Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

aj-stein-gsa · 2025-01-25T03:26:46Z

User Story

As a security practicioner using OSCAL-enabled tools or software developer that programs them, in order to be sure I give required information in accordance with government, GSA, and FedRAMP policies with sufficient clarity and the most minimal risk, I would like clear documentation as to whether FedRAMP's requirements around OSCAL for contact information and party for certain parties and roles in a Digital Authorization Package are PII or not.

Goals

Clarify how FedRAMP use of OSCAL requires, in some cases, collection information about persons, but it is not PII.
Provide reference information to the OMB policy, OMB M-07-16, and in particular footnote 6 on page 1, explaining how GSA complies with this OMB policy and OSCAL must reflect that

Dependencies

N/A

Acceptance Criteria

A PR to the website with an informational or warning modal box explaining the rolodex exception and linking to OMB M-07-16.

Other information

No response

aj-stein-gsa added the documentation Improvements or additions to documentation label Jan 25, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

aj-stein-gsa commented Jan 25, 2025

Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

Clarify OMB M-07-16 and relevance to PII "rolodex" exception for business contact info in party/role bindings #155

Comments

aj-stein-gsa commented Jan 25, 2025

User Story

Goals

Dependencies

Acceptance Criteria

Other information