Skip to main content

Comments Summary

Generated: 2026-04-08 14:46:06  ·  19 open  ·  9 archived  ·  4 in recycle bin

Contents

Open Comments 19

FedRAMP
Supporting Resources and Valid Content
Baselines 4 open · 1 archived
Open Comments
# 6 Brian Ruf 2026-04-08 12:35:04 Open

Discussed in today's TFG. We agree that that resolved profiles allow an easy quick-start. Verified that we show it initially in the adoption and moving to proper profile processing by the "Normalized" phase.. Considering this closed.

# 4 Brian Ruf 2026-04-02 15:20:29 Open

While I completely agree that multi-layer profile resolution is the the preferred approach and the only way to handle overlays and multi-frameworks, we are looking to initially reduce complexity to the greatest degree practical for MVP/Core adoption, then allow organizations to mature their capabilities over time based on their needs and priorities.

# 3 Brian Ruf 2026-02-25 13:16:08 Open

In the TFG meeting, highlighted the need to verify FedRAMP has not changed the baselines since these were drafted in Jan 2025.

# 1 Valinder Mangat 2026-02-18 20:49:21 Open

The SSP OSCAL guidance for “import-profile” specifically discourages the use of a “resolved profile catalog” for good reasons.

It makes sense to create the “tailoring-profile” and have the other profiles pull from the tailoring-profile, while this approach is useful from authoring effort perspective, it adds runtime burden for having to resolve multiple layers of profiles.

Is there an approach to resolve “multiple stacked profiles” into single profiles so that they can be referenced directly in the SSP?

The baselines are not likely to change very often, so perhaps a more efficient runtime solution bears better.

# 4 Brian Ruf 2026-04-08 01:16:28

I didn't completely respond to your comment in my last response, and it's a fair question.

I'd prefer to keep the three levels (IAL, FAL, AAL) separate even though the historic guidance is that all three are the same for a given baseline. If that guidance ever changes, I don't want people to have to change the props they use. Also, I believe the three separate props we are using are recognized as core OSCAL whereas a single prop would need to be a FedRAMP extension.

# 5 Brian Ruf 2026-04-02 15:20:40

This is complete.

# 4 Brian Ruf 2026-03-26 18:40:04

This page is now part of a larger adoption topic that covers both retrofit and new adoptions.

# 3 Brian Ruf 2026-03-11 19:13:45

It's actually covered in Appendix E, but should be linked from this page. I'll make that update.
I haven't yet converted the example to YAML, but you can see it with XML here:

Archived Comments
# 2 Brian Ruf 2026-02-25 13:15:28 (edited 2026-04-02 15:20:44) Archived

In the TFG meeting we discussed putting more content at the top to clarify tools should be using the profiles and performing the resolution themselves. Tools may cache as appropriate depending on frequency of updates to these profiles and any overlays. @Brian Ruftaking action to draft content.


Clarify this is important to ensure baselines remain fresh.

Examples 1 open · 0 archived
Open Comments
# 1 Brian Ruf 2026-02-25 13:19:06 (edited 2026-04-08 14:32:29) Open

Needs end-to-end review for alignment with FedRAMP templates and defined OSCAL patterns.

FedRAMP Common
Roles 1 open · 1 archived
Open Comments
# 2 Brian Ruf 2026-04-08 01:09:41 Open

Good catch. I'm more inclined to remove this from the validator, but we should discuss either way.

Archived Comments
# 1 Erik Cass 2026-03-17 16:28:16 (edited 2026-04-08 14:32:43) Archived

According to the fedramp-automation validator, the following additional role appears to be required:
- fedramp-pmo: FedRAMP Project Management Office (PMO)

Title Pages 1 open · 1 archived
Open Comments
# 2 Brian Ruf 2026-04-08 01:19:45 Open

I like the catch and addition of `marking`. Thank you!

I removed the `fedramp-version` prop as that was tied to the validation file version, which is no longer relevant as PMO is no longer maintaining or publishing validation files. If we end up maintaining validation files and want to address that with a prop, it will need to be a different prop name.

Archived Comments
# 1 Erik Cass 2026-03-26 02:11:43 (edited 2026-04-08 12:48:24) Archived

@Brian Ruf I added an additional prop reference based upon the guidance formally found on the FedRAMP documentation website (since decomissioned). I preserved it mostly as is, but change the verb from "must" to "should" since the implied reference no longer exists. However, it seems like a useful addition. If not, my edit should be reverted.

FedRAMP System Security Plan (SSP)
11. Seperation of Duties Matrix 1 open · 0 archived
Open Comments
# 1 Brian Ruf 2026-02-25 13:21:53 Open

@Brian Rufto add content.

3. System Information 1 open · 2 archived
Open Comments
# 5 Brian Ruf 2026-04-08 14:33:18 Open

Per TFG discussion, we are not including paths/pointers in the documentation at this time.

Archived Comments
# 2 Erik Cass 2026-03-10 22:31:43 (edited 2026-04-08 14:33:07) Archived

There doesn't seem to be a pattern for the Digital Identity Level (DIL) Determination (folliow Service Model). As much a test of my own understanding as it is a recommendation, but what about this?

