Identify Expected Attachments in Baselines #957

Open
1 of 7 tasks
brian-ruf opened this issue Dec 4, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@brian-ruf
Contributor

This is a ...

improvement - something could be better

This relates to ...

  • the FedRAMP OSCAL baselines
  • the FedRAMP SSP OSCAL Example
  • the FedRAMP SAP OSCAL Example
  • the FedRAMP SAR OSCAL Example
  • the FedRAMP POA&M OSCAL Example
  • the FedRAMP OSCAL Validations
  • the Not sure

User Story

As a tool developer, tool user, or constraint author, I would like the expectation of attachments to be clearly specified so that I can consistently meet the expectation.

Goals

  • Augment the FedRAMP OSCAL profiles with annotations that indicate which response points are expected to utilize or reference a policy, process, plan or similar attachment.

  • This indication should include:
    • the nature of the expected attachment (policy, procedure, plan, etc.)
    • the ability to indicate when any one of two or more attachment types are acceptable (i.e. attachment may be either a plan or a procedure)
    • whether a failure to provide the expected attachment results in an ERROR or WARNING.
      • An ERROR is used when the attachment is explicitly required.
      • A WARNING is used when an attachment is recommended or is typically part of control satisfaction, but is not strictly required.

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

This will likely need to be accomplished with FedRAMP extensions to core OSCAL.
This is best accomplished when we are ready to perform the larger refactoring effort on the FedRAMP profiles as was intended by #604.

@brian-ruf brian-ruf added the enhancement New feature or request label Dec 4, 2024