
has-required-response-points appears to be validating the wrong statement layers #1154

Open
3 of 12 tasks
Telos-sa opened this issue Feb 5, 2025 · 4 comments · Fixed by #1157
Comments


Telos-sa commented Feb 5, 2025

This is a ... question - need to understand something

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

When validating an OSCAL SSP we are getting the following errors, stating that we are not including the necessary response-point control layers - this error shows up for 169 different controls (High Baseline). Here is an example of the error for ca-7.4_smt

[ERROR] [/catalog/group[4]/control[6]/control[2]/part[1]] has-required-response-points: All Response points defined in the baseline MUST have corresponding statements values in the SSP. Missing statement: (ca-7.4_smt).

When looking at the FedRAMP High Baseline, there is no response-point prop for ca-7.4_smt - rather the response-points are under ca-7.4_smt.a, ca-7.4_smt.b, and ca-7.4_smt.c:

<part name="statement" id="ca-7.4_smt">
   <p>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:</p>
   <part name="item" id="ca-7.4_smt.a">
      <prop ns="https://fedramp.gov/ns/oscal"
            name="response-point"
            value="You must fill in this response point."/>
      <prop name="label" value="(a)"/>
      <p>Effectiveness monitoring;</p>
   </part>
   <part name="item" id="ca-7.4_smt.b">
      <prop ns="https://fedramp.gov/ns/oscal"
            name="response-point"
            value="You must fill in this response point."/>
      <prop name="label" value="(b)"/>
      <p>Compliance monitoring; and</p>
   </part>
   <part name="item" id="ca-7.4_smt.c">
      <prop ns="https://fedramp.gov/ns/oscal"
            name="response-point"
            value="You must fill in this response point."/>
      <prop name="label" value="(c)"/>
      <p>Change monitoring.</p>
   </part>
</part>

Is this a known issue? Or am I interpreting the requirements of this has-required-response-points rule incorrectly?
I've updated the telos-fedramp-pilot repository with the OSCAL SSP that generates these errors.

Where, exactly?

  • oscal-cli v2.4.0
  • up-to-date fedramp-external-allowed-values.xml and fedramp-external-constraints.xml
  • OSCAL SSP v1.1.3
  • FedRAMP Rev 5 High Baseline - version:fedramp2.1.0-oscal1.0.4

Other information

No response
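
The following is an added example, not FedRAMP's own Metaschema/XPath constraint and not code from the telos-fedramp-pilot repository. It re-implements in plain Python the check the `has-required-response-points` rule is meant to perform, using the ca-7.4 baseline excerpt above as constructed sample data: a part counts as a response point only when it itself carries a `response-point` prop in the `https://fedramp.gov/ns/oscal` namespace, so `ca-7.4_smt` is never demanded while `ca-7.4_smt.a`/`.b`/`.c` are. A second function, `statements_with_nested_response_points`, is a hypothetical reconstruction of the reported symptom (treating a response point anywhere beneath a `statement` part as belonging to the statement id) and is not a claim about what the real constraint's XPath does. The control id `ex-1`, the SSP fragment, and the omitted UUIDs are all constructed for the example.

```python
"""Added example: re-implement the intended has-required-response-points check.
Not the FedRAMP constraint itself; baseline/SSP fragments below are constructed."""
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
FEDRAMP_NS = "https://fedramp.gov/ns/oscal"
PART = f"{{{OSCAL_NS}}}part"
PROP = f"{{{OSCAL_NS}}}prop"
STATEMENT = f"{{{OSCAL_NS}}}statement"

# Constructed resolved-baseline fragment modelled on the ca-7.4 excerpt in the
# issue, plus a constructed control (ex-1) whose response point sits directly
# on the statement part rather than on item sub-parts.
BASELINE_XML = f"""<catalog xmlns="{OSCAL_NS}">
  <group id="ca">
    <control id="ca-7">
      <control id="ca-7.4">
        <part name="statement" id="ca-7.4_smt">
          <p>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:</p>
          <part name="item" id="ca-7.4_smt.a">
            <prop ns="{FEDRAMP_NS}" name="response-point" value="You must fill in this response point."/>
            <prop name="label" value="(a)"/>
            <p>Effectiveness monitoring;</p>
          </part>
          <part name="item" id="ca-7.4_smt.b">
            <prop ns="{FEDRAMP_NS}" name="response-point" value="You must fill in this response point."/>
            <prop name="label" value="(b)"/>
            <p>Compliance monitoring; and</p>
          </part>
          <part name="item" id="ca-7.4_smt.c">
            <prop ns="{FEDRAMP_NS}" name="response-point" value="You must fill in this response point."/>
            <prop name="label" value="(c)"/>
            <p>Change monitoring.</p>
          </part>
        </part>
      </control>
    </control>
    <control id="ex-1">
      <part name="statement" id="ex-1_smt">
        <prop ns="{FEDRAMP_NS}" name="response-point" value="You must fill in this response point."/>
        <p>Constructed single-statement control.</p>
      </part>
    </control>
  </group>
</catalog>"""

# Constructed SSP fragment: answers (a) and (b) of ca-7.4 and ex-1, but
# deliberately omits ca-7.4_smt.c. Required uuid attributes are left out since
# this example does not schema-validate.
SSP_XML = f"""<system-security-plan xmlns="{OSCAL_NS}">
  <control-implementation>
    <implemented-requirement control-id="ca-7.4">
      <statement statement-id="ca-7.4_smt.a"><by-component><description><p>Constructed.</p></description></by-component></statement>
      <statement statement-id="ca-7.4_smt.b"><by-component><description><p>Constructed.</p></description></by-component></statement>
    </implemented-requirement>
    <implemented-requirement control-id="ex-1">
      <statement statement-id="ex-1_smt"><by-component><description><p>Constructed.</p></description></by-component></statement>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>"""


def has_response_point(part: ET.Element) -> bool:
    """True only if this part itself (direct child prop, not a descendant) carries
    a FedRAMP response-point prop."""
    return any(p.get("ns") == FEDRAMP_NS and p.get("name") == "response-point"
               for p in part.findall(PROP))


def response_point_ids(baseline_xml: str) -> set[str]:
    """Ids of every part in the baseline that is an actual response point."""
    root = ET.fromstring(baseline_xml)
    return {part.get("id") for part in root.iter(PART) if has_response_point(part)}


def ssp_statement_ids(ssp_xml: str) -> set[str]:
    """statement-id values the SSP actually answers."""
    root = ET.fromstring(ssp_xml)
    return {s.get("statement-id") for s in root.iter(STATEMENT)}


def missing_response_points(baseline_xml: str, ssp_xml: str) -> list[str]:
    """Intended semantics: response points with no matching SSP statement."""
    return sorted(response_point_ids(baseline_xml) - ssp_statement_ids(ssp_xml))


def statements_with_nested_response_points(baseline_xml: str) -> set[str]:
    """Hypothetical reconstruction of the reported symptom (assumption, not the
    real constraint): flag a statement part if a response point appears on it
    OR anywhere beneath it, which wrongly demands an SSP entry for ca-7.4_smt."""
    root = ET.fromstring(baseline_xml)
    return {stmt.get("id") for stmt in root.iter(PART)
            if stmt.get("name") == "statement"
            and any(has_response_point(p) for p in stmt.iter(PART))}


if __name__ == "__main__":
    print("missing (intended check):", missing_response_points(BASELINE_XML, SSP_XML))
    print("parent statements a descendant-based check would flag:",
          sorted(statements_with_nested_response_points(BASELINE_XML)))
```

Run against the constructed data, the intended check reports only `ca-7.4_smt.c` as missing, while the descendant-based variant additionally demands `ca-7.4_smt`, which matches the error quoted above. The same two functions can be pointed at the real resolved baseline and SSP files with `ET.parse(path).getroot()` in place of `ET.fromstring` to cross-check oscal-cli's output.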

@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 📋 Backlog in FedRAMP Automation Feb 11, 2025
@aj-stein-gsa aj-stein-gsa added the bug Something isn't working label Feb 11, 2025
@aj-stein-gsa aj-stein-gsa changed the title [Question]: has-required-response-points appears to be validating the wrong statement layers has-required-response-points appears to be validating the wrong statement layers Feb 11, 2025
@aj-stein-gsa aj-stein-gsa moved this from 📋 Backlog to 🔖 Ready in FedRAMP Automation Feb 11, 2025
@wandmagic

I'll take a look at this and add some unit tests to cover this case to assure the constraint is made correctly

@wandmagic

once this PR is merged and you're able to test with the new version we can close this

@Rene2mt Rene2mt moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Feb 11, 2025
@Rene2mt Rene2mt moved this from 🏗 In progress to 👀 In review in FedRAMP Automation Feb 11, 2025
@aj-stein-gsa aj-stein-gsa linked a pull request Feb 12, 2025 that will close this issue
@aj-stein-gsa aj-stein-gsa moved this from 👀 In review to 🚢 Ready to Ship in FedRAMP Automation Feb 12, 2025
@aj-stein-gsa

@Telos-sa, can you please test the updated version of this constraint in develop and confirm before an upcoming release that the change resolves the bug you had reported prior? Thanks!

@wandmagic

Once the fix has been confirmed to work, please close this issue @Telos-sa
