diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index b4cd704d0..b8dbe220c 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -12,6 +12,8 @@ Examples: | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | +| ../../../content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | + @full-coverage Scenario: Preparing constraint coverage analysis diff --git a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml index 9da0b5937..6f3b24487 100644 --- a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml +++ b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml @@ -146,25 +146,37 @@ - + +

+ - + +

+ - + +

+ - + +

+ - + +

+ - + +

+ @@ -272,7 +284,9 @@ The AwesomeCloud Software as a Service (SaaS) Solution - + +

+ @@ -659,7 +673,9 @@ - + +

+ @@ -737,19 +753,25 @@ Authorization Boundary Diagram - + +

+ Network Architecture Diagram - + +

+ Data Flow Diagram - + +

+ diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md new file mode 100644 index 000000000..956fadb5b --- /dev/null +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md @@ -0,0 +1,140 @@ +# UUIDs for Examples + +Example content with UUIDs can be difficult to follow due to the long, intentionally-random naure of UUIDs. It is possible to craft UUID values that are treated as valid by OSCAL validation tools, yet are easier to follow for developers. + +# Example UUID Format + +OSCAL allows v4 or v5 UUIDs as defined in [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122). +Please note that UUID values are hexidecimal. Any digit may contain the numbers 0 - 9 and the lower-case letters a - f. + +The format used for examples is v4 compliant as follows: + +``` +00000000-0000-4000-8000-FFF0TTT00### + FILE MODEL ^ ^ FIELD SEQUENCE +``` + +**FILE**: The first grouping represents the OSCAL file. All digits are the same. +- If an example involves the SSP of two systems, the first system's SSP will use UUID values that starts with all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the second system will use UUID values that start with all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`) +- If an example involves a catalog and a profile, the catalog will use all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the prifle will use all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`). + + +**MODEL**: The second group of characters represents the model as follows: +- The values are as follows: + - `0000`: Catalog + - `1111`: Profile + - `2222`: SSP + - `3333`: Component Definition + - `4444`: SAP + - `5555`: SAR + - `6666`: POA&M +- - If an example involves the SSP of two systems, both SSPs will use UUID values that have all 2's in the second grouping (`11111111-2222-4000-8000-xxxxxxxxxxxx` and `22222222-2222-4000-8000-xxxxxxxxxxxx`) + + +**^**: indicates a UUID v4 required digit. +- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. +- The first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. +- We will always use `4000` for the third grouping. +- We will always use `8000` for the forth grouping. + + +**FIELD**: `FFF`: Indicates the OSCAL field name associated with the UUID + +**Metadata and Back Matter** +- `-0000`=root +- `-0010`=resource +- `-0020`=prop +- `-0030`=location +- `-0040`=party +- `-0050`=action + +**SSP** +- `-0060`=information-type +- `-0070`=diagram +- `-0080`=user +- `-0090`=component +- `-0100`=protocol +- `-0110`=inventory-item +- `-0120####`=implemented-requirement +- `-0120cccc##`=statement +- `-0120ccccss##`=by-component +- `-0130cccc01xx`=provided +- `-0130cccc02xx`=responsibility +- `-0140cccc01xx`=inherited +- `-0140cccc02xx`=satisfied +- `-0190`=leveraged-authorization + +_Fields for other models to be added as we work with those models._ + + +- `TT`: Used to further distinguish a field that can have multiple types. It is optional and may be difficult to manage. Only use when this clarity is helpful or necessary. + +**Component Types** (`TT`) +- `0000`=This System +- `0010`=System +- `0020`=Interconnection +- `0030`=Software +- `0040`=Hardware +- `0050`=Service +- `0060`=Policy +- `0070`=Physical +- `0080`=Process/Procedure +- `0090`=Plan +- `0100`=Guidance +- `0110`=Standard +- `0120`=Validation +- `0130`=Network +- `0140`=Connection + +**Enumeration** +- `0###`: A simple sequence number. (`001`, `002`, through `fff`) +- Start a new sequence for each system/model/field. + + +# Examples: + +### "This System" + +Always `11111111-2222-4000-8000-009000000000` in its SSP. + + +### Resource UUIDs + +All parties in example SSP content use: +- `11111111-2222-4000-8001-001000000###`, where the first resource is `11111111-2222-4000-8001-001000000001`, the second party is `11111111-2222-4000-8001-001000000002`, etc. + + +Backmatter resources in an SSP will always appear as: +- `11111111-2222-4000-8001-001000000###` + +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-0010` indicates it is for a resource. +- The final three digits are assigned in sequence to each resource. + +### Parties + +All parties in example SSP content use: +- `11111111-2222-4000-8001-004000000###`, where the first party is `11111111-2222-4000-8001-004000000001`, the second party is `-004000000002`, etc. + +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `0040` indicates it is for a party. +- The final three digits are assigned in sequence to each party. + +### Components + +All components in example SSP content use: +- `11111111-2222-4000-8001-0090TTT00###`, where the first resource is `11111111-2222-4000-8001-009000800001`, the second resource is `11111111-2222-4000-8001-009001200002`, etc. + +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-00900120` indicates it is for a component of type `validation`. +- `-00900080` indicates it is for a component of type `process-procedure` +- The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. + + + diff --git a/src/content/rev5/examples/ssp/xml/.gitignore b/src/content/rev5/examples/ssp/xml/.gitignore new file mode 100644 index 000000000..48db62d38 --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/.gitignore @@ -0,0 +1,2 @@ +*.sh +*.sarif diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml new file mode 100644 index 000000000..72d2928e9 --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -0,0 +1,3752 @@ + + + + + [EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.3 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+ + + + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+ + + + + + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

+ + + + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

+ + + + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+ + + + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+ + + + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to + this system.

+ + + + Authorizing Official + +

The individual or individuals who must grant this system an authorization to + operate.

+ + + + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+ + + + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the + System Owner.

+ + + + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+ + + + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+ + + + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the + system owner.

+ + + + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

+ + + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+ + +

Remove this role if there are no ICAs.

+ + + + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to + which this system connects.

+ + +

Remove this role if there are no ICAs.

+ + + + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this + system.

+ + +

Remove this role if there are no ICAs.

+ + + + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

+ + +

Remove this role if there are no ICAs.

+ + + + Consultant + +

Any consultants involved with developing or maintaining this content.

+ + + + Customer + +

Represents any customers of this system as may be necessary for assigning customer + responsibility.

+ + + + Provider + +

The provider of a leveraged system, external service, API, CLI.

+ + + + [SAMPLE]Unix Administrator + +

This is a sample role.

+ + + + [SAMPLE]Client Administrator + +

This is a sample role.

+ + + + External System Owner + +

The owner of an external system.

+ + + + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

+ + + + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external + system.

+ + + + Approver + +

An internal approving authority.

+ + + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

+ + + + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+ + + + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+ + + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

+ + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

+ + + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

+ + + + + External Organization + External + +

Generic placeholder for any external organization.

+ + + + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+ + + + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+ + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+ + + + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000004 + + + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 + + + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

Zero or more

+ + + + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+ + + + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

One or more

+ + + + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+ + + + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

One or more

+ + + + 11111111-2222-4000-8000-004000000012 + +

Exactly one

+ + + + 11111111-2222-4000-8000-004000000013 + +

Exactly one

+ + + + + 11111111-2222-4000-8000-004000000014 + +

Exactly one

+ + + + 11111111-2222-4000-8000-004000000015 + +

Exactly one

+ + + + 11111111-2222-4000-8000-004000000016 + +

Exactly one

+
    +
  • testtest

    hello

    • +
+ + + + + + + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+ + + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+ + + + +

Remarks are required if service model is "other". Optional otherwise.

+ + + + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+ + + + + + + + + + + + + fips-199-high + + + + + Information Type Name + +

A description of the information.

+ + + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + + Information Type Name + +

A description of the information.

+ + + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-high + +

Required if the base and selected values do not match.

+ + + + + Information Type Name + +

A description of the information.

+ + + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+ + + + + + + + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+ + + + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+ + + + +

A diagram-specific explanation.

+ + + Authorization Boundary Diagram + + + + + +

A holistic, top-level explanation of the network architecture.

+ + + + +

A diagram-specific explanation.

+ + + Network Diagram + + + + + +

A holistic, top-level explanation of the system's data flows.

+ + + + +

A diagram-specific explanation.

+ + + Data Flow Diagram + + + + + + + + + + + AwesomeCloud Commercial(IaaS) + + + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+ + + + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+ + + + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

+ + + + + + + none + + +

The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

+ + + + + + Add/Remove Admins + This can add and remove admins. + + + + + + + add/remove non-privliged admins + + + + + + + Manage services and components within the virtual cloud environment. + + + + + + + Add and remove users from the virtual cloud environment. + + + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+ + + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+ + + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+ + + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+ + + + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
    • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
    • +
  • an "implementation-point" core property with a value of "external"
    • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
    • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
    • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
    • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
    • +
  • a status with a state value of "operational"
    • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
    • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
    • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+ +

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
    • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
    • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
    • +
+ +

Both authorized and non-authorized leveraged services include:

+
    +
  • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")
    • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
    • +
  • an "implementation-point" core property with a value of "external"
    • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
    • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
    • +
  • a status with a state value of "operational"
    • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
    • +
+ +

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+ + + + + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+ + + + + + + + + + + + 11111111-2222-4000-8000-004000000008 + + +

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
    • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
    • +
  • an "implementation-point" property with a value of "external"; and
    • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
    • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
    • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
    • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
    • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
    • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+ + + + + + + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + +

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
    • +
  • an "implementation-point" property with a value of "external"; and
    • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
    • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
    • + + +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

+

+ +

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
    • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
    • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
    • +
+

+ +

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+ + + + + + + Other Cloud SaaS + +

An external system to which this system shares an interconnection.

+ + + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • a "system" component (this component)
    • +
  • an "interconnection" component
    • +
+

Each "system" component must have:

+
    +
  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
    • +
  • an "implementation-point" property with a value of "external"
    • +
  • a "status" field with a state value of "operational"
    • +
  • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
    • +
+ +

While not required, each "system" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
    • +
  • a "compliance" property/extension if appropriate
    • +
  • an "authorizing-official" responsible-role
    • +
  • an "system-owner" responsible-role
    • +
  • an "system-poc-management" responsible-role
    • +
  • an "system-poc-technical" responsible-role
    • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

+ + + + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + + + + + + +

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+ + + + + + + + + + + + + ISA + + + UUID of "this system" or a component within this system's boundary + + + UUID of remote system + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • one "system" component for each remote system sharing the connection
    • +
  • an "interconnection" component (this component)
    • +
+

Each "interconnection" component must have:

+
    +
  • an "implementation-point" property with a value of "external"
    • +
  • a "status" field with a state value of "operational"
    • +
  • a "nature-of-agreement" property/extension
    • +
  • one or more "authentication-method" properties/extensions.
    • +
  • a "hosting-environment" proptery/extension
    • +
  • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
    • +
  • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
    • +
  • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
    • +
  • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
    • +
  • exactly one "used-by" link with an href value that refers to the "this-system" component.
    • +
  • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
    • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • + +
  • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
    • +
+

Authentication methods must address both system-authentication as well as + user authentication mechanisms.

