[Feedback]: CSP Authorization PLaybook Cloud Deployment Models Deviate From OSCAL Requirements

[Telos-sa]

This is a ...

request - need something additional provided

This relates to ...

• the FedRAMP OSCAL Registry
• the FedRAMP OSCAL baselines
• the Guide to OSCAL-based FedRAMP Content
• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP SAP OSCAL Template (JSON or XML Format)
• the FedRAMP SAR OSCAL Template (JSON or XML Format)
• the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

What is your feedback?

The Cloud Deployment Models in the Guide and Playbook do not align with OSCAL.

Where, exactly?

From the OSCAL SSP guide Section 3 Instructions, the list of Deployment models recommends to reference the CSP Authorization playbook.

The authorization Playbook Section 7: https://www.fedramp.gov/assets/resources/documents/CSP_Authorization_Playbook.pdf
Defines these options:

and states that it references and adheres to NIST SP 800-145. However the requirements and references are different:
the NIST SP 800-145 aligns with OSCAL once data is converted to token.

Other information

Recommendation:
Update the Authorization Playbook to match NIST SP 800-145.
Create validation based on the tokenized representation of these options.

[Rene2mt]

Validations will be based on the tokenized values, not the human-readable aliases in the CSP Authorization Playbook or the legacy document template. The expected deployment model values in OSCAL for FedRAMP are:

• public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
• private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
• hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing.
• government-only-cloud: A specific type of community-cloud for use only by government services.

[Telos-sa]

That is perfect! I would recommend updating the FedRAMP CSP Playbook, Volume I, Section 7 document to reflect the updated requirements, and they can be in string format. As we want the highest level of Data integrity, ensuring that the requirements on either side prevents the GRC tools in the middle from having to convert customer data one way or another. Converting to token does not impact integrity, because the content is not changing, but using the current formats as defined in the guide would result in a failed validation. Playbook Playbook Token Government-Only Community government-only-community Public public Private private Hybrid Hybrid Recommend guidance Should incorporate the String Versions of the tokens. With instructions for them to list all that apply, and if multiple are selected, to provide a reason (this would turn into the remarks). This will also support the OSCAL messaging, and create consistency between the requirements, especially as more CSPs begin to convert to OSCAL. Also, FedRAMP should update the OSCAL guidance for the SSP, to state which cloud-deployment-models will not be accepted, since OSCAL also accepts community-cloud and other. This would be similar to the FedRAMP restriction of Operational Status. Update Playbook Token Government Only Cloud government-only-cloud Public Cloud public-cloud Private Cloud private-cloud Hybrid Cloud hybrid-cloud Lacy Stephanie Lacy | Senior Solutions Architect ***@***.*** | www.telos.com<http://www.telos.com/> [signature_19392405]

…

________________________________ From: Rene Tshiteya ***@***.***> Sent: Tuesday, May 14, 2024 2:26 PM To: GSA/fedramp-automation Cc: Telos Solutions Architects; Author Subject: [Caution: External] Re: [GSA/fedramp-automation] [Feedback]: CSP Authorization PLaybook Cloud Deployment Models Deviate From OSCAL Requirements (Issue #590) Validations will be based on the tokenized values, not the human-readable aliases in the CSP Authorization Playbook or the legacy document template. The expected deployment model values in OSCAL for FedRAMP are: * public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing. * private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing. * hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing. * government-only-cloud: A specific type of community-cloud for use only by government services. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https://github.com/GSA/fedramp-automation/issues/590*issuecomment-2110855196__;Iw!!OIEPfio!QDUYjmsVsrDc5K0Ng0i3OWuVpNzKUesdnsZaXz5aOWGzR1WpRT95GAoyewo6RdMhI1agPL1e674lqCj5V_U9wHc$>, or unsubscribe<https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/A6KF2RP7XELDF6ZBVNRUSBTZCJJPFAVCNFSM6AAAAABHPBTQOCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJQHA2TKMJZGY__;!!OIEPfio!QDUYjmsVsrDc5K0Ng0i3OWuVpNzKUesdnsZaXz5aOWGzR1WpRT95GAoyewo6RdMhI1agPL1e674lqCj5cv1ud3s$>. You are receiving this because you authored the thread.Message ID: ***@***.***>