diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index ee7b6ff79..8affb7d1f 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -10,7 +10,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -# | ssp-all-VALID.xml | + | fedramp-ssp-example.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml index a8272221a..732bbc089 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.xml @@ -1,7 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -13,8 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -23,15 +21,14 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

- + @@ -287,7 +284,8 @@

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party.

+ via responsible-party. +

@@ -563,8 +561,7 @@
- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

@@ -574,7 +571,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -608,10 +605,10 @@ - + - + fips-199-moderate @@ -777,16 +774,16 @@ AwesomeCloud Commercial(IaaS) - - + + +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.

- +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records @@ -807,9 +804,17 @@ + + + + + system-poc-technical - - none + Admin + +

admin user

+ + administration

The user assembly is being reviewed for continued applicability @@ -820,31 +825,57 @@ - + + + + + + system-poc-technical Add/Remove Admins This can add and remove admins. - + + + + + system-poc-technical - - add/remove non-privliged admins + Admin + +

admin user

+ + administration - + + + + + system-poc-technical - - Manage services and components within the virtual cloud environment. + Admin + +

admin user

+
+ administration
- + + + + + system-owner - - Add and remove users from the virtual cloud environment. + Admin + +

admin user

+
+ administration
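Review bot: in hunks @@ -807,9 +804,17 @@ and @@ -820,31 +825,57 @@ the four authorized-privilege entries are collapsed into identical `Admin` / `admin user` / `administration` blocks, which throws away the least-privilege differentiation the example used to show. The removed lines carried four distinct privilege descriptions: `none`, `add/remove non-privliged admins`, `Manage services and components within the virtual cloud environment.` and `Add and remove users from the virtual cloud environment.`; after this change every user in the sample reads as a full administrator with the same function performed. Since this file is now also the valid-document fixture for the feature test, it should still model one non-privileged user and differentiated functions per privileged role (keeping the `none` entry, and giving each `Admin` entry a title and function that matches the description it replaced, with the `privliged` typo fixed), so the example demonstrates how a reviewer distinguishes privileged from non-privileged access rather than a uniform `Admin`.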
@@ -883,16 +914,16 @@ - - + +

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

- - + + @@ -905,8 +936,8 @@
- - + +

This is a leveraged system within which this system operates. @@ -942,7 +973,7 @@

Links to the vendor website describing the system are encouraged, but not required.

- +

Services

A service within the scope of the leveraged system's authorization boundary is considered an "authorized service". Any other service offered by the @@ -961,12 +992,13 @@ a "poam-item" link that references a corrisponding entry in this system's POA&M. - +

Both authorized and non-authorized leveraged services include:

  • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001")
  • + (Example: "#11111111-2222-4000-8000-009000100001") +
  • the name of the service in the title (for authorized services this should be exactly as it appears in the FedRAMP Marketplace
  • an "implementation-point" core property with a value of "external"
  • @@ -978,7 +1010,7 @@
  • a status with a state value of "operational"
  • At least one responsible-role (other than "provider") that indicates any authorized users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
  • + a user assembly entry.

Although SSP Table 7.1 also requires data categoriation and hosting @@ -996,13 +1028,13 @@ - - + + - - + +

This is a service offered by a leveraged system and used by this system. @@ -1017,7 +1049,8 @@ leveraged-authorization entry

  • an "implementation-point" property with a value of "external"; and
  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +

    Where relevant, this component should also have:

    @@ -1055,23 +1088,27 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method.

    If 'no', explain why no authentication is used.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - + + + + + - + + + + 33333333-2222-4000-8000-004000000001

    This is a service offered by a leveraged system and used by this system. @@ -1092,7 +1129,8 @@ POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) in an OSCAL-based POA&M.

  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
  • @@ -1101,7 +1139,7 @@ tools are able to distinguish between authorized and non-authorized services from the same leveraged provider.

    - +

    Where relevant, this component should also have:

    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly @@ -1118,7 +1156,7 @@
    • Package ID, Authorization Type, Impact Level

    - +

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).

    Link(s) to the vendor's web site describing the service are encouraged, but not @@ -1138,20 +1176,20 @@ - + Other Cloud SaaS

    An external system to which this system shares an interconnection.

    - + - + 33333333-2222-4000-8000-004000000001 - + 11111111-2222-4000-8000-004000000008 @@ -1183,7 +1221,7 @@ remote listening ports, one or more "protocol" assemblies must be provided. - +

    While not required, each "system" component should have:

    • an "inherited-uuid" property if the value was provided by the system owner
    • @@ -1192,7 +1230,7 @@
    • an "system-owner" responsible-role
    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    • -
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1202,50 +1240,50 @@ - + [EXAMPLE]Authorized Connection Information System Name

    Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    - - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - - + + + + + +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    - - - - + + + + - + - - + + + - - + 44444444-2222-4000-8000-004000000001 @@ -1293,7 +1331,7 @@
  • a "compliance" property/extension if appropriate
  • an "system-poc-management" responsible-role
  • an "system-poc-technical" responsible-role
  • - +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1309,13 +1347,13 @@

    - - + + - + - + 11111111-2222-4000-8000-004000000010 @@ -1337,8 +1375,8 @@ here.

    For an external system, the "implementation-point" property must always be present with a value of "external".

    - - + +

    Each interconnection must be defined with both an "system" component and an "interconnection" component.

    Must include all leveraged services and features from the leveraged authorization @@ -1354,17 +1392,18 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - + +

    This can only be known if provided by the leveraged system. @@ -1374,20 +1413,21 @@ - - - 11111111-2222-4000-8000-c0040000000a - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + + 33333333-2222-4000-8000-004000000001 + + - + - +

    This is a service provided by an external system other than the leveraged system.

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1404,7 +1444,8 @@

    - An "implementation-point" property with a value of "external".

    - A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001"

    +

    - Example: "#11111111-2222-4000-8000-009000100001" +

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, this property is blocked from proper use.

    - a status with a state value of "operational"

    @@ -1435,50 +1476,58 @@ Service C +

    A service provided by an external system other than the leveraged system.

    Describe the service and what it is used for.

    + - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - +

    Either describe a risk associated with this service, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    - +
    + + + 11111111-2222-4000-8000-004000000018 + + Remote API Service +

    This is a service provided by an external system other than the leveraged system.

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - +

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1490,10 +1539,10 @@

    If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

    - - - - + + + +
    @@ -1505,32 +1554,33 @@ - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    - - - + + + +

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    +

    @@ -1538,6 +1588,9 @@ + + 11111111-2222-4000-8000-004000000018 + @@ -1570,16 +1623,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1591,16 +1642,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1618,7 +1667,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1639,7 +1688,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1661,8 +1710,8 @@

    FUNCTION: Describe typical component function.

    - - + + @@ -1683,18 +1732,18 @@

    None

    - + - + Database Sample

    None

    - + @@ -1710,9 +1759,8 @@

    None

    - - + + @@ -2126,8 +2174,8 @@ - - + +

    If no, explain why. If yes, omit remarks field.

    @@ -2187,7 +2235,7 @@

    If no, explain why. If yes, omit remark.

    - + 11111111-2222-4000-8000-004000000010 @@ -2213,9 +2261,8 @@ - - + + @@ -2228,9 +2275,8 @@ - - + + @@ -2243,9 +2289,8 @@ - - + + @@ -2262,8 +2307,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2276,9 +2320,8 @@ - - + + @@ -2295,8 +2338,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2309,9 +2351,8 @@ - - + + @@ -2327,7 +2368,7 @@

    FedRAMP does not require any specific information here.

    - + @@ -2342,8 +2383,7 @@ - +

    Describe how Part a is satisfied within the system.

    Legacy approach. If no policy component is defined, describe here how the @@ -2361,8 +2401,7 @@ component is associated with the component representing the system.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Identity @@ -2374,26 +2413,22 @@ - +

    There

    - +

    Describe the plan to complete the implementation.

    - +

    Describe how this policy currently satisfies part a.

    - +

    Describe the plan for addressing the missing policy elements.

    @@ -2406,8 +2441,7 @@
    - +

    Describe how Part b-1 is satisfied.

    @@ -2415,8 +2449,7 @@
    - +

    Describe how Part b-2 is satisfied.

    @@ -2425,16 +2458,15 @@
    - - + +

    Describe the plan to complete the implementation.

    - - + +

    Describe any customer-configured requirements for satisfying this control.

    @@ -2446,8 +2478,7 @@ 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2466,8 +2497,7 @@
    - +

    Describe how AC-2, part a is satisfied within this system.

    This points to the "This System" component, and is used any time a more @@ -2480,8 +2510,7 @@ leveraging systems to satisfy AC-2, part a.

    - +

    Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

    @@ -2494,8 +2523,7 @@
    - +

    For the portion of the control satisfied by the application component of this system, describe how the control is met.

    @@ -2512,8 +2540,7 @@ 11111111-2222-4000-8000-004000000005 - +

    Leveraging system's responsibilities with respect to inheriting this capability from this application.

    @@ -2532,17 +2559,15 @@

    This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    + statement, it will typically be present.

    - +

    For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

    - +

    Optional description.

    Consumer-appropriate description of what may be inherited as provided by the @@ -2554,8 +2579,7 @@ CRM (Inheritance and Responsibility Model).

    - +

    Description of how the responsibility was satisfied.

    The responsibility-uuid links this to the same statement in the @@ -2563,8 +2587,8 @@

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

    Tool developers should be mindful that

    @@ -2572,21 +2596,20 @@ - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2602,14 +2625,12 @@
    - +

    Describe how Part a is satisfied.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2617,8 +2638,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2628,16 +2648,14 @@
    - +

    Describe how Part b-1 is satisfied.

    - +

    Describe how Part b-2 is satisfied.

    @@ -2645,21 +2663,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2675,16 +2692,14 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2692,8 +2707,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2703,42 +2717,39 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2754,15 +2765,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2770,8 +2779,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2781,40 +2789,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2830,15 +2835,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2846,8 +2849,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2857,38 +2859,35 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2904,15 +2903,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2920,8 +2917,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2931,40 +2927,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2980,15 +2973,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2996,8 +2987,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3007,40 +2997,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3056,15 +3043,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3072,8 +3057,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3083,40 +3067,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3132,15 +3113,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3148,8 +3127,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3159,40 +3137,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3208,15 +3183,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3224,8 +3197,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3235,40 +3207,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3284,15 +3253,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3300,8 +3267,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3311,40 +3277,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3360,15 +3323,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3376,8 +3337,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3387,40 +3347,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3436,15 +3393,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3452,8 +3407,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3463,40 +3417,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3512,15 +3463,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3528,8 +3477,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3539,40 +3487,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3588,15 +3533,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3604,8 +3547,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3615,40 +3557,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3664,15 +3603,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3680,8 +3617,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3691,40 +3627,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3740,15 +3673,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3756,8 +3687,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3767,35 +3697,32 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + + 11111111-2222-4000-8000-004000000018 - +

    Describe how the control is satisfied within the system.

    DMARC is employed.

    @@ -3815,21 +3742,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.
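Review bot: the same by-component reference 11111111-2222-4000-8000-004000000011 is used in three implemented requirements in this region (this hunk and the two earlier hunks with the same "- + ... - +" markers), while the hunk just before this one references 11111111-2222-4000-8000-004000000018 next to the one-line description "DMARC is employed." Please confirm that both UUIDs resolve to a component defined in this document's system-implementation. The Missing Response Components constraint text in this PR requires at least one by-component reference per implemented requirement; whether it also checks that the referenced uuid resolves is not visible here, so a copy-pasted or dangling UUID could still leave the example passing that test while pointing at the wrong component.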

    @@ -3845,15 +3771,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3861,8 +3785,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3902,8 +3825,7 @@ FedRAMP Applicable Laws and Regulations - +

    Must be present in a FedRAMP SSP.

    @@ -3925,7 +3847,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +
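Review bot: this hunk and the roughly forty that follow it (every "Table 12-1 Attachments" resource, the diagram resources and the closing resources) make the same whitespace-only rewrap of "May use rlink with a relative path, or embedded as base64."; the wording itself is unchanged. Squash these into a standalone formatting commit so that the substantive edits to this file (component references, the new back-matter resources, the citation title) are reviewable on their own.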

    @@ -3942,7 +3865,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3959,7 +3883,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3976,7 +3901,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3993,7 +3919,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4011,7 +3938,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4028,7 +3956,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4045,7 +3974,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4062,7 +3992,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4079,7 +4010,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4096,7 +4028,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4113,7 +4046,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4130,7 +4064,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4147,7 +4082,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4164,7 +4100,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4181,7 +4118,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4198,7 +4136,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4215,7 +4154,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4233,7 +4173,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4250,7 +4191,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4267,7 +4209,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4284,7 +4227,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4301,7 +4245,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4318,7 +4263,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4335,7 +4281,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4352,7 +4299,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4369,7 +4317,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4386,7 +4335,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4403,7 +4353,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4420,7 +4371,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4437,7 +4389,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4454,7 +4407,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4471,7 +4425,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4488,7 +4443,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4505,7 +4461,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4522,7 +4479,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4539,7 +4497,8 @@

    Table 12-1 Attachments: User's Guide Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4559,7 +4518,8 @@

    Table 12-1 Attachments: Rules of Behavior (ROB)

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4577,7 +4537,8 @@

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4595,7 +4556,8 @@

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4613,7 +4575,8 @@

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4652,7 +4615,8 @@

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4682,7 +4646,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4703,7 +4668,7 @@

    FedRAMP Logo

    - + 00000000 @@ -4720,7 +4685,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.
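Review bot: the FedRAMP Logo resource keeps the literal value 00000000 (it appears as context on both sides of the fused hunk header), and the same eight-zero value is introduced again for the new Separation of Duties Matrix resource at the end of this file. Since this example is now the fixture that the PASS test must validate, either mark that value plainly as placeholder sample data or fill in a real value; otherwise any future constraint on that field will first fail against the example rather than against real SSPs.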

    @@ -4735,7 +4701,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4756,7 +4723,8 @@ system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4777,7 +4745,8 @@ system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4796,7 +4765,8 @@

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4813,7 +4783,8 @@ 41 CFR 201 - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. @@ -4830,5 +4801,32 @@ and the value is "citation".

    + + CSP Reference + + + +

    CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

    +
    +
    + + Separation of Duties Matrix + +

    Separation of Duties Matrix

    +
    + + + + + 00000000 + +

    May use rlink with a relative path, or embedded as base64. +

    +
    +
    + + +
    \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 9de641170..dd0b5057d 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -166,7 +166,7 @@ - + Missing Response Components Each implemented requirement MUST have at least one by-component reference to the source component implementing it. diff --git a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml index b070ded70..cd6831c3e 100644 --- a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml +++ b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml @@ -3,7 +3,7 @@ test-case: description: >- This test case validates the behavior of constraint missing-response-components - content: ../content/ssp-all-VALID.xml + content: ../content/fedramp-ssp-example.xml expectations: - constraint-id: missing-response-components result: pass
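Review bot: in the hunk at @@ -4813,7 +4783,8 @@ the added line repeats "Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." verbatim from the existing "41 CFR 201 - ..." citation line directly above it. If the new element is a title, it should carry the short name ("41 CFR 201" or "Federal Acquisition Supply Chain Security Act") rather than the full citation, otherwise the resource renders the citation twice.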
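Review bot: the final hunk (@@ -4830,5 +4801,32 @@) adds the CSP Reference and Separation of Duties Matrix resources but leaves the file without a trailing newline ("\ No newline at end of file"); add one so the next back-matter edit does not produce a spurious one-line diff. The new Separation of Duties Matrix resource also reuses the "May use rlink with a relative path, or embedded as base64." remark and the 00000000 value seen on the logo resource, so check that it carries its own rlink or base64 payload rather than a copied placeholder.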
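Review bot: in fedramp-external-constraints.xml the changed line is the element that carries the Missing Response Components constraint (the attribute that changed is not shown in this rendering), while missing-response-components-PASS.yaml still expects constraint-id missing-response-components; confirm the two agree after this change. Since this PR only updates the PASS expectation, consider adding a matching FAIL case with an implemented-requirement that has no by-component, so the constraint is shown to fire as well as to pass.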
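Review bot: the PASS test now validates ../content/fedramp-ssp-example.xml, the same file this PR rewrites extensively, instead of ../content/ssp-all-VALID.xml. A regression in the example (for instance a by-component dropped during the rewrap) would surface as a constraint test failure rather than as an example-content failure, so a small dedicated fixture for missing-response-components would give a clearer signal. Also check whether ssp-all-VALID.xml is still referenced anywhere or should be removed in the same change.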