This repository was archived by the owner on Jul 1, 2025. It is now read-only.

implementation-status-has-remarks error triggering with proper structure #1200

@Telos-sa

Description


This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

Error from oscal-cli:

[ERROR] [/system-security-plan/control-implementation[1]/implemented-requirement[1]/statement[1]/by-component[1]/implementation-status[1]] implementation-status-has-remarks: In a FedRAMP SSP, each by-component that is not implemented MUST have remarks to provide context.

Corresponding section in our OSCAL SSP:

"by-components":[
    {
        "component-uuid":"13fb3c8f-f993-5a3c-b6db-711877b46434",
        "uuid":"2917dcc8-5e41-51d3-897d-a6d83f181800",
        "description":"Private Implementation details and description for the following control statement: AC-01.a",
        "set-parameters":[
            {
                "param-id":"ac-01_odp.01",
                "values":[
                    "Professors, Janitorial Staff, support Staff, and students"
                ]
            },
            {
                "param-id":"ac-01_odp.02",
                "values":[
                    "Professors, Janitorial Staff, support Staff, and students"
                ]
            },
            {
                "param-id":"ac-01_odp.03",
                "values":[
                    "Hogwarts groups, buildings, and all rooms, contents, dungeouns, and corridors"
                ]
            }
        ],
        "implementation-status":{
            "state":"partial"
        },
        "responsible-roles":[
            {
                "role-id":"system-owner",
                "party-uuids":[
                    "f481e7e9-4a56-5936-a196-7d30e34e7bcd"
                ]
            },
            {
                "role-id":"system-owner"
            }
        ],
        "remarks":"Here are the remarks for AC-01.a."
    }
]

This error is showing up despite the remarks section being included, and the OSCAL structure above conforms with the FedRAMP constraint:

    <context>
        <metapath target="/system-security-plan/control-implementation/implemented-requirement/statement/by-component"/>
        <constraints>
            <expect id="implementation-status-has-remarks" target="implementation-status[@state=('partial', 'planned', 'alternative', 'not-applicable' )]" test="exists(remarks)" level="ERROR">
                <formal-name>Implementation Status Has Remarks</formal-name>
                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#implementation-status"/>
                <message>In a FedRAMP SSP, each by-component that is not implemented MUST have remarks to provide context.</message>
            </expect>
        </constraints>
    </context>

Relevant log output

How do we replicate this issue?

  1. Validate an OSCAL SSP with a non-implemented control that has remarks in its by-component section.
  • I updated the OSCAL in the shared repository that generated this error

Where, exactly?

  • oscal-cli v2.4.0
  • OSCAL SSP v1.1.3
  • up-to-date FedRAMP constraints

Other relevant details

No response
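To make the quoted expect concrete, here is an added Python emulation of it (not the issue author's code and not oscal-cli). The expect's target is implementation-status, so its test exists(remarks) is resolved with that element as context; the script runs the check over a constructed by-component modelled on the one in the issue and again after the remarks are placed inside implementation-status. Assumed: the OSCAL JSON plural key names (implemented-requirements, statements, by-components) and the constructed SSP excerpt.

```python
import copy

# Constructed SSP excerpt modelled on the issue: "remarks" is a sibling of
# "implementation-status" rather than a child of it.
SSP_AS_FILED = {"system-security-plan": {"control-implementation": {
    "implemented-requirements": [{"control-id": "ac-1", "statements": [
        {"statement-id": "ac-1_smt.a", "by-components": [{
            "component-uuid": "13fb3c8f-f993-5a3c-b6db-711877b46434",
            "uuid": "2917dcc8-5e41-51d3-897d-a6d83f181800",
            "implementation-status": {"state": "partial"},
            "remarks": "Here are the remarks for AC-01.a."}]}]}]}}}

# States named in the expect's target predicate @state=('partial', ...).
NOT_IMPLEMENTED_STATES = {"partial", "planned", "alternative", "not-applicable"}


def by_components(ssp):
    """Walk the metapath context
    /system-security-plan/control-implementation/implemented-requirement/statement/by-component
    (OSCAL JSON uses plural array keys for these elements)."""
    ci = ssp["system-security-plan"]["control-implementation"]
    for req in ci.get("implemented-requirements", []):
        for stmt in req.get("statements", []):
            yield from stmt.get("by-components", [])


def implementation_status_has_remarks(ssp):
    """Emulate the expect: select implementation-status nodes whose state is in
    the predicate set, then evaluate exists(remarks) relative to each of them.
    Returns the uuids of by-components that would raise the ERROR."""
    findings = []
    for bc in by_components(ssp):
        status = bc.get("implementation-status")
        if status is None or status.get("state") not in NOT_IMPLEMENTED_STATES:
            continue  # target predicate not matched: constraint does not apply
        if "remarks" not in status:  # exists(remarks) with status as context
            findings.append(bc["uuid"])
    return findings


def remarks_inside_status(ssp):
    """Return a copy where each by-component's remarks sit inside
    implementation-status, the element the expect evaluates against."""
    fixed = copy.deepcopy(ssp)
    for bc in by_components(fixed):
        if "remarks" in bc and "implementation-status" in bc:
            bc["implementation-status"]["remarks"] = bc.pop("remarks")
    return fixed
```

Running implementation_status_has_remarks on SSP_AS_FILED reports the by-component; running it on remarks_inside_status(SSP_AS_FILED) reports nothing.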

Status

🚢 Ready to Ship

Relationships

None yet

Development

No branches or pull requests

Issue actions