Add documentation for "authorization-type" #1194

Open
11 tasks
Rene2mt opened this issue Mar 6, 2025 · 1 comment

Rene2mt commented Mar 6, 2025

This is a ...

fix - something needs to be different

This relates to ...

  • the FedRAMP OSCAL baselines
  • the FedRAMP SSP OSCAL Example
  • the FedRAMP SAP OSCAL Example
  • the FedRAMP SAR OSCAL Example
  • the FedRAMP POA&M OSCAL Example
  • the FedRAMP OSCAL Validations
  • the Not sure

User Story

As a FedRAMP OSCAL stakeholder, I need to understand how to represent the various authorization types (e.g., agency authorizations and LI-SaaS), so that it is clear how "this system" and/or leveraged authorizations were authorized.

Goals

FedRAMP has an extension prop called "authorization-type" that indicates whether a system received authorization via the FedRAMP JAB, FedRAMP Agency, or FedRAMP Tailored for LI-SaaS path. Note that the JAB ATO path is being discontinued. Upon review of issue #1190, it was noted that the "authorization-type" FedRAMP extension prop is underdocumented.

The goal of this issue is to add the following to a new FedRAMP OSCAL SSP > SSP Template Topic Areas > Authorization Paths page in the FedRAMP developer hub:

  • Add a section for the "Agency Authorization Path" and "LI-SaaS Authorization Path" to document the "authorization-type" FedRAMP extension.
  • Include documentation on the allowed values for this FedRAMP extension
  • Include JSON, XML, and YAML examples
  • Address any validation rules / constraints that apply to this content

For LI-SaaS Only

Need to make sure documentation explains clearly some of the special handling for LI-SaaS, specifically:

  • The SSP must import the LI-SaaS baseline (profile or resolved profile catalog)
  • The SSP must have the cloud service model set to “saas”: <prop name="cloud-service-model" value="saas"/>
  • The SSP must have the authorization type set accordingly: <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-li-saas"/>
    • Allowed values are “fedramp-agency” and “fedramp-li-saas”. "fedramp-jab" is deprecated.
  • The SSP must have the security sensitivity level set to “fips-199-low”
  • The SSP must have all the security impact levels set to “fips-199-low”

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.

Other information

No response
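
The five LI-SaaS rules listed in the issue, written as one check over an SSP in XML. This is an added example, not part of the issue and not the fedramp-automation project's own validation code. It assumes the NIST OSCAL SSP element names (`import-profile`, `security-sensitivity-level`, `security-objective-*`); the `baseline_hint` parameter and the sample document are hypothetical and constructed.

```python
import xml.etree.ElementTree as ET

FEDRAMP_NS = "http://fedramp.gov/ns/oscal"  # namespace URI as written in the issue
LOW = "fips-199-low"

# Constructed, trimmed SSP (not schema-complete); availability is deliberately wrong.
SAMPLE = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <import-profile href="#li-saas-baseline-placeholder"/>
  <system-characteristics>
    <prop name="cloud-service-model" value="saas"/>
    <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-li-saas"/>
    <security-sensitivity-level>fips-199-low</security-sensitivity-level>
    <security-impact-level>
      <security-objective-confidentiality>fips-199-low</security-objective-confidentiality>
      <security-objective-integrity>fips-199-low</security-objective-integrity>
      <security-objective-availability>fips-199-moderate</security-objective-availability>
    </security-impact-level>
  </system-characteristics>
</system-security-plan>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without the XML namespace

def check_li_saas(ssp_xml, baseline_hint):
    """Return a list of findings; an empty list means all five rules hold.
    baseline_hint (hypothetical): substring the import-profile href must contain."""
    els = list(ET.fromstring(ssp_xml).iter())
    props = {(e.get("ns"), e.get("name")): e.get("value")
             for e in els if local(e) == "prop"}
    findings = []
    hrefs = [e.get("href", "") for e in els if local(e) == "import-profile"]
    if not any(baseline_hint in h for h in hrefs):
        findings.append("import-profile does not reference the LI-SaaS baseline")
    if props.get((None, "cloud-service-model")) != "saas":
        findings.append("cloud-service-model is not 'saas'")
    if props.get((FEDRAMP_NS, "authorization-type")) != "fedramp-li-saas":
        findings.append("authorization-type is not 'fedramp-li-saas'")
    levels = [(e.text or "").strip() for e in els
              if local(e) == "security-sensitivity-level"]
    if levels != [LOW]:
        findings.append("security-sensitivity-level is not 'fips-199-low'")
    impacts = [(e.text or "").strip() for e in els
               if local(e).startswith("security-objective-")]
    if len(impacts) != 3 or any(v != LOW for v in impacts):
        findings.append("a security impact level is not 'fips-199-low'")
    return findings

if __name__ == "__main__":
    print(check_li_saas(SAMPLE, "li-saas"))
```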

@aj-stein-gsa
Contributor

I am cool with this moving forward @Rene2mt, I moved it to ready state.

@Rene2mt Rene2mt self-assigned this Mar 11, 2025
@Rene2mt Rene2mt moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Mar 11, 2025
@Rene2mt Rene2mt moved this from 🏗 In progress to 👀 In review in FedRAMP Automation Mar 12, 2025
@aj-stein-gsa aj-stein-gsa moved this from 👀 In review to 🚢 Ready to Ship in FedRAMP Automation Mar 12, 2025