Example SSP Reflecting Latest FedRAMP OSCAL Modeling #925

Open
wants to merge 53 commits into base: develop
Changes from 1 commit
Commits (53)
a5ae413
example-ssp WIP
brian-ruf Nov 8, 2024
31e979e
Example UUID Legend Creation
brian-ruf Nov 8, 2024
dfb251c
WIP
brian-ruf Nov 9, 2024
0a3a6e1
oscal-cli validation cleanup
brian-ruf Nov 9, 2024
bc4b2cd
Leveraged Authorization revisions
brian-ruf Nov 11, 2024
24a7caf
WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid
brian-ruf Nov 14, 2024
7bdcf52
Component WIP
brian-ruf Nov 15, 2024
7c93843
Ch 7 External WIP
brian-ruf Nov 15, 2024
d5f4594
External system/service WIP
brian-ruf Nov 15, 2024
a13306d
Table 7.1 WIP
brian-ruf Nov 15, 2024
a53d3b7
Table 7.1 examples WIP
brian-ruf Nov 19, 2024
d7743f0
Tables 6.1 and 7.1 WIP
brian-ruf Nov 21, 2024
8522fbe
Table 6.1 and 7.1 WIP
Nov 21, 2024
0f59992
example-ssp WIP
brian-ruf Nov 8, 2024
939402b
Example UUID Legend Creation
brian-ruf Nov 8, 2024
20c578e
WIP
brian-ruf Nov 9, 2024
9111641
oscal-cli validation cleanup
brian-ruf Nov 9, 2024
e17dae5
Leveraged Authorization revisions
brian-ruf Nov 11, 2024
155a97d
WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid
brian-ruf Nov 14, 2024
21582e3
Component WIP
brian-ruf Nov 15, 2024
ccf4923
Ch 7 External WIP
brian-ruf Nov 15, 2024
bfbc6b9
External system/service WIP
brian-ruf Nov 15, 2024
e071643
Table 7.1 WIP
brian-ruf Nov 15, 2024
adbf9dc
Table 7.1 examples WIP
brian-ruf Nov 19, 2024
18fef78
Tables 6.1 and 7.1 WIP
brian-ruf Nov 21, 2024
60c2913
Table 6.1 and 7.1 WIP
Nov 21, 2024
18bd9f2
added example ssp to fedramp_extensions.feature
Nov 21, 2024
50c771b
Merge branch 'example-ssp' of github.com:brian-ruf/fedramp-automation…
Nov 21, 2024
53da905
WIP
Nov 21, 2024
51dfea8
fixed import URL
Nov 21, 2024
1c341d7
fixed party-uuids in component
Nov 21, 2024
a18b110
removed zone identifier file
Nov 21, 2024
8915671
interconnection updates WIP
brian-ruf Nov 22, 2024
5d8d510
leveraged authorizations and interconnections
brian-ruf Nov 23, 2024
f6eb3d6
LA and External/Intercon cleanup
brian-ruf Nov 26, 2024
75f273f
fixing validation errors
brian-ruf Nov 26, 2024
ef659d8
more cleanup
brian-ruf Nov 26, 2024
445e036
more cleanup
brian-ruf Nov 26, 2024
78336ae
attachment cleanup
brian-ruf Nov 27, 2024
4109c76
revised resources to omit defunct FedRAMP acronyms attachment, plus a…
brian-ruf Dec 3, 2024
3d8fcde
attachment modeling WIP
brian-ruf Dec 4, 2024
d8beca6
attachment modeling WIP
brian-ruf Dec 4, 2024
9605ba8
SSP component cleanup, UUID planning for implemented controls
brian-ruf Dec 4, 2024
6161401
attachments WIP
brian-ruf Dec 6, 2024
55fe3e4
syntax cleanup
brian-ruf Dec 6, 2024
b0d42a0
additional table 6-1, 7-1 revisions
brian-ruf Dec 9, 2024
b94a79b
enumerating all controls WIP
brian-ruf Dec 11, 2024
adfea54
documents and other component work
brian-ruf Dec 17, 2024
24cd966
Crypto WIP
brian-ruf Dec 24, 2024
4b7fbf8
cryptographic modules WIP
brian-ruf Dec 24, 2024
51e68e9
all inventory-items now point to valid components
brian-ruf Dec 30, 2024
0f1bd9d
moved from 'baseline-configuration-name' prop to 'baseline' link
brian-ruf Dec 31, 2024
dd4871a
WIP
brian-ruf Jan 7, 2025
Crypto WIP
brian-ruf committed Dec 24, 2024
commit 24cd96632339a049171270e8b347f36e8666456e
1 change: 1 addition & 0 deletions src/content/rev5/examples/UUIDs_for_Examples_Legend.md
@@ -84,6 +84,7 @@ _Fields for other models to be added as we work with those models._
- `0110`=Standard
- `0120`=Validation
- `0130`=Network
- `0140`=Connection

**Enumeration**
- `0###`: A simple sequence number. (`001`, `002`, through `fff`)
176 changes: 114 additions & 62 deletions src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -609,7 +609,7 @@
<!-- FedRAMP Authorization Path: fedramp-jab, fedramp-agency, or fedramp-li-saas -->
<prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency"/>
<!-- FIPS PUB 199 Level -->
<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
<security-sensitivity-level>fips-199-high</security-sensitivity-level>
<system-information>
<!-- Rev5 update - PIA/PTAs are no longer required by FedRAMP -->
<!-- Table K.1 - Use the information-type element to provide details about all information types that are stored, processed, or transmitted by the system -->
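Review bot: moving security-sensitivity-level from fips-199-moderate to fips-199-high is the only change in this hunk, and a High categorization has knock-on effects the hunk does not show: the baseline profile the SSP imports and the impact levels declared for its information types under <system-information> need to agree with it. Confirm those were updated in the same commit; otherwise the example describes a High system implemented against a Moderate baseline, which is the kind of mismatch validators and assessors catch first.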
@@ -1092,8 +1092,7 @@
or poam-item UUID (OSCAL POA&amp;M)</li>
<li>a "provided-by" link with a URI fragment that points to the
"system" component representing the leveraged system. (Example: <code>"#11111111-2222-4000-8000-009000100001"</code>)</li>
<li></li>
<li></li>


</ul>
<p>The "leveraged-authorization-uuid" property must NOT be present, as this is how
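Review bot: the <ul> still shows two empty <li></li> items; if either of them survives this hunk, drop it, since an empty list item renders as a blank bullet in the description. The two trailing blank lines before </ul> can go with it.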
@@ -1237,9 +1236,15 @@

<prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />

<link rel="attachment" href="#11111111-2222-4000-8000-001000000058"/>
<link rel="used-by" href="#11111111-2222-4000-8000-009000000000" />
<link rel="used-by" href="#11111111-2222-4000-8000-009000100002" />
<link rel="attachment" href="#11111111-2222-4000-8000-001000000058">
<text>ISA</text>
</link>
<link rel="used-by" href="#11111111-2222-4000-8000-009000000000" >
<text>UUID of "this system" or a component within this system's boundary</text>
</link>
<link rel="used-by" href="#11111111-2222-4000-8000-009000100002" >
<text>UUID of remote system</text>
</link>

<link rel="poam-item" href="https://raw.githubusercontent.com/usnistgov/oscal-content/refs/heads/main/examples/poam/xml/ifa_plan-of-action-and-milestones.xml" resource-fragment="11111111-3333-4000-8000-000000000001" />

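Review bot: the poam-item link points at https://raw.githubusercontent.com/usnistgov/oscal-content/refs/heads/main/..., i.e. the moving tip of a branch, so the document that resource-fragment="11111111-3333-4000-8000-000000000001" resolves into can change or disappear underneath the example; pin the href to a commit or tagged release instead. Separately, the new <text> children on the used-by links ("UUID of "this system" or a component within this system's boundary", "UUID of remote system") read as template instructions rather than link text; either make them describe the linked component or move the guidance into an XML comment, as the guidance elsewhere in this file is written.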
@@ -1261,7 +1266,7 @@
<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
<party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
</responsible-role>


<remarks>
<!-- TODO: Validate this description -->
@@ -1489,6 +1494,7 @@
<p>Describe the service and what it is used for.</p>
</description>
<prop name="implementation-point" value="internal"/>
<prop name="public" value="yes"></prop>

<prop name="communicates-externally" value="yes" ns="http://fedramp.gov/ns/oscal"/>
<prop name="information-type" class="incoming-outgoing" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
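Review bot: <prop name="public" value="yes"></prop> uses an open/close pair where every neighbouring prop is self-closing; write it as <prop name="public" value="yes"/> for consistency. Marking the service public next to communicates-externally="yes" is coherent, but a publicly reachable service is exactly where the authentication-method and connection-security props carry weight, so make sure this component declares them as the other externally communicating components in this file do.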
@@ -1580,13 +1586,13 @@
resulting in communication that crosses the boundary.</p>
</description>
<prop name="asset-type" value="cli"/>
<prop name="implementation-point" value="internal"/>
<prop name="implementation-point" value="internal"/>

<prop name="communicates-externally" value="yes" ns="http://fedramp.gov/ns/oscal" />
<prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
<prop name="information-type" class="outgoing" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
<prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />
<prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
<prop name="communicates-externally" value="yes" ns="http://fedramp.gov/ns/oscal" />
<prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
<prop name="information-type" class="outgoing" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
<prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />
<prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
<remarks>
<p>If 'yes', describe the authentication method in the remarks.</p>
<p>If 'no', explain why no authentication is used in the remarks.</p>
@@ -1726,6 +1732,7 @@
<component uuid="11111111-2222-4000-8000-009000600001" type="policy">
<title>Access Control and Identity Management Policy</title>
<description>
<p>This is a corporate policy used for the system.</p>
<p>The Access Control and Identity Management Policy governs how
user identities and access rights are managed.</p>
</description>
@@ -1811,23 +1818,39 @@
<link href="#11111111-2222-4000-8000-001000000024" rel="attachment"/>
<status state="operational"/>
</component>


<!-- ============= INTERNAL COMPONENTS ============= -->
<component uuid="11111111-2222-4000-8000-009000500005" type="service">
<title>Service D</title>

<!-- ============= INTERNAL COMPONENTS - ENCRYPTED COMMUNICATION ============= -->

<component uuid="11111111-2222-4000-8000-009001400001" type="connection">
<title>Encrypted Communication</title>
<description><p>An encryptred communication between the web server and the database server</p></description>
<prop name="asset-type" value="cryptographic" />
<prop name="asset-type" value="cryptographic" />
<link rel="used-by" href="#11111111-2222-4000-8000-009000300100" />
<link rel="used-by" href="#11111111-2222-4000-8000-009000300200" />
<status state="operational"></status>
</component>



<component uuid="11111111-2222-4000-8000-009000300100" type="software">
<title>Database Sample</title>
<description>
<p>A service that exists within the authorization boundary.</p>
<p>Describe the service and what it is used for.</p>
<p>None</p>
</description>
<prop name="implementation-point" value="internal"/>
<prop name="asset-type" value="database"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
<prop name="baseline-configuration-name" value="Baseline Config. Name"/>
<prop name="allows-authenticated-scan" value="yes"/>
<link href="#11111111-2222-4000-8000-009000500006" rel="used-by" />
<status state="operational"/>
<protocol name="postgresql">
<port-range start="5432" end="5432" transport="TCP" />
<port-range start="5432" end="5432" transport="UDP" />
</protocol>
</component>


<!-- Section 10 / Appendix Q - Cryptographic Modules -->
<!-- NOTE: Must set type="cryptographic-module" -->
<!-- List all cryptographic modules for Data-at-Rest (DAT) - must referenced by using component(s), provide CMVP #, FIPS validation status, Vendor Name, Module Name, and brief usage description -->
<component uuid="11111111-2222-4000-8000-009001200001" type="validation">
<title>[SAMPLE]Cryptographic Module Name</title>
<description>
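Review bot: the new Encrypted Communication component has three defects. Its description says the channel runs "between the web server and the database server", but the second used-by link (#11111111-2222-4000-8000-009000300200) resolves to the Appliance Sample component, not a web server; fix the link target or the description. "encryptred" is a typo. And <prop name="asset-type" value="cryptographic" /> appears twice, so one copy is redundant. Separately, the Database Sample component declares a UDP port-range on 5432 beside the TCP one; PostgreSQL listens on TCP only, so the UDP entry overstates the exposed surface and sends scanners and firewall reviewers looking for a listener that does not exist. Its description also still ends in a leftover <p>None</p>.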
@@ -1838,48 +1861,87 @@
compliance (e.g., Module in Process).</p>
</description>
<!-- Rev 5 new props for CMs -->
<prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
<prop name="asset-type" value="cryptographic-module"/>
<prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="CM Vendor"/>
<prop ns="http://fedramp.gov/ns/oscal" name="cryptographic-module-usage"
value="data-at-rest"/>
<!-- Provide the validation type for this CM -->
<prop name="validation-type" value="fips-140-2"/>
<!-- Provide the certificate number (CMVP #) -->
<prop name="validation-reference" value="3928"/>
<link rel="validation-details"
<link rel="proof-of-compliance"
href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3928"/>
<status state="operational"/>
<responsible-role role-id="provider">
<party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
</responsible-role>
</component>
<!-- List all cryptographic modules for Data-in-Transit (DIT) - must referenced by using component(s), provide CMVP #, FIPS validation status, Vendor Name, Module Name, and brief usage description -->



<component uuid="11111111-2222-4000-8000-009001200002" type="validation">
<title>[SAMPLE]Cryptographic Module Name</title>
<description>
<p>Provide a description and any pertinent note regarding the use of this CM.</p>
<p>For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS
compliance (e.g., Module in Process).</p>
</description>
<!-- Rev5 new props for CMs -->
<prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="cryptographic-module"/>
<prop ns="http://fedramp.gov/ns/oscal" name="cryptographic-module-usage"
value="data-in-transit"/>
<!-- Provide the validation type for this CM -->
<prop name="asset-type" value="cryptographic-module"/>
<prop name="cryptographic-module-usage" ns="http://fedramp.gov/ns/oscal" value="data-in-transit"/>
<prop name="validation-type" value="fips-140-3"/>
<!-- Provide the certificate number (CMVP #) -->
<prop name="validation-reference" value="3920"/>
<link rel="validation-details"
<link rel="proof-of-compliance"
href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3920"/>
<status state="operational"/>
<responsible-role role-id="provider">
<party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
</responsible-role>

</component>

<component uuid="11111111-2222-4000-8000-009000300200" type="software">
<title>Appliance Sample</title>
<description>
<p>None</p>
</description>
<prop name="asset-type" value="appliance"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/>
<prop ns="http://fedramp.gov/ns/oscal" name="login-url"
value="https://admin.offering.com/login"/>
<prop name="baseline-configuration-name" value="Baseline Config. Name"/>
<prop name="allows-authenticated-scan" value="no" />
<status state="operational"/>
</component>






<!-- ============= INTERNAL COMPONENTS ============= -->
<component uuid="11111111-2222-4000-8000-009000500005" type="service">
<title>Service D</title>
<description>
<p>A service that exists within the authorization boundary.</p>
<p>Describe the service and what it is used for.</p>
</description>
<prop name="implementation-point" value="internal"/>
<status state="operational"/>
</component>


<component uuid="11111111-2222-4000-8000-009001200002" type="software">
<title>Container Image</title>
<description>
<p>This is a container image used to create container instances within the system.</p>
</description>
<prop name="asset-type" value="image"/>
<prop name="asset-id" value="image"/>
<prop name="checksum" value="a1b2c3" ns="http://fedramp.gov/ns/oscal"/>
<link href="#11111111-2222-4000-8000-001000000059" rel="attachment"/>
<status state="operational" />
<responsible-role role-id="administrator">
<party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
</responsible-role>
</component>

<!-- Use Components to identify Security and Management Technologies (Table 8.1), -->
<!-- including Operating Systems, IAM/Access Management, Endpoint/Antivirus (AV), -->
<!-- File Integrity Monitoring (FIM), Code Repository, Service Desk / Ticketing, -->
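Review bot: the Container Image component reuses uuid 11111111-2222-4000-8000-009001200002, which is already assigned to the data-in-transit cryptographic module above; duplicate uuids fail schema validation and make every link to the module ambiguous. Give the image its own uuid, and note that per the legend the 0120 block is Validation, not the right range for a software image anyway. Two smaller points: the comment <!-- NOTE: Must set type="cryptographic-module" --> contradicts the elements it sits above, which use type="validation" with asset-type="cryptographic-module", so reword the comment; and <prop name="asset-id" value="image"/> looks like a copy of the asset-type value rather than an identifier, while the two CMVP certificate URLs differ only in the case of "Certificate"/"certificate".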
@@ -2051,7 +2113,6 @@
<prop name="mac-address" value="00:00:00:00:00:00"/>
<prop name="software-name" value="software-name"/>
<prop name="asset-type" value="operating-system"/>
<!-- vendor-name, model, and patch-level are component level props -->
<!-- <prop name="vendor-name" value="Vendor Name"/> -->
<!-- <prop name="model" value="Model Number"/> -->
<!-- <prop name="patch-level" value="Patch-Level"/> -->
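Review bot: if the removed line is the <!-- vendor-name, model, and patch-level are component level props --> comment, the three commented-out props beneath it lose their only explanation; either keep one short comment saying why they are not set at inventory-item level, or remove the dead commented-out props along with it so the sample does not invite copying them back in.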
@@ -2060,7 +2121,7 @@
<prop name="vlan-id" value="VLAN Identifier"/>
<prop name="network-id" value="Network Identifier"/>
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
<!-- <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>-->
<prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
<prop name="allows-authenticated-scan" value="no">
<remarks>
<p>If no, explain why. If yes, omit remarks field.</p>
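Review bot: uncommenting the second scan-type gives this inventory item both infrastructure and database scan types while allows-authenticated-scan stays "no". Check that the FedRAMP constraint set permits scan-type to repeat on one inventory item; and since a meaningful database scan is normally a credentialed one, the remarks that follow should say why authenticated scanning is refused for an item now flagged for database scanning, or the database scan-type belongs on the database component instead.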
@@ -2406,20 +2467,6 @@
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2" uuid="11111111-2222-4000-8000-012000020000">
<prop ns="http://fedramp.gov/ns/oscal" name="planned-completion-date" value="2024-01-31Z"/>
<prop ns="http://fedramp.gov/ns/oscal" name="implementation-status" value="planned">
<remarks>
<p>Describe the plan to complete the implementation.</p>
</remarks>
</prop>
<!-- sample implementation-status below -->
<prop ns="http://fedramp.gov/ns/oscal" name="control-origination" value="sp-system"/>
<prop ns="http://fedramp.gov/ns/oscal" name="control-origination"
value="customer-configured">
<remarks>
<p>Describe any customer-configured requirements for satisfying this control.</p>
</remarks>
</prop>
<set-parameter param-id="ac-2_prm_1">
<value>[SAMPLE]privileged, non-privileged</value>
</set-parameter>
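Review bot: ac-2 ends up with no implementation-status prop once the planned status, its planned-completion-date and the customer-configured control-origination are removed, leaving only control-origination="sp-system". If implementation-status is required on every implemented-requirement, as the FedRAMP extensions expect, ac-2 is now missing it; if the intent is to show a fully implemented control, add <prop ns="http://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> explicitly rather than relying on absence.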
@@ -2432,26 +2479,21 @@
<set-parameter param-id="ac-2_prm_4">
<value>at least annually</value>
</set-parameter>
<responsible-role role-id="admin-unix">
<party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
</responsible-role>
<responsible-role role-id="information-system-security-officer">
<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
</responsible-role>

<statement statement-id="ac-2_smt.a" uuid="11111111-2222-4000-8000-012000020100">
<by-component component-uuid="11111111-2222-4000-8000-009000000000"
uuid="11111111-2222-4000-8000-012000020101">
<description>
<h1>Description for the "this-system" component.</h1>
<p>Describe how AC-2, part a is satisfied within this system.</p>
<p>This points to the "This System" component, and is used any time a more
specific component reference is not available.</p>
</description>
<export>
<provided uuid="11111111-2222-4000-8000-015000000001">
<description>
<p>Leveraged system's statement of capabilities which may be inherited by a
leveraging systems to satisfy AC-2, part a.</p>
<p>This system's statement of capabilities which may be inherited by a
customer's leveraging systems toward satisfaction of AC-2, part a.</p>
</description>
</provided>
<responsibility uuid="11111111-2222-4000-8000-016000000001"
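Review bot: dropping both responsible-role entries (admin-unix and information-system-security-officer) leaves ac-2 with no responsible party in this hunk; if that is deliberate for the sample, confirm the FedRAMP constraints do not require at least one responsible-role per implemented-requirement. Also, <h1> inside the by-component description is the document's top heading level; a <p> or a lower heading suits a per-statement description better. The reworded provided text ("This system's statement of capabilities which may be inherited by a customer's leveraging systems") is clearer than the old version.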
@@ -2466,6 +2508,10 @@
<party-uuid>11111111-2222-4000-8000-004000000001</party-uuid>
</responsible-role>
</responsibility>
<remarks>
<p>Any content for the customer responsibility matrix must be included within <code>export</code>.</p>
<p><code>provided</code> is a statement about what </p>
</remarks>
</export>
</by-component>
<by-component component-uuid="11111111-2222-4000-8000-009000000014"
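Review bot: the second remark, <p><code>provided</code> is a statement about what </p>, breaks off mid-sentence; finish it (what provided asserts versus what responsibility assigns to the customer) or drop the paragraph before merging, since unfinished template text tends to be copied verbatim into real SSPs.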
@@ -3632,5 +3678,11 @@
and the value is "citation".</p>
</remarks>
</resource>
</back-matter>
<resource uuid="11111111-2222-4000-8000-001000000059">
<title>Server Security Technical Implementation Guide (STIG)</title>
<prop name="type" value="external-guidance" class="stig"/>
<prop name="published" value="2024-01-31T00:00:00Z" />
<prop name="version" value="2.1"/>
<rlink href="./attachments/server-stig.pdf" media-type="application/pdf" />
</resource> </back-matter>
</system-security-plan>
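Review bot: the new STIG resource carries an rlink to ./attachments/server-stig.pdf with no <hash> child; since this is the attachment the Container Image component links to, adding a <hash algorithm="SHA-256"> under the rlink lets a consumer verify that the PDF retrieved is the one the SSP describes. Also, </back-matter> now sits on the same line as </resource>; put it on its own line to match the rest of the file.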