This repository was archived by the owner on Jul 1, 2025. It is now read-only.

Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

@aj-stein-gsa

Description

User Story

As a security practitioner using OSCAL-enabled tools, or a software developer who programs them, in order to be sure I give required information in accordance with government, GSA, and FedRAMP policies with sufficient clarity and the most minimal risk, I would like clear documentation as to whether FedRAMP's requirements around OSCAL for contact information and party for certain parties and roles in a Digital Authorization Package are PII or not.

Goals

  • Clarify how FedRAMP's use of OSCAL requires, in some cases, collecting information about persons, but that this information is not PII.
  • Provide reference information to the OMB policy, OMB M-07-16, and in particular footnote 6 on page 1, explaining how GSA complies with this OMB policy and how OSCAL must reflect that.

Dependencies

N/A

Acceptance Criteria

  • A PR to the website with an informational or warning modal box explaining the rolodex exception and linking to OMB M-07-16.

Other information

No response

Metadata
Assignees

No one assigned

Labels

documentation (Improvements or additions to documentation)
