GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

[Question]: How to attach Separation of Duties Matrix to OSCAL SSP #777

Open Telos-sa opened 2 weeks ago

Telos-sa commented 2 weeks ago

This is a: request - need something additional provided

What is your feedback?

When validating an OSCAL SSP with the enhanced oscal-cli (v2.2.0) and the fedramp-external-constraints.xml, the oscal-cli yields the following validation error:

    [ERROR] [/system-security-plan/back-matter[1]] A FedRAMP SSP must have a Separation of Duties Matrix attached.

We were under the impression that the separation of duties is defined in system-implementation>users>authorized-privileges>functions-performed like so:

"authorized-privileges":[
    {
        "title":"Student Privileges",
        "description":"What functions students can perform",
        "functions-performed":[
            "Learn New Skills",
            "Make Friends",
            "Get House Points"
        ]
    }
]

Is there a Separation of Duties document that is supposed to be linked in back-matter? Or how is this supposed to be attached?

Where, exactly?

Other information

No response

Rene2mt commented 1 week ago

In the near term, separation of duties needs to be attached via back-matter. FedRAMP documentation will be updated to clarify this.

Longer term, there is a proposal for modifications to support representing separation of duties in the OSCAL models:
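The following is an added example, not code from the fedramp-automation project or from either commenter. It shows what "attached via back-matter" looks like in an OSCAL SSP JSON document and re-implements, as a small stand-alone check, the shape of the constraint the reporter hit: the `authorized-privileges` block alone does not satisfy it, a `back-matter` resource tagged as the matrix does. The FedRAMP namespace (`https://fedramp.gov/ns/oscal`), the use of a `type` prop on the resource, and the value `separation-of-duties-matrix` are assumptions here; confirm the actual prop name and value against fedramp-external-constraints.xml before relying on them. The two SSP fragments and their UUIDs are constructed for the example.

```python
"""
Added example (not from the fedramp-automation project): a minimal stand-in for
the back-matter check behind the "Separation of Duties Matrix" error.

Assumptions (not confirmed by the issue thread): the attachment is identified
by a FedRAMP-namespaced "type" prop on a back-matter resource, and the value
for the SoD matrix is "separation-of-duties-matrix". Check
fedramp-external-constraints.xml for the namespace/value actually enforced.
"""
import json

FEDRAMP_NS = "https://fedramp.gov/ns/oscal"   # assumed namespace
SOD_TYPE = "separation-of-duties-matrix"      # assumed prop value


def resource_types(resource):
    """Return the set of FedRAMP 'type' prop values on one back-matter resource."""
    return {
        p.get("value")
        for p in resource.get("props", [])
        if p.get("name") == "type" and p.get("ns") == FEDRAMP_NS
    }


def find_sod_matrix(ssp_doc):
    """Return the back-matter resources tagged as the SoD matrix (may be empty)."""
    ssp = ssp_doc["system-security-plan"]
    resources = ssp.get("back-matter", {}).get("resources", [])
    return [r for r in resources if SOD_TYPE in resource_types(r)]


def check_sod_attached(ssp_doc):
    """Mirror the constraint: a list of error strings, empty when the SSP passes."""
    matches = find_sod_matrix(ssp_doc)
    if not matches:
        return ["[/system-security-plan/back-matter] A FedRAMP SSP must have a "
                "Separation of Duties Matrix attached."]
    errors = []
    for r in matches:
        # A tagged resource with neither an rlink nor embedded base64 content
        # points at nothing; flag it so the attachment is actually reviewable.
        if not r.get("rlinks") and not r.get("base64"):
            errors.append(f"resource {r['uuid']}: SoD matrix resource has no "
                          "rlink or base64 content")
    return errors


# Constructed SSP fragment shaped like the reporter's: privileges only, no back-matter.
SSP_PRIVILEGES_ONLY = {
    "system-security-plan": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "system-implementation": {
            "users": [{
                "uuid": "22222222-2222-4222-8222-222222222222",
                "authorized-privileges": [{
                    "title": "Student Privileges",
                    "description": "What functions students can perform",
                    "functions-performed": ["Learn New Skills", "Make Friends",
                                            "Get House Points"],
                }],
            }],
        },
    }
}

# The same SSP with the matrix attached as a back-matter resource (assumed prop/value).
SSP_WITH_SOD = json.loads(json.dumps(SSP_PRIVILEGES_ONLY))  # deep copy
SSP_WITH_SOD["system-security-plan"]["back-matter"] = {
    "resources": [{
        "uuid": "33333333-3333-4333-8333-333333333333",
        "title": "Separation of Duties Matrix",
        "props": [{"name": "type", "ns": FEDRAMP_NS, "value": SOD_TYPE}],
        "rlinks": [{
            "href": "./attachments/sod-matrix.xlsx",  # constructed path
            "media-type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        }],
    }]
}

if __name__ == "__main__":
    for name, doc in (("privileges only", SSP_PRIVILEGES_ONLY),
                      ("with SoD back-matter resource", SSP_WITH_SOD)):
        errs = check_sod_attached(doc)
        print(f"{name}: {'PASS' if not errs else 'FAIL'}")
        for e in errs:
            print("   ", e)
```

The point of the contrast is that `authorized-privileges` describes what each role may do, while the constraint looks only at `back-matter`; adding roles or functions never clears the error, only a resource there does. Use `base64` instead of `rlinks` if the matrix has to travel inside the SSP file rather than alongside it.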