This relates to ...
the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
the FedRAMP SSP OSCAL Template (JSON or XML Format)
the FedRAMP SAP OSCAL Template (JSON or XML Format)
the FedRAMP SAR OSCAL Template (JSON or XML Format)
the FedRAMP POA&M OSCAL Template (JSON or XML Format)
the FedRAMP OSCAL Validations
What happened?
There are no "response-point" prop elements in the LI-SaaS baseline for assessment-objectives. For the 3 other baselines, there are "response-point" flags in both the control statements and assessment-objectives. These were very helpful for tailoring/aggregating the assessment objectives and I wasn't quite sure why they weren't included for LI-SaaS.
There are also a few controls that have no associated assessment-objectives in LI-SaaS: IA-02(02), IA-07, and RA-02
Additionally, AC-02 has an assessment-objective that is not defined in the NIST 800-53 catalog, and this is the only instance of an "_fr" objective in all of the baselines:
<part id="ac-2_obj_fr" name="assessment-objective">
  <prop ns="https://fedramp.gov/ns/oscal"
        name="response-point"
        value="Required"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="EXAMINE"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="INTERVIEW"/>
  <prop ns="https://fedramp.gov/ns/oscal"
        name="method"
        class="fedramp"
        value="TEST"/>
  <p>Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.</p>
</part>
Relevant log output
No response
How do we replicate this issue?
Review the mentioned sections of the LI-SaaS baseline.
Where, exactly?
The OSCAL LI-SaaS baseline resolved profile:
dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml
Other relevant details
We are looking for "response-point" props to be added to the LI-SaaS baseline, similarly to the other 3 baselines. If these were excluded for a reason, could you help us understand why?
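An added example (not part of the issue or the FedRAMP repository): one way to check a resolved-profile catalog for the three findings reported above, namely controls with no assessment-objective parts, controls whose objectives carry no "response-point" prop, and objective ids ending in "_fr". The sample XML, the OSCAL namespace URI and the function names are assumptions; pass the baseline file path as the first argument to audit a real file.

```python
import sys
import xml.etree.ElementTree as ET

FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # namespace used in the issue's snippet

# Constructed sample (not the real baseline); the OSCAL namespace URI is an assumption.
SAMPLE = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
 <control id="ac-2">
  <part id="ac-2_obj" name="assessment-objective">
   <part id="ac-2_obj.a" name="assessment-objective"/>
  </part>
  <part id="ac-2_obj_fr" name="assessment-objective">
   <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/>
  </part>
  <control id="ac-2.1">
   <part id="ac-2.1_obj" name="assessment-objective"/>
  </control>
 </control>
 <control id="ia-7"><part id="ia-7_smt" name="statement"/></control>
</catalog>"""

def local(el):
    """Tag name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]

def objective_parts(el):
    """Yield a control's assessment-objective parts, skipping nested controls."""
    for child in el:
        if local(child) == "part":
            if child.get("name") == "assessment-objective":
                yield child
            yield from objective_parts(child)

def has_response_point(part):
    """True if the part has a direct FedRAMP response-point prop."""
    return any(local(p) == "prop" and p.get("name") == "response-point"
               and p.get("ns") == FEDRAMP_NS for p in part)

def audit(root):
    """Group control and objective ids by finding."""
    report = {"no_objectives": [], "no_response_point": [], "fr_objectives": []}
    for control in (e for e in root.iter() if local(e) == "control"):
        parts = list(objective_parts(control))
        if not parts:
            report["no_objectives"].append(control.get("id"))
        elif not any(has_response_point(p) for p in parts):
            report["no_response_point"].append(control.get("id"))
        report["fr_objectives"] += [p.get("id") for p in parts if p.get("id", "").endswith("_fr")]
    return report

if __name__ == "__main__":
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for finding, ids in audit(root).items():
        print(f"{finding}: {ids}")
```

Control enhancements are nested inside their parent control in OSCAL catalogs, so the walker stops at nested `control` elements and each enhancement is reported on its own.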