Rene Tshiteya
Per today's model review, I wonder if the "development (provider-focused)" should be described as follows: - Plan (Categorize System & Select Controls) - Develop (Implement Controls) - Test/Verify (Assess Controls)...
Should we add a step in the github action to scan the container images (e.g., https://github.com/snyk/actions/tree/master/docker)?
For unique identifier documentation in the Metaschemas, we should check the following: 1. they contain prop fields, including "value-type", "identifier-type", "identifier-uniqueness", "identifier-scope", "identifier-persistence" 2. for each prop, it should have...
For rev5, FedRAMP has aligned with NIST which states: _When defining a **service** component where a relationship to other components is known, one or more **link** entries with **rel** values...
Workaround recommendation for the near-term (in OSCAL) is to provide the *separation of duties* as a `back-matter` `resource`. See https://github.com/GSA/fedramp-automation/blob/6518de14df4552821ad17cc93f5eeaec4b46716b/dist/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml#L3555-L3570 This will be added to the guides. Long-term, FedRAMP is...
The **Reference #** column in table 9.1 is intended to refer to one of the cryptographic modules in appendix Q. This concept in OSCAL is achieved by: - having a...
The document templates followed the nomenclature in NIST 800-63 (see https://pages.nist.gov/800-63-3/sp800-63-3.html#:~:text=For%20non%2Dfederated%20systems%2C%20agencies%20will%20select%20two%20components%2C%20referred%20to%20as%20Identity%20Assurance%20Level%20(IAL)%20and%20Authenticator%20Assurance%20Level%20(AAL).%20For%20federated%20systems%2C%20agencies%20will%20select%20a%20third%20component%2C%20Federation%20Assurance%20Level%20(FAL).). OSCAL has named properties that align (there is an _implicit_ mapping). For example: - OSCAL `` is the equivalent...
FedRAMP OSCAL SSPs must provide the granular “ODP” level parameters. This will be clarified in the FedRAMP OSCAL SSP User Guide and sample FedRAMP OSCAL SSP template. Additionally, FedRAMP will...
Attached is a proposed layout for OSCAL generated SSP control content. As illustrated in the mockup document: - The control statements must include the parameter insertion points (e.g. _[Assignment: organization-defined...
We had explored an option very similar to what you posted but the review teams felt it would be difficult for (human) reviewers to track what the parameter requirements are...