FedRAMP external constraints validating by-component at wrong layer #770
Comments
Per discussion with @david-waltermire, we need to sync offline on the following:
We received sample data and more context from the users who reported this in a FedRAMP office hours. More to follow.
I think the FedRAMP constraint "missing-response-components" might need to be updated. The constraint should target the I am reviewing the FedRAMP documentation to see if there are scenarios where we expect
I believe this should be replaced with a constraint that checks that for each response point, there is a statement-level by-component entry. If there are cases where no response point exists, then maybe there is a need for the 1 statement at least method.
Yesterday a group of us confirmed that the constraint, as implemented, is a bug. This bug is largely on me, I reviewed it and did not understand the requirement. The website document is also unclear, so we will have to fix that as well. We are going to move forward with a bug fix and documentation update now that this bug is confirmed, thanks for the report @Telos-sa. /cc @Rene2mt and @brian-ruf for setting the record straight yesterday and explaining the obvious to me (Dave got it already per #770 (comment)).
Defining them outside of a statement is syntactically valid, but outside of FedRAMP best practices and is not accepted. We must add an additional constraint to indicate this should be removed. Co-Authored-By: Kylie Hunter <[email protected]>
This relates to ...
What happened?
In the FedRAMP OSCAL Documentation it outlines that by-component elements should be at the statements level (control-implementation>implemented-requirements>statements).
We have our OSCAL formatted as outlined in the documentation, but when validating using the enhanced oscal-cli and the fedramp-external-constraints.xml, it flags this as an incorrect structure. It instead gives the following errors, which suggests that these by-component elements should be at the implemented-requirements level rather than statements.
We were hoping you could help us identify whether this is a bug, or a formatting issue with our OSCAL. Here is a snippet of the OSCAL that is causing these validation errors:
Relevant log output
How do we replicate this issue?
Where, exactly?
<by-component/>
SHOULD or MUST be defined in one or implemented requirements
Other relevant details
Originally posted at metaschema-framework/oscal-cli#55, but GitHub does not permit automatically transferring issues across organizations. I recreated this one manually for @Telos-sa.
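The structural point under dispute in this issue is where `<by-component/>` sits: the FedRAMP documentation puts it under each `statement` of an `implemented-requirement`, and the constraint as shipped flagged that layout. The following is an added example, not code from oscal-cli or from the fedramp-external-constraints project, that reads an OSCAL SSP and reports both mistakes discussed above: a `by-component` placed directly under `implemented-requirement`, and a `statement` with no `by-component` at all (the statement-level check the later comments describe). It assumes the OSCAL 1.x XML namespace `http://csrc.nist.gov/ns/oscal/1.0`; the SSP fragment and all UUIDs are constructed for the demonstration.

```python
"""Report where <by-component/> entries sit in an OSCAL SSP (added example)."""
import xml.etree.ElementTree as ET

# OSCAL XML namespace; assumed to match the OSCAL 1.x schema.
NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample SSP fragment. ac-2 follows the documented layout
# (by-component under the statement); ac-3 puts by-component directly under
# implemented-requirement and leaves its statement without a by-component.
SAMPLE_SSP = """
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="11111111-1111-4111-8111-111111111111">
  <control-implementation>
    <implemented-requirement uuid="22222222-2222-4222-8222-222222222222" control-id="ac-2">
      <statement statement-id="ac-2_smt.a" uuid="33333333-3333-4333-8333-333333333333">
        <by-component component-uuid="44444444-4444-4444-8444-444444444444"
            uuid="55555555-5555-4555-8555-555555555555">
          <description><p>Accounts are provisioned through the identity provider.</p></description>
        </by-component>
      </statement>
    </implemented-requirement>
    <implemented-requirement uuid="66666666-6666-4666-8666-666666666666" control-id="ac-3">
      <by-component component-uuid="44444444-4444-4444-8444-444444444444"
          uuid="77777777-7777-4777-8777-777777777777">
        <description><p>Placed at the implemented-requirement layer.</p></description>
      </by-component>
      <statement statement-id="ac-3_smt" uuid="88888888-8888-4888-8888-888888888888"/>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>
"""


def check_by_component_placement(xml_text: str) -> dict:
    """Return two lists of findings keyed by control-id.

    misplaced: by-component elements that are direct children of an
        implemented-requirement (valid OSCAL, but not the documented layout).
    statements_without_by_component: statements carrying no by-component.
    """
    root = ET.fromstring(xml_text)
    findings = {"misplaced": [], "statements_without_by_component": []}
    for req in root.iterfind(".//o:implemented-requirement", NS):
        control_id = req.get("control-id")
        # by-component as a direct child of implemented-requirement
        for bc in req.findall("o:by-component", NS):
            findings["misplaced"].append((control_id, bc.get("uuid")))
        # each statement should carry at least one by-component
        for stmt in req.findall("o:statement", NS):
            if stmt.find("o:by-component", NS) is None:
                findings["statements_without_by_component"].append(
                    (control_id, stmt.get("statement-id")))
    return findings


if __name__ == "__main__":
    result = check_by_component_placement(SAMPLE_SSP)
    for control_id, uuid in result["misplaced"]:
        print(f"{control_id}: by-component {uuid} sits under implemented-requirement, not a statement")
    for control_id, statement_id in result["statements_without_by_component"]:
        print(f"{control_id}: statement {statement_id} has no by-component")
```

Run it against a real SSP by replacing `SAMPLE_SSP` with the file contents; on the constructed input it reports one misplaced `by-component` for ac-3 and one empty statement, `ac-3_smt`, while ac-2 passes both checks.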