Resolved profile catalogs are missing props

[Rene2mt]

This relates to ...

• [ ] the FedRAMP OSCAL Registry
• [X] the FedRAMP OSCAL baselines
• [ ] the Guide to OSCAL-based FedRAMP Content
• [ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP OSCAL Validations

What happened?

The FedRAMP rev 5 resolved profile catalogs parameters are missing the "aggregate" props. The props are in the source catalog but were likely omitted during profile resolution.

Relevant log output

No response

How do we replicate this issue?

Compare FedRAMP baseline to source catalog. For example,

         <param id="ac-1_prm_1">
            <label>organization-defined personnel or roles</label>
         </param>

whereas the source catalog has

         <param id="ac-1_prm_1">
            <prop name="aggregates"
                   ns="http://csrc.nist.gov/ns/rmf"
                   value="ac-01_odp.01"/>
            <prop name="aggregates"
                   ns="http://csrc.nist.gov/ns/rmf"
                   value="ac-01_odp.02"/>
            <label>organization-defined personnel or roles</label>
         </param>

Where, exactly?

For the high baseline:

• ac-1_prm_1
• ac-6.1_prm_2
• ac-17.4_prm_1
• at-1_prm_1
• at-2_prm_1
• at-2_prm_2
• at-3_prm_1
• au-1_prm_1
• au-2_prm_2
• ca-1_prm_1
• ca-7_prm_4
• ca-7_prm_5
• cm-1_prm_1
• cm-3.4_prm_1
• cm-6.1_prm_2
• cm-7_prm_2
• cm-7.1_prm_2
• cm-8.2_prm_1
• cm-8.3_prm_1
• cp-1_prm_1
• cp-2_prm_1
• cp-2_prm_2
• cp-2_prm_4
• cp-4_prm_2
• cp-8.4_prm_1
• cp-9.1_prm_1
• cp-9.5_prm_1
• cp-10_prm_1
• ia-1_prm_1
• ir-1_prm_1
• ir-5.1_prm_1
• ir-8_prm_5
• ma-1_prm_1
• ma-2.2_prm_1
• mp-1_prm_1
• mp-2_prm_1
• mp-2_prm_2
• mp-4_prm_1
• mp-4_prm_2
• mp-5_prm_2
• mp-6_prm_1
• mp-6_prm_2
• mp-6.2_prm_1
• pe-1_prm_1
• pe-3_prm_9
• pe-8.1_prm_1
• pe-16_prm_1
• pl-1_prm_1
• ps-1_prm_1
• ps-3_prm_1
• ra-1_prm_1
• ra-5_prm_1
• sa-1_prm_1
• sa-8_prm_1
• sa-15_prm_2
• sa-15.3_prm_2
• sc-1_prm_1
• si-1_prm_1
• si-4.4_prm_1
• si-4.4_prm_2
• si-6_prm_1
• si-7_prm_1
• si-7_prm_2
• si-7.1_prm_1
• si-7.1_prm_2
• si-7.1_prm_3
• si-7.1_prm_4
• sr-1_prm_1

Likely the same param for applicable controls in the moderate and low baselines.

Other relevant details

No response

[Rene2mt]

This error is due to the profile resolver which is part of a submodule used by this repository's CI/CD pipeline see XSLT profile resolver v1.0.6. Upgrading the submodule from version 1.0.* to 1.1.* will will fix profile resolution (including missing labels on props) BUT will break the other FedRAMP CI/CD pipeline workflows.

This fix is blocked by issue #592.

As workaround:

• OSCAL CLI approach - Use OSCAL CLI (v1.0.3 or newer) to resolve the FedRAMP profiles locally.
• XSLT Profile Resolver approach - Alternatively, use the OSCAL XSLT profile resolver (v1.1.2 or newer).

[Rene2mt]

PR # https://github.com/GSA/fedramp-automation/pull/604 will fix this issue. Additionally, it makes other changes ensure the catalog alterations in the FedRAMP profiles will produce resolved profile catalogs that are valid.