[Feedback]: import Profile directive in SSP should be limited to the FedRAMP baseline uuid

[vmangat]

This is a ...

request - need something additional provided

This relates to ...

• [ ] the FedRAMP OSCAL Registry
• [ ] the FedRAMP OSCAL baselines
• [X] the Guide to OSCAL-based FedRAMP Content
• [X] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• [ ] the FedRAMP OSCAL Validations

What is your feedback?

The import-profile field should be limited to a uuid of an authoritative FedRAMP baseline. This will ensure that a unique FedRAMP baseline is referenced and the SSP can be validated against a specific baseline. Authoritative baselines can be downloaded and available in an air-gapped environment and a GRC tool can resolve the SSP against the baselines.

Allowing a URL creates the following issues for a GRC tool importing or validating the SSP:

1. A URL is a location, not a unique baseline identifier. If the URL of the FedRAMP moderate baseline is provided in the SSP import profile field, subsequently FedRAMP updates the moderate baseline, an updated moderate baseline will have a different UUID but will still have the same URL and this breaks the data integrity of the SSP that was provided.
2. This also opens up the additional risk that an SSP may not provide an authoritative FedRAMP baseline profile, and now this needs to be resolved, validated and ensured that the profile was not modified since a location is not authoritative.

Where, exactly?

https://automate.fedramp.gov/documentation/ssp/3-working-with-oscal-files/

Other information

No response

[Rene2mt]

Thank you for your feedback. It does appear the documentation in the "Importing the FedRAMP Baseline" section should be more specific about referencing the authoritative FedRAMP baselines.

Referencing a local copy of a FedRAMP baseline (e.g., <import-profile href="#[uuid-value]" />) is completely acceptable and may be the only way for air gapped environments. It does not guarantee that the provided profile is the authoritative one (e.g., modified locally without changing the UUID), so there are some checks that may be required for assurance (e.g. verifying file hash).

Specifying a URL for import (e.g., <import-profile href="path/to/profile.xml" />) does introduce the risks mentioned (e.g., changes to profiles), but that could be mitigated with GitHub "permalink" references to specific versions of the FedRAMP profiles. This would only work in environments that can access the FedRAMP Automation repository.

Thanks again for bringing this to our attention. We will need to provide additional / clearer guidance on importing the official FedRAMP profiles and how to verify that.