-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting new Component type for connections that are internal to system boundary #1922
Comments
At 9/21 Triage Meeting:
|
The related Schematron may be of interest. |
At 9/28 Triage Meeting: @iMichaela and @Arminta-Jenkins-NIST didn't have time to look at this ticket during the sprint. We will circle back next Triage. |
At 10/5 Triage meeting: No movement made. @aj-stein-nist can help on Tuesday (10/10/23) |
I am going to review the Metaschema constraints and summarize for analysis and pose some key takeaways and recommendations for the team and the @Telos-sa that reported the issue by Tuesday, so maybe before. 😎 |
10/05/2023 analysisOSCAL allows local definitions for the components' type so, if a 'connection' component is necessary, that can be locally defined. With that said, the question is deeper than the component type.
FedRAMP is asserting (see Schematron), that under To me, it makes sense that the the SSP will have the following components (locally defined or allowed values):
NOTE: more details can be captured above to demonstrate how to meet the FedRAMP's Schematron rules. This can be done once we agree this is one valid way of documenting the scenario. REFERENCE: https://pages.nist.gov/OSCAL/learn/tutorials/implementation/validation-modeling/ |
@Telos-sa - did you ask FedRAMP for clarification since the Crypto module is called using its API? Is there another proposed approach? |
User Story
There is currently a type for interconnection, defined as "A connection to something outside this system." There is also a service, which is defined as "A service that may provide APIs."
The FedRAMP OSCAL Rev 5 has added new requirement for a "validation" component to identify the approved encryption module, with additional locally defined props that denote the if it is protecting data in transit, and/or data at rest.
Would like to understand how the service component can be leveraged, and or if we need a new internal connection component, to identify the following use cases:
Is this considered a service? Or do we tie the cryptographic module to the software components on either side of the communication? What is the recommended methodology for identifying how information moves around within an accreditation boundary?
Relates to #1913
Goals
Determine the appropriate way to identify and document internal movement of data within the boundary, either locally on a single machine or to different machines and how to further link the cryptographic module components. IE should cryptography be referenced at the software level, or at the service level?
Dependencies
No response
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response
The text was updated successfully, but these errors were encountered: