As an OSCAL POAM documenter/CSP, I need to be able to:
reference a UUID from components or parties in the actor field, instead of creating a new actor UUID.
This may require a schema/name/guidance update in the actor-uuid field.
Goals
To be able to use an already existing UUID (from a system component) in the actor uuid section
OSCAL POAM schema defines actor-uuid, which sounds like a unique actor UUID should be separately defined. However, oftentimes (especially in the FedRAMP context), these actors are scanning tools (components) or 3PAO/CSP (parties) that we already define somewhere else.
Instead of defining another UUID for the actor (which could lead to duplication of data, since one system component can have two UUIDs for component and actor), I suggest this field should be flexible to allow uuid-ref.
This is how FedRAMP is also guiding in their OSCAL POAM guide.
Dependencies
No response
Acceptance Criteria
All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response
A simple way we could solve this is to refactor the origin-actor assembly to be an array of choice objects, between an actor and a field such as "actor-uuid".
We checked, and in the current develop and release OSCAL models, this is currently only a flag with a UUID type, with no constraints or indices. This seems reasonable to consider; the scope of work is unclear: whether it is a documentation change, potentially a constraint enhancement, or both to meet the ask.
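The kind of index check the thread says is missing, as an added example (not code from the OSCAL project or from any commenter): it resolves every origin actor's `actor-uuid` in a POA&M JSON document against the parties and components that document already defines. Assumptions: `party` actors resolve to `metadata.parties`, `tool` actors resolve to `local-definitions.components` in the same document, other actor types are accepted if they resolve to either, and the sample is a constructed fragment with made-up UUIDs, not a schema-valid POA&M.

```python
# Added example: referential check for actor-uuid in an OSCAL POA&M (JSON form).
PARTY = "11111111-1111-4111-8111-111111111111"    # constructed UUIDs, not from the issue
SCANNER = "22222222-2222-4222-8222-222222222222"
ORPHAN = "33333333-3333-4333-8333-333333333333"

def origin_with(kind, ref):
    """Build a minimal object carrying one origin actor (hypothetical helper for the sample)."""
    return {"origins": [{"actors": [{"type": kind, "actor-uuid": ref}]}]}

SAMPLE = {"plan-of-action-and-milestones": {
    "metadata": {"parties": [{"uuid": PARTY, "type": "organization", "name": "Example 3PAO"}]},
    "local-definitions": {"components": [{"uuid": SCANNER, "type": "software", "title": "Example scanner"}]},
    "observations": [origin_with("tool", SCANNER), origin_with("party", PARTY), origin_with("tool", ORPHAN)],
    "risks": [origin_with("party", SCANNER)],
}}

def walk_actors(node, path="$"):
    """Yield (path, actor) for every entry of any 'actors' array nested under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "actors" and isinstance(val, list):
                for i, entry in enumerate(val):
                    yield f"{path}.actors[{i}]", entry
            else:
                yield from walk_actors(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk_actors(item, f"{path}[{i}]")

def check_actor_refs(poam):
    """Return (path, actor-uuid, reason) for actors that do not reuse a defined UUID correctly."""
    root = poam["plan-of-action-and-milestones"]
    parties = {p["uuid"] for p in root.get("metadata", {}).get("parties", [])}
    components = {c["uuid"] for c in root.get("local-definitions", {}).get("components", [])}
    expected = {"party": parties, "tool": components}  # assumed type-to-index mapping
    problems = []
    for path, entry in walk_actors(root):
        ref, kind = entry.get("actor-uuid"), entry.get("type")
        if ref in expected.get(kind, parties | components):
            continue  # actor reuses an existing UUID of the right kind
        found = "party" if ref in parties else "component" if ref in components else None
        reason = f"type '{kind}' points at a {found}" if found else "unresolved"
        problems.append((path, ref, reason))
    return problems

if __name__ == "__main__":
    for problem in check_actor_refs(SAMPLE):
        print(*problem, sep="  ")
```
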