SSP Completeness Checks: Appendices C, D, F, G, H, I, N, P

[brian-ruf]

This is a ...

fix - something needs to be different

This relates to ...

• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

• Every -1 control should have at least one link to a policy
• Every -1 control should have at least one link to a procedure
• Need to identify which other controls (in the FedRAMP baselines) specific procedure, guides, RoB, and plans.
• Then check for attachments to each of those controls
• Linking to an item, includes verifying that the resource has either a base64 or rlink.
• If an rlink, the href should be reachable

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

• [ ] All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] all constraints associated with the review task have been converted/created
• [ ] automate.fedramp.gov content has been updated accordingly
• [ ] the metaschema help prop has an appropriate link to the constraint
• [ ] the template has an content that models the desired OSCAL presentation
• [ ] the constraint runs against the example template
• [ ] known-bad content has been created
• [ ] the constraint appropriately flags the known-bad content as invalid

Other information

No response

Tasks

• [ ] Determine the file attachment pattern
• [ ] identify the controls that require each of these attachments
• [ ] #798
• [ ] Check that at least one User's Guide is attached
• [ ] Check that the Rules of Behavior is attached
• [ ] Check that the ICSP is attached
• [ ] Check that the IRP is attached
• [ ] Check that the CM Plan is attached
• [ ] Check that the SCRMP is attached

[brian-ruf]

Analysis

• Appendix C Information Security Policies and Procedures
  • Policy: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1
  • Procedure: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1, SR-1
• Appendix D User Guide
• Appendix F Rules of Behavior (RoB): Required by PL-4
• Appendix G Information System Contingency Plan (ISCP):
  • Plan required by CP-2
  • Rest Report required by CP-4
• Appendix H Configuration Management Plan (CMP): Required by CM-9
• Appendix I Incident Response Plan (IRP): Required by IR-8
• Appendix N Continuous Monitoring Plan: Required by CA-7
• Appendix P Supply Chain Risk Management Plan (SCRMP): Required by SR-2

Additional Considerations

• Separation of Duties Matrix may be attached to AC-5 (INFO on presence/absence)
• IR-3 should have an Incident Response Test Report attached (WARN if not)
• Additional controls that SHOULD have one or more procedures or plans attached (WARN if not): AC-2, CM-2, 3, 4, 5, 6, CP-10, IR-5, IR-6 (Incident Communications Procedure), IR-9 (info spill procedure or plan), MA-2, MP-6, PE-2, PE-8, PL-2, PS-3, 4, 5, SA-4, SI-2, SR-3, SR-10, SR-12
• Appendix O POA&M: CA-5 [Out of scope for this issue Included here for completeness of the analysis.]

[brian-ruf]

Important Consideration

There are several possible ways policies, plans and procedures may be attached to security controls:

1. the control includes a link that points directly to the document
2. the control includes a link with a URI fragment that points to a back-matter resource representing the document
3. the control includes a by-component assembly that points to a component representing the document; the component could: a. have a link directly to the document b. have a link with a URI fragment that points to a back-matter resource

[aj-stein-gsa]

Important Consideration

There are several possible ways policies, plans and procedures may be attached to security controls:

Thanks for the brief today, let's soon discuss how we should act with recommendations on 2 and 3b as the preferred recommendations and how to design constraints around them ASAP.

[brian-ruf]

@aj-stein-gsa I've reached this issue in our priorities. We've both been very focused on other work and haven't resolved the above question of how best to model attachments.

As with other areas this is something where we should have a preferred approach as well as accepting a simpler approach in support of legacy Word -> OSCAL SSP conversions.

Further, we have allowed other attachments and links to be either a URI fragment or a direct external link.

As a result, I believe we should establish 3b as our preferred approach, but accept any of the above (1, 2, 3a and 3b). I think our team has become well skilled at writing xapth that supports these scenarios.

I will defer any further analysis on this until you return. Hope to have a clear direction by COB Monday, Dec 2nd

@Rene2mt FYSA