
NIST will not release changes in NIST OSCAL models that conflict with FedRAMP constraints #908

Open
aj-stein-gsa opened this issue Nov 15, 2024 · 2 comments
aj-stein-gsa commented Nov 15, 2024

Risk Summary

As summarized most recently in usnistgov/OSCAL#2072, there are instances where the FedRAMP Automation Team discovers overly generic, specific, or incorrect model requirements in the core NIST OSCAL models. In most cases, FedRAMP constraints can extend core model requirements more specifically. In unique cases, as evidenced by specific items in #2072, the incorrect constraints in core NIST OSCAL models will still remain errors for conformant Metaschema-based processors that process an OSCAL document. FedRAMP cannot override those requirements. They are inherently in conflict. If NIST does not release a new version of the models with the recommended fix, FedRAMP stakeholders will never have correct OSCAL content in packages that conform to core NIST OSCAL and FedRAMP requirements at the same time.

Risk Mitigation Strategy

Strategy: Mitigation

The FedRAMP Automation Team will continue to work with NIST maintainers of the core OSCAL models to report and fix bugs in the latest stable release of the OSCAL models and to create new major, minor, and patch releases as appropriate. FedRAMP is developing more precise constraints to correlate FedRAMP requirements to a minimally required OSCAL version per #847 and #833, to ensure FedRAMP has more agility in evaluating and pinning a reliable minimally required OSCAL version.

@aj-stein-gsa aj-stein-gsa added bug Something isn't working type: risk An item for the risk register. labels Nov 15, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 📋 Backlog in FedRAMP Automation Nov 15, 2024
@aj-stein-gsa aj-stein-gsa removed the bug Something isn't working label Nov 15, 2024
@david-waltermire david-waltermire changed the title NIST will not release changes NIST OSCAL models that conflict with FedRAMP constraints NIST will not release changes in NIST OSCAL models that conflict with FedRAMP constraints Nov 15, 2024
@aj-stein-gsa aj-stein-gsa moved this from 📋 Backlog to 🏗 In progress in FedRAMP Automation Nov 21, 2024
@aj-stein-gsa aj-stein-gsa self-assigned this Nov 21, 2024
aj-stein-gsa commented Dec 2, 2024

NIST released v1.1.3 during the last week. We found other bugs and important fixes that will soon block current and upcoming constraint development in the near future. Initial feedback on inconsistent application of unwritten policies in usnistgov/OSCAL#2080, regarding which upstream schemas and software NIST does or does not support, is cause for concern on this risk again. It would seem we need to monitor this and go from accepting the risk to planning a mitigation if a possible move to improve the Metaschema specs and the fork is rejected by NIST, with or without clear reasoning.

@wandmagic
usnistgov/OSCAL#2084
This PR attempts to introduce an integration testing framework so that these bugs can be squashed in a way that we can verify before proceeding with another release. I am curious to see how NIST responds.
