-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Approval/Signature Date representation in OSCAL SSP #162
Comments
@SParekh you only want clarity on only how the date and time field ought to be defined? The complexity of digital signatures has been discussed in the larger OSCAL community before. The problem is this talks about responsible parties and contact info, but the representative OSCAL on the right-hand side does not completely map 100% to the image of the relevant copy of the Word-based template on the left hand side. You will notice in fact nothing in the OSCAL models exists, by default or in current FedRAMP extensions, to show ATO status and signatures. We do, however, allow you to give the FedRAMP ID for a Do you have a more pressing need for this? |
Yes - We only want clarity only on how the date and time field ought to be defined. We did see OSCAL did not have representation of it but we assumed FedRAMP might have extension for it and it might just have been an issue with documentation. We have pressing need for this. I am not sure how FedRAMP Id for System-Identifier is going to answer the above question. |
From my perspective, @SParekh, most who are concerned with the approval status are those outside the agency system owners or engineers, i.e. external parties leveraging the authorization. In that sense, I mean you can referenced the FedRAMP package ID and confirm status through FedRAMP's website (marketplace.fedramp.gov) or its backing data (to save API calls). I presume this is not the use case you are interested in. I do understand internally system engineers or system owners of a package themselves would want that. Is that what you mean? I guess in terms of extension, one possibility would be adding information on or adjacent to |
@ohsh6o - We are leveraging this in context of an SSP. To represent a complete SSP snapshot that has been approved (by whom/when), this data would be required. By itself, there is no meaning to having "Content Approvers" and little surprising that there are "Content Approvers" role but no movement around actual Content Approvals Is there any ongoing discussion around this that I can track so I don't duplicate this question on OSCAL github. |
I remember a discussion verbally with OSCAL devs in a model meeting 2-3 months ago. I will search and check with the NIST devs if I cannot find a definitive approach or an ongoing issue to track, @SParekh. |
I am sorry it seems I was very much mistaken! @SParekh, It appears |
@ohsh6o
Not urgent but would be great if this can be represented in Guide_to_OSCAL-based_FedRAMP_Content.pdf] Thanks |
That's what we are here for!
I think content approvers really means "people in your company" (for a CSP) that review the content and sign off on it, like business owners. This is different from the agency official, the
As explained above, the only real role that matters to RMF, how FedRAMP practices RMF, and the OSCAL that represents that is the I pointed out the above in 1 to explain my answer better for point two. I will discuss with FedRAMP policy members if content approvers is a required role for a party like a CSP in FedRAMP. I think here, it was just a suggestion. Since this would imply (internal) content reviews by relevant members of a CSP, it might be best for your tools to add a custom I would argue this is a short-term solution. Properly marking it with
Thanks for explaining urgency. I would propose this as a short to medium-term solution. Longer-term, it would seem advisable to connect this information to the Does this approach make sense to you? I would like to bring this up in the NIST OSCAL Use Cases group and a relevant Github issue accordingly! :-) |
@SParekh do you have any issues or concerns with this approach? Is the short-term solution acceptable? Is the long-term approach acceptable? |
@ohsh6o - Please excuse delay in responding back to you suggestion. Our understanding is that given an SSP in OSCAL format, it should be able to reflect what current FedRAMP Word document contains (For legacy purpose) and we can generate word document if required from given OSCAL XML or JSON. As current FedRAMP word document requires a list of "SSP Content Approvals" and it has corresponding date, in long term we would assume placeholder similar to "Revision History" would be reflected in OSCAL Format. Regarding your suggestion - Adding it to Props of "System characteristics" does not align, because understanding is that this data "Content Approvals" is associated to ANY document (as you have mentioned in your long term solution). If we have to achieve a hack for now, would it be better to add it to "Metadata.Props" instead of "SystemCharacteristics.Props" Additionally, key of "Content Approvals" is tie both Content Approver and corresponding Approval Date as I am assuming content can be approved on different dates by internal Approvers. Would it be better to have following as way to reflect it ?
|
Please accept my apologies, @SParekh, for my delay in responding to you after catching up from leave. :-)
That totally makes sense, I agree with that approach.
To be clear, you mean, in the most recent version of the Word (DOCX) template, this section is before Information System / Title, correct?
