From ef71276ca905cc85404078078e5eb5568cd6bb39 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Fri, 8 Nov 2024 19:05:06 -0500 Subject: [PATCH] Relax component protocol constraint for #1913 This change also relates to #1922. FedRAMP staff have analyzed the progression of this constraint as it pertains FedRAMP's tailored use of NIST SP 800-53 controls customized for FedRAMP processes. Previously, it was believed with a representation of a SSP prior to the "this-system" component construct that limiting the protocol assembly usage to _only_ components of service type was feasible. However, this does not allow homogenous this-system-based SSPs to have the same requirement. Moreover this limits the ability of understandbly different sub-component of components approaches with complex multi-layered architecture to have non-service components document their ports and have it filter up into later transformation and processing by OSCAL-enabled tools. For both reasons, we recommend removing this constraint. Staff reviewed historical documentation and believed this constraint to be an overreach of a previous business rule recommended by FedRAMP staff during collaboration with NIST. --- src/metaschema/oscal_component_metaschema.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index ac09a01c42..d9f3f6496c 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -232,8 +232,6 @@ &allowed-values-component_component_service; - -