
As a user I want to validate Fedramp conformance objectives, from trestle, using fedramp automation code. #249

Closed
butler54 opened this issue Dec 4, 2020 · 3 comments
Assignees
Labels
core Relates to the foundation of trestle
Milestone

Comments

@butler54
Collaborator

butler54 commented Dec 4, 2020

Issue description / feature objectives

The FedRAMP automation team are building an automation workflow, using primarily XSLTs, to evaluate whether an SSP meets the conformance criteria (here: https://github.com/GSA/fedramp-automation).

The current approach with XSLT uses XSLT 3.0, which has a very limited number of implementations (primarily Saxon and the C bindings). This approach is also taken by the OSCAL team and limits applicability (although we may be able to use a Python binding to this in the future).

@ohsh6o and team have built scripts to wrap downloading the required code and validating the artifacts. Given this, the approach for trestle would be:

Given Saxon's Java dependencies, the issue is packaging, particularly for those using pip or similar. So the proposal below is effectively a very ad-hoc integration for now. Improvements can be made if we constrain the code to run only in the CI/CD pipeline.

  1. Build a validator that wraps the FedRAMP validators as completely runtime dependencies for now (e.g. it either git clones or similar into the local trestle directory).

    • Suggestion would be to wrap inside of the .trestle directory to ensure there is no contamination of the system path.
  2. From trestle, call the scripts to download the copies of Saxon etc., set up a local environment and run.

    • Note at this stage this is most likely platform specific (e.g. POSIX systems); we will need to check for Windows.
  3. Execute validation, report back status to trestle and clean up temporary staging files.

Additional notes:

  • Given this approach we can probably re-use this for doing XML to JSON conversions of OSCAL artifacts; however, I believe this current workflow is the priority.
  • We will need to identify how to execute platform specific tests in pytest.

Completion Criteria

  • FedRAMP validation can occur for an SSP (and only an SSP).
  • Can execute on at least macOS and Linux (potentially Windows).
  • Unit testing where possible
  • Thorough documentation to allow those running in a non-internet facing environment to be able to replicate.
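The three-step wrapper above (stage the downloaded tooling under .trestle, run the validator in a local environment, report status back and clean up), written out as an added example in the shape the issue sketches. This is not trestle's or fedramp-automation's code. Assumptions not on the page: the validator is any command that exits 0 on pass and writes a report file; a small stand-in Python command is used in place of Saxon/XSLT so the example runs offline; the SHA-256 pin for the downloaded artifact is supplied by the caller (in practice from a known-good source, not from the download itself), which is the check a practitioner would want before executing anything that was git-cloned or fetched at runtime.

```python
"""Ad-hoc FedRAMP validation wrapper in the shape sketched by the issue.

Added example, not trestle or fedramp-automation code. Assumptions that are
not on the page: the validator is any command that exits 0 on pass and writes
a report file; STAND_IN_VALIDATOR replaces Saxon/XSLT so this runs offline;
the artifact hash pin comes from the caller.
"""
import hashlib
import os
import platform
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

SUPPORTED_SYSTEMS = {"Linux", "Darwin"}  # Windows still to be checked (per the issue)

# Stand-in for "download Saxon and run the XSLT": a constructed check that only
# looks for the OSCAL SSP root element name in the file. Not the real validator.
STAND_IN_VALIDATOR = [
    sys.executable, "-c",
    "import sys; ssp, report = sys.argv[1], sys.argv[2]\n"
    "ok = 'system-security-plan' in open(ssp, encoding='utf-8').read()\n"
    "open(report, 'w').write('PASS' if ok else 'FAIL: not an SSP')\n"
    "sys.exit(0 if ok else 1)",
]


def check_platform(system=None):
    """Step 2 caveat: refuse to run on platforms the scripts have not been checked on."""
    return (system or platform.system()) in SUPPORTED_SYSTEMS


def staging_dir(trestle_root):
    """Step 1: all downloaded tooling lives under .trestle/, nothing on the system path."""
    staging = Path(trestle_root) / ".trestle" / "fedramp-validation"
    staging.mkdir(parents=True, exist_ok=True)
    return staging


def verify_artifact(path, pinned_sha256):
    """Refuse to execute a fetched artifact whose hash does not match the caller's pin."""
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return digest == pinned_sha256


def validate_ssp(trestle_root, ssp_path, artifact, pinned_sha256, validator_cmd, system=None):
    """Steps 1-3: stage, verify, run the validator, report status, clean up."""
    if not check_platform(system):
        return {"status": "unsupported-platform", "returncode": None, "output": ""}
    staging = staging_dir(trestle_root)
    if not verify_artifact(artifact, pinned_sha256):
        return {"status": "artifact-mismatch", "returncode": None, "output": ""}
    work = Path(tempfile.mkdtemp(prefix="run-", dir=staging))  # per-run scratch area
    try:
        report = work / "report.txt"
        cmd = list(validator_cmd) + [str(Path(ssp_path).resolve()), str(report)]
        # Tools under the staging dir are found first; nothing is installed system-wide.
        env = {**os.environ, "PATH": str(staging) + os.pathsep + os.environ.get("PATH", "")}
        proc = subprocess.run(cmd, env=env, cwd=work, capture_output=True, text=True, timeout=300)
        output = report.read_text() if report.exists() else proc.stdout
        status = "pass" if proc.returncode == 0 else "fail"
        return {"status": status, "returncode": proc.returncode, "output": output.strip()}
    finally:
        shutil.rmtree(work, ignore_errors=True)  # step 3: remove temporary staging files


def demo():
    """Run the wrapper on constructed inputs under a throwaway root and return the results."""
    root = Path(tempfile.mkdtemp(prefix="trestle-demo-"))
    ssp = root / "ssp.xml"  # constructed minimal OSCAL SSP, not a real one
    ssp.write_text('<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"/>')
    artifact = root / "validator-bundle.bin"  # stands in for a downloaded Saxon/XSLT bundle
    artifact.write_bytes(b"constructed bundle contents")
    # Hashing the download itself is only for the demo; a real pin is recorded from a known-good copy.
    pin = hashlib.sha256(artifact.read_bytes()).hexdigest()
    passed = validate_ssp(root, ssp, artifact, pin, STAND_IN_VALIDATOR, system="Linux")
    mismatch = validate_ssp(root, ssp, artifact, "0" * 64, STAND_IN_VALIDATOR, system="Linux")
    unsupported = validate_ssp(root, ssp, artifact, pin, STAND_IN_VALIDATOR, system="Windows")
    leftovers = [p.name for p in staging_dir(root).iterdir() if p.name.startswith("run-")]
    return {"passed": passed, "mismatch": mismatch, "unsupported": unsupported, "leftovers": leftovers}


if __name__ == "__main__":
    print(demo())
```

The hash pin matters more than it looks: the issue's design clones or downloads the validator at runtime, so without a pinned commit or artifact digest, whatever is served at that moment is what gets executed inside the pipeline. The cleanup in `finally` runs whether the validator passes, fails or times out, so a failed run does not leave fetched tooling behind in .trestle.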
@ohsh6o

ohsh6o commented Dec 4, 2020

Quick heads up, before others work on this: we are working with the FedRAMP Team as part of our 10x work, but not directly on their upstream repo.

In the interim, we are working with that team from our fork within the GSA TTS 18F org on GitHub. The intent is to merge the code back upstream while working with Brian and his team, but we are not quite there yet as of this week. Just a quick FYI to you and your team, because if they look at upstream GSA, they won't find anything at this time.

@butler54
Collaborator Author

butler54 commented Dec 8, 2021

@vikas-agarwal76 I think we can call this one done?

@vikas-agarwal76
Member

First version of FedRAMP validation is done as per XSLT.
