
Missing Assessment Objectives and no "response-point" props in the LI-SaaS baseline #597

Open
1 of 12 tasks
Telos-sa opened this issue May 21, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@Telos-sa

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

There are no "response-point" prop elements in the LI-SaaS baseline for assessment-objectives. For the 3 other baselines, there are "response-point" flags in both the control statements and assessment-objectives. These were very helpful for tailoring/aggregating the assessment objectives and I wasn't quite sure why they weren't included for LI-SaaS.

There are also a few controls that have no associated assessment-objectives in LI-SaaS: IA-02(02), IA-07, and RA-02.

Additionally, AC-02 has an assessment-objective that is not defined in the NIST 800-53 catalog, and this is the only instance of an "_fr" objective in all of the baselines:

<part id="ac-2_obj_fr" name="assessment-objective">
  <prop ns="https://fedramp.gov/ns/oscal"
        name="response-point"
        value="Required"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="EXAMINE"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="INTERVIEW"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="TEST"/>
  <p>Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.</p>
</part>

Relevant log output

No response

How do we replicate this issue?

Review the mentioned sections of the LI-SaaS baseline.

Where, exactly?

The OSCAL LI-SaaS baseline resolved profile:
dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml

Other relevant details

We are looking for "response-point" props to be added to the LI-SaaS baseline, similarly to the other 3 baselines. If these were excluded for a reason, could you help us understand why?

@Telos-sa Telos-sa added the bug Something isn't working label May 21, 2024
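The three gaps reported above (controls with no assessment-objective parts, controls whose assessment-objectives carry no FedRAMP "response-point" prop, and the lone "_fr" objective id) can be checked mechanically against any OSCAL resolved-profile catalog. The script below is an added example written for this page, not code from the FedRAMP automation project; it uses only the standard library and the two namespaces that appear in the issue (the OSCAL 1.0 namespace and https://fedramp.gov/ns/oscal). The embedded catalog is a constructed miniature, not an excerpt of the LI-SaaS baseline, and the function and file-path names are the example's own assumptions.

```python
"""Report OSCAL catalog controls that lack assessment-objectives or FedRAMP response-points.

Added example for issue #597; the sample catalog below is constructed, not real baseline data.
"""
import sys
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"
CONTROL_TAG = f"{{{OSCAL_NS}}}control"
PART_TAG = f"{{{OSCAL_NS}}}part"
PROP_TAG = f"{{{OSCAL_NS}}}prop"

# Constructed sample catalog mirroring the shapes described in the issue:
# ac-2 has a NIST objective plus a FedRAMP-only "_fr" objective, its nested
# enhancement ac-2.2 has no objective at all, and ia-7's objective carries
# no response-point prop.
SAMPLE_CATALOG = f"""<catalog xmlns="{OSCAL_NS}" uuid="00000000-0000-4000-8000-000000000000">
  <group id="ac">
    <control id="ac-2">
      <part id="ac-2_smt" name="statement">
        <prop ns="{FEDRAMP_NS}" name="response-point" value="Required"/>
        <p>Manage system accounts.</p>
      </part>
      <part id="ac-2_obj" name="assessment-objective">
        <prop ns="{FEDRAMP_NS}" name="response-point" value="Required"/>
        <part id="ac-2_obj.a" name="assessment-objective">
          <p>Determine if account types are defined.</p>
        </part>
      </part>
      <part id="ac-2_obj_fr" name="assessment-objective">
        <prop ns="{FEDRAMP_NS}" name="response-point" value="Required"/>
        <p>FedRAMP-specific objective (constructed).</p>
      </part>
      <control id="ac-2.2">
        <part id="ac-2.2_smt" name="statement">
          <p>Automatically remove temporary accounts.</p>
        </part>
      </control>
    </control>
  </group>
  <group id="ia">
    <control id="ia-7">
      <part id="ia-7_smt" name="statement">
        <prop ns="{FEDRAMP_NS}" name="response-point" value="Required"/>
        <p>Cryptographic module authentication.</p>
      </part>
      <part id="ia-7_obj" name="assessment-objective">
        <p>Determine if authentication to a cryptographic module is implemented.</p>
      </part>
    </control>
  </group>
</catalog>
"""


def load_catalog(xml_text):
    """Parse catalog XML text and return its root element."""
    return ET.fromstring(xml_text)


def own_parts(element):
    """Yield every <part> under a control without descending into nested controls."""
    for child in element:
        if child.tag == CONTROL_TAG:
            continue  # enhancements are separate controls; report them on their own
        if child.tag == PART_TAG:
            yield child
        yield from own_parts(child)


def has_response_point(part):
    """True if the part carries a FedRAMP response-point prop directly."""
    return any(
        prop.get("ns") == FEDRAMP_NS and prop.get("name") == "response-point"
        for prop in part.findall(PROP_TAG)
    )


def control_objective_report(root):
    """Return (controls with no assessment-objective, controls whose objectives have no response-point)."""
    no_objectives, no_response_point = [], []
    for control in root.iter(CONTROL_TAG):
        objectives = [p for p in own_parts(control) if p.get("name") == "assessment-objective"]
        if not objectives:
            no_objectives.append(control.get("id"))
        elif not any(has_response_point(p) for p in objectives):
            no_response_point.append(control.get("id"))
    return no_objectives, no_response_point


def fedramp_only_objectives(root):
    """Return ids of assessment-objective parts using the FedRAMP-only '_fr' suffix."""
    return [
        p.get("id")
        for control in root.iter(CONTROL_TAG)
        for p in own_parts(control)
        if p.get("name") == "assessment-objective" and (p.get("id") or "").endswith("_fr")
    ]


if __name__ == "__main__":
    # Usage: python check_objectives.py [path/to/resolved-profile_catalog.xml]
    root = load_catalog(open(sys.argv[1], encoding="utf-8").read()) if len(sys.argv) > 1 else load_catalog(SAMPLE_CATALOG)
    missing, unflagged = control_objective_report(root)
    print("controls without assessment-objectives:", missing)
    print("controls whose objectives lack response-point:", unflagged)
    print("FedRAMP-only (_fr) objectives:", fedramp_only_objectives(root))
```

Run it against the resolved-profile catalog named in the issue to get the full list per baseline; comparing the output of the LI-SaaS file with the other three baselines shows directly whether the omission is systematic or limited to the controls named above. Enhancements are reported separately from their parent control because they are nested <control> elements in the catalog and must be tallied on their own.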