Poorly-chosen SP 800-63-3 assurance level properties #112

Closed
2 of 16 tasks
GaryGapinski opened this issue Jun 22, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@GaryGapinski
Contributor

GaryGapinski commented Jun 22, 2021

  • This is a ...

    • concern - I think something needs to be different.
    • question - I didn't understand something.
    • kudos - I found something helpful and want to encourage it in future FedRAMP publications.
    • request - I would like to see something additional provided.
  • This relates to ...

    • the FedRAMP OSCAL Registry (Excel File)
    • the Guide to OSCAL-based FedRAMP Content (PDF)
    • the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
    • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
    • the Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR) (PDF)
    • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
    • the FedRAMP SSP OSCAL Template (JSON or XML Format)
    • the FedRAMP SAP OSCAL Template (JSON or XML Format)
    • the FedRAMP SAR OSCAL Template (JSON or XML Format)
    • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
    • General/Overall
    • Other

NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.

  • Where, exactly?
    • For the registry, please indicate the tab and cell, or other clear identifier
    • For the guide, please indicate the section number and printed page number (lower right corner)
    • For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier

Section 4.5 page 13 Digital Identity Determination

Properties (OSCAL <prop>)

  • security-eauth-level
  • identity-assurance-level
  • authenticator-assurance-level
  • federation-assurance-level

  • What is your feedback?

The assurance level property values indicated (i.e., 1, 2, 3) are not the same parlance as that used in SP 800-63.

The initialisms used in SP 800-63 are

  • IAL1, IAL2, IAL3
  • AAL1, AAL2, AAL3
  • FAL1, FAL2, FAL3

Those are the most likely to be recognized rather than the disembodied "1", "2", "3".

1.0.0

  • What action would you like to see from the FedRAMP PMO?

Use SP 800-63 parlance for assurance level values.
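As an added example (not code from the issue or from the FedRAMP project), a small validator that accepts either parlance for the four props named above, maps them to the FedRAMP numeric form, and flags values that match neither or carry the wrong initialism. It assumes the props sit under system-characteristics in an OSCAL SSP JSON document as name/value objects; the sample document is constructed.

```python
import re

# The four assurance-level props named in the guide's Section 4.5. Only the
# last three have an SP 800-63-3 initialism; security-eauth-level has none,
# so it is accepted in numeric form only.
LEVEL_PROPS = {
    "security-eauth-level": None,
    "identity-assurance-level": "IAL",
    "authenticator-assurance-level": "AAL",
    "federation-assurance-level": "FAL",
}
NUMERIC_LEVELS = {"1", "2", "3"}

def normalize_level(name, value):
    """Map "2" (FedRAMP form) or "IAL2" (SP 800-63 form) to the FedRAMP numeric
    form; raise ValueError if the value is unknown or wrongly prefixed."""
    text = str(value).strip().upper()
    if text in NUMERIC_LEVELS:
        return text
    match = re.fullmatch(r"(IAL|AAL|FAL)([1-3])", text)
    if match and match.group(1) == LEVEL_PROPS[name]:
        return match.group(2)
    raise ValueError(f"{name}: unrecognised assurance level {value!r}")

def check_assurance_levels(ssp):
    """Return (levels, problems) for the assurance-level props found under
    system-characteristics (assumed JSON shape: "props" list of name/value)."""
    props = ssp["system-security-plan"]["system-characteristics"].get("props", [])
    levels, problems = {}, []
    for prop in props:
        name = prop.get("name")
        if name not in LEVEL_PROPS:
            continue  # unrelated prop, ignore
        try:
            levels[name] = normalize_level(name, prop.get("value", ""))
        except ValueError as err:
            problems.append(str(err))
    return levels, problems

# Constructed sample, not a real FedRAMP SSP: values in both parlances, plus
# one whose initialism belongs to a different prop (AAL on the FAL prop).
SAMPLE_SSP = {"system-security-plan": {"system-characteristics": {"props": [
    {"name": "security-eauth-level", "value": "2"},
    {"name": "identity-assurance-level", "value": "IAL2"},
    {"name": "authenticator-assurance-level", "value": "2"},
    {"name": "federation-assurance-level", "value": "AAL2"},
]}}}
```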

@ohsh6o
Contributor

ohsh6o commented Jul 1, 2021

Discussed this with the NIST OSCAL devs. This will make our FedRAMP props disjoint from the standard NIST OSCAL props and the Metaschema-defined constraints. We agreed to get more feedback in a model meeting next week and follow up in usnistgov/OSCAL#985. Sorry for the delay, @GaryGapinski.

@ohsh6o
Contributor

ohsh6o commented Jul 7, 2021

Discussed in 10x NIST developer meeting and will surface in Friday's model meeting per consultation with the NIST devs.

ohsh6o pushed a commit that referenced this issue Jul 13, 2021
Rebuild Schematron XSLT (SEF format) for UI
@volpet2014
Contributor

Collaborated with NIST recently. Still pending change from NIST to address this.

@volpet2014
Contributor

Will stay as is.

3 participants