[Feedback]: import Profile directive in SSP should be limited to the FedRAMP baseline uuid #745
Open
2 of 12 tasks
Labels
documentation
Improvements or additions to documentation
This is a ...
request - need something additional provided
This relates to ...
What is your feedback?
The import-profile field should be limited to a uuid of an authoritative FedRAMP baseline. This will ensure that a unique FedRAMP baseline is referenced and the SSP can be validated against a specific baseline. Authoritative baselines can be downloaded and made available in an air-gapped environment, and a GRC tool can resolve the SSP against the baselines.
Allowing a URL creates the following issues for a GRC tool importing or validating the SSP:
Where, exactly?
https://automate.fedramp.gov/documentation/ssp/3-working-with-oscal-files/
Other information
No response
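A sketch of the check a GRC tool could run under this proposal, added here as an example and not taken from the issue or from FedRAMP's tooling. It assumes the restricted `href` takes the form `#<uuid>` and that the tool keeps a local allow-list of baseline UUIDs; the UUIDs, the sample SSPs, and the names `TRUSTED_BASELINES` and `check_import_profile` are constructed placeholders.

```python
import json
import re

# Constructed placeholder UUIDs. In practice these would be read from the
# authoritative baseline files stored locally (for example, air-gapped).
TRUSTED_BASELINES = {
    "11111111-2222-4333-8444-555555555555": "baseline-A (placeholder)",
    "66666666-7777-4888-9999-aaaaaaaaaaaa": "baseline-B (placeholder)",
}

# Assumed href shape: a fragment that is exactly one hyphenated UUID.
UUID_REF = re.compile(
    r"#([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
)


def check_import_profile(ssp_json, trusted=TRUSTED_BASELINES):
    """Return (ok, detail) for the import-profile href of an OSCAL SSP."""
    try:
        doc = json.loads(ssp_json)
        href = doc["system-security-plan"]["import-profile"]["href"]
    except (ValueError, KeyError, TypeError):
        return False, "missing or malformed import-profile"
    match = UUID_REF.fullmatch(href) if isinstance(href, str) else None
    if match is None:
        # URLs, relative paths and anything else need resolution the
        # validator cannot pin to one baseline, so they are rejected.
        return False, "href is not a UUID reference"
    ref = match.group(1).lower()
    if ref not in trusted:
        return False, "UUID is not a known baseline"
    return True, trusted[ref]


def make_ssp(href):
    """Build a minimal constructed SSP fragment for the checks below."""
    return json.dumps({"system-security-plan": {"import-profile": {"href": href}}})


if __name__ == "__main__":
    for href in ("https://example.invalid/baseline.json",
                 "#00000000-0000-4000-8000-000000000000",
                 "#11111111-2222-4333-8444-555555555555"):
        print(href, "->", check_import_profile(make_ssp(href)))
```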