Use other security categorization frameworks besides FIPS 199 in an SSP #1795

@RS-Credentive

User Story

As a system owner, I should be able to define the security characteristics of my system in frameworks other than FIPS-199. For example, suppose I am operating a Certificate Authority under the Federal PKI. In that case, I will identify the Certificate Policies contained in the certificates that my CA will issue, identifying the controls that apply to my system.

Goals

I would like to extend my system security plan's Security Sensitivity Level and Security Impact Level to reference other security frameworks or define a new child element of the System-Characteristics element to define an alternative categorization model.

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
  • The OSCAL validation tool can successfully validate an SSP that doesn't contain fips-199 impact levels under system characteristics.

Revisions

No response

Status

Done
