[X] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
[X] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
[X] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
[X] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
[X] the FedRAMP SSP OSCAL Template (JSON or XML Format)
[X] the FedRAMP SAP OSCAL Template (JSON or XML Format)
[X] the FedRAMP SAR OSCAL Template (JSON or XML Format)
[X] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
User Story
As a FedRAMP OSCAL content generator, I need clear and consistent guidance on when to uses specialized FedRAMP OSCAL extensions versus when to use generalized core OSCAL props and values, and a clear understanding of the constraints around all extensions.
Goals
Review each FedRAMP extension and determine which of the following treatments apply:
[ ] Keep extension as-is (do nothing)
[ ] Deprecate the extension (no longer needed)
[ ] Transition to core OSCAL approach; deprecate FedRAMP extension
[ ] Propose new OSCAL allowed value(s); deprecate FedRAMP extension
By reviewing each extension and determining the required approach, this will result in clear requirements that when implemented will:
Eliminate namespace collisions
Ensure consistency across all artifacts (e.g., extensions registry, values, validations rules, OSCAL guides, and OSCAL templates)
Dependencies
No response
Acceptance Criteria
Comprehensive listing of all FedRAMP extensions including
This is a ...
research - something needs to be investigated
This relates to ...
User Story
As a FedRAMP OSCAL content generator, I need clear and consistent guidance on when to uses specialized FedRAMP OSCAL extensions versus when to use generalized core OSCAL props and values, and a clear understanding of the constraints around all extensions.
Goals
By reviewing each extension and determining the required approach, this will result in clear requirements that when implemented will:
Dependencies
No response
Acceptance Criteria
Other information
This issue is focused on conducting the analysis so that the requirements are clarified. Subsequent issue(s) will implement the necessary updates.