/system-security-plan/system-implementation/users is not optional #2108

Open
@aj-stein-gsa

Description

Describe the bug

In the current latest release of the OSCAL models (v1.1.3), the cardinality for /system-security-plan/system-implementation/users is minimum 1 to many (unbounded). FedRAMP engineers have done applied modeling work and requirements analysis with our review staff, and there are some scenarios where currently //users are not known or systems will never have conditions that require user declarations in all scenarios. Previous recommendations appear to have been from ambiguity in modeling requirements that are more clear now on the FedRAMP side (prior to my current tenure here or before my performance as a contractor), but now it is clear they are not always mandatory.

We would recommend the minimum cardinality be set to 0, thereby making //users optional in the SSP model.

Who is the bug affecting

This bug affects engineers using OSCAL data to describe systems and developers of OSCAL-enabled tooling who want to describe systems without an explicit definition of users in a snapshot in time or the full lifecycle of a given information system described in the SSP.

What is affected by this bug

Metaschema, Modeling

How do we replicate this issue

  1. Create a model SSP without //users.
  2. Run schema validation.
  3. Observe schema validation errors because at least one user assembly is not defined in the SSP.

Expected behavior (i.e. solution)

  1. An engineer can manually encode an OSCAL SSP or use OSCAL-enabled tooling to generate one without a user assembly, thereby making it optional.

Other comments

More context on recent FedRAMP engineers' analysis that led to this recommendation can be found in GSA/fedramp-automation#902.

Revisions

No response
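To make the replication steps concrete, here is an added Python check (not OSCAL project code) that walks a constructed minimal SSP in the OSCAL JSON layout and applies the //users minimum-occurrence rule first with the current value (1) and then with the recommended value (0). The document contents, the placeholder UUIDs and the requirement that each user carry a uuid are assumptions for illustration only.

```python
import copy
from typing import Any, Dict, List

USERS_PATH = "/system-security-plan/system-implementation/users"

# Constructed minimal SSP in the OSCAL JSON layout (not from the issue);
# the components entry is included only because a system-implementation
# is assumed to need at least one component.
SSP_WITHOUT_USERS: Dict[str, Any] = {
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "system-implementation": {
            "components": [
                {"uuid": "00000000-0000-4000-8000-000000000002",
                 "type": "this-system", "title": "Constructed system",
                 "description": "Placeholder component."}
            ]
        },
    }
}

# Same constructed document with a single user assembly declared.
SSP_WITH_ONE_USER: Dict[str, Any] = copy.deepcopy(SSP_WITHOUT_USERS)
SSP_WITH_ONE_USER["system-security-plan"]["system-implementation"]["users"] = [
    {"uuid": "00000000-0000-4000-8000-000000000003",
     "title": "System administrator"}
]


def check_users_cardinality(ssp: Dict[str, Any], min_occurs: int = 1) -> List[str]:
    """Return cardinality findings for //users; an empty list means valid.

    min_occurs=1 mirrors the v1.1.3 behaviour the issue reports;
    min_occurs=0 is the change the issue recommends.
    """
    findings: List[str] = []
    impl = ssp.get("system-security-plan", {}).get("system-implementation")
    if not isinstance(impl, dict):
        return ["/system-security-plan/system-implementation is missing"]
    users = impl.get("users", [])  # an absent assembly counts as zero users
    if not isinstance(users, list):
        return [f"{USERS_PATH} must be an array"]
    if len(users) < min_occurs:
        findings.append(f"{USERS_PATH}: found {len(users)} user(s), minimum is {min_occurs}")
    for i, user in enumerate(users):  # assumed: every user assembly needs a uuid
        if not isinstance(user, dict) or "uuid" not in user:
            findings.append(f"{USERS_PATH}/{i}: user is missing required uuid")
    return findings


if __name__ == "__main__":
    print("v1.1.3 (min 1):", check_users_cardinality(SSP_WITHOUT_USERS))
    print("recommended (min 0):", check_users_cardinality(SSP_WITHOUT_USERS, min_occurs=0))
```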
