
FedRAMP Rev 5 SSP Guide Missing Separation of Duties guidance (User) #534

Open
14 tasks
Telos-sa opened this issue Nov 29, 2023 · 5 comments
Labels
enhancement New feature or request rev5 NIST 800-53 rev 5 scope: documentation

Comments

@Telos-sa

Action Item

This is a ...

  • [ ] fix - Something needs to be different.
  • [ ] enhancement - Something could be better.
  • [x] investigation - Something needs to be investigated further.

This relates to ...

  • [ ] the FedRAMP OSCAL Registry (Excel File)
  • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
  • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] General/Overall
  • [ ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

There is no information related to how to handle the adjustments to the users section as it relates to the separation of duties SSP template changes for the Rev 5 doc template. This was an overhaul from Rev 4 to Rev 5, and we need confirmation that specific elements are still required for OSCAL. These elements include sensitivity, privilege-level, and type.

Goals:

Understanding of how users relates to the separation of duties table, and clear guidance on how to incorporate the different props into this table/feature. If select elements are being removed, clear descriptions and an update to the OSCAL guide so the props are no longer included.

Dependencies:

Update of the FedRAMP SSP OSCAL guide to capture all elements and interdependencies. Determination of whether the SSP doc template or the OSCAL template is the definitive source of truth (which will help with baselines and other discrepancies).

Acceptance Criteria

  • [x] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

Other Comments

{Add any other context about the problem here.}

@Rene2mt
Member

Rene2mt commented Dec 22, 2023

Workaround recommendation for the near-term (in OSCAL) is to provide the separation of duties as a back-matter resource. See:

```xml
<!-- Section 11 - Separation of Duties -->
<resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
  <title>Separation of Duties Matrix</title>
  <description>
    <p>Separation of Duties Matrix</p>
  </description>
  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="separation-of-duties-matrix"/>
  <!-- document date -->
  <prop name="published" value="2023-01-01T00:00:00Z"/>
  <prop name="version" value="Document Version"/>
  <rlink href="./documents/Sep_Matrix.docx" media-type="application/msword"/>
  <base64 filename="Sep_Matrix.docx" media-type="application/msword">00000000</base64>
  <remarks>
    <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
  </remarks>
</resource>
```

This will be added to the guides. Long-term, FedRAMP is exploring potential model enhancements that would support describing the Separation of Duties in OSCAL.
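One way to check an SSP for the back-matter resource described in this workaround (an added example, not code from the issue or the fedramp-automation project; it assumes the JSON form of the OSCAL SSP model and uses a constructed sample document mirroring the XML above):

```python
import json

FEDRAMP_NS = "https://fedramp.gov/ns/oscal"
SOD_TYPE = "separation-of-duties-matrix"

# Constructed sample SSP (JSON form of the OSCAL model) carrying the resource from the workaround.
SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "back-matter": {
            "resources": [{
                "uuid": "49fb4631-1da2-41ca-b0b3-e1b1006d4025",
                "title": "Separation of Duties Matrix",
                "props": [
                    {"ns": FEDRAMP_NS, "name": "type", "value": SOD_TYPE},
                    {"name": "published", "value": "2023-01-01T00:00:00Z"},
                    {"name": "version", "value": "Document Version"},
                ],
                "rlinks": [{"href": "./documents/Sep_Matrix.docx",
                            "media-type": "application/msword"}],
            }]
        }
    }
})

def _prop(props, name, ns=None):
    """Value of the first prop with this name (and namespace, when given); None if absent."""
    for p in props:
        if p.get("name") == name and (ns is None or p.get("ns") == ns):
            return p.get("value")

def find_sod_resources(ssp_json):
    """Back-matter resources tagged with the FedRAMP separation-of-duties type prop."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    resources = ssp.get("back-matter", {}).get("resources", [])
    return [r for r in resources
            if _prop(r.get("props", []), "type", FEDRAMP_NS) == SOD_TYPE]

def check_sod_resource(resource):
    """Findings for one resource; an empty list means it carries what the workaround asks for."""
    findings = []
    props = resource.get("props", [])
    for required in ("published", "version"):
        if _prop(props, required) is None:
            findings.append(f"missing prop '{required}'")
    # The workaround allows either an rlink to the file or an embedded base64 copy.
    has_rlink = any(link.get("href") for link in resource.get("rlinks", []))
    has_base64 = bool(resource.get("base64", {}).get("value"))
    if not (has_rlink or has_base64):
        findings.append("no rlink and no embedded base64 attachment")
    return findings
```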

@vmangat

vmangat commented Jan 31, 2024

We would like to suggest a slightly different approach. This approach may allow the standard to be flexible for composing the user/privilege/role/functions to support different models. FedRAMP can provide guidance in one specific way the assemblies should be created for the Separation of Duties table in the template. This will also allow FedRAMP to change its guidance without impacting the model.

[image attachment not reproduced]

@aj-stein-gsa
Contributor

@Rene2mt are we still working on this CRM OSCAL modeling work in the fedramp-automation repo (not options 1-3) now? Should we close the PR, leave the branch, and revisit accordingly?

@aj-stein-gsa
Contributor

I am just going to close the related PR #594 (branch will stay put) and move the issue to Ready (for when work can be continued). The PR can be opened at any time. The work is good, but I can tell we have other things going on right now.

@Rene2mt
Member

Rene2mt commented Oct 4, 2024

Moving this to blocked. We iterated with community feedback and came up with a backwards compatible, minimalist approach (see #594 (comment)); however, this would require a model update (see the example in draft PR GSA/OSCAL#3).

I think this is on hold for now, but we'll need to resolve in the near or mid-term so we can finalize guidance on how to represent separation of duties in an OSCAL SSP.

Projects
Status: 🛑 Blocked

6 participants