+

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+

If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

+

+

While not required, each "interconnection" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
    • +
  • a "compliance" property/extension if appropriate
    • +
  • an "system-poc-management" responsible-role
    • +
  • an "system-poc-technical" responsible-role
    • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

+ + + + + + + Other Cloud SaaS + +

+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+ + + + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+ + + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+ + + + + + + + 11111111-2222-4000-8000-c0040000000a + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + + + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+
    +
  • a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).
    • +
  • a "service" component (this component).
    • +
+

+

This component must always have:

+
    +
  • The name of the service in the title - preferably exactly as it appears on the + vendor's web site
    • +
  • An "implementation-point" property with a value of "external".
    • +
  • A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.
    • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • +
  • a status with a state value of "operational"
    • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
    • +
  • A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
    • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
    • +
  • Link(s) to the vendor's web site describing the service are encouraged, but not + required.
    • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization + must NOT have the "leveraged-authorization-uuid" property. The presence + or absence of this property is how the authorization status of a service is indicated.

+ + + + + + + Undetermined External API Clients + +

This component represents any of the public API clients that may + access this systems'API service.

+ + + + + + + + +

When an API service is offered to a large community, this one component + bay be used to represent the collection of API clients that may connect + from that community. This must have:

+
    +
  • a component type set to "external-client"
    • +
  • an "implementation-point" property set to "external"
    • +
  • one or more responsible roles should be defined representing + the community of potential API client users. If the servvice + is open to the public, use the "public" responsible-role ID.
    • +
+ + + + + API Service + +

A service offered by this system to external systems, such as an API. + As a result, communication crosses the boundary.

+

Describe the service and what it is used for.

+ + + + + + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + +

Terms of Use

+ + + + + +

Explain why authentication scans are not possible for this component. + Provide evidence if available, such as scanner tool or vendor links.

+ + + + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + API Service + + + +

This is a service provided by this system to external systems, such as an + offered API. The following is required:

+
    +
  • The "title" fields must have the name of the offered API.
    • +
  • The "description" field must include the purpose and use of the API.
    • +
  • The component "type" attribute must have a value of "service".
    • +
  • The "implementation-point" property must have a value of "internal".
    • +
  • The "communicates-externally" prop/extensions must have a value of "yes".
    • +
  • One or more "information-type" prop/extensions must be present with 800-60 information type values.
    • +
  • The "connection-security" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions "remarks" must provide additional content.
    • +
  • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
    • +
  • One or more "used-by" links must provide the component UUID of the other system.
    • +
  • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • +
  • A "status" field that must have a state of "operational"
    • +
  • One or more "responsible-role" fields with: +
      +
    • one or more roles by "role-id" [rquiried]
      • +
    • one or more "privilege-uuid" prop/extensions [required]
      • +
    • one or more "party-uuid" values to identify who has these privliges. [required]
      • +
    +
    • +
  • One or more "protocol" fields.
    • +
+

+

Because this is softare that exists within the boundary, it is also requires the following + in satisfaction of inventory/CM/ConMon requirements:

+
    +
  • An "allows-authenticated-scan" property with an appropriate value.
    • +
  • An "scan-type" property/extension set to "infrastructure".
    • +
  • TODO: Revisit this list when working the inventory epic
    • +
+ + + + + + + Management CLI + +

A CLI tool used from within this system's boundary to manage a + hypervisor, service, or other system outside this system's boundary, + resulting in communication that crosses the boundary.

+ + + + + + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + +

Terms of Use

+ + + + +

Explain why authentication scans are not possible for this component. + Provide evidence if available, such as scanner tool or vendor links.

+ + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

When an internal CLI tool communicates with a system outside the boundary, + such as for management of the underlying leveraged system or interaction + with an external system, the following is required:

+
    +
  • The "title" fields must have the name of the CLI tool.
    • +
  • The "description" field must include the purpose and use of the tool within this system.
    • +
  • The component "type" attribute must have a value of "software".
    • +
  • The "asset-type" property must have a value of "cli".
    • +
  • The "implementation-point" property must have a value of "internal".
    • +
  • The "communicates-externally" prop/extensions must have a value of "yes".
    • +
  • One or more "information-type" prop/extensions must be present with 800-60 information type values.
    • +
  • The "connection-security" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions "remarks" must provide additional content.
    • +
  • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
    • +
  • One or more "communicates-with" link must provide the component UUID of the other system.
    • +
  • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • +
  • A "status" field that must have a state of "operational"
    • +
  • One or more "responsible-role" fields with: +
      +
    • one or more roles by "role-id" [rquiried]
      • +
    • one or more "privilege-uuid" prop/extensions [required]
      • +
    • one or more "party-uuid" values to identify who has these privliges. [required]
      • +
    +
    • +
+

+

Because this is softare that exists within the boundary, it is also requires the following + in satisfaction of inventory/CM/ConMon requirements:

+
    +
  • An "allows-authenticated-scan" property with an appropriate value.
    • +
  • An "scan-type" property/extension set to "infrastructure".
    • +
  • TODO: Revisit this list when working the inventory epic
    • +
+ + + + + + External Management CLI + +

A CLI tool used by systems outside the authorization boundary to manage + or interact with this system..

+ + + + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+ + + + +

Terms of Use

+ + + + + + + + + +

When a CLI tool outside the system communicates with this system, + such as for management of the user's hypervisor in this system, the + following is required:

+
    +
  • The "title" fields must have the name of the CLI tool.
    • +
  • The "description" field that describes how the tool can influence the operation of this system.
    • +
  • The component "type" attribute must have a value of "software".
    • +
  • The "asset-type" property must have a value of "cli".
    • +
  • The "implementation-point" property must have a value of "external".
    • +
  • One or more "information-type" prop/extensions must be present with 800-60 information type values.
    • +
  • The "connection-security" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions must be present with an appropriate value.
    • +
  • The "authentication-method" prop/extensions "remarks" must provide additional content.
    • +
  • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
    • +
  • One or more "communicates-with" link must provide the component UUID of the component within this system.
    • +
  • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
    • +
  • A "status" field that must have a state of "operational"
    • +
  • One or more "responsible-role" fields with: +
      +
    • one or more roles by "role-id" [rquiried]
      • +
    • one or more "privilege-uuid" prop/extensions [required]
      • +
    • one or more "party-uuid" values to identify who has these privliges. [optional]
      • +
    +
    • +
+

+

As this is impelemented external to the system boundary, information such as "scan-type" + and "allows-authenticated-scanning" are not applicable and should not be present.

+ + + + + + + + + Access Control and Identity Management Policy + +

This is a corporate policy used for the system.

+

The Access Control and Identity Management Policy governs how + user identities and access rights are managed.

+ + + + + +

A policy component is required for each policy that governs the system.

+

The title, description and status fields are required by core OSCAL. + The title field should reflect the actual title of the policy document.

+

For system-specific policies, the "implementation-point" property must be + present and set to "internal".

+

For corproate policies, the "implementation-point" property must be + present and set to "external" with its class set to "corporate".

+

For any policy that is niether system-specific, nor corporate, the + "implementation-point" property must be present and set to "external", + with a class set to anything other than "corporate" or no class + attribute at all.

+

An "attachment" link field must be present that identifies the back-matter + resource representing the attached policy.

+

The document version and date are represented in the linked resource. Not here.

+

At this time FedRAMP does not _require_ policy approver or + audience information in the SSP; however, both may be represented here + using the responsible-role field. If electing to include this information, + use the "approver" role ID to represent approvers. Any other role listed + is assumed to be audience.

+ + + + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+ + + + + + + + + Access Control Procedure + +

The Access Control Procedure governs how access is managed and approved.

+ + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + +

A "process-procedure" component is required for each process or procedure + that governs the system.

+

The title, description and status fields are required by core OSCAL. + The title field should reflect the actual title of the document.

+

For system-specific processes or procedures, the "implementation-point" property must be + present and set to "internal".

