be different.
• [ ] enhancement - Something could be better.
• [ ] investigation - Something needs to be investigated further.

This relates to ...

• [ ] the FedRAMP OSCAL Registry (Excel File)
• [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
• [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
• [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ X ] General/Overall
• [ ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

The assessment procedure naming convention does not align with the FedRAMP baseline profile, or the OSCAL NIST catalog.

For instance the two procedures shown here:

Are actually 4 objectives from the baseline profile.

If they were to be combined in a logical sense, FedRAMP would have to locally define the new objective AC-01a[1][2] to combine the two requirements, or set the response point above all four tests to AC-01.a to support the current convention with no change to locally defined objectives.

Goals:

Modify or update the SAP - Appendix A to align with OSCAL, or modify the OSCAL Baseline Profile Resolved Catalog for Rev 5 to include response points that indicate which objectives must be answered for based on the SAP - Appendix A requirement.

Acceptance Criteria

• [ X] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
• [ X] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

[volpet2014]

Forwarding issue on to PMO legacy template and documentation team for resolution. When Rev 5 OSCAL profiles, resolved-profile catalogs are published (upcomming). Rev 4 templates will not be updated as they will retired as part of the transition to Rev 5 plan the PMO has.

[Rene2mt]

Followed the proposed approach to modify the OSCAL Baseline Profile Resolved Catalog for Rev 5 to include response points that indicate which objectives must be answered for based on the SAP - Appendix A requirement (see PR#502).

Use this XPath query to get a list of all the assessment objective that have response points:

//*/add[contains(@by-id, "_obj")]

You can use a query like the following to see the specific test methods for a given test objective:

//*/alter/add[@by-id="ac-1_obj.a-1"]/prop[@name="method"]