SAP, SAR and POA&M Sample Files #639
FedRAMP sample files are HERE, but still subject to change. The SSP file is out of date.
Status 25-June-2020: In a meeting between @brianrufgsa, @david-waltermire-nist, and @wendellpiez we agreed that if the FedRAMP Automation repository is set up such that NIST can trust the validity of the OSCAL templates FedRAMP generated for SAP, SAR, and POA&M, then NIST would point to those as a FedRAMP use-case example. Later NIST may generate more simplified examples of specific features included in the assessment plan, assessment results, and POA&M models.
In a meeting between @brianrufgsa and Cisco, it became apparent that the mitigating-factor assembly could benefit from prop/annotation fields to allow for extensions. We should also evaluate the addition of a link/@href field, which could be used as a pointer to vendor support articles and other online information to consider when adjusting risk. This can currently be accomplished using a resource in the back-matter and linked using the subject-reference field; however, a direct link/@href field may be more appropriate in this instance.
@david-waltermire-nist will create a new issue tracking the FedRAMP repo CI/CD work that needs to be done, and a separate issue for updating the content readmes to point to the FedRAMP examples.
Added GSA/fedramp-automation#45 to track FedRAMP repo CI/CD work as described in @david-waltermire-nist's status above.
This work depends on deployment of the CI/CD build in the FedRAMP Automation Repo, which is now complete. This work will continue in the next sprint.
The CI/CD build is complete and examples can be found in the FedRAMP automation repository.
User Story:
As an OSCAL syntax modeler, I need to verify and demonstrate the validity and viability of the OSCAL representation of the information models for the security assessment plan (SAP), security assessment report (SAR), and plan of action and milestones (POA&M), so that examples can be provided and the syntax usage can be demonstrated when applied to known scenarios.
Goals:
Dependencies:
Issue #621 SAP, SAR, and POA&M Syntax Modeling in Metaschema
Acceptance Criteria:
All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
All examples are complete and work with upstream OSCAL files, including FedRAMP SSP, FedRAMP Baseline/Profile, and NIST 800-53r4 Catalog.
Syntax is updated to reflect any issues or gaps.
Examples are added to metaschema for assemblies, at a level appropriate to demonstrate usage in documentation.
Ensure FedRAMP extensions are removed from core OSCAL syntax and instead addressed in FedRAMP materials.
Notes:
These sample files will be developed in parallel to the development of OSCAL-based SAP, SAR, and POA&M guidance documents for FedRAMP, such that the files serve as NIST OSCAL examples, and support the guidance documents.