OSCAL Compliance Notes¶
GovReady-Q supports OSCAL version 1.0.0 RC1 in the following scenarios:
Import of OSCAL components in JSON format
Export of OSCAL components in JSON format
Export of OSCAL SSP in JSON format
The OSCAL specification is complex and subject to change. Refer to this appendix for information on how GovReady-Q currently implements the OSCAL specificaiton.
OSCAL Component Implementation Notes¶
GovReady-Q will only import OSCAL component files that are valid according to the OSCAL version 1.0.0 RC1 schema.
When importing an OSCAL component, GovReady-Q expects to find the control statement narratives in OSCAL statement elements with a statement_id that refers to an element in the corresponding OSCAL catalog.
When exporting an OSCAL component, GovReady-Q emits the control statement narratives using OSCAL statement elements.
When importing and exporting OSCAL components, the source element contained within an control_implementation should be a catalog identifier, not a URI as per the OSCAL specification. This deficiency will be corrected in the future. Valid source identifiers include:
NIST_SP-800-53_rev4
NIST_SP-800-53_rev5
NIST_SP-800-171_rev1
OSCAL SSP Implementation Notes¶
To export OSCAL SSP in JSON format, you must use a Compliance App that includes the OSCAL SSP JSON output template. An OSCAL SSP JSON output template can be found in the included the General IT System ATO (v1.0.1) and the Lightweight_ATO_Template > light-ato-ssp (v0.2.9).
While the OSCAL SSP JSON that GovReady-Q produces is valid according to the OSCAL SSP JSON schema, many optional elements are currently omitted. The component and control implementations, including organizational parameters, are relatively complete, however.
The completeness and fidelity of the OSCAL SSP JSON representation will continue to improve over time.