[Feedback]: system-implementation/leveraged-authorizations/prop[@name=impact-level] and prop[@name=authorization-type] value options #584

Open
2 of 12 tasks
Telos-sa opened this issue Apr 4, 2024 · 0 comments

Telos-sa commented Apr 4, 2024

This is a ...

concern - something needs to be different

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

The props for leveraged-authorizations seem to have the same/similar data elements based on the use of these elements in the overall SSP.

For example, in system-characteristic/prop[@name=authorization-type] FedRAMP has defined the following as allowed values:
[image]

However, for the leveraged-authorizations the 'li-saas' option seems to have switched to the prop for impact level.
[image]

The allowed values for impact level seem to be a reflection of the source's security-sensitivity-level.

[image]

But the values defined in leveraged-authorizations do not follow the same format.

Where, exactly?

system-implementation/leveraged-authorizations/props

Other information

Recommendation:
system-implementation/leveraged-authorizations/prop[@name=impact-level] allowed values == OSCAL allowed values for system-characteristics/security-sensitivity-level

system-implementation/leveraged-authorizations/prop[@name=authorization-type] allowed values == system-characteristics/prop[@name=authorization-type]

Update the guide to reflect this change, with more detail in leveraged authorizations.
Update the SSP template Leveraged Services table to reflect the change in the headers.
