Multiple Layers of Validation
There are several layers at which an OSCAL file can be considered valid. OSCAL-based FedRAMP files must be valid at all layers.
Layer | Description |
---|---|
Well-Formed | The XML or JSON file follows the rules defined for that format. Any tool that processes the format will recognize it as “well-formed,” which means the tool can proceed with processing the XML or JSON. XML: https://www.w3.org/TR/REC-xml/ JSON: https://json.org/ |
OSCAL Syntax | The XML or JSON file only uses names and values defined by OSCAL. OSCAL publishes schemas to verify syntax compliance based on the following standards: XML Syntax Validation: XML Schema Definition Language (XSD) 1.1 JSON Syntax Validation: JSON Schema, draft 07 |
OSCAL Content | For certain OSCAL fields, the OSCAL syntax validation tools also enforce content - allowing only a pre-defined set of values to be used in certain fields. For example, Within the SSP model, impact levels within the information type assemblies only allow the following values: fips-199-low , fips-199-moderate , and fips-199-high . Any other value will cause an error when validating the file. |
FedRAMP Syntax Extensions | OSCAL is designed to represent the commonality of most cybersecurity frameworks and provided the ability to extend the language for framework-specific needs. FedRAMP makes use of these extensions. OSCAL provides prop fields throughout most of its assemblies, always with a name , class , and ns (namespace) flag: <prop name="" class="" ns="">Data</prop> In the core OSCAL syntax, the ns flag is never used. Where FedRAMP extends OSCAL, the value for ns is always: http://fedramp.gov/ns/oscal (case sensitive). When ns="http://fedramp.gov/ns/oscal" the name flag is as defined by FedRAMP. If the class flag is present, that is also defined by FedRAMP. |
FedRAMP Content | Today, FedRAMP content is enforced programmatically. FedRAMP intends to publish automated validation rules, which may be adopted by tool developers to verify OSCAL-based FedRAMP content is acceptable before submission. Initial validation rules ensure a package has all required elements and will evolve to perform more detailed validation. Separate details will be published about this in the near future. |