
Technical walkthroughs of FedRAMP Automation Tools #653

Open
40 of 57 tasks
aj-stein-gsa opened this issue Sep 5, 2024 · 5 comments

Comments

@aj-stein-gsa
Contributor

aj-stein-gsa commented Sep 5, 2024

This is a ...

improvement - something could be better

This relates to ...

  • Other

User Story

As a FedRAMP stakeholder that will make or use tools to create OSCAL content for FedRAMP, I would like technical walkthroughs of the current tools they offer that I can integrate in my own work environment.

Breakdown

+ NOTE: oscal-cli has the ability to implement JSON pointers for matching error output on JSON/YAML or XML different for SARIF output. The issues with this marker are subject to change as these features are possibly released; review the plan once metaschema-framework/oscal-cli#32 is complete and its status is marked closed. Some may be changed or removed after release.

++ NOTE: oscal-cli maintainers are considering runtime configuration of the location for batch processing of constraints and other configuration options. The issues with this marker are subject to change as these features are possibly released; review the plan once metaschema-framework/oscal-cli#27 is complete and its status is marked closed. Some may be changed or removed after release.

Goals

  • Documentation that explains
    • where and how you can obtain FedRAMP tools, data, and documentation
    • how to install and configure the tools, data, and documentation for my kind of environment
    • what FedRAMP tools are for and why
    • what FedRAMP data you can use with these tools and why
    • how I can use these tools with my OSCAL documents, adapt the documents, and validate my changes
    • where and how I can ask questions from FedRAMP maintainers and other community members for help when I am stuck

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

No response

@aj-stein-gsa aj-stein-gsa added the enhancement New feature or request label Sep 5, 2024
@aj-stein-gsa aj-stein-gsa self-assigned this Sep 5, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to Scoped to Sprint in FedRAMP Automation Sep 5, 2024
@aj-stein-gsa
Contributor Author

@kyhu65867, @Rene2mt, and I reviewed the feedback and will use that to drive a game plan and next steps, which I will document here and break out into task issues over this evening and tomorrow morning.

/cc @david-waltermire for awareness

@aj-stein-gsa aj-stein-gsa moved this from Scoped to Sprint to 🏗 In progress in FedRAMP Automation Sep 5, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🏗 In progress to 👀 In review in FedRAMP Automation Sep 9, 2024
@aj-stein-gsa aj-stein-gsa moved this from 👀 In review to 🏗 In progress in FedRAMP Automation Sep 9, 2024
@sam-aydlette

@aj-stein-gsa this should include consideration for using the tools within a FedRAMP authorized environment (i.e., what controls are covered, any customer compliance responsibilities).

@aj-stein-gsa
Contributor Author

> @aj-stein-gsa this should include consideration for using the tools within a FedRAMP authorized environment (i.e., what controls are covered, any customer compliance responsibilities).

I love this feedback! This request is actually much in line with previous "dogfooding" strategies on building OSCAL components for the CLI tooling elsewhere. Combining the various components could also be interesting because of the modular nature of the tooling pieces (see the associated branch with PR 638; it has a diagram for developers to understand the various pieces, of which only the constraint and testing files are actually in "this code base"). I also think the automation team should have a deeper think about this because I am not sure how much of the "developer tooling" would live in an authorized environment (there is a lot of detail there and in what we consider "staff workstations", but I would be very ... surprised ... if production automation systems used the full CLI and our test harness and not the underlying liboscal-java to build much less flexible REST services on purpose).

That said, let me jot down some notes for an issue to add this consideration as part of the epic on building a better experience for the walkthrough. Before, only Dave and I had mused to each other about this; I love seeing the larger staff rightfully ask about this. Thanks for commenting here!

@sam-aydlette

> @aj-stein-gsa this should include consideration for using the tools within a FedRAMP authorized environment (i.e., what controls are covered, any customer compliance responsibilities).
>
> I love this feedback! This request is actually much in line with previous "dogfooding" strategies on building OSCAL components for the CLI tooling elsewhere. Combining the various components could also be interesting because of the modular nature of the tooling pieces (see the associated branch with PR 638; it has a diagram for developers to understand the various pieces, of which only the constraint and testing files are actually in "this code base"). I also think the automation team should have a deeper think about this because I am not sure how much of the "developer tooling" would live in an authorized environment (there is a lot of detail there and in what we consider "staff workstations", but I would be very ... surprised ... if production automation systems used the full CLI and our test harness and not the underlying liboscal-java to build much less flexible REST services on purpose).
>
> That said, let me jot down some notes for an issue to add this consideration as part of the epic on building a better experience for the walkthrough. Before, only Dave and I had mused to each other about this; I love seeing the larger staff rightfully ask about this. Thanks for commenting here!

Of course! Thanks for responding so thoughtfully. I’m thinking about the overall industry use case, and it definitely makes sense to address general NIST 800-53/171 compliance as DOD IL5, SSDF, CMMC may apply to dev environments that support FedRAMP offerings.

@aj-stein-gsa
Contributor Author

@david-waltermire and @Rene2mt I have done much of the epic updates and we can build out from our discussion earlier today.
