
FedRAMP Rev 5 SSP Guide Missing Separation of Duties guidance (User) #534

Telos-sa opened this issue Nov 29, 2023 · 2 comments · May be fixed by #594
Labels
enhancement New feature or request rev5 NIST 800-53 rev 5 Scope: Guides

Comments

@Telos-sa

Action Item

This is a ...

  • [ ] fix - Something needs to be different.
  • [ ] enhancement - Something could be better.
  • [x] investigation - Something needs to be investigated further.

This relates to ...

  • [ ] the FedRAMP OSCAL Registry (Excel File)
  • [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
  • [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
  • [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
  • [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • [ ] General/Overall
  • [ ] Other

NOTE: For issues related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

Describe the problem or enhancement

There is no information related to how to handle the adjustments to the users section as it relates to the separation of duties SSP template changes for the Rev 5 doc template. This was an overhaul from Rev 4 to Rev 5, and we need confirmation that specific elements are still required for OSCAL, elements which include sensitivity, privilege-level, and type.

Goals:

Understanding of how users relates to the separation of duties table, and clear guidance on how to incorporate the different props into this table/feature. If select elements are being removed, clear descriptions and an update to the OSCAL guide so the props are no longer included.

Dependencies:

Update of the FedRAMP SSP OSCAL guide to capture all elements and interdependencies. Determination of whether the SSP doc template or the OSCAL template is the definitive source of truth (which will help with baselines and other discrepancies).

Acceptance Criteria

  • [x] All FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

Other Comments

{Add any other context about the problem here.}

@Rene2mt
Member

Rene2mt commented Dec 22, 2023

Workaround recommendation for the near-term (in OSCAL) is to provide the separation of duties as a back-matter resource. See

```xml
<!-- Section 11 - Separation of Duties -->
<resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
  <title>Separation of Duties Matrix</title>
  <description>
    <p>Separation of Duties Matrix</p>
  </description>
  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="separation-of-duties-matrix"/>
  <!-- document date -->
  <prop name="published" value="2023-01-01T00:00:00Z"/>
  <prop name="version" value="Document Version"/>
  <rlink href="./documents/Sep_Matrix.docx" media-type="application/msword"/>
  <base64 filename="Sep_Matrix.docx" media-type="application/msword">00000000</base64>
  <remarks>
    <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
  </remarks>
</resource>
```

This will be added to the guides. Long-term, FedRAMP is exploring potential model enhancements that would support describing the Separation of Duties in OSCAL.
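The following is an added example, not FedRAMP tooling or code from this thread: a small checker that reads an OSCAL SSP in XML and verifies the workaround above is present and usable. It locates the back-matter resource tagged with the FedRAMP `type` prop `separation-of-duties-matrix`, confirms it carries an `rlink` or decodable `base64` payload, and, for the user-section question raised in the issue, lists each `user`'s `type`, `privilege-level` and FedRAMP `sensitivity` props and reports any user whose `role-id`s do not appear in the matrix. The embedded SSP fragment and CSV matrix are constructed sample data; the OSCAL 1.0 namespace and the FedRAMP namespace are real, but the CSV layout of the matrix (first column = role id) is an assumption of this example.

```python
"""Check an OSCAL SSP (XML) for a separation-of-duties back-matter resource
and list user props. Added example with constructed sample data; not
FedRAMP's own tooling."""
import base64
import csv
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"   # OSCAL 1.0 XML namespace
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"      # FedRAMP prop namespace
NS = {"o": OSCAL_NS}
SOD_TYPE = "separation-of-duties-matrix"

# Constructed sample matrix: assumed layout is "role,function" per row.
SAMPLE_MATRIX = b"role,function\nsystem-admin,deploy\nauditor,review\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_MATRIX).decode()

# Constructed sample SSP fragment (UUIDs are placeholders).
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}" uuid="00000000-0000-0000-0000-000000000001">
  <system-implementation>
    <user uuid="00000000-0000-0000-0000-000000000002">
      <title>System Administrator</title>
      <prop name="type" value="internal"/>
      <prop name="privilege-level" value="privileged"/>
      <prop ns="{FEDRAMP_NS}" name="sensitivity" value="high"/>
      <role-id>system-admin</role-id>
    </user>
    <user uuid="00000000-0000-0000-0000-000000000003">
      <title>Auditor</title>
      <prop name="type" value="external"/>
      <prop name="privilege-level" value="non-privileged"/>
      <role-id>auditor</role-id>
    </user>
    <user uuid="00000000-0000-0000-0000-000000000004">
      <title>Developer</title>
      <prop name="type" value="internal"/>
      <prop name="privilege-level" value="privileged"/>
      <role-id>developer</role-id>
    </user>
  </system-implementation>
  <back-matter>
    <resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
      <title>Separation of Duties Matrix</title>
      <prop ns="{FEDRAMP_NS}" name="type" value="{SOD_TYPE}"/>
      <base64 filename="Sep_Matrix.csv" media-type="text/csv">{SAMPLE_B64}</base64>
    </resource>
  </back-matter>
</system-security-plan>"""


def load(xml_text):
    """Parse SSP XML text and return the root element."""
    return ET.fromstring(xml_text)


def list_users(root):
    """Return one dict per <user> with the props the issue asks about."""
    users = []
    for user in root.findall(".//o:user", NS):
        props = {}
        for p in user.findall("o:prop", NS):
            props[(p.get("ns"), p.get("name"))] = p.get("value")
        users.append({
            "title": user.findtext("o:title", default="", namespaces=NS),
            "type": props.get((None, "type")),
            "privilege-level": props.get((None, "privilege-level")),
            "sensitivity": props.get((FEDRAMP_NS, "sensitivity")),
            "roles": [r.text for r in user.findall("o:role-id", NS)],
        })
    return users


def find_sod_resource(root):
    """Return the back-matter resource tagged as the SoD matrix, or None."""
    for res in root.findall("o:back-matter/o:resource", NS):
        for p in res.findall("o:prop", NS):
            if (p.get("ns"), p.get("name"), p.get("value")) == (FEDRAMP_NS, "type", SOD_TYPE):
                return res
    return None


def check_sod_resource(res):
    """Return a list of findings; an empty list means the resource is usable."""
    if res is None:
        return [f"no back-matter resource with FedRAMP type {SOD_TYPE}"]
    findings = []
    rlinks = res.findall("o:rlink", NS)
    b64 = res.find("o:base64", NS)
    if not rlinks and b64 is None:
        findings.append("resource has neither rlink nor base64 content")
    for rl in rlinks:
        if not rl.get("href"):
            findings.append("rlink is missing href")
    if b64 is not None:
        try:
            if not base64.b64decode(b64.text or "", validate=True):
                findings.append("base64 content is empty")
        except ValueError:  # binascii.Error is a ValueError
            findings.append("base64 content does not decode")
    return findings


def matrix_roles(res):
    """Decode an embedded CSV matrix and return the set of role ids it covers."""
    b64 = res.find("o:base64", NS) if res is not None else None
    if b64 is None or b64.get("media-type") != "text/csv":
        return set()
    text = base64.b64decode(b64.text or "", validate=True).decode()
    rows = list(csv.reader(text.splitlines()))
    return {row[0] for row in rows[1:] if row}  # skip header row


def users_missing_from_matrix(root):
    """Titles of users with a role-id the SoD matrix does not mention."""
    roles = matrix_roles(find_sod_resource(root))
    return [u["title"] for u in list_users(root) if not set(u["roles"]) <= roles]


if __name__ == "__main__":
    root = load(SAMPLE_SSP)
    for u in list_users(root):
        print(u)
    print("findings:", check_sod_resource(find_sod_resource(root)))
    print("users not covered by matrix:", users_missing_from_matrix(root))
```

Run against a real SSP by replacing `SAMPLE_SSP` with the file contents; a `.docx` payload as in the snippet above would still pass `check_sod_resource` (it only verifies the payload decodes) but `matrix_roles` deliberately returns nothing for non-CSV media types rather than guessing at the document's structure.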

@vmangat

vmangat commented Jan 31, 2024

We would like to suggest a slightly different approach. This approach may allow the standard to be flexible for composing the user/privilege/role/functions to support different models. FedRAMP can provide guidance in one specific way the assemblies should be created for the Separation of Duties table in the template. This will also allow FedRAMP to change its guidance without impacting the model.

[image: attached diagram of the proposed user/privilege/role/function assemblies]

Projects
Status: 👀 In review

5 participants