This repository was archived by the owner on Jul 1, 2025. It is now read-only.

Add LI-SaaS constraints #1195

@Rene2mt

Constraint Task

Consistent with issues #1194 and #803, this issue focuses on defining constraints related specifically to LI-SaaS.

Intended Outcome

Ensure that an "LI-SaaS" SSP meets the following conditions:

  • The SSP must import the LI-SaaS baseline (profile or resolved profile catalog)
  • The SSP must have the cloud service model set to “saas”
  • The SSP must have the authorization type set accordingly:
    • Allowed values are “fedramp-agency” and “fedramp-li-saas”. This is addressed in the "authorization-type" allowed-value constraint.
    • NOTE that "fedramp-jab" is/should be deprecated.
  • The SSP must have the security sensitivity level set to “fips-199-low”
  • The SSP must have all the security impact levels set to “fips-199-low”

Syntax Type

This is a mix of required, optional, and/or extended syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

TBD

Purpose of the OSCAL Content

No response

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue has been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate
    • Sample content is present and accurate
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

Note that these constraints will require development of an example LI-SaaS SSP as content for unit testing.
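
The conditions listed under Intended Outcome, written as a check over an OSCAL SSP in JSON, with one known-good and one known-bad fragment. This is an added example, not code from the issue or the FedRAMP repository. The field locations follow the OSCAL SSP JSON model (the issue leaves the metapaths TBD), and the `li-saas` href match, the placeholder href and the sample documents are assumptions constructed here.

```python
import copy

FEDRAMP_NS = "https://fedramp.gov/ns/oscal"  # FedRAMP extension namespace
ALLOWED_AUTH_TYPES = {"fedramp-agency", "fedramp-li-saas"}
LOW = "fips-199-low"

def prop_values(props, name, ns=None):
    """Values of every prop with this name (and namespace, when one is given)."""
    return [p.get("value") for p in props
            if p.get("name") == name and (ns is None or p.get("ns") == ns)]

def check_li_saas(doc):
    """Return a list of findings; an empty list means every condition holds."""
    ssp = doc.get("system-security-plan", {})
    sc = ssp.get("system-characteristics", {})
    props = sc.get("props", [])
    findings = []
    # Assumption: the baseline is recognised by "li-saas" in the import href.
    if "li-saas" not in ssp.get("import-profile", {}).get("href", "").lower():
        findings.append("import-profile does not reference the LI-SaaS baseline")
    if prop_values(props, "cloud-service-model") != ["saas"]:
        findings.append("cloud-service-model must be saas")
    auth = prop_values(props, "authorization-type", FEDRAMP_NS)
    if len(auth) != 1 or auth[0] not in ALLOWED_AUTH_TYPES:
        findings.append("authorization-type must be fedramp-agency or fedramp-li-saas")
    if sc.get("security-sensitivity-level") != LOW:
        findings.append("security-sensitivity-level must be fips-199-low")
    impact = sc.get("security-impact-level", {})
    for objective in ("confidentiality", "integrity", "availability"):
        if impact.get(f"security-objective-{objective}") != LOW:
            findings.append(f"security-objective-{objective} must be fips-199-low")
    return findings

# Constructed known-good fragment; the href is a placeholder, not a real URL.
KNOWN_GOOD = {"system-security-plan": {
    "import-profile": {"href": "https://example.org/LI-SaaS-baseline_profile.json"},
    "system-characteristics": {
        "props": [
            {"name": "cloud-service-model", "value": "saas"},
            {"name": "authorization-type", "ns": FEDRAMP_NS, "value": "fedramp-li-saas"}],
        "security-sensitivity-level": LOW,
        "security-impact-level": {f"security-objective-{o}": LOW
                                  for o in ("confidentiality", "integrity", "availability")}}}}

def known_bad():
    """Constructed known-bad variant: deprecated authorization type, moderate integrity."""
    doc = copy.deepcopy(KNOWN_GOOD)
    sc = doc["system-security-plan"]["system-characteristics"]
    sc["props"][1]["value"] = "fedramp-jab"
    sc["security-impact-level"]["security-objective-integrity"] = "fips-199-moderate"
    return doc
```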

Metadata

Status

🚢 Ready to Ship
