Open lstanden opened 5 months ago
Would like to add an additional element that needs review. prop[@name="asset-type"] does not include "software" as an option, but there are elements within the document that specifically state if it is a software or a DB, and OS is linked to infrastructure.
Recommend allowing another asset-type to include software; this way it can fall more in line with the FedRAMP Documentation template.
This relates to ...
What happened?
The two fields related to scans have different definitions between the FedRAMP template and the OSCAL definitions. This makes it extremely difficult for companies that wish to preemptively lean into OSCAL data, but still need to produce the standard Excel spreadsheet.
It's unclear if this is an issue in OSCAL or FedRAMP Spreadsheets, and clarity here is necessary.
Authenticated Scan FedRAMP Spreadsheet says:
OSCAL (allows-authenticated-scan) says:
These have significantly different meanings. For example, an AWS EC2 can always be checked with an authenticated scan, but it's unclear in the context of the spreadsheet what we're supposed to answer here:
The first option makes the most sense, since I don't think there's a valid reason to know something exists and not scan it. The latter makes more sense from the perspective of "do you expect to see it in scan results?"
In Latest Scan FedRAMP Spreadsheet says:
OSCAL (is-scanned) says:
These are not equal either.
Relevant log output
No response
How do we replicate this issue?
Content / Meaning Difference between documents.
Where, exactly?
OSCAL Schema / Excel Template Mismatch
Other relevant details
No response
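To show what the mismatch looks like in practice, here is an added example (not code from the issue author or from the FedRAMP/OSCAL project) that flattens the inventory items of an OSCAL SSP into spreadsheet-style rows and flags the cases the issue raises: an asset-type value the OSCAL model does not define (such as "software"), and an item whose allows-authenticated-scan and is-scanned props disagree. The sample SSP fragment, its UUIDs and the set of recognized asset-type values are constructed for the example; check the current OSCAL SSP model for the authoritative value list.

```python
"""Flatten OSCAL SSP inventory items into FedRAMP-inventory-style rows and
flag props that need manual reconciliation before the spreadsheet is filled."""
import json

# Assumption: a subset of the values OSCAL documents for the core asset-type
# prop. "software" is deliberately absent, which is the gap the issue describes.
KNOWN_ASSET_TYPES = {"operating-system", "database", "web-server",
                     "firewall", "router", "switch", "appliance"}

# Constructed sample SSP fragment (not a real FedRAMP SSP). Only the parts the
# script reads are present; UUIDs are placeholders.
SAMPLE_SSP = {
    "system-security-plan": {
        "system-implementation": {
            "inventory-items": [
                {"uuid": "00000000-0000-4000-8000-000000000001",
                 "description": "EC2 instance, web tier",
                 "props": [
                     {"name": "asset-type", "value": "operating-system"},
                     {"name": "allows-authenticated-scan", "value": "yes"},
                     {"name": "is-scanned", "value": "yes"}]},
                {"uuid": "00000000-0000-4000-8000-000000000002",
                 "description": "Managed PostgreSQL database",
                 "props": [
                     {"name": "asset-type", "value": "database"},
                     {"name": "allows-authenticated-scan", "value": "yes"},
                     {"name": "is-scanned", "value": "no"}]},
                {"uuid": "00000000-0000-4000-8000-000000000003",
                 "description": "In-house Python service",
                 "props": [
                     {"name": "asset-type", "value": "software"},
                     {"name": "allows-authenticated-scan", "value": "no"},
                     {"name": "is-scanned", "value": "no"}]},
            ]
        }
    }
}


def load_ssp(path):
    """Load an OSCAL SSP from a JSON file on disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def prop_value(item, name):
    """Return the value of the first prop named `name` on an inventory item, or None.
    Core OSCAL props carry no namespace, so matching on name alone is enough here."""
    for p in item.get("props", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def inventory_rows(ssp):
    """One dict per inventory item, keyed like the spreadsheet columns of interest."""
    items = (ssp["system-security-plan"]["system-implementation"]
             .get("inventory-items", []))
    return [{
        "uuid": item["uuid"],
        "description": item.get("description", ""),
        "asset_type": prop_value(item, "asset-type"),
        "allows_authenticated_scan": prop_value(item, "allows-authenticated-scan"),
        "is_scanned": prop_value(item, "is-scanned"),
    } for item in items]


def review_findings(rows):
    """Return (uuid, message) pairs for rows a reviewer must resolve by hand."""
    findings = []
    for r in rows:
        if r["asset_type"] not in KNOWN_ASSET_TYPES:
            findings.append((r["uuid"],
                             f"asset-type {r['asset_type']!r} is not a recognized OSCAL value"))
        if r["allows_authenticated_scan"] is None or r["is_scanned"] is None:
            findings.append((r["uuid"], "missing allows-authenticated-scan or is-scanned prop"))
        elif r["allows_authenticated_scan"] == "yes" and r["is_scanned"] == "no":
            # Capability and coverage disagree: the spreadsheet answer depends on
            # which of the two definitions the reviewer adopts.
            findings.append((r["uuid"],
                             "supports authenticated scanning but is not in scans; "
                             "justification needed"))
    return findings


if __name__ == "__main__":
    rows = inventory_rows(SAMPLE_SSP)
    for row in rows:
        print(row)
    for uuid, msg in review_findings(rows):
        print(f"REVIEW {uuid}: {msg}")
```

Run against a real SSP with `inventory_rows(load_ssp("ssp.json"))`; the rows can then be written out with the csv module in whatever column order the spreadsheet template expects, while the findings list tells the reviewer which items cannot be mapped mechanically.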