[Feedback]: CSP Authorization Playbook Cloud Deployment Models Deviate From OSCAL Requirements #590
Rene2mt commented:

Validations will be based on the tokenized values, not the human-readable aliases in the CSP Authorization Playbook or the legacy document template. The expected deployment model values in OSCAL for FedRAMP are:

* public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
* private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
* hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing.
* government-only-cloud: A specific type of community-cloud for use only by government services.
Rene2mt added the labels documentation (Improvements or additions to documentation) and Scope: Validation on May 14, 2024.
Stephanie Lacy replied by email:

That is perfect! I would recommend updating the FedRAMP CSP Playbook, Volume I, Section 7 document to reflect the updated requirements, and they can be in string format. As we want the highest level of data integrity, ensuring that the requirements align on either side prevents the GRC tools in the middle from having to convert customer data one way or another. Converting to a token does not impact integrity, because the content is not changing, but using the current formats as defined in the guide would result in a failed validation.
| Playbook | Playbook Token |
| --- | --- |
| Government-Only Community | government-only-community |
| Public | public |
| Private | private |
| Hybrid | Hybrid |
I recommend the guidance should incorporate the string versions of the tokens, with instructions for CSPs to list all that apply and, if multiple are selected, to provide a reason (this would turn into the remarks). This will also support the OSCAL messaging and create consistency between the requirements, especially as more CSPs begin to convert to OSCAL.

Also, FedRAMP should update the OSCAL guidance for the SSP to state which cloud-deployment-models will not be accepted, since OSCAL also accepts community-cloud and other. This would be similar to the FedRAMP restriction on Operational Status.
| Update | Playbook Token |
| --- | --- |
| Government Only Cloud | government-only-cloud |
| Public Cloud | public-cloud |
| Private Cloud | private-cloud |
| Hybrid Cloud | hybrid-cloud |
Stephanie Lacy | Senior Solutions Architect | www.telos.com
> From: Rene Tshiteya
> Sent: Tuesday, May 14, 2024 2:26 PM
> To: GSA/fedramp-automation
> Cc: Telos Solutions Architects; Author
> Subject: [Caution: External] Re: [GSA/fedramp-automation] [Feedback]: CSP Authorization Playbook Cloud Deployment Models Deviate From OSCAL Requirements (Issue #590)
>
> Validations will be based on the tokenized values, not the human-readable aliases in the CSP Authorization Playbook or the legacy document template. The expected deployment model values in OSCAL for FedRAMP are:
>
> * public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
> * private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
> * hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing.
> * government-only-cloud: A specific type of community-cloud for use only by government services.
This is a ... request - need something additional provided
This relates to ...
What is your feedback?
The cloud deployment models in the Guide and Playbook do not align with OSCAL.
Where, exactly?
The OSCAL SSP guide, Section 3 Instructions, recommends referencing the CSP Authorization Playbook for the list of deployment models.
The Authorization Playbook, Section 7 (https://www.fedramp.gov/assets/resources/documents/CSP_Authorization_Playbook.pdf), defines these options:
and states that it references and adheres to NIST SP 800-145. However, the requirements and references are different:
NIST SP 800-145 aligns with OSCAL once the data is converted to tokens.
Other information
Recommendation:
Update the Authorization Playbook to match NIST SP 800-145.
Create validation based on the tokenized representation of these options.
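The check the two recommendations above describe, as an added example that is not code from the GSA/fedramp-automation project (whose validations are written in its own rules): validation keys on the OSCAL token, so a playbook label only passes if it tokenizes to one of the four FedRAMP values, and the OSCAL-only values community-cloud and other are rejected explicitly. The document layout used (system-security-plan, system-characteristics, a props entry named cloud-deployment-model with optional remarks) follows the OSCAL SSP JSON model; the two sample SSPs are constructed here, the label lists are transcribed from the tables in the thread rather than parsed from the playbook PDF, and the rule that more than one declared model requires a remarks entry is an assumption taken from the recommendation above.

```python
"""Check an OSCAL SSP's cloud-deployment-model against the FedRAMP token set,
and show how CSP Authorization Playbook labels fare once tokenized.

Added example for this thread; not code from GSA/fedramp-automation.
"""
import json
import re

# The four tokens FedRAMP validations accept (from Rene2mt's comment).
FEDRAMP_DEPLOYMENT_TOKENS = frozenset(
    {"public-cloud", "private-cloud", "hybrid-cloud", "government-only-cloud"}
)
# Values the OSCAL SSP model also allows but FedRAMP does not accept.
OSCAL_ONLY_TOKENS = frozenset({"community-cloud", "other"})

# Human-readable labels as they appear in the thread's two tables
# (transcribed here; the playbook PDF itself is not parsed).
CURRENT_PLAYBOOK_LABELS = ["Government-Only Community", "Public", "Private", "Hybrid"]
PROPOSED_PLAYBOOK_LABELS = ["Government Only Cloud", "Public Cloud", "Private Cloud", "Hybrid Cloud"]

PROP_NAME = "cloud-deployment-model"


def tokenize_label(label: str) -> str:
    """Convert a human-readable label to token form: lowercase, with every
    run of non-alphanumeric characters collapsed to a single hyphen."""
    return re.sub(r"[^a-z0-9]+", "-", label.strip().lower()).strip("-")


def label_report(labels: list[str]) -> dict[str, tuple[str, bool]]:
    """Map each label to (token, accepted-by-FedRAMP)."""
    report = {}
    for label in labels:
        token = tokenize_label(label)
        report[label] = (token, token in FEDRAMP_DEPLOYMENT_TOKENS)
    return report


def validate_deployment_models(ssp: dict) -> list[str]:
    """Return findings for the cloud-deployment-model props of an OSCAL SSP
    (JSON layout: system-security-plan -> system-characteristics -> props).
    An empty list means the SSP passes this check."""
    findings = []
    chars = ssp.get("system-security-plan", {}).get("system-characteristics", {})
    props = [p for p in chars.get("props", []) if p.get("name") == PROP_NAME]
    if not props:
        return [f"no {PROP_NAME} property in system-characteristics"]
    for p in props:
        value = p.get("value", "")
        if value in FEDRAMP_DEPLOYMENT_TOKENS:
            continue
        if value in OSCAL_ONLY_TOKENS:
            findings.append(f"{value!r} is a valid OSCAL value but is not accepted by FedRAMP")
        else:
            findings.append(f"{value!r} is not an OSCAL {PROP_NAME} token")
    # Assumption taken from the recommendation in this thread: when more than
    # one model applies, the reason must be recorded in the prop's remarks.
    if len(props) > 1 and not any(p.get("remarks") for p in props):
        findings.append("multiple deployment models declared without remarks giving the reason")
    return findings


# Constructed sample documents, trimmed to the fields this check reads.
SSP_PASS = json.loads("""{"system-security-plan": {"system-characteristics": {
  "props": [{"name": "cloud-deployment-model", "value": "hybrid-cloud",
             "remarks": "Constructed sample: government-only region plus private hosting"}]}}}""")

SSP_FAIL = json.loads("""{"system-security-plan": {"system-characteristics": {
  "props": [{"name": "cloud-deployment-model", "value": "community-cloud"},
            {"name": "cloud-deployment-model", "value": "hybrid"}]}}}""")

if __name__ == "__main__":
    for name, labels in (("current", CURRENT_PLAYBOOK_LABELS), ("proposed", PROPOSED_PLAYBOOK_LABELS)):
        for label, (token, ok) in label_report(labels).items():
            print(f"{name:8} {label:28} -> {token:28} {'accepted' if ok else 'FAILS validation'}")
    for name, ssp in (("SSP_PASS", SSP_PASS), ("SSP_FAIL", SSP_FAIL)):
        print(name, validate_deployment_models(ssp) or ["ok"])
```

Running it shows the mismatch the issue reports: every label in the current playbook table tokenizes to a value outside the FedRAMP set (government-only-community, public, private, hybrid), while the proposed labels tokenize to exactly the four accepted tokens, so a GRC tool emitting the string form of the proposed labels needs no conversion step.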