Add more documentation for system-characteristics assemblies #56
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -300,7 +300,7 @@ Valid IAL, AAL, and FAL values (as defined by NIST SP 800-63): | |
| --- | ||
| ### System Sensitivity Level | ||
|
|
||
| The system sensitivity level in the FedRAMP SSP template document, illustrated in the figure below, is expressed through the `security-sensitivity-level` assembly. It is the designated overall information system [FIPS-199](https://doi.org/10.6028/NIST.FIPS.199) categorization based on the system information types, and the corresponding system security impact levels. | ||
|
|
||
| {{< figure src="/img/ssp-figure-9.png" title="FedRAMP SSP template system sensitivity level." alt="Screenshot of the FIPS 199 system sensitivity level in the FedRAMP SSP template." >}} | ||
|
|
||
|
|
@@ -321,7 +321,10 @@ The privacy system designation in in the FedRAMP SSP template document, illustra | |
| <!-- cut DIL Determination --> | ||
|
|
||
| <!-- FIPS PUB 199 Level (SSP Attachment 10) --> | ||
| <security-sensitivity-level>fips-199-moderate</security-sensitivity-level> | ||
|
|
||
| <!-- cut system-information --> | ||
| <!-- cut security-impact-level --> | ||
|
|
||
| <!-- cut --> | ||
| </system-characteristics> | ||
|
|
@@ -334,7 +337,7 @@ The privacy system designation in in the FedRAMP SSP template document, illustra | |
|
|
||
| **OSCAL Allowed Values** | ||
|
|
||
| Valid values for `security-sensitivity-level`: | ||
| - fips-199-low | ||
| - fips-199-moderate | ||
| - fips-199-high | ||
|
|
@@ -350,9 +353,221 @@ Valid values for security-sensitivity-level: | |
|
|
||
| **NOTES:** | ||
|
|
||
| - The System Sensitivity Level is generally set based on the [impact levels of the information types](#security-impact-level) and the [impact levels of the security objectives](#security-impact-level). | ||
| - The identified System Sensitivity Level governs which FedRAMP baseline applies. See the [*Importing the FedRAMP Baseline*](/documentation/ssp/3-working-with-oscal-files/#importing-the-fedramp-baseline) section for more information about importing the appropriate FedRAMP baseline. | ||
|
|
||
| --- | ||
|
|
||
| ### System Information and Information Types | ||
|
|
||
| The `system-information` assembly and its defined `information-type` assemblies are used to document all of the information types that are either stored, processed, or transmitted by the system. The information must be based on a formal standard, such as [NIST SP 800-60](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf). | ||
|
There was a problem hiding this comment. 800-60 is not just an example or a "such as". 800-60 is the required source for information types in a FedRAMP SSP. Update this sentence to read: The information must be based on NIST SP 800-60 Volume 2 Revision 1. There was a problem hiding this comment. For FedRAMP, sure. But generally, OSCAL permits others, hence the There was a problem hiding this comment. Good catch. I don't know when 800-60 r2 will come out (it was in open comment in ). We will have to update when that happens |
||
|
|
||
| The `categorization` assembly captures the set of defined information types (e.g., from [NIST SP 800-60](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf)) that apply, using the appropriate `information-type-id` as unique identifier(s). The referenced standard that defines the information types must be specified using the `system` attribute of the `information-type` assembly. | ||
|
|
||
| Each information type has confidentiality, integrity, and availability security impact prescribed by the referenced information type standard. This is documented by setting a FIPS-199 level in the `base`field. However, this may be adjusted by specifying a different FIPS-199 level in the `selected` field. The `adjustment-justification` field must be used for justification any time the `selected` FIPS-199 level is not the same as the `base`. | ||
|