+

For corproate processes or procedures, the "implementation-point" property must be + present and set to "external" with its class set to "corporate".

+

For any processes or procedures that is niether system-specific, nor corporate, the + "implementation-point" property must be present and set to "external", + with a class set to anything other than "corporate" or no class + attribute at all.

+

An "attachment" link field must be present that identifies the back-matter + resource representing the attached policy.

+

The document version and date are represented in the linked resource. Not here.

+

At this time FedRAMP does not _require_ policy approver or + audience information in the SSP; however, both may be represented here + using the responsible-role field. If electing to include this information, + use the "approver" role ID to represent approvers. Any other role listed + is assumed to be audience.

+ + + + Awareness and Training Procedure + +

The Awareness and Training Procedure governs how access is managed and approved.

+ + + + + + + + + + + + + + Encrypted Communication + +

An encryptred communication between the web server and + the database server for the purpose of performing SQL queries.

+ + + + + + + + +

Any notes about this connection to appear in Table Q.

+ + + + + Database Sample + +

None

+ + + + + + + + + + + + + + + + Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+ + + + + + + +

Usage statement

+ + + + + +

If the same FIPS-validated cryptographic module is deployed + in two or more different components, each deployment SHOULD + have its own "validation" component entry, such as if the same + module is embedded in a software product and an operating system.

+

The "asst-type" property is value is "cryptographic-module", + and the class must be present with one of the following values:

+
    +
  • "embeded": Embedded CM
    • +
  • "third-party": Third-party CM
    • +
  • "uses-os": Uses OS CM
    • +
  • "fips-mode": In FIPS Mode
    • +
  • "other": Other as described in the remarks
    • +
+

Note that if the value is "other", additional detail must be + provided in the property's remarks field.

+ + + + + + Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+ + + + + + + +

Usage statement

+ + + + + + + + + Web Server + +

This is a web server that communicates with a database via + an encrypted connection

+ + + + + + + + + + + + + Linux Operating System + +

This is a web server that communicates with a database via + an encrypted connection

+ + + + + + + + + + + + Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+ + + + + + + +

Usage statement

+ + + + + + + + + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+ + + + + + + + Container Image + +

This is a container image used to create container instances within the system.

+ + + + + + + + 44444444-2222-4000-8000-004000000001 + + + + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+ + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+ + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+ + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+ + + + + Email Service + +

Email Service

+ + + + + + + + + + + + + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+ + + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

COMMENTS: Provide other comments as needed.

+ + + + + OS Sample + +

None

+ + + + + + + + + + Database Sample + +

None

+ + + + + + + + + + + + + + + Appliance Sample + +

None

+ + + + + + +

Vendor appliance. No admin-level access.

+ + + + + + + + + IPv4 Production Subnet + +

IPv4 Production Subnet.

+ + + + + + + + IPv4 Management Subnet + +

IPv4 Management Subnet.

+ + + + + + + + + + + + + + +

Legacy Example (No implemented-component).

+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+ + + + + +

If no, explain why. If yes, omit remarks field.

+ + + + +

Optional, longer, formatted description.

+ + + + + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

+ + + +

COMMENTS: Additional information about this item.

+ + + + +

Component Inventory Example

+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+ + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+ + + + +

None.

+ + + + + + + + + + + + + + +

None.

+ + + + + + + + + + + + + +

None.

+ + + + + + + + + + + + + +

None.

+ + + + + + + + + +

Asset wasn't running at time of scan.

+ + + + + + +

None.

+ + + + + + + + + + + + + +

None.

+ + + + + + + + + +

Asset wasn't running at time of scan.

+ + + + + + +

Email-Service

+ + + + + + + + + + + + + + + +

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+

+

+ + + + all managers, administrators and users of the system + +

[Assignment: organization-defined personnel or roles]

+

This focuses on roles the POLICY is disseminated to.

