Appendix A - FedRAMP SSP Rev5 Template
-This description field is required by OSCAL.
-FedRAMP does not require any specific information here.
-Appendix A - FedRAMP SSP Rev5 Template
+This description field is required by OSCAL.
+FedRAMP does not require any specific information here.
+Describe how Part a is satisfied within the system.
+Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.
+In this case, a link must be provided to the policy.
+FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.
+The specified component is the system itself.
+Any control implementation response that can not be associated with another component is associated with the component representing the system.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Identity Management and Access Control Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+There
+Describe the plan to complete the implementation.
+Describe how this policy currently satisfies part a.
+Describe the plan for addressing the missing policy elements.
+Identify what is currently missing from this policy.
+Describe how Part b-1 is satisfied.
+Describe how Part b-2 is satisfied.
+Describe the plan to complete the implementation.
+Describe any customer-configured requirements for satisfying this control.
+Describe how the control is satisfied within the system.
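Review bot: The added line that reads only "There", directly after "That component contains a link to the policy, so it does not have to be linked here too.", is a sentence fragment carried over unchanged from the removed text. Either complete the remark or drop the line, since a template user cannot tell what guidance was intended.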
+Describe how AC-2, part a is satisfied within this system.
+This points to the This System
component, and is used any time a more specific component reference is not available.
Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.
+Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.
+Not associated with inheritance, thus associated this with the by-component for this system
.
+
For the portion of the control satisfied by the application component of this system, describe how the control is met.
+Consumer-appropriate description of what may be inherited from this application component by a leveraging system.
+In the context of the application component in satisfaction of AC-2, part a.
+Leveraging system's responsibilities with respect to inheriting this capability from this application.
+In the context of the application component in satisfaction of AC-2, part a.
+The component-uuid above points to the this system
component.
Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.
+This can also be used to provide a summary, such as a holistic overview of how multiple components work together.
+While the this system
component is not explicitly required within every statement
, it will typically be present.
For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.
+Optional description.
+Consumer-appropriate description of what may be inherited as provided by the leveraged system.
+In the context of this component in satisfaction of AC-2, part a.
+The provided-uuid
links this to the same statement in the leveraged system's SSP.
It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).
+Description of how the responsibility was satisfied.
+The responsibility-uuid
links this to the same statement in the leveraged system's SSP.
It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).
+Tools should use this to ensure all identified customer responsibility
statements have a corresponding satisfied
statement in the leveraging system's SSP.
Tool developers should be mindful that
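Review bot: The remark ending "Tool developers should be mindful that" stops mid-sentence, so the caveat it introduces about matching customer responsibility statements to satisfied statements is missing; finish the sentence or remove it. In the same AC-2 region the component is written both as "This System" and "this system", and "thus associated this with the by-component for this system" needs rewording; settle on one spelling of the component name and fix that sentence.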
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+Describe how Part a is satisfied.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+Describe how Part b-1 is satisfied.
+Describe how Part b-2 is satisfied.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+The organization coordinates contingency plan development with organizational elements responsible for related plans.
+The organization plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.
+The organization identifies critical system assets supporting essential missions and business functions.
+The organization coordinates contingency plan testing with organizational elements responsible for related plans.
+The organization conducts an assessment of the alternate storage site at least annually to determine its availability and readiness for operation.
+The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
+The organization conducts an assessment of the alternate processing site at least annually to determine its availability and readiness for operation.
+The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
+The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
+The organization identifies primary and alternate telecommunications services supporting the system and documents provider contingency plans and recovery time objectives to ensure the availability of telecommunication services.
+The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
+The organization conducts backups of user-level information contained in the system at least weekly.
+The organization provides a means to restore system functions without loading backups (e.g., through system reinstallation).
+The organization implements transaction recovery for systems that are transaction-based.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+The organization:
+The organization:
+a. Approves and monitors the use of system maintenance tools; and
+b. Controls maintenance tools through one or more of the following: removal, disabling, preventing unauthorized removal.
+The organization inspects the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
+The organization checks media containing diagnostic and test programs for malicious code before the media are used in the system.
+The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
+(a) Verifying that there is no organizational information contained on the equipment;
+(b) Sanitizing or destroying the equipment;
+(c) Retaining the equipment within the facility; or
+(d) Obtaining an exemption from the authorizing official explicitly authorizing removal of the equipment from the facility.
+The organization:
+a. Approves and monitors nonlocal maintenance and diagnostic activities;
+b. Documents and monitors maintenance and diagnostic activities;
+c. Requires that nonlocal maintenance and diagnostic activities be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
+d. Removes the component to be serviced from the system prior to nonlocal maintenance or diagnostic services.
+The organization:
+a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
+b. Ensures that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
+c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
+The organization:
+a. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
+Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
+Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
+b. Develops and implements alternate security safeguards in the event a system component cannot be sanitized, removed, or disconnected from the system.
+The organization performs maintenance on organization-defined system components within organization-defined time periods of failure.
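Review bot: "The organization:" is added twice in a row ahead of the maintenance-tools list that begins "a. Approves and monitors the use of system maintenance tools; and", so one of the two lines is either a duplicate or a stem whose list items are missing. Further down, the two requirements introduced by "that include the following requirements:" carry no markers while every other list in this region uses a./b. or (a)/(b); number them so an implementation response can reference each one.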
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how the control is satisfied within the system.
+DMARC is employed.
+SPF is employed.
+DKIM is employed.
+Describe the plan to complete the implementation.
+Describe how the control is satisfied within the system.
+For the portion of the control satisfied by the service provider, describe how the control is met.
+Describe how this policy component satisfies part a.
+Component approach. This links to a component representing the Policy.
+That component contains a link to the policy, so it does not have to be linked here too.
+Describe how this procedure component satisfies part a.
+Component approach. This links to a component representing the procedure.
+That component contains a link to the procedure, so it does not have to be linked here too.
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Implementation description needed
+Describe how Part a is satisfied within the system.
-Legacy approach. If no policy component is defined, describe here how the - policy satisfies part a.
-In this case, a link must be provided to the policy.
-FedRAMP prefers all policies and procedures be attached as a resource in the - back-matter. The link points to a resource.
-The specified component is the system itself.
-Any control implementation response that can not be associated with another - component is associated with the component representing the system.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Identity - Management and Access Control Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-There
-Describe the plan to complete the implementation.
-Describe how this policy currently satisfies part a.
-Describe the plan for addressing the missing policy elements.
-Identify what is currently missing from this policy.
-Describe how Part b-1 is satisfied.
-Describe how Part b-2 is satisfied.
-Describe the plan to complete the implementation.
-Describe any customer-configured requirements for satisfying this control.
-Describe how the control is satisfied within the system.
-Describe how AC-2, part a is satisfied within this system.
-This points to the "This System" component, and is used any time a more - specific component reference is not available.
-Leveraged system's statement of capabilities which may be inherited by a - leveraging systems to satisfy AC-2, part a.
-Leveraged system's statement of a leveraging system's responsibilities in - satisfaction of AC-2, part a.
-Not associated with inheritance, thus associated this with the - by-component for "this system".
-For the portion of the control satisfied by the application component of this - system, describe how the control is met.
-Consumer-appropriate description of what may be inherited from this - application component by a leveraging system.
-In the context of the application component in satisfaction of AC-2, part - a.
-Leveraging system's responsibilities with respect to inheriting this - capability from this application.
-In the context of the application component in satisfaction of AC-2, part - a.
-The component-uuid above points to the "this system" component.
-Any control response content that does not cleanly fit another system component - is placed here. This includes customer responsibility content.
-This can also be used to provide a summary, such as a holistic overview of how - multiple components work together.
-While the "this system" component is not explicitly required within every
- statement
, it will typically be present.
For the portion inherited from an underlying FedRAMP-authorized provider, - describe what is inherited.
-Optional description.
-Consumer-appropriate description of what may be inherited as provided by the - leveraged system.
-In the context of this component in satisfaction of AC-2, part a.
-The provided-uuid
links this to the same statement in the
- leveraged system's SSP.
It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).
-Description of how the responsibility was satisfied.
-The responsibility-uuid
links this to the same statement in the
- leveraged system's SSP.
It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).
-Tools should use this to ensure all identified customer
- responsibility
statements have a corresponding
- satisfied
statement in the leveraging system's SSP.
Tool developers should be mindful that
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-Describe how Part a is satisfied.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-Describe how Part b-1 is satisfied.
-Describe how Part b-2 is satisfied.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how the control is satisfied within the system.
-DMARC is employed.
-SPF is employed.
-DKIM is employed.
-Describe the plan to complete the implementation.
-Describe how the control is satisfied within the system.
-For the portion of the control satisfied by the service provider, describe - how the control is met.
-Describe how this policy component satisfies part a.
-Component approach. This links to a component representing the Policy.
-That component contains a link to the policy, so it does not have to be linked - here too.
-Describe how this procedure component satisfies part a.
-Component approach. This links to a component representing the procedure.
-That component contains a link to the procedure, so it does not have to be - linked here too.
-Implementation description needed
+Implementation description needed
+Implementation description needed
+This appears in FedRAMP profiles and resolved profile catalogs.
For control statements, it signals to the CSP which statements require a response in the SSP.
For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook.
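Review bot: The added lines in this region are a single sentence, "Implementation description needed", repeated for every statement, while the removed lines carried per-statement guidance. That guidance includes the remarks on `provided-uuid` and `responsibility-uuid`, and the line "Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP." Please confirm that guidance survives elsewhere in the template; if it does not, keep it on at least one exemplar control (the AC-2, part a inheritance example is the natural place), because it explains how a leveraging system's responsibilities are traced back to the leveraged system's SSP. Also, a uniform placeholder looks like a real response to any check that only tests whether a description is present, so document that this literal string marks an unanswered statement and should not appear in a submitted SSP.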
- + @@ -57,20 +58,24 @@ else if (system-characteristics/security-sensitivity-level = 'fips-199-moderate') then ('fips-199-moderate', 'fips-199-high') else ('fips-199-low', 'fips-199-moderate', 'fips-199-high')"/> -All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.
-FedRAMP maintains an official list of the versions on the fedramp-automation releases page. Unless noted otherwise, a valid version is a published tag name.
+FedRAMP maintains an official list of the versions on the fedramp-automation releases page. Unless noted otherwise, a valid version is a published tag name. +
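Review bot: The removed and added lines beginning "FedRAMP maintains an official list of the versions on the fedramp-automation releases page" read identically in the visible text, so this looks like a whitespace-only or markup-only change; say so in the commit message, or drop it from the patch if it is unintended. Separately, "Unless noted otherwise, a valid version is a published tag name" does not say where exceptions are noted; name that place or remove the qualifier. In the context above the change, the visible tail of the expression ends in `else ('fips-199-low', 'fips-199-moderate', 'fips-199-high')`, so any value not matched by an earlier branch falls through to the list of all three levels; it is worth confirming that a missing or misspelled `security-sensitivity-level` is caught by another rule.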