Errors raised for not providing a FedRAMP system identifier when it is provided #769

Open
4 of 12 tasks
Telos-sa opened this issue Oct 9, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@Telos-sa

Telos-sa commented Oct 9, 2024

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

When validating an OSCAL SSP with the enhanced oscal-cli and fedramp-external-constraints.xml, we get the following error:
[ERROR] [/system-security-plan/system-characteristics[1]] A FedRAMP SSP must have a FedRAMP system identifier.
We are providing a valid FedRAMP system identifier - found from the FedRAMP marketplace, and it is still yielding this error.

"system-characteristics": {
    "system-ids": [
        {
            "identifier-type": "http://fedramp.gov",
            "id": "FR2403936773"
        }
    ]
}

Relevant log output

[ERROR] [/system-security-plan/system-characteristics[1]] A FedRAMP SSP must have a FedRAMP system identifier.

How do we replicate this issue?

Validate an OSCAL SSP using the fedramp external constraints. Ensure that the OSCAL SSP being validated has an accurate FedRAMP system identifier listed under system-characteristics>system-ids. Validate the model and review errors.

Where, exactly?

  • enhanced oscal-cli v.2.1.0
  • OSCAL SSPs - OSCAL v1.1.2
  • up-to-date FedRAMP external constraints
  • system-security-plan>system-characteristics>system-ids

Other relevant details

No response

@Telos-sa Telos-sa added the bug Something isn't working label Oct 9, 2024
@Rene2mt
Member

Rene2mt commented Oct 9, 2024

Thank you for reporting this bug! Per NIST documentation, the identifier-type should actually be set to "http://fedramp.gov/ns/oscal" (see https://pages.nist.gov/OSCAL-Reference/models/v1.1.2/system-security-plan/xml-reference/#/system-security-plan/system-characteristics/system-id). Both the FedRAMP constraint and documentation will be updated accordingly.
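
A pre-validation check for the identifier-type value cited in the comment above, as an added example that is not part of the issue thread or of FedRAMP's tooling. It does not reproduce the FedRAMP constraint itself; `check_system_ids` and `sample_ssp` are hypothetical names, and the sample documents are constructed (the id value is the one quoted in the report).

```python
import json

# Identifier type the maintainer cites from the NIST OSCAL v1.1.2 reference.
FEDRAMP_ID_TYPE = "http://fedramp.gov/ns/oscal"


def check_system_ids(ssp_text):
    """Return (ok, findings) for system-ids in an OSCAL SSP given as JSON text.

    ok is True when at least one entry has exactly FEDRAMP_ID_TYPE and a
    non-empty id; findings lists entries that look FedRAMP-related but differ.
    """
    doc = json.loads(ssp_text)
    chars = doc.get("system-security-plan", {}).get("system-characteristics", {})
    system_ids = chars.get("system-ids", [])
    ok, findings = False, []
    if not system_ids:
        findings.append("system-characteristics has no system-ids")
    for idx, entry in enumerate(system_ids):
        id_type = entry.get("identifier-type")
        value = str(entry.get("id") or "").strip()
        where = f"system-ids[{idx}]"
        if id_type == FEDRAMP_ID_TYPE:
            if value:
                ok = True
            else:
                findings.append(f"{where}: FedRAMP identifier-type with empty id")
        elif id_type is None:
            findings.append(f"{where}: missing identifier-type")
        elif "fedramp.gov" in str(id_type).lower():
            # Near miss: other scheme, missing /ns/oscal path, trailing slash.
            findings.append(
                f"{where}: identifier-type {id_type!r} is not exactly {FEDRAMP_ID_TYPE!r}")
    return ok, findings


def sample_ssp(id_type):
    """Constructed minimal SSP fragment; the id is the one quoted in the report."""
    return json.dumps({"system-security-plan": {"system-characteristics": {
        "system-ids": [{"identifier-type": id_type, "id": "FR2403936773"}]}}})


if __name__ == "__main__":
    for id_type in ("http://fedramp.gov", FEDRAMP_ID_TYPE):
        print(id_type, check_system_ids(sample_ssp(id_type)))
```
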

@aj-stein-gsa
Contributor

This is an excellent find and confirmed bug. We also need to fix docs. I will cross-link an issue to fix that shortly.

I had actually missed the confusion around https:// deprecation and http:// confusion.

Full disclosure: that dang @ohsh6o, a.k.a. Yours Truly, in his more junior days started something misguided with https:// for identifiers, which culturally in structured XML and beyond with JSON and others.

@Telos-sa
Author

Updates from testing:
The validation error is still present after updating the ns to "http://fedramp.gov/ns/oscal" and providing a valid FedRAMP package ID.

Error generated from enhanced oscal-cli v2.2.0 with fedramp-external-constraints.xml:
[ERROR] [/system-security-plan/system-characteristics[1]] A FedRAMP SSP must have a FedRAMP system identifier.

If this is a known issue then please disregard

@aj-stein-gsa
Contributor

> Error generated from enhanced oscal-cli v2.2.0 with fedramp-external-constraints.xml:
> [ERROR] [/system-security-plan/system-characteristics[1]] A FedRAMP SSP must have a FedRAMP system identifier.
>
> If this is a known issue then please disregard

We are going to examine the tooling as part of the review in an upcoming decision record for #774 and associated work. Stay tuned!

@aj-stein-gsa
Contributor

This report is still valid but resolution on it is blocked by a pending decision and socialization after that decision in #774. Moving the status of this bug report and work to fix to blocked until #774 is resolved.

@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 🛑 Blocked in FedRAMP Automation Oct 25, 2024