FedRAMP external constraints validating by-component at wrong layer #55

Closed
Telos-sa opened this issue Oct 8, 2024 · 3 comments
Labels
question Further information is requested

Telos-sa commented Oct 8, 2024

In the FedRAMP OSCAL Documentation it outlines that by-component elements should be at the statements level (control-implementation>implemented-requirements>statements).
[Screenshot: 2024-10-08 at 4:31:55 PM]
We have our OSCAL formatted as outlined in the documentation, but when validating using the enhanced oscal-cli and the fedramp-external-constraints.xml, it flags this as an incorrect structure. It instead gives the following errors, which suggests that these by-component elements should be at the implemented-requirements level rather than statements.
[Screenshot: 2024-10-08 at 4:41:48 PM]
We were hoping you could help us identify whether this is a bug, or a formatting issue with our OSCAL. Here is a snippet of the OSCAL that is causing these validation errors:

"implemented-requirements":[
  {
    "uuid":"5b55e601-fa5c-58fc-9596-f8e4ee1cccfc",
    "control-id":"ac-3",
    "props":[
        {
            "name":"control-origination",
            "ns":"https://fedramp.gov/ns/oscal",
            "value":"sp-corporate"
        },
        {
            "name":"control-origination",
            "ns":"https://fedramp.gov/ns/oscal",
            "value":"sp-system"
        },
        {
            "name":"control-origination",
            "ns":"https://fedramp.gov/ns/oscal",
            "value":"customer-configured"
        },
        {
            "name":"implementation-status",
            "ns":"https://fedramp.gov/ns/oscal",
            "value":"implemented"
        }
    ],
    "statements":[
        {
            "statement-id":"ac-3_smt",
            "uuid":"554572df-8a52-54da-803c-170d246f6c3b",
            "by-components":[
                {
                    "component-uuid":"c0e9b4ab-7f2e-54da-9cb3-72894240cc3f",
                    "uuid":"f9086f0c-a65d-597c-9c59-88cf02b30c27",
                    "description":"Private Implementation details and description for the following control statement: AC-03",
                    "implementation-status":{
                        "state":"implemented"
                    },
                    "export":{
                        "provided":[
                            {
                                "uuid":"c39e10b2-28ae-586c-9a2a-93c2983d57c7",
                                "description":"<p>This is what is shared with the customer on export, and what the customer configures<br />\n</p>"
                            }
                        ]
                    }
                }
            ]
        }
    ]
  }
]
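For readers triaging the same validation error, the following added example (not part of the issue, oscal-cli, or the FedRAMP constraints) reports the layer at which each `by-components` entry sits, so the document's structure can be compared against what the documentation and the validator each expect. The function names are hypothetical and the sample is constructed from the key names in the snippet above.

```python
import json

# Constructed sample: same nesting as the snippet in the issue, trimmed to the relevant keys.
SAMPLE = json.loads("""
{"implemented-requirements": [{
  "uuid": "5b55e601-fa5c-58fc-9596-f8e4ee1cccfc",
  "control-id": "ac-3",
  "statements": [{
    "statement-id": "ac-3_smt",
    "uuid": "554572df-8a52-54da-803c-170d246f6c3b",
    "by-components": [{
      "component-uuid": "c0e9b4ab-7f2e-54da-9cb3-72894240cc3f",
      "uuid": "f9086f0c-a65d-597c-9c59-88cf02b30c27"}]}]}]}
""")


def locate_by_components(control_impl):
    """List (control-id, layer, statement-id, component-uuid) for every by-component."""
    found = []
    for req in control_impl.get("implemented-requirements", []):
        cid = req.get("control-id")
        # by-components attached directly to the implemented-requirement
        for bc in req.get("by-components", []):
            found.append((cid, "implemented-requirement", None, bc.get("component-uuid")))
        # by-components attached to individual statements
        for stmt in req.get("statements", []):
            for bc in stmt.get("by-components", []):
                found.append((cid, "statement", stmt.get("statement-id"),
                              bc.get("component-uuid")))
    return found


def statement_only_controls(control_impl):
    """Control ids whose by-components appear only under statements."""
    layers = {}
    for cid, layer, _sid, _comp in locate_by_components(control_impl):
        layers.setdefault(cid, set()).add(layer)
    return sorted(c for c, seen in layers.items() if seen == {"statement"})


if __name__ == "__main__":
    for row in locate_by_components(SAMPLE):
        print(row)
    print("statement-level only:", statement_only_controls(SAMPLE))
```
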
@Telos-sa Telos-sa added the question Further information is requested label Oct 8, 2024
@david-waltermire
Contributor

This looks like a potential FedRAMP constraints issue. @Rene2mt or @aj-stein-gsa any feedback?

@aj-stein-gsa
Contributor

> This looks like a potential FedRAMP constraints issue. @Rene2mt or @aj-stein-gsa any feedback?

Agreed. Seems like we can transfer issues across repos. I will have to manually recreate this issue in GSA/fedramp-automation. Apologies. I will close this once I copy-paste it to "transfer" the issue.

@aj-stein-gsa
Contributor

Closing this issue, replacing it with GSA/fedramp-automation#770 in the appropriate location.
