Documentation for implemented-requirement prop leveraged-authorization in SSP is unclear #1552
Comments
aj-stein-nist
added
bug
Scope: Website
|
This relates to |
|
To address this we need a clear understanding of how to document, in OSCAL, that a given requirement is implemented using a leveraged authorization. This should involve the |
|
Community member collaborating with FedRAMP says they will update with examples soon enough. |
|
@aj-stein-nist I claimed this for the sprint, but if we are expecting someone else to still deliver content, let me know. |
|
It appears the first commit this prop was introduced, not just relocated or modified, is 284e56f. |
|
So there is no constraint for this prop and the documentation string has been there as-is, albeit it with some typo improvements, since 2+ years ago. It appears to have come after the addition of the Since the only report we received from users is a clarifying question about how to use it, and presumably it is unclear how and if to use it, and removing it is not a backwards breaking change, I will open a PR to consult the team for final review and approval. /cc @Compton-NIST (I know you had picked this up and have looked at related work, I would like your feedback on the PR if you have time for it.) |
Per #1552 analysis, the original analysis and provenance for this is unclear and the name indicates its intended use overlaps with more accurate mechanisms available for the implemented requirement. I cannot find a way to write clearer documentation better that cannot explain it, so I opt to remove it.
|
|
Per #1552 analysis, the original analysis and provenance for this is unclear and the name indicates its intended use overlaps with more accurate mechanisms available for the implemented requirement. I cannot find a way to write clearer documentation better that cannot explain it, so I opt to remove it.
Per usnistgov/OSCAL#1552 analysis, the original analysis and provenance for this is unclear and the name indicates its intended use overlaps with more accurate mechanisms available for the implemented requirement. I cannot find a way to write clearer documentation better that cannot explain it, so I opt to remove it.
Per usnistgov/OSCAL#1552 analysis, the original analysis and provenance for this is unclear and the name indicates its intended use overlaps with more accurate mechanisms available for the implemented requirement. I cannot find a way to write clearer documentation better that cannot explain it, so I opt to remove it.
…istgov#1729) Per usnistgov#1552 analysis, the original analysis and provenance for this is unclear and the name indicates its intended use overlaps with more accurate mechanisms available for the implemented requirement. I cannot find a way to write clearer documentation better that cannot explain it, so I opt to remove it.
Describe the bug
As an OSCAL tool developer, in order to understand when and how to annotate a control implementation with a property to indicate the control implementation requirement is fulfilled in whole or in part by control implementations from a leveraged authorization, I want clear documentation of the intended value for that prop.
Who is the bug affecting
OSCAL tool developers implementing SSPs leveraging a leveraged authorization, specifically @telosBA and their colleagues as reported on a feedback call.
What is affected by this bug
Documentation
How do we replicate this issue
implemented-requirement/prop[@name='leveraged-authorization'].propin this context of the SSP model.Expected behavior (i.e. solution)
Documentation clearly explains what the intended value of this prop in this particular context of the SSP model.
Other comments
Thanks to @telosBA and company for the verbal report when providing feedback to us.
The text was updated successfully, but these errors were encountered: