-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax component protocol constraint for #1913 #2063
Relax component protocol constraint for #1913 #2063
Conversation
6751aaa
to
ef71276
Compare
I would request this change be considered for a potential patch release, perhaps 1.1.3, to resolve this issue and unblocking FedRAMP work in our backlog. I am more than willing to discuss further than #1913 to motivate that recommendation or support another release. Let me know. |
@iMichaela, against the documented guidance and my recommendations, per your request I rebased and this PR now targets develop. I would welcome the following.
|
This change also relates to usnistgov#1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
ef71276
to
48f0546
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
Committer Notes
This change fixes #1913 and relates partially to #1922. FedRAMP staff have analyzed the progression of this constraint as it pertains to FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to only components of service type was feasible. However, this does not allow homogenous this-system-component-based SSPs to have the same requirement. Moreover, this limits the ability of understandably different sub-component of components approaches with complex multi-layered architecture to have non-service components (those of type software, hardware, etc.) document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST.
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Changes to Core Features:
Have you written new tests for your core changes, as applicable?Have you included examples of how to use your new feature(s)?Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.If CI/CD hasn't changed, this change will be automatically propagated by a new release.