[Feedback]: Guidance example for Leveraged FedRAMP Authorized services needs to be updated #749

Open
1 of 12 tasks
vmangat opened this issue Oct 1, 2024 · 1 comment

vmangat commented Oct 1, 2024

This is a ...

request - need something additional provided

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

The XPath Queries have been updated per the Rev5 table. The example and guidance for the new props are missing.

Implementation of the CRM in a leveraged system SSP and accessing it in the leveraging system SSP need a comprehensive analysis and POC before this guidance can be included.

There is a reference to an 18F data artifact that needs to be explained further as to where and how we get access to these artifacts to ensure we can meet the guidance.

Where, exactly?

https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services

Other information

No response

@aj-stein-gsa
Contributor

Thank you, these are good points. For future reference to the automation team: we should keep or adjust this issue here to discuss, plan, work, and track the modeling work alluded to (after we have some internal discussion about this). Additionally, we should make a separate issue to make necessary additions, changes, and deletions in a separate issue on GSA/automate.fedramp.gov.

More to follow, @vmangat, thanks for reporting this issue and the others.
