Open Telos-sa opened 3 months ago
The document templates followed the nomenclature in NIST 800-63 (see https://pages.nist.gov/800-63-3/sp800-63-3.html#:~:text=For%20non%2Dfederated%20systems%2C%20agencies%20will%20select%20two%20components%2C%20referred%20to%20as%20Identity%20Assurance%20Level%20(IAL)%20and%20Authenticator%20Assurance%20Level%20(AAL).%20For%20federated%20systems%2C%20agencies%20will%20select%20a%20third%20component%2C%20Federation%20Assurance%20Level%20(FAL).). OSCAL has named properties that align (there is an implicit mapping). For example:
<prop name="identity-assurance-level" value="1" />
is the equivalent of IAL1 in the documented template<prop name="authenticator-assurance-level" value="2" />
is the equivalent of AAL2 in the documented template<prop name="federation-assurance-level" value="3" />
is the equivalent of FAL3 in the documented templateRemoving these props from core NIST OSCAL would be a backwards breaking / non-compatible change and adding new props would be duplicative so we do not foresee a change in the near-term.
I agree. I would recommend instead changing the requirement in the legacy SSP template to 1, 2, 3 to match OSCAL, and not changing the OSCAL to match legacy.
And/or Accept the OSCAL syntax of 1,2,3 in an SSP produced by OSCAL as opposed to IAL1,AAL1,FAL1, IAL2, AAL2,FAL2, IAL3,AAL3,FAL3.
Ticket is for consistency between the manual and OSCAL process, without requiring a processor between the two to convert the formatting back and forth.
This is a ...
question - need to understand something
This relates to ...
What is your feedback?
For the Digital Identity Level (DIL) Determination there is a discrepancy between the document templates and OSCAL with the values it accepts. In the document templates it accepts the following values: IAL3/FAL3/AAL3, IAL2/FAL2/AAL2, IAL 1/FAL1/AAL1, but in OSCAL it needs an integer: 1, 2, or 3.
Similarly, in the definitions for the SSP meta schema, it requires 1, 2, or 3:
Is there a reason for having this difference between the documents and OSCAL? Could we instead use only one of the value option types (string vs integer)?
Where, exactly?
SSP OSCAL and Document Templates
Other information
No response