Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

POAM > Observations > Origins > Actor > Actor-UUID #1860

Open
3 tasks
rachkim00 opened this issue Jul 20, 2023 · 3 comments
Open
3 tasks

POAM > Observations > Origins > Actor > Actor-UUID #1860

rachkim00 opened this issue Jul 20, 2023 · 3 comments
Assignees
@aj-stein-nist
Labels
enhancement User Story

Comments

@rachkim00
Copy link

User Story

As an OSCAL POAM documenter/ CSP, I need to be able to:
reference uuid from components or party in the actor field, instead of creating new actor UUID.

This may requires schema/name/guidance update in the actor-uuid field.

Goals

To be able to use already existing UUID (from system component) in the actor uuid section

OSCAL POAM schema defines actor-uuid, which sounds like a unique actor UUID should be separately defined. However, often times (especially in FedRAMP context), these actors are scanning tools (components) or 3PAO/CSP (parties) that we already define somewhere else.

Instead of defining another UUID for actor (which could lead duplicate of data, since one system component can have two UUIDs for component and actor), I suggest this field should be flexible to allow uuid-ref.

This is how FedRAMP is also guiding in their OSCAL POAM guide.

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response
@github-actions github-actions bot added this to Needs Triage in Issue Triage Jul 20, 2023
@nikitawootten-nist
Copy link
Contributor

A simple way we could solve this is to refactor the origin-actor assembly to be an array of choice objects, between an actor and a field such as "actor-uuid".

@aj-stein-nist
Copy link
Contributor

We check and in current develop and release OSCAL models, this is currently only a flag with a UUID type, no constraints or indices. This seems reasonable to consider, scope of work is unclear if it is a documentation change or potentially a constraint enhancement or both to meet the ask.

@aj-stein-nist aj-stein-nist moved this from Needs Triage to Further Analysis Needed in Issue Triage Aug 24, 2023
@aj-stein-nist aj-stein-nist removed this from Further Analysis Needed in Issue Triage Sep 20, 2023
@aj-stein-nist aj-stein-nist self-assigned this Oct 5, 2023
@Arminta-Jenkins-NIST
Copy link
Contributor

At 10/12 Triage Meeting: @aj-stein-nist needs to come up with an example to support the hypothesis before refining this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aj-stein-nist aj-stein-nist

Labels
enhancement User Story
Projects
NIST OSCAL Work Board
Status: Further Analysis Needed
Milestone
No milestone
Development

No branches or pull requests
4 participants
@nikitawootten-nist @aj-stein-nist @Arminta-Jenkins-NIST @rachkim00