+ + + + all managers and administrators of the system + +

[Assignment: organization-defined personnel or roles]

+

This focuses on roles PROCEDURES are disseminated to.

+ + + + System-level + +

[Selection (one or more): Organization-level; Mission/business process-level; Systemlevel]

+

This is a SELECT parameter. Use one "value" field for each selection.

+ + + + System Architect + +

[Assignment: organization-defined official]

+ + + + at least every 3 years + +

[Assignment: organization-defined frequency]

+ + + + change in organizational legal status or ownership + +

[Assignment:organization-defined events]

+ + + + at least annually + +

[Assignment: organization-defined frequency]

+ + + + change in policy or a security incident involving a failure of access control mechanisms + +

[Assignment:organization-defined events]

+ + + + + + +

Describe how Part a is satisfied within the system as a whole.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

+ + + +

This is the "this-system" component, which represents the system as a whole.

+

There are two reasons to provide a response here:

+
    +
  • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
    • +
  • When it is necessary to explain how two or more components work together to + satisfy this requirement.
    • +
+ + + + +

Describe how this policy satisfies part a.

+ + + +

This is the "policy" component, which represents the Access Control and + Identity Management Policy.

+ + + + +

Describe how this procedure satisfies part a.

+ + + +

This is the "process-procedure" component, which represents the Access Control Process.

+ + + + + + +

Describe how Part b is satisfied within the system as a whole.

+ + + + +

Describe the plan to complete the implementation.

+ + + +

This is the "this-system" component, which represents the system as a whole.

+

There are two reasons to provide a response here:

+
    +
  • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
    • +
  • When it is necessary to explain how two or more components work together to + satisfy this requirement.
    • +
+ + + + + +

Describe how this policy currently satisfies part a.

+ + + +

Describe the plan for addressing the missing policy elements.

+ + + + +

Identify what is currently missing from this policy.

+ + + + + + + +

Describe how Part b-1 is satisfied.

+ + + + + + + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + + + + + +

Description for the "this-system" component.

+

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

+ + + + +

This system's statement of capabilities which may be inherited by a + customer's leveraging systems toward satisfaction of AC-2, part a.

+ + + + +

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".

+ + + 11111111-2222-4000-8000-004000000001 + + + +

Any content for the customer responsibility matrix must be included within export.

+

provided is a statement about what

+ + + + + +

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

+ + + + +

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

+ + + 11111111-2222-4000-8000-004000000005 + + + + +

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

+ + + 11111111-2222-4000-8000-004000000005 + + + + +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

+ + + + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+ + + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+ + + + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+ + + + + + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

+ + + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

+ + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

+ + + + +

Describe how this policy satisfies part a.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+ + + + + +

Describe how this procedure satisfies part a.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+ + + + + + + +

There

+ + + + +

Describe the plan to complete the implementation.

+ + + + + +

Describe how this policy currently satisfies part a.

+ + + +

Describe the plan for addressing the missing policy elements.

+ + + + +

Identify what is currently missing from this policy.

+ + + + + + + +

Describe how Part b-1 is satisfied.

+ + + + + + + + + + + + + + Signed System Security Plan + +

SSP Signature

+ + + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
    • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
    • +
+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

+ + + + + FedRAMP Applicable Laws and Regulations + + + +

Must be present in a FedRAMP SSP.

+ + + + + + Access Control and Identity Management Policy + +

A single policy that addresses both the AC and IA families.

+ + + + + + 00000000 + +

Each policy must be attached as back-matter resources, and must include:

+
    +
  • a title field with the attached document's published title.
    • +
  • a "type" property with a value of "policy".
    • +
  • a "published" property with the attached document's publication date.
    • +
  • a "version" property with the attached document's published version.
    • +
  • Either base64 embedded attachment or an rlink with a valid href value.
    • +
  • both base64 and rlink require a media-type for policies
    • +
+

Each policy must have a corrisponding "policy" component.

