Template FedRAMP-SSP-OSCAL-Template.json does not validate with OSCAL CLI #573

Open
1 of 12 tasks
JoseGHdz opened this issue Mar 21, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@JoseGHdz

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

I set up the OSCAL CLI environment and wanted to test the environment with multiple files. The FedRAMP-SSP-OSCAL-Template.json file did not pass the tests.

Relevant log output

[ERROR] [/system-security-plan/metadata[1]] Index 'index-metadata-property-uuid' has duplicate key for items at paths '/system-security-plan/metadata[1]/revision[1]/prop[1]' and '/system-security-plan/metadata[1]/revision[2]/prop[1]'

[ERROR] [/system-security-plan/system-implementation[1]] Index 'index-system-implementation-component-uuid' has duplicate key for items at paths '/system-security-plan/system-implementation[1]/component[6]' and '/system-security-plan/system-implementation[1]/component[15]'

[ERROR] [/system-security-plan/system-implementation[1]/component[4]/prop[2]/@name] Value 'isa-title' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[2]/@name'

[ERROR] [/system-security-plan/system-implementation[1]/component[4]/prop[3]/@name] Value 'isa-date' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[3]/@name'

[ERROR] [/system-security-plan/system-implementation[1]/component[4]/prop[5]/@name] Value 'ipv4-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[5]/@name'

[ERROR] [/system-security-plan/system-implementation[1]/component[4]/prop[6]/@name] Value 'ipv6-address' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[6]/@name'

[ERROR] [/system-security-plan/system-implementation[1]/component[4]/prop[7]/@name] Value 'direction' doesn't match one of 'allows-authenticated-scan, asset-id, asset-tag, asset-type, baseline-configuration-name, function, implementation-point, inherited-uuid, label, leveraged-authorization-uuid, marking, model, network-id, patch-level, public, release-date, sort-id, validation-reference, validation-type, version, virtual, or vlan-id' at path '/system-security-plan/system-implementation[1]/component[4]/prop[7]/@name'

[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.

[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.

[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[2]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.

[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[2]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[1]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[3]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[4]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[5]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[6]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[7]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[8]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[9]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

[WARNING] [/system-security-plan/back-matter[1]/resource[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'rlink|base64'.

[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name'
[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name'
[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[3]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[3]/@name'
[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[4]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[4]/@name'

[ERROR] [/system-security-plan/system-implementation[1]] Key reference not found in index 'index-system-implementation-component-uuid-software' for item at path '/system-security-plan/system-implementation[1]/component[14]/link[2]':

How do we replicate this issue?

  1. Run the OSCAL CLI
  2. Validate the Template File
  3. Get the errors

Where, exactly?

Too many validation errors to point at the exact lines.

Other relevant details

No response

@JoseGHdz JoseGHdz added the bug Something isn't working label Mar 21, 2024
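One way to triage a log like the one in the report above is to group its lines by constraint type and offending value. This is an added example, not part of the original issue or of the OSCAL CLI; the category names and function names are assumptions, and the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict

# Sample input: six lines copied verbatim from the log in the report above.
SAMPLE_LOG = """
[ERROR] [/system-security-plan/metadata[1]] Index 'index-metadata-property-uuid' has duplicate key for items at paths '/system-security-plan/metadata[1]/revision[1]/prop[1]' and '/system-security-plan/metadata[1]/revision[2]/prop[1]'
[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.
[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[1]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.
[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[1]/@name'
[ERROR] [/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name] Value 'dataset' doesn't match one of 'marking, published, type, or version' at path '/system-security-plan/back-matter[1]/resource[1]/prop[2]/@name'
[ERROR] [/system-security-plan/system-implementation[1]] Key reference not found in index 'index-system-implementation-component-uuid-software' for item at path '/system-security-plan/system-implementation[1]/component[14]/link[2]':
"""

# "[SEVERITY] [metapath] message"; the path itself contains "[n]" predicates,
# so it ends at the first "] " (bracket followed by a space).
LINE_RE = re.compile(r"^\[(?P<sev>ERROR|WARNING)\] \[(?P<path>.+?)\] (?P<msg>.*)$")

# Hypothetical category names, one per message shape seen in the log above.
RULES = [
    ("duplicate-key", re.compile(r"Index '(?P<key>[^']+)' has duplicate key")),
    ("allowed-values", re.compile(r"Value '(?P<key>[^']+)' doesn't match one of")),
    ("cardinality", re.compile(r"for items matching the expression '(?P<key>.+)'\.$")),
    ("missing-key-ref", re.compile(r"Key reference not found in index '(?P<key>[^']+)'")),
]

def triage(log_text):
    """Return {(severity, kind, key): [paths]} for every recognised log line."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or output that is not a finding
        kind, key = "other", m["msg"]  # unclassified: keep the full message
        for name, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                kind, key = name, hit["key"]
                break
        groups[(m["sev"], kind, key)].append(m["path"])
    return dict(groups)

def severity_counts(groups):
    """Total findings per severity level."""
    counts = Counter()
    for (sev, _kind, _key), paths in groups.items():
        counts[sev] += len(paths)
    return dict(counts)

if __name__ == "__main__":
    for (sev, kind, key), paths in sorted(triage(SAMPLE_LOG).items()):
        print(f"{sev:7} {kind:15} x{len(paths)}  {key[:60]}")
```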
@Rene2mt
Member

Rene2mt commented May 1, 2024

Are you using this version of the OSCAL SSP template?

Also, can you confirm which version of the OSCAL-CLI you are using?

@JoseGHdz
Author

JoseGHdz commented May 1, 2024

For the version of the OSCAL CLI, I was using 1.0.3. As for the template, the one you linked is the one that gave me errors.

@iMichaela

Please also note, neither of the JSON or XML templates are valid, and also, that AC-1 has errors in the template. There is no AC-1.b.1 and AC-1.b.2, there is AC-1.b and AC-1.c

@JoseGHdz
Author

JoseGHdz commented May 2, 2024

> Please also note, neither of the JSON or XML templates are valid, and also, that AC-1 has errors in the template. There is no AC-1.b.1 and AC-1.b.2, there is AC-1.b and AC-1.c

I am aware of the issues. I posted on Gitter a while back about the issues and I was notified that a different version of the template would be in the works in the next couple of months due to errors in the template.

Do you have any examples of valid OSCAL SSPs that I might be able to use?

@iMichaela

@JoseGHdz - my note was more of a reminder. I do not represent FedRAMP team - I represent NIST OSCAL team but we all want to support FedRAMP team that works very hard to cover all those gaps. The examples we (NIST) have in the oscal-content repo are not based on this FedRAMP template, but I am working on a sample that started with the FedRAMP template and got a little simplified to get faster to a valid structure. One thing I did that might not help you, was to remove the long list of controls because we are focusing on a shorter list. Please feel free to email directly at oscal@nist.gov and I can share what I have now and the progress we make.