There was a problem hiding this comment. This is incorrect. the initial CIA levels come from the 800-60 and are different for each information type. They may then be adjusted with justification. For example, if the system has Global Trade Information, this is cited from 800-60v2r1 as information type D.5.3, which is defined to have a recommended CIA of High, High, High. These are the "recommended" or An authorizing Official may then agree that this is only publicly published global trade information, thus the There was a problem hiding this comment. So it sounds like you would like a wording change but it is not immediately clear what you would like. I agree with your summary here and I worded it differently. I can make it more precise given what you wrote and align it with that. There was a problem hiding this comment. Sorry to butt in, but I think we need to be conscious about double spaces between sentences (for example, There was a problem hiding this comment. Yes, that's a good catch, I do not want extra spaces either, @DimitriZhurkin. Thanks. |
||
|
|
||
| #### OSCAL Representation | ||
| {{< highlight xml "linenos=table, hl_lines=18-50" >}} | ||
| <system-security-plan> | ||
| <metadata> | ||
| <!-- cut CSP Name --> | ||
| </metadata> | ||
| <system-characteristics> | ||
| <!-- System Name & Abbreviation --> | ||
| <system-name>System's Full Name</system-name> | ||
| <system-name-short>System's Short Name or Acronym</system-name-short> | ||
| <!-- FedRAMP Unique Identifier --> | ||
| <system-id identifier-type="http://fedramp.gov">F00000000</system-id> | ||
| <!-- cut Service Model --> | ||
| <!-- cut Deployment Model --> | ||
| <!-- cut DIL Determination --> | ||
|
|
||
| <!-- FIPS PUB 199 Level (SSP Attachment 10) --> | ||
| <security-sensitivity-level>fips-199-moderate</security-sensitivity-level> | ||
|
|
||
| <!-- system-information --> | ||
| <system-information> | ||
| <information-type uuid="06ecba4f-db96-4491-a3a2-7febfa227435"> | ||
| <title>Information Type Name</title> | ||
| <description> | ||
| <p>A description of the information.</p> | ||
| </description> | ||
| <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1"> | ||
| <information-type-id>C.2.4.1</information-type-id> | ||
| </categorization> | ||
| <confidentiality-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </confidentiality-impact> | ||
| <integrity-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </integrity-impact> | ||
| <availability-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </availability-impact> | ||
| </information-type> | ||
| </system-information> | ||
|
|
||
| <!-- cut security-impact-level --> | ||
|
|
||
| <!-- cut --> | ||
| </system-characteristics> | ||
| <!-- cut --> | ||
| </system-security-plan> | ||
| {{</ highlight >}} | ||
|
|
||
| <br /> | ||
| {{<callout>}} | ||
|
|
||
| **OSCAL Allowed Values** | ||
|
|
||
| Valid values for `confidentiality-impact`, `integrity-impact`, and `availability-impact` (`base` and `selected` fields): | ||
| - fips-199-low | ||
| - fips-199-moderate | ||
| - fips-199-high | ||
|
|
||
| {{</callout>}} | ||
|
|
||
|
|
||
| #### XPath Queries | ||
| {{< highlight xml "linenos=table" >}} | ||
| System Information: | ||
| /*/system-characteristics/system-information | ||
| System Information Types: | ||
| /*/system-characteristics/system-information/information-type | ||
| Information Categorization: | ||
| /*/system-characteristics/system-information/information-type/categorization | ||
| Information Categorization System (URI reference to standard used to categorize information types): | ||
| /*/system-characteristics/system-information/information-type/categorization/@system | ||
| System Information Type Unique IDs: | ||
| /*/system-characteristics/system-information/information-type/categorization/information-type-id | ||
| Confidentiality Impact (base): | ||
| /*/system-characteristics/system-information/information-type/confidentiality-impact/base | ||
| Confidentiality Impact (selected): | ||
| /*/system-characteristics/system-information/information-type/confidentiality-impact/selected | ||
| Confidentiality Impact (adjustment justification): | ||
| /*/system-characteristics/system-information/information-type/confidentiality-impact/adjustment-justification | ||
| Integrity Impact (base): | ||
| /*/system-characteristics/system-information/information-type/integrity-impact/base | ||
| Integrity Impact (selected): | ||
| /*/system-characteristics/system-information/information-type/integrity-impact/selected | ||
| Integrity Impact (adjustment justification): | ||
| /*/system-characteristics/system-information/information-type/integrity-impact/adjustment-justification | ||
| Availability Impact (base): | ||
