Problem Statement
We are interested in reworking the System Security Plan (SSP)'s system characteristics to support categorization frameworks other than fips-199. Currently the system characteristics assemblies expect users to record categorization data for a given information-type following the CIA triad of impacts and expect the user to respond with fips-199-low, -moderate, or -high. This design does not allow for users to record impacts that do not fit into the CIA triad, such as having dedicated privacy impact values. Additionally, authors writing additional OSCAL constraints would benefit from a field communicating the system categorization framework.

This issue was originally raised during the OSCAL Workshop, and in the issue https://github.com/usnistgov/OSCAL/issues/1795.