Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document connection security #130

Merged
merged 3 commits into from
Dec 2, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -1154,14 +1154,16 @@ count(/*/system-implementation/user[1]/authorized-privilege[1]/function-performe

FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.

For components that describe external systems and services that are not FedRAMP-authorized and not part of a leveraged authorization, the component must identify the kind of connection security in use to protect data in transit (for example, IPSec VPN).

The nature-of-agreement property identifies acceptable agreement types.

{{< figure src="/img/ssp-figure-17.png" title="FedRAMP SSP template external systems (not FedRAMP authorized)." alt="Screenshot of the external system information for non-FedRAMP authorized services in the FedRAMP SSP template." >}}

#### OSCAL Representation
{{< highlight xml "linenos=table" >}}
<!-- list any external connections as components in the system-characteristics -->
<component uuid="uuid-value" type="system">
<component uuid="uuid-value" type="service">
<title>[EXAMPLE]External System / Service Name</title>
<description>
<p>Briefly describe the interconnection details.</p>
Expand Down Expand Up @@ -1200,7 +1202,7 @@ The nature-of-agreement property identifies acceptable agreement types.
<prop ns="https://fedramp.gov/ns/oscal" name="information"
value="Describe the information being transmitted."/>
<prop ns="https://fedramp.gov/ns/oscal" name="port" class="remote" value="80"/>
<prop ns="https://fedramp.gov/ns/oscal" name="interconnection-security"
<prop ns="https://fedramp.gov/ns/oscal" name="connection-security"
value="ipsec">
<prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
<!-- cut ports, protocols -->
Expand Down Expand Up @@ -1481,6 +1483,8 @@ Replace XPath predicate "[1]" with "[2]", "[3]", etc.

Entries in the ports, protocols, and services table are represented as component assemblies, with the component-type flag set to "service". Use a protocol assembly for each protocol associated with the service. For a single port, set the port-range start flag and end flag to the same value.

For components that describe [external systems and services that are not FedRAMP authorized and not part of a leveraged authorization](#ports-protocols-and-services), the component must identify the kind of connection security in use to protect data in transit (for example, IPSec VPN).

{{< figure src="/img/ssp-figure-20.png" title="FedRAMP SSP template ports, protocols, and services." alt="Screenshot of the ports, protocols, and services information in the FedRAMP SSP template." >}}

#### OSCAL Representation
Expand All @@ -1491,6 +1495,7 @@ Entries in the ports, protocols, and services table are represented as component
<title>[SAMPLE]Service Name</title>
<description><p>Describe the service</p></description>
<purpose>Describe the purpose for which the service is needed.</purpose>
<prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="ipsec" />
<link href="uuid-of-component-used-by" rel="used-by" />
<link href="uuid-of-component-provided-by" rel="provided-by" />
<status state="operational" />
Expand Down