| /*/system-characteristics/system-information/information-type/availability-impact/base | ||
| Availability Impact (selected): | ||
| /*/system-characteristics/system-information/information-type/availability-impact/selected | ||
| Availability Impact (adjustment justification): | ||
| /*/system-characteristics/system-information/information-type/availability-impact/adjustment-justification | ||
| {{</ highlight >}} | ||
|
|
||
| --- | ||
|
|
||
| ### Security Impact Level | ||
|
|
||
| The security impact level describes the expected impact resulting from unauthorized disclosure, modification, or loss of access to information. It is documented in the `system-impact-level` assembly derived from the confidentiality, integrity, and availability security objectives for the system, which considers the sensitivity of information within the system. | ||
|
|
||
| #### OSCAL Representation | ||
| {{< highlight xml "linenos=table, hl_lines=52-57" >}} | ||
| <system-security-plan> | ||
| <metadata> | ||
| <!-- cut CSP Name --> | ||
| </metadata> | ||
| <system-characteristics> | ||
| <!-- System Name & Abbreviation --> | ||
| <system-name>System's Full Name</system-name> | ||
| <system-name-short>System's Short Name or Acronym</system-name-short> | ||
| <!-- FedRAMP Unique Identifier --> | ||
| <system-id identifier-type="http://fedramp.gov">F00000000</system-id> | ||
| <!-- cut Service Model --> | ||
| <!-- cut Deployment Model --> | ||
| <!-- cut DIL Determination --> | ||
|
|
||
| <!-- FIPS PUB 199 Level (SSP Attachment 10) --> | ||
| <security-sensitivity-level>fips-199-moderate</security-sensitivity-level> | ||
|
|
||
| <!-- system-information --> | ||
| <system-information> | ||
| <information-type uuid="06ecba4f-db96-4491-a3a2-7febfa227435"> | ||
| <title>Information Type Name</title> | ||
| <description> | ||
| <p>A description of the information.</p> | ||
| </description> | ||
| <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1"> | ||
| <information-type-id>C.2.4.1</information-type-id> | ||
| </categorization> | ||
| <confidentiality-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </confidentiality-impact> | ||
| <integrity-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </integrity-impact> | ||
| <availability-impact> | ||
| <base>fips-199-moderate</base> | ||
| <selected>fips-199-moderate</selected> | ||
| <adjustment-justification> | ||
| <p>Required if the base and selected values do not match.</p> | ||
| </adjustment-justification> | ||
| </availability-impact> | ||
| </information-type> | ||
| </system-information> | ||
|
|
||
| <!-- Security Impact Level --> | ||
| <security-impact-level> | ||
| <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality> | ||
| <security-objective-integrity>fips-199-moderate</security-objective-integrity> | ||
| <security-objective-availability>fips-199-moderate</security-objective-availability> | ||
| </security-impact-level> | ||
|
|
||
| <!-- cut --> | ||
| </system-characteristics> | ||
| <!-- cut --> | ||
| </system-security-plan> | ||
| {{</ highlight >}} | ||
|
|
||
| <br /> | ||
| {{<callout>}} | ||
|
|
||
| **OSCAL Allowed Values** | ||
|
|
||
| Valid values for `security-objective-confidentiality`, `security-objective-integrity`, and `security-objective-availability`: | ||
| - fips-199-low | ||
| - fips-199-moderate | ||
| - fips-199-high | ||
|
|
||
| {{</callout>}} | ||
|
|
||
| #### XPath Queries | ||
| {{< highlight xml "linenos=table" >}} | ||
| Confidentiality Security Objective: | ||
| /*/system-characteristics/security-impact-level/security-objective-confidentiality | ||
| Integrity Security Objective: | ||
| /*/system-characteristics/security-impact-level/security-objective-integrity | ||
| Availability Security Objective: | ||
| /*/system-characteristics/security-impact-level/security-objective-availability | ||
| {{</ highlight >}} | ||
|
|
||
| --- | ||
|
|
||
| ### System Status | ||
|
|
||
| The system status in the FedRAMP SSP template document is specified in the "Fully Operational as of" table cell illustrated in the figure below. OSCAL has a `status` assembly that is used to describe the operational status of the system. In addition, FedRAMP has defined an extension that must be used to provide the date when the system became operational. | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
security-sensitivity-levelis afield, not anassembly.