
Add a FedRAMP 'prop' with name="published" for back-matter>resources #778

Closed
3 tasks done
Telos-sa opened this issue Oct 15, 2024 · 4 comments

Comments

@Telos-sa

Telos-sa commented Oct 15, 2024

This is a ...

improvement - something could be better

This relates to ...

  • the Guide to OSCAL-based FedRAMP Content
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

When linking Laws & Regulations in back-matter resources, there is a NIST 'prop' with name="published" which validates the value against the date-time-with-timezone data type.

[ERROR] [/system-security-plan/back-matter[1]/resource[11]/prop[2]/@value] Value '1994' did not conform to the data type '{http://csrc.nist.gov/ns/metaschema/metapath}date-time-with-timezone' at path '/system-security-plan/back-matter[1]/resource[11]/prop[2]/@value'

There are a number of Laws & Regulations from the FedRAMP Laws, Regulations, Standards and Guidance Reference found on FedRAMP Documents & Templates which have the date as just "Month YYYY" or sometimes a string: "As amended".
[Screenshot 2024-10-15 at 3:39:58 PM: excerpt of the FedRAMP Laws, Regulations, Standards and Guidance Reference showing "Month YYYY" and "As amended" date values]

We are proposing that FedRAMP add a 'prop' with name="published" and ns="https://fedramp.gov/ns/oscal" for back-matter>resources that validates differently than the NIST prop, and allows these shortened date formats and strings such as "As amended".

Goals

Add a FedRAMP 'prop' with name="published" and ns="https://fedramp.gov/ns/oscal" for back-matter>resources that validates differently than the NIST prop, and allows shortened date formats and strings such as "As amended".

Dependencies

No response

Acceptance Criteria

Other information

No response
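To make the validation behaviour concrete, here is an added example (not code from the issue, from FedRAMP, or from the NIST OSCAL tooling): a small checker that treats a `published` prop in the default NIST namespace (`http://csrc.nist.gov/ns/oscal`) the way the error above describes, and applies a hypothetical relaxed rule to a `published` prop in the `https://fedramp.gov/ns/oscal` namespace. The date-time-with-timezone check is an approximation of the OSCAL data type (ISO 8601 date-time with a mandatory offset), the relaxed rule ("YYYY", "Month YYYY", or "As amended") is the issue's proposal and not an adopted FedRAMP constraint, and the sample resources are constructed.

```python
# Added example (not from the issue, FedRAMP, or NIST): shows why a NIST
# 'published' prop rejects '1994' and how a FedRAMP-namespaced prop with a
# relaxed value rule (hypothetical, as proposed in the issue) would behave.
import calendar
import re
from datetime import date

NIST_NS = "http://csrc.nist.gov/ns/oscal"    # default namespace for OSCAL props
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # namespace named in the issue

# Approximation of the OSCAL date-time-with-timezone data type: a full
# ISO 8601 date-time with a mandatory 'Z' or +hh:mm / -hh:mm offset.
_DATE_TIME_TZ = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T([01]\d|2[0-3]):[0-5]\d:[0-5]\d(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)

# Hypothetical relaxed rule for a FedRAMP-namespaced 'published' prop:
# 'YYYY', 'Month YYYY', or the literal string 'As amended'.
_RELAXED = re.compile(r"^(?:(\d{4})|([A-Za-z]+) (\d{4})|As amended)$")


def is_date_time_with_timezone(value: str) -> bool:
    """True if value is an ISO 8601 date-time carrying a timezone designator."""
    m = _DATE_TIME_TZ.match(value)
    if not m:
        return False
    try:
        date.fromisoformat(m.group(1))  # rejects impossible dates such as 1994-02-30
    except ValueError:
        return False
    return True


def is_relaxed_published(value: str) -> bool:
    """True if value matches the hypothetical relaxed FedRAMP rule."""
    m = _RELAXED.match(value)
    if not m:
        return False
    month = m.group(2)
    return month is None or month in calendar.month_name[1:]


def check_back_matter(resources: list[dict]) -> list[str]:
    """Validate every 'published' prop; return metapath-style error strings."""
    errors = []
    for r_idx, resource in enumerate(resources, start=1):
        for p_idx, prop in enumerate(resource.get("props", []), start=1):
            if prop.get("name") != "published":
                continue
            ns = prop.get("ns", NIST_NS)  # an absent ns means the NIST namespace
            value = prop.get("value", "")
            path = f"/system-security-plan/back-matter[1]/resource[{r_idx}]/prop[{p_idx}]/@value"
            if ns == NIST_NS and not is_date_time_with_timezone(value):
                errors.append(f"[{path}] Value '{value}' did not conform to date-time-with-timezone")
            elif ns == FEDRAMP_NS and not is_relaxed_published(value):
                errors.append(f"[{path}] Value '{value}' is not 'YYYY', 'Month YYYY' or 'As amended'")
    return errors


# Constructed sample back-matter resources (titles and dates are made up).
SAMPLE_RESOURCES = [
    {   # NIST prop with a full timestamp: valid
        "title": "Example standard A",
        "props": [{"name": "published", "value": "2023-05-30T00:00:00Z"}],
    },
    {   # NIST prop with only a year: the error the issue reports
        "title": "Example law B",
        "props": [{"name": "type", "value": "law"},
                  {"name": "published", "value": "1994"}],
    },
    {   # FedRAMP-namespaced prop with a shortened date: accepted by the relaxed rule
        "title": "Example regulation C",
        "props": [{"name": "published", "ns": FEDRAMP_NS, "value": "January 1988"}],
    },
    {   # FedRAMP-namespaced prop with a non-date string: accepted by the relaxed rule
        "title": "Example guidance D",
        "props": [{"name": "published", "ns": FEDRAMP_NS, "value": "As amended"}],
    },
    {   # FedRAMP-namespaced prop with an unrecognised value: rejected
        "title": "Example guidance E",
        "props": [{"name": "published", "ns": FEDRAMP_NS, "value": "Sometime 2001"}],
    },
]

if __name__ == "__main__":
    for err in check_back_matter(SAMPLE_RESOURCES):
        print(err)
```

Running the block reports two errors: the NIST-namespaced '1994' on resource 2 and the unrecognised 'Sometime 2001' on resource 5; the full timestamp, 'January 1988' and 'As amended' pass. Note that the checker keys on the `ns` attribute, so a tool that ignores namespaces would still apply the NIST data type to both props.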

@aj-stein-gsa
Contributor

Thank you for the report, @Telos-sa. We will have to review this request and update it accordingly. If you export this information about the relevant law or regulation, how do your staff or users, with your tools or others, use this information on import and analysis? It would seem "1994" or especially "As amended" does not have a meaningful impact on import and subsequent analysis, but I would like to hear more detail on that front before accepting the work item and working it into the backlog.

@aj-stein-gsa aj-stein-gsa self-assigned this Oct 16, 2024
@Telos-sa
Author

Telos has identified two user stories for this workflow

  1. CSP has not identified any additional laws and regulations beyond what is scoped and provided by FedRAMP. In this scenario, Telos recommends that CSPs use the FedRAMP-provided document as a back-matter resource, without defining each of the laws and regulations (as they are not leveraged).

  2. CSP has identified additional laws/regulations/standards/guidance that they leverage when leveraged components do NOT have a current FedRAMP authorization package. In this user story, we recommend that the law/regulation/guidance is identified, and in the component section, a link is created to tie back to the specific external requirement.

Is this what you are looking for? Do you see any other alternative user stories that may need to be taken into consideration before establishing rules and requirements?

@aj-stein-gsa
Contributor

In office hours, with more context provided, I would propose we add a property of prop[@name="accessed"] or prop[@name="last-accessed"] to identify when a resource was last reviewed, irrespective of a specific publication version and date for relevant laws, regulations, and standards (one example provided in the meeting for the latter was the ISO 2700x:20yz variant of standards as well, but the former two were really the case of "as amended").

Most importantly, per @david-waltermire, we should clarify in guidance on automate.fedramp.gov to clearly indicate that digital authorization package owners MUST not resend information as-is in the legacy Word-based templates that apply to FedRAMP. We know those already, but it is not explicit on our website documentation.

@aj-stein-gsa
Contributor

Note to @aj-stein-gsa: we need to update this to new constraint issue template.

@aj-stein-gsa aj-stein-gsa moved this from 🔖 Ready to 👀 In review in FedRAMP Automation Dec 27, 2024
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in FedRAMP Automation Jan 3, 2025
@aj-stein-gsa aj-stein-gsa moved this from ✅ Done to 🚢 Ready to Ship in FedRAMP Automation Jan 3, 2025
No branches or pull requests

3 participants