This repository was archived by the owner on Jul 1, 2025. It is now read-only.

[Feedback]: How to handle Packages not FedRAMP Authorized in the OSCAL SSP #1234

@JoseGHdz

Description

This is a ...

question - need to understand something

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

Hey FedRAMP Team,

I noticed that items in the leveraged-authorizations section require an authorization date in date-authorized.

My question is about packages that aren’t FedRAMP Authorized, but are still used in the system.

Since they don’t have an authorization date, what’s the best way to represent them in the SSP?

  • Should we include them without an authorization date (even though that causes a validation error), and just note “Not FedRAMP Authorized” in remarks?
  • Or should we leave them out of leveraged-authorizations completely, and only list the FedRAMP-authorized ones?

Just want to make sure we’re handling this the right way.

Where, exactly?

OSCAL SSP leveraged-authorizations

Other information

No response
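
An added example, not part of the original issue and not FedRAMP's own tooling: a Python pre-check that lists `leveraged-authorizations` entries lacking a usable `date-authorized`, the condition behind the validation error the question describes. The SSP fragment, UUIDs and titles are constructed, and the JSON layout is assumed to follow the OSCAL SSP model (`system-security-plan` / `system-implementation` / `leveraged-authorizations`).

```python
import json
import re

# Constructed SSP fragment (not from the issue); UUIDs and titles are made up.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "system-implementation": {
      "leveraged-authorizations": [
        {
          "uuid": "11111111-2222-4000-8000-000000000001",
          "title": "Example IaaS (constructed)",
          "party-uuid": "11111111-2222-4000-8000-0000000000a1",
          "date-authorized": "2021-06-15"
        },
        {
          "uuid": "11111111-2222-4000-8000-000000000002",
          "title": "Example SaaS tool (constructed)",
          "party-uuid": "11111111-2222-4000-8000-0000000000a2",
          "remarks": "Not FedRAMP Authorized"
        }
      ]
    }
  }
}
""")

# Assumption: a simplified form of the OSCAL date type (calendar date, optional timezone).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(Z|[+-]\d{2}:\d{2})?$")

def check_leveraged_authorizations(ssp):
    """Return (uuid, title, problem) for entries without a usable date-authorized."""
    impl = ssp.get("system-security-plan", {}).get("system-implementation", {})
    findings = []
    for entry in impl.get("leveraged-authorizations", []):
        value = entry.get("date-authorized")
        if value is None:
            problem = "missing date-authorized"
        elif not isinstance(value, str) or not DATE_RE.match(value):
            problem = "malformed date-authorized"
        else:
            continue  # entry carries a well-formed authorization date
        findings.append((entry.get("uuid"), entry.get("title"), problem))
    return findings

if __name__ == "__main__":
    for uuid, title, problem in check_leveraged_authorizations(SAMPLE_SSP):
        print(f"{uuid}  {title}: {problem}")
```
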
