As an OSCAL user and system owner or authorizing official, I need to understand through an example how to use an existing (e.g. FedRAMP) OSCAL A-ATO or P-ATO package available for a limited time, to document the implementation, assess, and authorize a system comprised of a subset of components (capabilities or services) offered by the system that obtained the A-ATO or P-ATO.
Goals:
Develop an example and tutorial that demonstrates how to generate a new SSP, new AP, and new AR in OSCAL as part of the new ATO process for the use of capabilities like Exchange and Teams that are components of a larger system like Office 365. The larger system (O365) obtained an A-ATO and the package is assumed available in OSCAL. The process my agency employs in such a use case is listed below, and has restrictions imposed by FedRAMP. There might be other similar processes employed by other agencies that will benefit from this example. This example is using Office 365 only to better understand and describe the concept and the process used for such use-case scenarios, and it is not intended to show any real data pertaining to the O365 ATO package.
Through this example and tutorial I would like to also understand how to best use OSCAL to expand at a later time the services used from the O365 A-ATO package. For example, how will I add OneDrive to the set of O365 capabilities previously authorized in the easiest, most flexible way, with minimal impact to the previously authorized services (Exchange and Teams)?
Dependencies:
If the example needs to address the customer responsibility matrix, then the CRM model development planned for OSCAL 1.1.0 (issues: #713 #722) needs to be addressed first.
All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
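An added illustration of the process the user story describes, not code from the OSCAL project or from this issue: a downstream SSP is derived from the upstream package for a subset of services (Exchange, Teams), each upstream control statement becomes an `inherited` statement under a `by-component` entry, and a further service (OneDrive) is added later without touching the entries already authorized. The upstream package is a constructed fragment; the key names follow the OSCAL SSP JSON layout, but the required metadata, party and date fields of a real SSP and leveraged authorization are omitted, and the `leveraged-authorization-uuid` component prop is assumed here.

```python
import uuid

# Constructed upstream OSCAL SSP fragment standing in for the O365 package (not real data).
UPSTREAM = {"system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "system-implementation": {"components": [
        {"uuid": "c-exchange", "type": "service", "title": "Exchange"},
        {"uuid": "c-teams", "type": "service", "title": "Teams"},
        {"uuid": "c-onedrive", "type": "service", "title": "OneDrive"}]},
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-2", "by-components": [
            {"component-uuid": "c-exchange", "description": "CSP provisions Exchange mailbox accounts."},
            {"component-uuid": "c-teams", "description": "CSP provisions Teams accounts."}]},
        {"control-id": "sc-8", "by-components": [
            {"component-uuid": "c-onedrive", "description": "OneDrive sync traffic is TLS protected."}]}]}}}

def add_capability(downstream, upstream, title):
    """Copy one upstream service and its control statements into the downstream SSP as inherited
    statements. Existing entries are never modified, so adding OneDrive later leaves Exchange and Teams untouched."""
    dn, up = downstream["system-security-plan"], upstream["system-security-plan"]
    comp = next(c for c in up["system-implementation"]["components"] if c["title"] == title)
    comps = dn["system-implementation"]["components"]
    if any(c["uuid"] == comp["uuid"] for c in comps):
        return downstream  # already leveraged: idempotent
    la_uuid = dn["system-implementation"]["leveraged-authorizations"][0]["uuid"]
    comps.append({**comp, "props": [{"name": "leveraged-authorization-uuid", "value": la_uuid}]})  # assumed prop
    reqs = dn["control-implementation"]["implemented-requirements"]
    for req in up["control-implementation"]["implemented-requirements"]:
        stmts = [{"uuid": str(uuid.uuid4()), "description": bc["description"]}
                 for bc in req["by-components"] if bc["component-uuid"] == comp["uuid"]]
        if not stmts:
            continue  # this control says nothing about the selected service
        target = next((r for r in reqs if r["control-id"] == req["control-id"]), None)
        if target is None:
            target = {"uuid": str(uuid.uuid4()), "control-id": req["control-id"], "by-components": []}
            reqs.append(target)
        target["by-components"].append({"uuid": str(uuid.uuid4()), "component-uuid": comp["uuid"],
            "description": f"{title}: inherited from the leveraged system.", "inherited": stmts})
    return downstream

def derive_ssp(upstream, titles):
    """Start a downstream SSP that leverages the upstream authorization for a subset of services."""
    la = {"uuid": str(uuid.uuid4()), "title": "Leveraged upstream package",
          "links": [{"href": "#" + upstream["system-security-plan"]["uuid"]}]}
    ssp = {"system-security-plan": {"uuid": str(uuid.uuid4()),
           "system-implementation": {"leveraged-authorizations": [la], "components": []},
           "control-implementation": {"implemented-requirements": []}}}
    for title in titles:
        add_capability(ssp, upstream, title)
    return ssp
```

Controls for which the upstream package says nothing about the selected services (sc-8 before OneDrive is added) do not appear in the downstream SSP at all, which is the gap the customer responsibility matrix would have to fill.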
The following diagram aims to reproduce the new SSP generation process and highlight the constraints.
A well-structured ATO package in OSCAL could decompose the CSP's monolithic SSP into common controls and offered capabilities that inherit those controls.
This approach could allow for more manageable data:
Would one also need to review and include the POA&M items that might be associated with the component I am using, the associated 3rd-party connected systems, and maybe even an SBOM?
@iMichaela We will need narrative relating to a subset of controls for the upstream cloud system. Can you select a few controls and start drafting the narrative for them? This can be done in text/markdown to start.
Other Related Issues:
Issue #1024 covers a broader use case scenario.