-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expansion of Protocol Tag to other components #1913
Comments
@Telos-sa, you have expressed two requests:
I had asked the FedRAMP Automation Team if there was a historical or outstanding current reason protocol is only for Re 2, is there any other type of component you are asking about to support protocol without error or warning? Can you give examples of a software component? If you recommend others, can you provide examples of those? |
During the 9/21 Triage Meeting, we decided to mark this ticket as |
@Arminta-Jenkins-NIST I meant feedback from @Telos-sa, not FedRAMP, sorry I didn't catch this sooner. Regarding FR PMO and Automation Team feedback from my previous comment #1913 (comment):
|
Thanks AJ. One of the new ones that may leverage the protocol tag for FedRAMP is their "Validations" for encryption. Since there are some, openSSL for instance, that should have their specific port or ports identified to support their use case. IE, how they are going to use the validation. Another use case, and the one that kicked this off, would be "Interconnection". If data is flowing via an interconnection, should it identify the specific port and protocol. If the overall goal is to leverage the service component as the owner of "protocol" then we may need some additional guidance on how to leverage the used by and provided by links, to demonstrate how the service is being leveraged by the interconnection. How the service is using the validation and/or software to support the connection. It may be that we leverage the "depends-on" and "uses-service" tags to support the components. In that case, would the depends on be owned by the service component as well, to identify the different validations/software that is required to make the service work? Then would the "uses-service" need to be used by the interconnection to show the upstream dependencies? If this is the case, and may be the best use case to support edge cases, then is the demonstration of the relationship owned solely by the down stream dependencies? |
For a https://pages.nist.gov/OSCAL/learn/tutorials/implementation/validation-modeling/
Does this make sense? Given our current documentation, I am not sure adding protocol here is sensible. Can you give an example as to why beyond what was said before?
This recommendation around |
@aj-stein-nist and @Telos-sa -- All comments above are addressing more than what the issue is calling for: "how information is flowing throughout the accreditation boundary and how these ports and protocols are being leveraged.". The FIPS 140 validation certificate is addressed in #1922. Continuing discussion the validation component type and the FIPS 140 validation certificate as component in two places is counter productive and risks providing inconsistent conclusions/outcomes. |
This change also relates to usnistgov#1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
This change also relates to usnistgov#1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
This change also relates to usnistgov#1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
This change also relates to #1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
I am encountering similar challenges with the "direction" property in components. @aj-stein-gsa / @iMichaela / @Telos-sa - Thoughts? |
So can we clarify the issue with the constraint in question, is it one or more of the following?
I just want to be clear because I definitely mislabeled my PR to be "mostly about 1913 and somewhat about 1922," when it was the inverse (it is actually "is mostly about 1922, and somewhat related to 1913"). For that I apologize, so I wanted to make sure I completely understood the the issue with direction. |
The second one! The fundamental issue is to identify all component types that need to capture details about communication that crosses the boundary. I believe that means "interconnection", "service", and "software". Possibly also "validation" (I agree with @iMichaela's assertion that "validation" is a different conversation, but want to leave room for the possibility that "validation" has not yet been settled.) The documentation requirements for any communication that crosses the boundary include:
I believe we need to:
NOTE "service" and "software" are not lumped into the "interconnection" constraint because "interconnection" has additional allowed values that do not pertain to the other two. |
Cool. Are we saying we want that change or need it in the short-term? I did not necessarily include this in the scope of my proposal #2072 and did not know if it is blocking downstream constraint work. Are we saying the issue is significant and we want to amend that proposal? |
I believe there is an error in the description for 'direction" in the enumeration above. And the value fro the "direction" should be constrained to |
@iMichaela currently, "direction" as a property name is only in the allowed values list for component type "interconnection". I am suggesting that it belongs anyplace As for the allowed values for the "direction" property, they are currently configured in metaschema as "incoming" and "outgoing" with the intention of having it twice when bi-directional. It has been this way since before 1.0.0. <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='direction']/@value">
<enum value="incoming">Data from the remote system flows into this system.</enum>
<enum value="outgoing">Data from this system flows to the remote system.</enum>
</allowed-values> While I don't personally care if they are incoming/outgoing or ingress/egress/bidirectional, I'm reluctant to make this change as it's currently working in its current sate. So it would be a breaking change for something that is not a bug fix. |
I think we are option 5. I am comfortable with the current syntax and structure, I think the challenge is determining the different user stories to be able to showcase the relationships. IE if we are treating service as a component and it is services and a collection of protocols (like ports protocols and services), that need to be referenced and used by other services, interconnections, and components. The question is really how complex should these relationships be? Would love to see if we can brainstorm how to deomonstrate PPSM in an OSCAL way, and do it better than the manually generated documentation. |
@Telos-sa I've been re-modeling Table 6.1 (Leveraged Authorizations) and 7.1 (External Systems and Services Not Having FedRAMP Authorization) from the Rev 5 FedRAMP SSP template here:
I've decomposed the template instructions to use cases and fully re-modeled LAs. I'm still working on the remodeling of 7.1, but have a fair amount of analysis and thoughts in those two issues and their related task issues. In particular, I think you are touching on this THIS COMMENT where I attempted to lay out the five scenarios that need to be clearly modeled and documented from an OSCAL perspective. Please let me know if these scenarios align with your thoughts on user stories. |
I agree with you it should be supported in other models too, but addressing this issue is beyond the scope of a patch. Alos, there is no need to change the allowed values and using 2 props for bi-directional through composition is OK. |
Per @aj-stein-gsa's note in the PR #2063, this initial issue should have addressed by that PR. Are we saying it si not because there are additional findings, or because the PR is not addressing it as expected? |
@brian-ruf, so we are saying service and software, but not |
The information appears to repeat information about a related prop name regarding IPv6 connectivity.
This adds the prop constraint as requested in usnistgov#1913 feedback. Also align enum doc strings to be consistent in the props for future refactoring entity file refactoring in the following commit.
As there will duplicate values when they really need to be identical and the enum documentation strings were previously aligned, it is prudent to refactor the reused enum values and doc strings using the shared entity file pattern per other shared allowed-values enum sets in this model definition and others.
For review by interested parties, I opened #2077. |
User Story:
As a project {stakeholder}, I need to be able to understand how information is flowing throughout the accreditation boundary and how these ports and protocols are being leveraged.
Communication via API
Software that leverage services:
Communication between two inventory items (Web server and DB):
Are cryptographic modules considered a component?
Goals:
Expand the use case of Components and protocols to meet the edge use cases of many interconnections, or support guidance for how to define edge.
Dependencies:
Link usnistgov/oscal-cli#186
Acceptance Criteria
The text was updated successfully, but these errors were encountered: