GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

[Feedback]: Additional props (?) for "Validated By CSP" and "Validated by IA" in legacy template SAP (6.1 Security Assessment Team) #709

Open Telos-sa opened 3 weeks ago

Telos-sa commented 3 weeks ago

This is a ...

request - need something additional provided

This relates to ...

What is your feedback?

In the legacy SAP document, under 6.1 Security Assessment Team, there are fields in the Parties table for "Validated by CSP" and "Validated by IA".

[Image: validated_by]

The documentation for the OSCAL SAP does not provide specific guidance on how to encode this information in OSCAL. This information could be encoded in the OSCAL SAP in the party assembly using props.

<metadata>
    <!-- cut: title, published, last-modified, version, oscal-version, prop -->
    <role id="assessment-team">
        <title>Assessment Team</title>
        <description>The individual or individuals performing the assessment.</description>
    </role>
    <!-- "sap-person-2", "sap-location-1" and "assessment-org" stand in for the UUIDs a real document would carry -->
    <party uuid="sap-person-2" type="person">
        <name>[SAMPLE]Person Name 2</name>
        <!-- proposed FedRAMP-specific props; OSCAL places prop before the contact elements -->
        <prop name="validated-by-csp" value="yes"/>
        <prop name="validated-by-ia" value="yes"/>
        <email-address>name@org.domain</email-address>
        <telephone-number>202-000-0000</telephone-number>
        <location-uuid>sap-location-1</location-uuid>
        <member-of-organization>assessment-org</member-of-organization>
    </party>
    <!-- Repeat party for each person 3 - 5 -->
    <responsible-party role-id="assessment-team">
        <party-uuid>sap-person-2</party-uuid>
        <party-uuid>sap-person-3</party-uuid>
        <party-uuid>sap-person-4</party-uuid>
        <party-uuid>sap-person-5</party-uuid>
    </responsible-party>
</metadata>

Could you provide guidance on whether to include this information as a prop (or some other method), or whether this information is not recommended to encode in the OSCAL SAP?

Where, exactly?

SAP Test Plan - Security Assessment Team

Other information

No response
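Added example, not code from the fedramp-automation project or from the reporter: a small Python check that reads an OSCAL SAP, walks the parties assigned to the assessment-team role and reports whether each one carries the proposed validated-by-csp / validated-by-ia props, so a reviewer can spot team members the CSP or IA has not signed off on, as well as party-uuid references that point at no declared party. The sample SAP, its UUIDs and the FedRAMP ns attribute on the props are constructed assumptions, and the prop placement follows the proposal in this issue rather than any published guidance.

```python
"""Report which assessment-team members in an OSCAL SAP carry the proposed
"validated-by-csp" / "validated-by-ia" props.

Added example for this issue, not fedramp-automation project code. It assumes
the props sit on <party> as the issue proposes; the ns attribute and all UUIDs
below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}
# Assumption: FedRAMP-specific props are tagged with the FedRAMP namespace.
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"
REQUIRED_PROPS = ("validated-by-csp", "validated-by-ia")

# Constructed sample SAP (not a real FedRAMP document). Party 2 is fully
# validated, party 3 lacks IA validation, party 4 has no props, and the
# fifth party-uuid points at a party that was never declared.
SAMPLE_SAP = f"""<assessment-plan xmlns="{OSCAL_NS}" uuid="11111111-1111-4111-8111-111111111111">
  <metadata>
    <title>[SAMPLE] Security Assessment Plan</title>
    <last-modified>2024-01-01T00:00:00Z</last-modified>
    <version>1.0</version>
    <oscal-version>1.1.2</oscal-version>
    <role id="assessment-team"><title>Assessment Team</title></role>
    <party uuid="aaaaaaaa-0000-4000-8000-000000000002" type="person">
      <name>[SAMPLE]Person Name 2</name>
      <prop name="validated-by-csp" ns="{FEDRAMP_NS}" value="yes"/>
      <prop name="validated-by-ia" ns="{FEDRAMP_NS}" value="yes"/>
    </party>
    <party uuid="aaaaaaaa-0000-4000-8000-000000000003" type="person">
      <name>[SAMPLE]Person Name 3</name>
      <prop name="validated-by-csp" ns="{FEDRAMP_NS}" value="yes"/>
      <prop name="validated-by-ia" ns="{FEDRAMP_NS}" value="no"/>
    </party>
    <party uuid="aaaaaaaa-0000-4000-8000-000000000004" type="person">
      <name>[SAMPLE]Person Name 4</name>
    </party>
    <responsible-party role-id="assessment-team">
      <party-uuid>aaaaaaaa-0000-4000-8000-000000000002</party-uuid>
      <party-uuid>aaaaaaaa-0000-4000-8000-000000000003</party-uuid>
      <party-uuid>aaaaaaaa-0000-4000-8000-000000000004</party-uuid>
      <party-uuid>aaaaaaaa-0000-4000-8000-000000000005</party-uuid>
    </responsible-party>
  </metadata>
</assessment-plan>
"""


def validation_status(sap_xml: str, role_id: str = "assessment-team") -> dict:
    """Map each party-uuid assigned to role_id to its validation flags.

    A flag is True only when a prop with that name carries value="yes";
    a missing prop or any other value counts as not validated. References
    to parties not declared in <metadata> are marked dangling.
    """
    metadata = ET.fromstring(sap_xml).find("o:metadata", NS)
    parties = {p.get("uuid"): p for p in metadata.findall("o:party", NS)}
    status = {}
    for rp in metadata.findall("o:responsible-party", NS):
        if rp.get("role-id") != role_id:
            continue
        for ref in rp.findall("o:party-uuid", NS):
            uuid = (ref.text or "").strip()
            party = parties.get(uuid)
            entry = {"name": None, "dangling": party is None}
            entry.update({name: False for name in REQUIRED_PROPS})
            if party is not None:
                entry["name"] = party.findtext("o:name", default="", namespaces=NS)
                for prop in party.findall("o:prop", NS):
                    if prop.get("name") in REQUIRED_PROPS and prop.get("value") == "yes":
                        entry[prop.get("name")] = True
            status[uuid] = entry
    return status


def unvalidated_members(status: dict) -> list:
    """UUIDs of role members not validated by both CSP and IA, or dangling."""
    return sorted(
        uuid for uuid, s in status.items()
        if s["dangling"] or not all(s[name] for name in REQUIRED_PROPS)
    )


if __name__ == "__main__":
    report = validation_status(SAMPLE_SAP)
    for uuid, s in report.items():
        print(uuid, s)
    print("needs attention:", unvalidated_members(report))
```

The check deliberately treats anything other than value="yes" as unvalidated, so a prop that is absent, misspelled or set to "no" all surface the same way in the report; the dangling flag catches the separate integrity problem of a responsible-party list that names a party the metadata never declares.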

aj-stein-gsa commented 3 weeks ago

Thanks for this report, @Telos-sa. We will review and consider what changes are possible and/or mandatory to subsequently brief the larger community at a later date. We appreciate the concise explanation and value proposition explanations.