Resolved profile catalogs generate validation errors

[Rene2mt]

This relates to ...

• the FedRAMP OSCAL Registry
• the FedRAMP OSCAL baselines
• the Guide to OSCAL-based FedRAMP Content
• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP SAP OSCAL Template (JSON or XML Format)
• the FedRAMP SAR OSCAL Template (JSON or XML Format)
• the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

What happened?

It turns out that when generating resolved profile catalogs (e.g., using the OSCAL CLI) from the FedRAMP profiles, the resulting resolved profile catalogs fail validation because:

1. there are a few instances where the profiles add a part with a duplicate ID
2. there are numerous instances where the profiles add a part with name="guidance", however, because the profile alterations do not specify the namespace, the resulting resolved profile catalogs fail validation since 'guidance' doesn't match one of 'assessment-objective, item, or objective' for core OSCAL catalog parts.

NOTE - The same issues are present in the HIGH, MODERATE, LOW, and LI-SAAS baselines

Relevant log output

How do we replicate this issue?

1. Take one of the published FedRAMP profiles from the master or develop branch
2. Using OSCAL CLI (v2.4.0), use the following command to resolve the profile:

oscal-cli resolve-profile --to=XML https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml FedRAMP_rev5_High_RPC.xml

3. Using OSCAL CLI (v2.4.0), use the following command to validate the profile:

oscal-cli validate FedRAMP_rev5_High_RPC.xml

Where, exactly?

Fixes only need to be made to the XML profiles, and will cascade to the all formats (XML, JSON, and YAML) during CI profile resolution and conversion.

Other relevant details

No response