Technical walkthroughs of FedRAMP Automation Tools #653
Comments
@kyhu65867, @Rene2mt, and I reviewed the feedback and will use that to drive a game plan and next steps I will document here and breakout task issues over this evening and tomorrow morning. /cc @david-waltermire for awareness

@aj-stein-gsa this should include consideration for using the tools within a FedRAMP authorized environment (i.e. what controls are covered, any customer compliance responsibilities)
I love this feedback! This request is actually much in line with previous "dogfooding" strategies on building OSCAL components for the CLI tooling elsewhere. Combining the various components could also be interesting because of the modular nature of the tooling pieces (see the associated branch with PR 638; it has a diagram for developers to understand the various pieces, of which only the constraint and testing files are actually in "this code base"). I also think the automation team should have a deeper think about this because I am not sure how much of the "developer tooling" would live in an authorized environment (there is a lot of detail there and in what we consider "staff workstations", but I would be very ... surprised ... if production automation systems used the full CLI and our test harness and not the underlying liboscal-java to build much less flexible REST services on purpose). That said, let me jot down some notes for an issue to add this consideration as part of the epic on building a better experience for the walkthrough. Before, only Dave and I had mused to each other about this; I love seeing the larger staff rightfully ask about this. Thanks for commenting here!

Of course! Thanks for responding so thoughtfully. I'm thinking about the overall industry use case, and it definitely makes sense to address general NIST 800-53/171 compliance, as DOD IL5, SSDF, and CMMC may apply to dev environments that support FedRAMP offerings.

@david-waltermire and @Rene2mt I have done much of the epic updates and we can build out from our discussion earlier today.
This is a ... improvement - something could be better
This relates to ...
User Story
As a FedRAMP stakeholder that will make or use tools to create OSCAL content for FedRAMP, I would like technical walkthroughs of the current tools they offer that I can integrate in my own work environment.
Breakdown
- `--version` output (Update or create necessary installation documentation #659)
- `--stack-trace` argument for more detailed errors
- + NOTE: oscal-cli has the ability to implement JSON pointers for matching error output on JSON/YAML or XML different for SARIF output. The issues with this marker are subject to change as these features are possibly released; review the plan once metaschema-framework/oscal-cli#32 is complete and its status is marked closed. Some may be changed or removed after release.
- ++ NOTE: oscal-cli maintainers are considering runtime configuration of the location for batch processing of constraints and other configuration options. The issues with this marker are subject to change as these features are possibly released; review the plan once metaschema-framework/oscal-cli#27 is complete and its status is marked closed. Some may be changed or removed after release.
Goals
Dependencies
No response
Acceptance Criteria
Other information
No response