Open brian-ruf opened 4 years ago
THIS COMMENT WAS MOVED TO ISSUE #722, WHICH IS A MORE APPROPRIATE LOCATION https://github.com/usnistgov/OSCAL/issues/722#issuecomment-705615973
Is there support for generating a CRM via transform for any of these three scenarios: full SSP access, CRM only access, or legacy CRM?
@pburkholder Short answer: It's in-plan.
Longer answer: The plan is to complete the CRM modeling in issue #722. This will become a priority in late October and into November.
Once that is complete, NIST intends to create and publish a transform to automatically extract the leveraged authorization content from the SSP and generate the CRM file.
Is there example code of this CRM transform that was drafted for this or #722? We (FedRAMP) and NIST had begun work in GSA/fedramp-automation on the CIS and CRM tooling, and it appears @wendellpiez maintains a WIP copy of this code in his fork of our code. Is this related, or a pure NIST-only CIS/CRM effort?
/cc @GaryGapinski
@ohsh6o it looks like work on presenting a POA&M would be in an XSLT here: https://github.com/wendellpiez/fedramp-automation/blob/oscal-presentation/resources/oscal_poam_html.xsl - it appears to accept POA&M input along with an associated SSP?
However, this is only presentation: a "view". Generating an OSCAL POA&M is a different matter.
@wendellpiez Sorry I'm confused, what does the CRM have to do with the POA&M?
@wendellpiez and @ohsh6o The Customer Responsibility Matrix (FedRAMP's approach) or the broader System Security Responsibility Matrix concept are different from the question raised in issue #945 over the potential use of the POA&M model to document the system's risks during the categorization, selection, and implementation during the implementation phase, pre-assessment. The CRM transformation should 'export' information related to controls that can be inherited and the customers' responsibilities to complete the inherited controls' implementation.
Now that I have heard about this in today's model meeting, I have a better sense of this work and the implications. Like I said in #722, let me know how I can help out; I have an active need for this tooling!
User Story:
As an OSCAL SSP Author, I need to extract customer responsibilities from my OSCAL-based SSP and provide an OSCAL file to customers using the component model syntax.
Two common use cases include:
Background
We are considering three possible scenarios for leveraged authorizations:
In other words, this issue assumes:
Goals:
Create a transform to extract customer responsibility statements from an SSP and transform them to component syntax suitable for delivery to customers. This means the resulting file must:
Dependencies:
This is related to issue #572.
Acceptance Criteria
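To make the extraction step in the user story concrete, here is an added example, not code from the NIST OSCAL or GSA/fedramp-automation repositories and not the transform planned in #722. It assumes OSCAL 1.0 XML element names (`implemented-requirement/by-component/export/responsibility` in the SSP, `component/control-implementation/implemented-requirement` in the component definition); the sample SSP, its UUIDs, titles and profile href are constructed for the example, and the choice to emit one `implemented-requirement` per control that carries a customer responsibility is this example's own mapping, not a NIST-specified one.

```python
"""Extract customer responsibility statements from an OSCAL SSP and emit an
OSCAL component-definition that lists them per control (a CRM-style export).

Assumptions of this example: OSCAL 1.0 XML layout; responsibilities live under
by-component/export/responsibility; the mapping to component-definition is ours.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://csrc.nist.gov/ns/oscal/1.0"
Q = {"o": NS}                      # namespace map for find()/iterfind()
ET.register_namespace("", NS)      # serialize with the OSCAL default namespace


def q(tag):
    """Clark-notation tag in the OSCAL namespace."""
    return f"{{{NS}}}{tag}"


# Constructed sample SSP: ac-2 exports a customer responsibility, au-2 does not
# (the provider satisfies it fully), so only ac-2 should reach the CRM.
SAMPLE_SSP = f"""
<system-security-plan xmlns="{NS}" uuid="11111111-1111-4111-8111-111111111111">
  <metadata><title>Example Cloud Platform SSP</title></metadata>
  <import-profile href="https://example.invalid/profiles/moderate_profile.xml"/>
  <control-implementation>
    <description><p>Constructed example.</p></description>
    <implemented-requirement uuid="22222222-2222-4222-8222-222222222222" control-id="ac-2">
      <by-component component-uuid="33333333-3333-4333-8333-333333333333"
                    uuid="44444444-4444-4444-8444-444444444444">
        <description><p>The platform provides an identity service.</p></description>
        <export>
          <provided uuid="55555555-5555-4555-8555-555555555555">
            <description><p>Account lifecycle tooling is provided to tenants.</p></description>
          </provided>
          <responsibility uuid="66666666-6666-4666-8666-666666666666"
                          provided-uuid="55555555-5555-4555-8555-555555555555">
            <description><p>The customer must configure account expiry and
              review accounts quarterly.</p></description>
          </responsibility>
        </export>
      </by-component>
    </implemented-requirement>
    <implemented-requirement uuid="77777777-7777-4777-8777-777777777777" control-id="au-2">
      <by-component component-uuid="33333333-3333-4333-8333-333333333333"
                    uuid="88888888-8888-4888-8888-888888888888">
        <description><p>Audit logging is enabled platform-wide; no customer action needed.</p></description>
      </by-component>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>
"""


def _text(elem):
    """Flatten mixed content (<p>, inline markup) into one whitespace-normalized string."""
    return " ".join("".join(elem.itertext()).split())


def extract_customer_responsibilities(ssp_xml):
    """Return {control-id: [statements]} for every exported responsibility in the SSP.

    The './/' search also picks up responsibilities nested under statement/by-component.
    Controls with no exported responsibility are omitted: the customer has nothing to do.
    """
    root = ET.fromstring(ssp_xml)
    found = {}
    for req in root.iterfind("o:control-implementation/o:implemented-requirement", Q):
        control_id = req.get("control-id")
        for resp in req.iterfind(".//o:export/o:responsibility", Q):
            desc = resp.find("o:description", Q)
            if desc is not None:
                found.setdefault(control_id, []).append(_text(desc))
    return found


def build_crm_component_definition(ssp_xml):
    """Serialize a component-definition whose single component lists the extracted
    responsibilities, one implemented-requirement per control. The SSP's import-profile
    href is reused as the control-implementation 'source'."""
    root = ET.fromstring(ssp_xml)
    title_el = root.find("o:metadata/o:title", Q)
    ssp_title = _text(title_el) if title_el is not None else "SSP"
    profile_el = root.find("o:import-profile", Q)
    source = profile_el.get("href") if profile_el is not None else "#unknown-profile"
    responsibilities = extract_customer_responsibilities(ssp_xml)

    cdef = ET.Element(q("component-definition"), {"uuid": str(uuid.uuid4())})
    meta = ET.SubElement(cdef, q("metadata"))
    ET.SubElement(meta, q("title")).text = f"Customer Responsibility Matrix: {ssp_title}"
    ET.SubElement(meta, q("last-modified")).text = datetime.now(timezone.utc).isoformat()
    ET.SubElement(meta, q("version")).text = "1.0"
    ET.SubElement(meta, q("oscal-version")).text = "1.0.0"
    comp = ET.SubElement(cdef, q("component"), {"uuid": str(uuid.uuid4()), "type": "service"})
    ET.SubElement(comp, q("title")).text = ssp_title
    ET.SubElement(ET.SubElement(comp, q("description")), q("p")).text = \
        "Control responsibilities the leveraging customer must complete."
    ci = ET.SubElement(comp, q("control-implementation"),
                       {"uuid": str(uuid.uuid4()), "source": source})
    ET.SubElement(ET.SubElement(ci, q("description")), q("p")).text = \
        "Customer responsibilities extracted from the provider SSP."
    for control_id in sorted(responsibilities):
        ir = ET.SubElement(ci, q("implemented-requirement"),
                           {"uuid": str(uuid.uuid4()), "control-id": control_id})
        desc = ET.SubElement(ir, q("description"))
        for statement in responsibilities[control_id]:
            ET.SubElement(desc, q("p")).text = statement
    return ET.tostring(cdef, encoding="unicode")


def list_crm_controls(cdef_xml):
    """Control ids present in a generated component-definition (used to check output)."""
    root = ET.fromstring(cdef_xml)
    return [ir.get("control-id")
            for ir in root.iterfind(".//o:control-implementation/o:implemented-requirement", Q)]


if __name__ == "__main__":
    print(build_crm_component_definition(SAMPLE_SSP))
```

Running the module prints the generated component definition for the constructed SSP; only `ac-2` appears, because `au-2` exports nothing to the customer. A production transform (XSLT or otherwise) would also need to carry over `provided` statements, parameter settings and responsible roles, which this sketch deliberately leaves out.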