<system-security-plan>

<system-characteristics>

<prop ns="https://fedramp.gov/ns/oscal" name="dil-determination" value="SOME_VALUE" />

</system-characteristics>

</system-security-plan>

As indicated above must be either IAL3/FAL3/AAL3, IAL2/FAL2/AAL2, or IAL1/FAL1/AAL1.

# 1 Brian Ruf 2026-02-25 13:25:50 (edited 2026-04-08 14:33:20) Archived

Switch XML to YAML

Switch XPath to JSON Pointer (https://datatracker.ietf.org/doc/html/rfc6901)

Apply to all pattern content.

6. Leveraged FedRAMP-Authorized Services 1 open · 0 archived
Open Comments
# 1 Brian Ruf 2026-04-01 03:58:56 Open

We need to fix the link in the "Important for Leveraged Systems" callout once the controls section is complete and the location is not likely to change again.

7. External Systems and Services Not Having FedRAMP Authorization 1 open · 0 archived
Open Comments
# 1 Rene M. Tshiteya 2026-03-31 17:58:53 Open

Todo: Convert XPath queries to JSON Pointer

8. Illustratred Architecture and Narratives 1 open · 0 archived
Open Comments
# 1 Rene M. Tshiteya 2026-03-31 18:11:24 Open

Todo: Replace XPath queries with JSON Pointer

9. Services, Ports and Protocols 1 open · 1 archived
Open Comments
# 2 Brian Ruf 2026-04-08 00:51:00 Open

We have since agreed not to include paths at this time.

Archived Comments
# 1 Rene M. Tshiteya 2026-03-31 18:50:06 (edited 2026-04-08 14:31:34) Archived

To do: Replace XPath queries with JSON Pointer

Appendicies Overview 1 open · 0 archived
Open Comments
# 1 Rene M. Tshiteya 2026-03-18 03:28:40 Open

Should Separation of Duties matrix be listed as an optional attachment (e.g., for MVP) or do we have a good way to represent this in OSCAL?

Inventory: Normalized Approach 1 open · 1 archived
Open Comments
# 2 Brian Ruf 2026-04-08 14:31:10 Open

Per TFG discussion, we are not including paths/pointers in the documentation at this time.

Archived Comments
# 1 Rene M. Tshiteya 2026-03-31 19:42:57 (edited 2026-04-08 14:31:14) Archived

To do: Replace XPath queries with JSON Pointer

Prepared By/For 2 open · 0 archived
Open Comments
# 2 Brian Ruf 2026-04-08 01:11:31 Open

Looks like this was resolved. If you agree, please archive this comment.

# 1 Rene M. Tshiteya 2026-03-18 03:19:26 (edited 2026-03-18 03:20:00) Open

Typo in the page heading / title

Retrofit Adoption Path 2 open · 2 archived
Open Comments
# 6 Brian Ruf 2026-04-08 12:55:17 Open

Add note to adoption pages that anything not converted to machine readable should still be attached as a Word artifact.

# 5 Brian Ruf 2026-04-02 15:53:42 Open

This is now addressed as the New Adoption Path.

Archived Comments
# 2 Brian Ruf 2026-03-18 12:16:56 (edited 2026-04-02 15:53:02) Archived

Per today's TFG, need to clarify that this approach is focused on legacy Word SSP conversion. Need a different approach for "New" SSP authors who should likely start with components.

# 1 Rene M. Tshiteya 2026-03-18 03:05:26 (edited 2026-04-02 15:53:48) Archived

The SSP adoption strategy described on this page is well suited for systems that are already authorized / already have an SSP. However, CSPs that are early in their authorization journey may be better positioned to attempt the "advanced" / "ideal" path from the get go, especially if they have access to OSCAL-ready GRCs and tooling.

⚠ Recycle Bin 4

The following comments are attached to pages currently in the Recycle Bin. They are likely no longer relevant. You can permanently delete or restore the pages via the Recycle Bin.
Background Deleted: 2026-04-08 12:27:33  ·  2 open · 0 archived
Open Comments
# 2 Brian Ruf 2026-04-08 12:25:51 Open

Either:

- remove or background page (leaning in this direction)

- keep, but don't include links

- keep and link to oscal-foundation forks

# 1 Erik Cass 2026-04-06 16:44:32 Open

Note: the above repos have been removed as of April 6th, 2026. However, forks are available:

Use at your own discresion as they may not represent the lastest content as of source decomissioning.



System Roles Deleted: 2026-03-13 18:41:09  ·  1 open · 0 archived
Open Comments
# 1 Brian Ruf 2026-02-25 13:21:05 Open

Add Section 5 roles here. Then point section 5 here.

Document Attachments Deleted: 2026-03-11 04:05:43  ·  1 open · 0 archived
Open Comments
# 1 Erik Cass 2026-03-10 22:16:15 (edited 2026-03-10 22:17:20) Open

@Brian RufLooking at the schema, i think the correct prop name under resource is "Published" not "Publication".

No comments to display

Back to top