GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

[Feedback]: Not clear how to represent Appendix Q: Cryptographic Modules #606

Open devbytyler opened 4 months ago

devbytyler commented 4 months ago

This is a ...

request - need something additional provided

This relates to ...

What is your feedback?


The guide for OSCAL-based FedRAMP SSPs is unclear how to represent several concepts of Appendix Q, namely:

For the last two items mentioned, the template language implies that "usage" and "notes" are commentary on the row itself, meaning that the "row" would require some type of data structure to capture the details.

Currently, the only direction given is to link validation and product components together, but that leaves the rest of the data unrepresented.

Internally, we've discussed representing the row as a "data-flow" component to capture the details, but we try to avoid going wild west as much as possible and would appreciate some official direction.

Talked this over with @david-waltermire and @Rene2mt a few weeks back and we agreed this required further discussion.

Where, exactly?

Pages 34 and 35 of the Guide to OSCAL-based FedRAMP System Security Plans (SSP)

Other information

No response
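As an added illustration of the one direction the guide does give (linking validation and product components), and not code from the fedramp-automation project or the FedRAMP guide: a minimal OSCAL-shaped product component linked to a "validation" component by a `rel="validation"` link, plus a check that such links resolve to a validation component carrying a certificate reference. The FedRAMP namespace and the `validation-type`/`validation-reference` prop names are assumptions; the UUIDs and certificate value are constructed placeholders.

```python
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # assumed FedRAMP extension namespace

def validation_component(comp_uuid, module, cert_ref):
    """OSCAL component of type 'validation' for one cryptographic module (prop names assumed)."""
    return {
        "uuid": comp_uuid,
        "type": "validation",
        "title": f"FIPS 140 validation: {module}",
        "props": [
            {"name": "validation-type", "ns": FEDRAMP_NS, "value": "fips-140-2"},
            {"name": "validation-reference", "ns": FEDRAMP_NS, "value": cert_ref},
        ],
    }

def product_component(comp_uuid, name, validation_uuid):
    """OSCAL software component pointing at its validation component via a link."""
    return {
        "uuid": comp_uuid,
        "type": "software",
        "title": name,
        "links": [{"rel": "validation", "href": f"#{validation_uuid}"}],
    }

def check_validation_links(components):
    """List problems: dangling validation links, links to non-validation
    components, and validation components with no certificate reference."""
    by_uuid = {c["uuid"]: c for c in components}
    problems = []
    for c in components:
        for link in c.get("links", []):
            if link.get("rel") != "validation":
                continue
            target = by_uuid.get(link["href"].lstrip("#"))
            if target is None:
                problems.append(f"{c['title']}: validation link to unknown uuid {link['href']}")
            elif target["type"] != "validation":
                problems.append(f"{c['title']}: validation link targets a {target['type']} component")
        if c["type"] == "validation":
            names = {p["name"] for p in c.get("props", [])}
            if "validation-reference" not in names:
                problems.append(f"{c['title']}: no validation-reference prop")
    return problems

def demo():
    """Constructed sample: one well-formed link and one dangling link."""
    val = validation_component("11111111-1111-4111-8111-111111111111", "Example Crypto Module", "CERT-PLACEHOLDER")
    good = product_component("22222222-2222-4222-8222-222222222222", "TLS library", val["uuid"])
    bad = product_component("33333333-3333-4333-8333-333333333333", "KMS agent", "99999999-9999-4999-8999-999999999999")
    return check_validation_links([val, good, bad])
```

The check also shows the gap the issue raises: the Appendix Q "usage" and "notes" columns have no field in this structure, so nothing can be validated for them.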

aj-stein-gsa commented 1 month ago

Thanks for the feedback. Constraints, and most importantly clearer documentation and examples, should come in tasks from the upcoming #809 epic. Stay tuned for more details.

UPDATE: Apologies, I made a typo; edited from the 807 tracker to 809 as intended.