This repository was archived by the owner on Jul 1, 2025. It is now read-only.

Bug in the Leveraged Authorization System Component Mapping #1236

@JoseGHdz

Description

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

Hey FedRAMP Team,

I'm running into an issue where the validator does not properly handle multiple leveraged authorization systems defined in the components section of the SSP.

If I have more than one leveraged authorization package (for example, Package 1, Package 2, and Package 3), I expect to be able to define a separate system component for each one. However, the validator only seems to recognize one. When multiple are defined, it throws errors instead of validating correctly.

The errors this relates to are:

  • frr257: Implementation point validation
  • frr259: Nature of agreement validation
  • frr260: Component linkage validation

This seems to suggest that the constraint logic does not support multiple leveraged authorizations mapping to separate components as intended.

Once I removed the other components of type system that were mapped to each leveraged-authorization package and left only one, the validator passed these constraint checks without any issues. This seems to confirm that the constraints are not currently supporting multiple leveraged authorization systems as expected.

Relevant log output

How do we replicate this issue?

Include multiple system components, one for each leveraged authorization package. Make sure the implementation point is external, and the leveraged-authorization-uuid is mapped to ONE specific package and it does not repeat.

Where, exactly?

This happens in components

Other relevant details

No response
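
An independent check of the layout described in the reproduction steps, as an added example that is not part of the original issue and is not the FedRAMP validator's constraint logic. It tests the one-to-one mapping the reporter expects. The SSP fragment and its placeholder UUIDs are constructed, and the prop name `implementation-point` is assumed from FedRAMP's OSCAL extension naming.

```python
# Constructed SSP fragment (placeholder UUIDs, not real ones): n leveraged
# packages, each linked from its own external component of type "system".
def make_ssp(n=3):
    las = [{"uuid": f"la-{i}", "title": f"Package {i}"} for i in range(1, n + 1)]
    comps = [{
        "uuid": f"comp-{i}", "type": "system", "title": f"Package {i} system",
        "props": [
            {"name": "implementation-point", "value": "external"},
            {"name": "leveraged-authorization-uuid", "value": f"la-{i}"},
        ],
    } for i in range(1, n + 1)]
    return {"system-security-plan": {"system-implementation": {
        "leveraged-authorizations": las, "components": comps}}}

def prop(component, name):
    """Return the value of the first prop with this name, or None."""
    return next((p.get("value") for p in component.get("props", [])
                 if p.get("name") == name), None)

def link_map(ssp):
    """Map each leveraged-authorization UUID to the external system
    components that reference it; also return components whose reference
    matches no declared package."""
    impl = ssp["system-security-plan"]["system-implementation"]
    links = {la["uuid"]: [] for la in impl.get("leveraged-authorizations", [])}
    dangling = []
    for c in impl.get("components", []):
        if c.get("type") != "system" or prop(c, "implementation-point") != "external":
            continue  # e.g. the "this-system" component is skipped
        target = prop(c, "leveraged-authorization-uuid")
        if target in links:
            links[target].append(c["uuid"])
        else:
            dangling.append(c["uuid"])
    return links, dangling

def findings(ssp):
    """List every deviation from 'one system component per package'."""
    links, dangling = link_map(ssp)
    out = [f"{la}: expected 1 system component, found {len(cs)}"
           for la, cs in links.items() if len(cs) != 1]
    out += [f"{c}: leveraged-authorization-uuid matches no package" for c in dangling]
    return out

if __name__ == "__main__":
    for line in findings(make_ssp()) or ["one system component per leveraged authorization"]:
        print(line)
```

An SSP that passes this check but still triggers frr257, frr259 and frr260 matches the behaviour reported above.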

Metadata

Labels: bug (Something isn't working)

Status: 📋 Backlog