Now that you have pointed me to which section of the Word-based template, I can agree with this.
I do not see why not, that makes sense.
I like this approach, but I think remarks would have to be nested, like so. <metadata>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approved-by" value="#01226254-84f1-4045-8195-aceda74ca962">
<remarks>2021-02-01</remarks>
</prop>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approved-by" value="#93226254-74f1-1345-2222-aceda74ca962">
<remarks>2021-02-04</remarks>
</prop>
</metadata> Making it <metadata>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approval" class="approver-id" value="#01226254-84f1-4045-8195-aceda74ca962"/>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approval" class="approver-date" value="2021-01-02"/>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approval" class="approver-id" value="#93226254-74f1-1345-2222-aceda74ca962"/>
<prop ns="https://sparekh.github.io/ns/oscal" name="content-approval" class="approver-date" value="2021-01-04"/>
</metadata> I only recommend this because |
@ohsh6o Thanks for detailed feeback.
The issue with above approach is that there is no way to associate approver-date = "2021-01-02" to approver-id="#01226254-84f1-4045-8195-aceda74ca962", you just have to assume based on order. |
@ohsh6o - Any guidance on above response ? |
Sorry for the delayed reply, @SParekh. I intended to bring this up at least week's OSCAL model meeting but there were a serious of presentations that ran over and I did not get to bring it up. Why bring it up? I agree my approach misses that key organizational piece you need on mapping who signed to a date and I feel there must be a "better way" than what both of us proposed in this thread. Can I discuss briefly with NIST OSCAL developers and get back too you? |
@ohsh6o - Thanks for response. Yes, definitely agree there can be better approach and right way to represent this. Will wait for your feedback. |
Why not use Something like:
The problem here is supporting more than one party. You can do this with multiple distict roles (i.e., reviewer, approver, etc). |
@david-waltermire-nist, the problem here is that if you look at the above image of the current Word-based templates: logically FedRAMP supports multiple distinct approvers, so that means I could also suggest a role of |
@SParekh, I thought more about what @david-waltermire-nist recommended last week, and retract my previous comments. It does not really make sense. There are many other constructs with I recommend we move forward with that approach. List in that comment. Do you need fuller examples or is it clear? |
@ohsh6o / @david-waltermire-nist Our understanding is that there is 1-1 Relationship between when a Party i.e. a "Content Approver", approved the content. E.g. there can be 2 parties that are content approvers i.e. assigned "content-approver" role under "responsible-party". If we go with the following construct
Which approver does the prop "approval-date" apply to ? |
@SParekh, that looks correct, yes. |
@ohsh6o |
Discuss this in the NIST OSCAL model meeting today, but this this seems to be a micro-example of the need for the larger macro-goal of better governance in OSCAL models to have a layer of approval/review data outside the models. Linking to usnistgov/OSCAL#640 for reference. |
@SParekh we discussed this in the NIST OSCAL model meeting this morning and Dave agrees I was a bit hasty in my immediate response. I had not immediately responded with my view of "how dates would work" but I later realized it was not going to be sufficient. I missed something important. During the meeting, they asked I make an issue to build out an approval metadata block to make this use case explicitly support with better structure in the next release. I will be linking requested issues shortly and will begin working with NIST on a more explicit approach. |
I apologize for the delays in follow-up @SParekh. I have drafted a PR to better address this gap in functionality with the NIST OSCAL devs (usnistgov/OSCAL#1038) and will update you once I hear more. |
@ohsh6o Thank you so much for following up and helping resolve this missing data representation. |
Consulted with NIST on this issue. NIST will support this in upcoming release. See usnistgov/oscal-content#139 Once the NIST Team reviews and merges this for inclusion in a tagged release, FR PMO can consider updating our code and content to that release |
This is a ...
This relates to ...
Where, exactly?
Guide_to_OSCAL-based_FedRAMP_Content.pdf
Guide Version: fedramp1.0.1-oscal1.0.0
Section: 4.7. Document Approval
Page: 38
What?
The sample provided details on how to represent "Content Approver" (Party/Role), however there is no detail around how to represent the Approval/Signature "date". Would be helpful to have an example on how the same would be represented.
The text was updated successfully, but these errors were encountered: