SAP Appendix A - Test Method (G) does not Align with OSCAL

[Telos-sa]

Action Item

This is a ...

• [ X ] fix - Something needs to be different.
• [ ] enhancement - Something could be better.
• [ ] investigation - Something needs to be investigated further.

This relates to ...

• [ ] the FedRAMP OSCAL Registry (Excel File)
• [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
• [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
• [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
• [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ ] General/Overall
• [ X ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

OSCAL resolved baseline catalog does not identify the specific methods required per objective. However, these are defined in the SAP Appendix A, and do not align with the overall assignments of the test methods allocated by NIST.

Goals:

Recommend leveraging a flag or prop to identify the specific method required for each test in OSCAL, so the corresponding methods can be allocated or associated.

[volpet2014]

Forwarding issue on to PMO legacy template and documentation team for resolution. When Rev 5 OSCAL profiles, resolved-profile catalogs are published (upcomming). Rev 4 templates will not be updated as they will retired as part of the transition to Rev 5 plan the PMO has.

[Rene2mt]

See the proposed update in PR https://github.com/GSA/fedramp-automation/pull/502

The FedRAMP SAP Appendix A has some combined assessment procedures (e.g., AC-01a.[01][02]). In such cases, the OSCAL implementation in the PR adds response points at the individual procedures (e.g., AC-01a.[01] and AC-01a.[02]), and specifies the test methods for each separately. This is shown in the snippet below:

<alter control-id="ac-1">
    <add position="starting" by-id="ac-1_obj.a-1">
        <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
        <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="EXAMINE"/>
        <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="INTERVIEW"/>
    </add>
    <add position="starting" by-id="ac-1_obj.a-2">
        <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
        <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="EXAMINE"/>
        <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="INTERVIEW"/>
    </add>
        ...
</alter>