GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

FedRAMP SSP Guide - Section 4.9 and Section 7.3.2 compared (rev 5 compared to Rev 4) #495

Open Telos-sa opened 9 months ago

Telos-sa commented 9 months ago

Describe the bug

In the rev 4 documentation, the tag "used-by" in component type "service" was a prop.

In Rev 5, in section 4.9 the tag is now part of the link, but in section 7.3.2 it is a prop.

Please provide guidance on what this should be. Is it a locally defined prop, as it was in Rev 4, or is it now the link, as defined by NIST?


Who is the bug affecting?

Anyone attempting to upgrade their submission package from rev 4 to rev 5 who was using the prop as defined by FedRAMP in rev 4.

What version of OSCAL are you using? (Check our info on supported OSCAL versions)

1.1.0. Attempting to do Rev 5.

Expected behavior (i.e. solution)

Please provide guidance on what the expected behavior is, and what the schematron is checking for, since the documentation is inconsistent.

Rene2mt commented 8 months ago

For rev5, FedRAMP has aligned with NIST which states:

When defining a service component where a relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Section 7.3.2 of the rev 5 SSP guide will be updated.
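
A migration check for the change discussed in this thread, as an added example that is not part of the issue or of the FedRAMP tooling: it flags service components in an OSCAL SSP (JSON) that still carry a `used-by` prop and verifies that `used-by` / `provided-by` links point at a component defined in the same file. The sample document, its UUIDs, the prop value and the `#<uuid>` fragment form of `href` are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed OSCAL SSP fragment. UUIDs, titles and the
# prop value are made up; only the field names follow the OSCAL JSON format.
SAMPLE_SSP = json.loads("""
{"system-security-plan": {"system-implementation": {"components": [
  {"uuid": "11111111-1111-4111-8111-111111111111", "type": "this-system",
   "title": "This System"},
  {"uuid": "22222222-2222-4222-8222-222222222222", "type": "service",
   "title": "Service using the prop form",
   "props": [{"name": "used-by", "value": "This System"}]},
  {"uuid": "33333333-3333-4333-8333-333333333333", "type": "service",
   "title": "Service using the link form",
   "links": [{"rel": "used-by",
              "href": "#11111111-1111-4111-8111-111111111111"}]},
  {"uuid": "44444444-4444-4444-8444-444444444444", "type": "service",
   "title": "Service with a dangling link",
   "links": [{"rel": "provided-by",
              "href": "#99999999-9999-4999-8999-999999999999"}]}
]}}}
""")

LEGACY_PROP = "used-by"                  # prop form raised in the issue
LINK_RELS = {"used-by", "provided-by"}   # rel values named in the NIST text

def audit_service_relationships(ssp):
    """Return (component uuid, finding) pairs for service components."""
    impl = ssp["system-security-plan"]["system-implementation"]
    components = impl.get("components", [])
    known = {c["uuid"] for c in components}
    findings = []
    for comp in components:
        if comp.get("type") != "service":
            continue
        for prop in comp.get("props", []):
            if prop.get("name") == LEGACY_PROP:
                findings.append((comp["uuid"], "used-by is a prop; express it as a link"))
        for link in comp.get("links", []):
            if link.get("rel") not in LINK_RELS:
                continue
            href = link.get("href", "")
            # Assumption: components are referenced as a "#<uuid>" fragment.
            if not href.startswith("#") or href[1:] not in known:
                findings.append((comp["uuid"], f"{link['rel']} link does not resolve: {href}"))
    return findings

if __name__ == "__main__":
    for uuid, finding in audit_service_relationships(SAMPLE_SSP):
        print(uuid, finding)
```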