Open TonyCiceroUS opened 2 months ago
Concur with regards to requiring description
on inherited
control implementations. This will align with core NIST OSCAL.
With regards to the validation, we may need to split into two separate validations:
description
field exits AND is non-empty. A failure of either condition would result in an "error"description
field length meets arbitrary length requirement (e.g. 32 characters). A failure would result in a "warning". This is a crude approach but it is generally unlikely that a control inheritance description would be so succinct, and a "warning" is not as severe as an "error" as it is meant to provide the content creator (or content consumer) feedback that a problem might exist.The OSCAL guides, validations, and templates will need to be updated.
In previous discussions with NIST and FedRAMP, we came up with a model during rev 4, where the by-component matching a leveraged component would suffice, and only that description would be required.
Has FedRAMP determined what information from a Leveraged authorization package is going to be provided to support the creation of the inherited description? How is this different than the description of the leveraged authorization component?
What content should be provided if the CSP is leveraging another package, but does not have access to the oscal SSP, or the CIS/CRM?
This relates to ...
What happened?
According to the Guide to OSCAL-based FedRAMP System Security Plans (SSP), an inherited control implementation description is optional, however according to NIST a description property is required on an 'inherited' object. Furthermore, the FedRAMP validations requires that an inherited control implementation description must contain at least 32 words.
Relevant log output
No response
How do we replicate this issue?
Where, exactly?
FedRAMP validation rule: https://github.com/GSA/fedramp-automation/blob/master/src/validations/rules/rev5/ssp.sch#L3514-L3521
NIST reference: https://pages.nist.gov/OSCAL-Reference/models/v1.0.4/system-security-plan/json-reference/#/system-security-plan/control-implementation/implemented-requirements/by-components/inherited
Guide to OSCAL-based FedRAMP System Security Plans (SSP):
Other relevant details
FedRAMP should follow the NIST OCSAL guidance for inherited controls descriptions making them required. FedRAMP should then remove the requirement for a minimum of 32 words in the control implementation description for inherited controls (even the example provided is not 32 words in length).