SSP Completeness Checks: 4 System Owner / 5 Assignment of Security Responsibility / Document Prep #805
Comments
@brian-ruf please review this analysis of data needs relative to core OSCAL syntax and FedRAMP OSCAL requirements:
Per @brian-ruf's comment below, need to ensure the
What does FedRAMP do with
Some CSPs outsource some of the security documentation, which is fine. In those cases, it may be helpful for independent assessors and/or FedRAMP reviewers to know who prepared the documents, as they may need to have them participate in the authorization process (interviews during assessment, documentation deficiencies that need to be addressed, etc.). Some documents (such as the SAR), should be On the JAB, we'd occasionally get inquiries about which 3PAO did an assessment (for an initial authorization, annual assessment, or a significant change). In those cases, knowing the
@Rene2mt for all of the data needs, you are pointing to the name, which is the most important field, but we also need to check for contact information for each of those parties, consistent with the template data requirements for those fields. Otherwise, these look right. @aj-stein-gsa it's not always about consequences or even the ability to detect accuracy. This information is considered to be an assertion by the SSP author, as validated by the executive who signed off on the SSP. If we need to reach the appropriate parties for those roles and the contact information turns out to be wrong, it can cause delays in resolving issues and reflects negatively on the CSP. As an isolated incident, not much happens beyond having the CSP correct the data, but as part of a larger pattern of inaccurate information in an SSP, the CSP could be put on a corrective action plan.
All good points.
Fair enough, I was unclear if we are suggesting here it is a simple completeness check or something more comprehensive. I wanted to understand if there are deeper requirements and what is a positive requirement beyond the obvious (is this really your email; is this your phone number). That lends itself to later checks, but you are still right about the foundational ones.
One other note on party address. OSCAL accepts two approaches for associating an address with a party. The first is to use the address assembly within the party itself. The other is to use the location-uuid to link a party with an address. The former is more typical for a one-off address, while the latter is used more for situations where 10 parties may all be housed at the same corporate office. Both should be acceptable for FedRAMP.
Somehow I missed this while rushing through looking at the core models in web form and not doing my usual "I am in the Matrix, I read raw Metaschema" approach late in the evening. This is a failure on my part; I am going to update the requirements in the respective issues #861 and #862. Thanks again to you and @Rene2mt for reminding me in the chat.
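To make the contact-information checks and the two OSCAL address forms concrete, here is an added example (not code from this issue or from the FedRAMP automation tooling) that walks the `metadata` block of an OSCAL SSP in JSON and reports a missing name, email, telephone number, or address (inline `addresses` or via `location-uuids`) for the System Owner, ISSO, Prepared By, and Prepared For parties. The role ids are assumed to follow the FedRAMP template, and the sample SSP is constructed for the example.

```python
# Role ids this check covers (assumption: FedRAMP SSP template role ids).
REQUIRED_ROLES = ("system-owner", "information-system-security-officer",
                  "prepared-by", "prepared-for")

def has_address(party, locations):
    """True if the party has an inline address or links to a location that has one."""
    if party.get("addresses"):
        return True
    return any(locations.get(u, {}).get("address") for u in party.get("location-uuids", []))

def check_completeness(ssp):
    """Return a list of findings; an empty list means all four roles are complete."""
    md = ssp["system-security-plan"]["metadata"]
    parties = {p["uuid"]: p for p in md.get("parties", [])}
    locations = {loc["uuid"]: loc for loc in md.get("locations", [])}
    assigned = {rp["role-id"]: rp.get("party-uuids", []) for rp in md.get("responsible-parties", [])}
    findings = []
    for role in REQUIRED_ROLES:
        uuids = assigned.get(role)
        if not uuids:
            findings.append(f"{role}: no responsible-party entry")
            continue
        for u in uuids:
            p = parties.get(u)
            if p is None:
                findings.append(f"{role}: party {u} not defined in metadata/parties")
                continue
            if not p.get("name"):
                findings.append(f"{role}: party {u} has no name")
            if not p.get("email-addresses"):
                findings.append(f"{role}: party {u} has no email address")
            if not any(t.get("number") for t in p.get("telephone-numbers", [])):
                findings.append(f"{role}: party {u} has no telephone number")
            if not has_address(p, locations):
                findings.append(f"{role}: party {u} has no address (inline or via location-uuid)")
    return findings

# Constructed sample: p-1 carries an inline address, p-2 and p-3 share a location,
# p-3 lacks an email, and prepared-for is never assigned, so two findings are expected.
SAMPLE_SSP = {"system-security-plan": {"metadata": {
    "locations": [{"uuid": "loc-1", "address": {"addr-lines": ["1 Example Way"], "city": "Anytown"}}],
    "parties": [
        {"uuid": "p-1", "type": "person", "name": "Alice Owner", "email-addresses": ["alice@example.test"],
         "telephone-numbers": [{"number": "202-555-0100"}], "addresses": [{"addr-lines": ["2 Sample St"]}]},
        {"uuid": "p-2", "type": "person", "name": "Bob Isso", "email-addresses": ["bob@example.test"],
         "telephone-numbers": [{"number": "202-555-0101"}], "location-uuids": ["loc-1"]},
        {"uuid": "p-3", "type": "organization", "name": "Doc Prep LLC",
         "telephone-numbers": [{"number": "202-555-0102"}], "location-uuids": ["loc-1"]}],
    "responsible-parties": [{"role-id": "system-owner", "party-uuids": ["p-1"]},
                            {"role-id": "information-system-security-officer", "party-uuids": ["p-2"]},
                            {"role-id": "prepared-by", "party-uuids": ["p-3"]}]}}}

if __name__ == "__main__":
    for finding in check_completeness(SAMPLE_SSP):
        print(finding)
```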
Example SSP content is being updated HERE.
Prepared By/For require:
System Owner and ISSO require:
This is a ...
fix - something needs to be different
This relates to ...
User Story
As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:
Goals
SSP Completeness checks are defined, tested and documented
Dependencies
No response
Acceptance Criteria
Other information
No response
Tasks