Add documentation for external systems #125

Merged
38 changes: 31 additions & 7 deletions content/documentation/ssp/4-ssp-template-to-oscal-mapping.md
Expand Up @@ -913,7 +913,7 @@ Each system must define at least two data centers. There must be exactly one pri
{{</ highlight >}}

---
## Leveraged FedRAMP-authorized Services
## Leveraged FedRAMP-Authorized Services

If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the system-implementation assembly. There must be one leveraged-authorization assembly and one matching component assembly for each leveraged authorization.

Expand Down Expand Up @@ -949,22 +949,22 @@ While a leveraged system has no need to represent content here, its SSP must inc
<!-- FedRAMP Package ID -->
<prop name="leveraged-system-identifier"
ns="https://fedramp.gov/ns/oscal"
value="Package_ID value" />
value="Package_ID value"/>
<prop ns="https://fedramp.gov/ns/oscal" name="authorization-type"
value="fedramp-agency"/>
<prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
<party-uuid>uuid-of-leveraged-system-poc</party-uuid>
<date-authorized>2015-01-01</date-authorized>
</leveraged-authorization>
<!-- CSO name & service description -->
<component uuid="uuid-of-leveraged-system" type="leveraged-system">
<component uuid="uuid-of-leveraged-system" type="system">
<title>Name of Leveraged System</title>
<description>
<p>Briefly describe leveraged system.</p>
</description>
<prop name="leveraged-authorization-uuid"
value="5a9c98ab-8e5e-433d-a7bd-515c07cd1497" />
<prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001" />
value="5a9c98ab-8e5e-433d-a7bd-515c07cd1497"/>
<prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001"/>
<prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
<prop name="implementation-point" value="external"/>
<!-- FedRAMP prop extensions for table 6.1 columns -->
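Review bot: With the component changed from `type="leveraged-system"` to `type="system"`, the type no longer marks this component as a leveraged system, so the text around the example should state that the `leveraged-authorization-uuid` prop is what ties the component to its `leveraged-authorization` entry. That prop carries a concrete value (`5a9c98ab-8e5e-433d-a7bd-515c07cd1497`) while the other identifiers in the example are placeholders such as `uuid-of-leveraged-system`; add a comment saying which `uuid` it must equal. The whitespace-only edits (`" />` to `"/>`) would also be easier to review in a separate commit from the type change.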
Expand All @@ -984,6 +984,8 @@ The nature-of-agreement property identifies the appropriate type of agreement be

{{</callout>}}

<br/>

{{<callout>}}

**FedRAMP Allowed Values**
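Review bot: The `<br/>` added between the two callouts is raw HTML used only for vertical spacing. Spacing between callouts is better handled once in the callout shortcode's styling, so the Markdown carries no layout markup and the gap stays consistent wherever two callouts are adjacent.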
Expand Down Expand Up @@ -1128,14 +1130,16 @@ count(/*/system-implementation/user[1]/authorized-privilege[1]/function-performe

## External Systems and Services Not Having FedRAMP Authorization

FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.
FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.

The nature-of-agreement property identifies acceptable agreement types.

{{< figure src="/img/ssp-figure-17.png" title="FedRAMP SSP template external systems (not FedRAMP authorized)." alt="Screenshot of the external system information for non-FedRAMP authorized services in the FedRAMP SSP template." >}}

#### OSCAL Representation
{{< highlight xml "linenos=table" >}}
<!-- list any external connections as components in the system-characteristics -->
<component uuid="uuid-value" type="interconnection">
<component uuid="uuid-value" type="system">
<title>[EXAMPLE]External System / Service Name</title>
<description>
<p>Briefly describe the interconnection details.</p>
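Review bot: At the changed `<component uuid="uuid-value" type="system">`, the unchanged lines around it still describe the old model. The comment above it says the components are listed "in the system-characteristics", while the leveraged-services text earlier in this file places component assemblies in the system-implementation assembly, and the description still reads "Briefly describe the interconnection details." although the type is no longer `interconnection`. Both should be updated in this change. The added sentence "The nature-of-agreement property identifies acceptable agreement types." is also vague; say that the property records the type of agreement in place with the external system and point to the allowed-values list.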
Expand Down Expand Up @@ -1176,6 +1180,7 @@ FedRAMP authorized services should be used, whenever possible, since their risk
<prop ns="https://fedramp.gov/ns/oscal" name="port" class="remote" value="80"/>
<prop ns="https://fedramp.gov/ns/oscal" name="interconnection-security"
value="ipsec">
<prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
<!-- cut ports, protocols -->
<link href="#uuid-of-ICA-resource-in-back-matter" rel="isa-agreement" />
<!-- cut repeat responsible-party assembly for each required ICA role id -->
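Review bot: The new `nature-of-agreement` prop is inserted directly after the `interconnection-security` prop, whose tag in the context lines ends in `value="ipsec">` rather than `value="ipsec"/>`, so as shown the sample is not well-formed and the new prop reads as a child of the previous one. Close that element as part of this change, since readers copy these examples into their own SSPs. The new line also puts `name` before `ns`, while the neighbouring FedRAMP props put `ns` first; pick one order for the block.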
Expand All @@ -1192,6 +1197,25 @@ FedRAMP authorized services should be used, whenever possible, since their risk
</back-matter>
{{</ highlight >}}

<br/>

{{<callout>}}

**FedRAMP Allowed Values**

FedRAMP defines the following allowed values for the nature-of-agreement property:
- contract
- eula
- isa
- license
- mou
- other
- sla

{{</callout>}}

<br/>

### External System and Services (Queries)

Refer to the XPath queries below and corresponding notes for guidance on what targets in an OSCAL SSP should be used to represent each column of the "External Systems and Services Not Having FedRAMP Authorization" table in the legacy SSP template.
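Review bot: The added "FedRAMP Allowed Values" callout for `nature-of-agreement` sits in a second place in this file: a callout with the same heading already follows the nature-of-agreement text in the leveraged-services section. If both carry the same list, the values can drift apart on the next update, so keep one list and link to it from the other section, or render both from a single source. The list includes `other` without saying where the author records what the agreement actually is when `other` is chosen; add that guidance next to the list.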