Using Leveraged Authorizations in OSCAL (PDF) presented by Brian Ruf.
Agenda
Continue to review the proposed approach for leveraging existing authorizations and composing systems. This work is being tracked by issue #572.
Open discussion.
Notes
The issue of getting access to the leveraged system’s assessment methods (examine, interview, test) information was raised and the need of providing this information in the customer responsibility matrix was discussed. This information will be used by the owner of the leveraging system to review the assessment methods used for the assessment of the leveraged system.
The leveraged system and leveraging system will have their own profiles that will indicate which assessment methods were to be used but being able to display possible deltas between these profiles was discussed and highlighted as being important.
The issue of a leveraging system occasionally requiring a higher rigor for the assessment of a particular control implementation than the documented assessment method for that inherited control implementation from the leveraged system was also discussed.
System audit and continuous assessment require other assessment methods, different than the ones listed in SP800-53A (e.g. inspection, inquiry, observation, reperformance for audit or attestation for FedRAMP tailored baselines). The need for supporting additional assessment methods, different than the ones mentioned in SP800-53A, was highlighted.
Questions were asked regarding the UUIDs and how to use them (globally or in the scope of a document). The conversation on this topic continued on Gitter after the meeting.