Gap
data/frameworks/fedramp.json declares only scoring.profiles (Low / Moderate / High baselines). FedRAMP r5 is built on NIST 800-53 r5 and uses the same 20 control families (AC, AU, IA, …) as controlId prefixes. None are declared in CheckID. Downstream consumers (M365-Assess #843) regex them out of controlId strings.
Families to declare
Identical to NIST 800-53 r5 (#319). Same 20 codes, same display names, same extraction strategy. The values map can be shared/imported from nist-800-53-r5.json once #319 lands — or duplicated for now.
Extraction
Same as 800-53: 2-letter family code + - (e.g. AC-1, IA-5(7)). Strategy: letter-prefix-before-dash.
Acceptance criteria
Blocked by
Spike #317. Likely lands in the same PR as #319 since the data is identical.
Related
#319 (NIST 800-53 r5).
Gap
data/frameworks/fedramp.jsondeclares onlyscoring.profiles(Low / Moderate / High baselines). FedRAMP r5 is built on NIST 800-53 r5 and uses the same 20 control families (AC,AU,IA, …) as controlId prefixes. None are declared in CheckID. Downstream consumers (M365-Assess #843) regex them out ofcontrolIdstrings.Families to declare
Identical to NIST 800-53 r5 (#319). Same 20 codes, same display names, same extraction strategy. The values map can be shared/imported from
nist-800-53-r5.jsononce #319 lands — or duplicated for now.Extraction
Same as 800-53: 2-letter family code +
-(e.g.AC-1,IA-5(7)). Strategy:letter-prefix-before-dash.Acceptance criteria
data/frameworks/fedramp.jsondeclares the family axis per agreed shapenist-800-53-r5.json(or references it, if the schema supports cross-framework references)data/registry.jsonresolves to a declared familyscoring.profiles(Low/Mod/High) coexists with the new axis (or migrates tobaselineper spike outcome)Blocked by
Spike #317. Likely lands in the same PR as #319 since the data is identical.
Related
#319 (NIST 800-53 r5).