Review of FedRAMP OSCAL Extensions and Values

[Rene2mt]

This is a ...

research - something needs to be investigated

This relates to ...

• [X] the FedRAMP OSCAL Registry
• [ ] the FedRAMP OSCAL baselines
• [X] the Guide to OSCAL-based FedRAMP Content
• [X] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• [X] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• [X] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• [X] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• [X] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [X] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [X] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [X] the FedRAMP POA&M OSCAL Template (JSON or XML Format)

User Story

As a FedRAMP OSCAL content generator, I need clear and consistent guidance on when to uses specialized FedRAMP OSCAL extensions versus when to use generalized core OSCAL props and values, and a clear understanding of the constraints around all extensions.

Goals

• Review each FedRAMP extension and determine which of the following treatments apply:
• [ ] Keep extension as-is (do nothing)
• [ ] Deprecate the extension (no longer needed)
• [ ] Transition to core OSCAL approach; deprecate FedRAMP extension
• [ ] Propose new OSCAL allowed value(s); deprecate FedRAMP extension

By reviewing each extension and determining the required approach, this will result in clear requirements that when implemented will:

• Eliminate namespace collisions
• Ensure consistency across all artifacts (e.g., extensions registry, values, validations rules, OSCAL guides, and OSCAL templates)

Dependencies

No response

Acceptance Criteria

• Comprehensive listing of all FedRAMP extensions including
  • Model(s) the extension applies to
  • Name
  • Description
  • Approach (keep, deprecate, transition, transition w/ proposed change
  • Constraints
  • Where changes are required (registry, values file, OSCAL guides, OSCAL templates, other)

Other information

This issue is focused on conducting the analysis so that the requirements are clarified. Subsequent issue(s) will implement the necessary updates.

[Rene2mt]

Related to issue #587

[aj-stein-gsa]

@Rene2mt can we discuss what we will be doing with this issue and #587 moving forward?

[aj-stein-gsa]

@brian-ruf and @Rene2mt is it possible we discuss this in the Thursday constraint meeting to her team viewpoints and move ahead with this?

[brian-ruf]

@aj-stein-gsa there is no constraints meeting this Thursday due to stand-down day. I'm also on a plan a good chunk of tomorrow. Happy to discuss Friday.

[aj-stein-gsa]

@aj-stein-gsa there is no constraints meeting this Thursday due to stand-down day. I'm also on a plan a good chunk of tomorrow. Happy to discuss Friday.

🤦 I forgot today is Wednesday .... 😆 Thanks for the update!

[Rene2mt]

@aj-stein-gsa and @brian-ruf lets discuss Friday