Build resolved profiles of base FR tailoring catalog and workaround upstream content issue (#1228)

aj-stein-gsa · web-flow · commit da45cdcb3c67 · 2025-04-04T00:24:54.000-04:00
* Update valid example SSP to use local HIGH profile by path not URL * Workaround malformed upstream content per metaschema-framework/liboscal-java#144 An upstream bug fix to work around profile resolution failures from warning will come shortly. * Update Makefile to build resolved catalog of tailoring profile for debugging and general use
diff --git a/src/content/module.mk b/src/content/module.mk
@@ -39,6 +39,8 @@ build-content:
 	@echo "Producing artifacts for SAR..."
 	$(OSCAL_CLI) convert -f $(SRC_DIR)/content/rev5/templates/sar/xml -o $(DIST_DIR)/content/rev5/templates/sar -s
 
+	@echo "Resolving FedRAMP tailoring catalog ..."
+	$(OSCAL_CLI) resolve -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_catalog_tailoring_profile.xml -o $(XML_DIR)/FedRAMP_rev5_catalog_tailoring-resolved-profile_catalog.xml -s	
 	@echo "Resolving FedRAMP HIGH baseline profile..."
 	$(OSCAL_CLI) resolve -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml -o $(XML_DIR)/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml -s
 	@echo "Resolving FedRAMP MODERATE baseline profile..."
diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_catalog_tailoring_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_catalog_tailoring_profile.xml
@@ -6405,6 +6405,20 @@
 				<prop ns="http://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
 			</add>
 		</alter>
+		<alter control-id="pe-6.2">
+			<!-- See upstream bug report usnistgov/OSCAL#ABCD why FedRAMP strips the anchor tag to an adjacent parameter. -->
+			<remove by-id="pe-06.02_odp.03"/>
+			<add position="after" by-id="pe-06.02_odp.02">
+				<param id="pe-06.02_odp.03">
+					<prop name="alt-identifier" ns="http://csrc.nist.gov/ns/oscal" value="pe-6.2_prm_3"/>
+					<prop name="label" ns="http://csrc.nist.gov/ns/oscal" value="PE-06(02)_ODP[03]" class="sp800-53a"/>
+					<label>automated mechanisms</label>
+					<guideline>
+						<p>automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined;</p>
+					</guideline>
+				</param>			
+			</add>
+		</alter>
 		<alter control-id="pe-6.4">
 			<add position="starting" by-id="pe-6.4_obj">
 				<prop ns="http://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
@@ -9005,7 +9019,7 @@
 			<add position="after" by-id="sc-13_gdn">
 				<part id="sc-13_fr" name="item" ns="http://fedramp.gov/ns/oscal">
 					<title>SC-13 Additional FedRAMP Requirements and Guidance</title>
-
+					
 					<part id="sc-13_fr_gdn.1" name="guidance" ns="http://fedramp.gov/ns/oscal">
 						<prop name="label" value="Guidance:"/>
 						<p>This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:</p>
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -564,10 +564,9 @@
     </responsible-party>
   </metadata>
   <import-profile
-    href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/develop/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml">
+    href="../../../baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml">
     <remarks>
-      <p>This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official
-        FedRAMP 3.0.0 release.</p>
+      <p>This example points to the FedRAMP Rev 5 HIGH baseline that is part of the official FedRAMP 3.0.0 release.</p>
       <p>Must adjust accordingly for applicable baseline and revision.</p>
     </remarks>
   </import-profile>
