[X] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
[ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
[ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
[ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
[X] the FedRAMP SSP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
[ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
[ ] the FedRAMP OSCAL Validations
What is your feedback?
The documentation for SSP rev 5 states there must be a party identified as the CSP.
Previous requirements stated that all parties must be related to a role.
No details except for the System Owner. Following the previous requirement, what Role should the CSP be leveraging?
Should they be considered the System Owner, or should there be an additional role for the CSP?
What identifier is used to validate that a cloud service provider party was included in the metadata? Is there going to be a prop, if CSP is not a required role ID, that identifies the CSP?
Best solution may be the inclusion and requirement of a role called cloud-service-provider. then leveraging the responsible parties to link back to the csp role and the csp party.
Please provide guidance how how to handle identifying which party is the CSP.
Where, exactly?
metadata/roles/role-id - for metadata/party[@name = ]
This is a ...
concern - something needs to be different
This relates to ...
What is your feedback?
The documentation for SSP rev 5 states there must be a party identified as the CSP. Previous requirements stated that all parties must be related to a role.
No details except for the System Owner. Following the previous requirement, what Role should the CSP be leveraging?
Should they be considered the System Owner, or should there be an additional role for the CSP?
What identifier is used to validate that a cloud service provider party was included in the metadata? Is there going to be a prop, if CSP is not a required role ID, that identifies the CSP?
Best solution may be the inclusion and requirement of a role called cloud-service-provider. then leveraging the responsible parties to link back to the csp role and the csp party.
Please provide guidance how how to handle identifying which party is the CSP.
Where, exactly?
metadata/roles/role-id - for metadata/party[@name =]
Other information
No response