+ + + + Awareness and Training Policy Title + +

AT Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Audit and Accountability Policy Title + +

AU Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Security Assessment and Authorization Policy Title + +

CA Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Configuration Management Policy Title + +

CM Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Contingency Planning Policy Title + +

CP Policy document

+ + + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Identification and Authentication Policy Title + +

IA Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Incident Response Policy Title + +

IR Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Maintenance Policy Title + +

MA Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Media Protection Policy Title + +

MP Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Physical and Environmental Protection Policy Title + +

PE Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Planning Policy Title + +

PL Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Personnel Security Policy Title + +

PS Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Risk Adjustment Policy Title + +

RA Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Service Acquisition Policy Title + +

SA Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Communications Protection Policy Title + +

SC Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Information Integrity Policy Title + +

SI Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Supply Chain Risk Policy Title + +

SR Policy document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + Access Control Procedure Title + +

AC Procedure document

+ + + + + + + 00000000 + +

Procedures must be attached as back-matter resources, and must include:

+
    +
  • a title field with the attached document's published title.
    • +
  • a "type" property with a value of "procedure".
    • +
  • a "published" property with the attached document's publication date.
    • +
  • a "version" property with the attached document's published version.
    • +
  • Either base64 embedded attachment or an rlink with a valid href value.
    • +
  • both base64 and rlink require a media-type for policies
    • +
+ + + + Awareness and Training Procedure Title + +

AT Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Audit and Accountability Procedure Title + +

AU Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Configuration Management Procedure Title + +

CM Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Contingency Planning Procedure Title + +

CP Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Identification and Authentication Procedure Title + +

IA Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Incident Response Procedure Title + +

IR Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Maintenance Procedure Title + +

MA Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Media Protection Procedure Title + +

MP Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Planning Procedure Title + +

PL Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Personnel Security Procedure Title + +

PS Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Risk Adjustment Procedure Title + +

RA Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Service Acquisition Procedure Title + +

SA Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Communications Protection Procedure Title + +

SC Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + System and Information Integrity Procedure Title + +

SI Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + Supply Chain Risk Procedure Title + +

SR Procedure document

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + User's Guide + +

User's Guide

+ + + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + + + Document Title + +

Rules of Behavior

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + Document Title + +

Contingency Plan (CP)

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + Document Title + +

Configuration Management (CM) Plan

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + Document Title + +

Incident Response (IR) Plan

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

A CSP-specific law citation

+

The "type" property must be present and contain the value "law".

+ + + + + + + + Document Title + +

Continuous Monitoring Plan

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + Plan of Actions and Milestones (POAM) + + + + + +

The POA&M attachment may either be a legacy Excel workbook or OSCAL file. + The resource must have:

+
    +
  • a title field with the the value, "Plan of Actions and Milestones (POAM)"
    • +
  • a "published" property with the effective date of the attached POA&M.
    • +
  • a "type" property with a value of "plan" and a class of "poam".
    • +
  • Either base64 embedded attachment or an rlink with a valid href value.
    • +
  • Both base64 and rlink require a media-type for policies
    • +
+

A "version" property is optional.

+

The appropriate media types for OSCAL content + are, "application/xml", "application/json" or "application/yaml".

+

FedRAMP does not accept base64 POA&M contenta at this time.

+ + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+ + + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+ + + + + + + Interconnection Security Agreement + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+ + + + + 00000000 + +

Must be present in a FedRAMP SSP.

+ + + + CSP Logo + +

CSP Logo

+ + + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+ + + + 3PAO Logo + +

3PAO Logo

+ + + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+ + + + + Boundary Diagram + +

The primary authorization boundary diagram.

+ + + + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+ + + + Network Diagram + +

The primary network diagram.

+ + + + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+ + + + Data Flow Diagram + +

The primary data flow diagram.

+ + + + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+ + + + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

+ + + + CSP Acronyms + + + +

CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

+ + + + Server Security Technical Implementation Guide (STIG) + + + + + +