From b076f55710a319e38a08b5977cac5dcac823d688 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Tue, 3 Dec 2024 17:17:18 +0000 Subject: [PATCH] Add example ssp to content file and edit constraint script to point yaml pass file to example ssp --- features/fedramp_extensions.feature | 2 +- src/scripts/dev-constraint.js | 2 +- .../content/fedramp-ssp-example.xml | 4834 +++++++++++++++++ 3 files changed, 4836 insertions(+), 2 deletions(-) create mode 100644 src/validations/constraints/content/fedramp-ssp-example.xml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index dc9ac4de0..ee7b6ff79 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -10,7 +10,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -| ssp-all-VALID.xml | +# | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/scripts/dev-constraint.js b/src/scripts/dev-constraint.js index 4df459f1b..40d337dac 100644 --- a/src/scripts/dev-constraint.js +++ b/src/scripts/dev-constraint.js @@ -283,7 +283,7 @@ async function scaffoldTest(constraintId,context) { 'test-case': { name: `Positive Test for ${constraintId}`, description: `This test case validates the behavior of constraint ${constraintId}`, - content: `../content/${model}-all-VALID.xml`, + content: model === 'ssp' ? '../content/fedramp-example-ssp.xml' : `../content/${model}-all-VALID.xml`, expectations: [ { 'constraint-id': constraintId, diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml new file mode 100644 index 000000000..a8272221a --- /dev/null +++ b/src/validations/constraints/content/fedramp-ssp-example.xml 
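Review bot: in the features/fedramp_extensions.feature hunk, commenting out `| ssp-all-VALID.xml |` leaves the `valid_file` Examples table for "Documents that should be valid are pass" with no active rows (the two AwesomeCloud rows were already commented out), so the scenario outline no longer runs any positive case and the suite will silently stop checking that a valid SSP passes. If the new fedramp-ssp-example.xml is meant to take over that role, add a row for it (resolved against the same base the existing `../../../content/...` rows use) instead of leaving the table empty.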
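Review bot: in the src/scripts/dev-constraint.js hunk, the path in the new ternary, `'../content/fedramp-example-ssp.xml'`, does not match the file this patch creates, `src/validations/constraints/content/fedramp-ssp-example.xml` (the words "ssp" and "example" are swapped), so every positive test scaffolded for an ssp constraint will reference a file that does not exist and fail at load time. Change it to `'../content/fedramp-ssp-example.xml'` and add a one-line comment explaining why ssp diverges from the `${model}-all-VALID.xml` convention used for the other models, since the hardcoded `model === 'ssp'` special case is otherwise easy to misread as a leftover.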
@@ -0,0 +1,4834 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to + this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to + operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the + System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the + system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to + which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this + system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer + responsibility.

+
+
+ + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external + system.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

Zero or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

One or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

One or more

+
+
+ + 11111111-2222-4000-8000-004000000012 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000013 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000014 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000015 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000016 + +

Exactly one

+
+
+ + +
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-high + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + +
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + + + AwesomeCloud Commercial(IaaS) + + + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

+
+
+ + + + + none + + +

The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

+
+
+ + + + Add/Remove Admins + This can add and remove admins. + + + + + + + add/remove non-privliged admins + + + + + + + Manage services and components within the virtual cloud environment. + + + + + + + Add and remove users from the virtual cloud environment. + + + + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+ +

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+ +

Both authorized and non-authorized leveraged services include:

+
    +
  • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+ +

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+ + + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+
+
+ + + + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • one or two "direction" prperty/extensions
  • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
  • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • +
  • + +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

+

+ +

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+ +

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + + Other Cloud SaaS + +

An external system to which this system shares an interconnection.

+
+ + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • a "system" component (this component)
  • +
  • an "interconnection" component
  • +
+

Each "system" component must have:

+
    +
  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
  • +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
  • +
+ +

While not required, each "system" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "authorizing-official" responsible-role
  • +
  • an "system-owner" responsible-role
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

+
+
+ + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + +

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+
+
+ + + + + + + + + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + Incoming FTP Service + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • one "system" component for each remote system sharing the connection
  • +
  • an "interconnection" component (this component)
  • +
+

Each "interconnection" component must have:

+
    +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • one or two "direction" properties
  • +
  • a "nature-of-agreement" property/extension
  • +
  • one or more "authentication-method" properties/extensions.
  • +
  • a "hosting-environment" proptery/extension
  • +
  • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
  • +
  • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
  • +
  • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
  • +
  • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
  • +
  • exactly one "used-by" link with an href value that refers to the "this-system" component.
  • +
  • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
  • +
  • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
  • +
+

Authentication methods must address both system-authentication as well as + user authentication mechanisms.

+

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+

If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

+

+

While not required, each "interconnection" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

+
+
+ + + + + Other Cloud SaaS + +

+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+ +
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
+ + + + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+

- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + + Remote API Service + + + +

This is a service provided by an external system other than the leveraged system.

+ + + +

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+ + + +

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+ + + + +
+
+ + + + Management CLI + +

None

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + +

+ + + + + + + + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+ + + +
+ + + + + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + +
+ + Database Sample + +

None

+
+ + + + + + + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and + approved.

+
+ + +
+ + + + AC Policy + +

The Access Control Procedure governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Procedure governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and + approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and + approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and + approved.

+
+ + +
+ + + + + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + +
+ + Email Service + +

Email Service

+
+ + + + + + + + +
+ + + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

+
+ + + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+ +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".

+
+ + 11111111-2222-4000-8000-004000000001 + +
+
+
+ + +

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

Describe how Part a is satisfied.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + + + + 11111111-2222-4000-8000-004000000018 + + + + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+
+
+ + + + + Signed System Security Plan + +

SSP Signature

+
+ + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + +

Must be present in a FedRAMP SSP.

+
+
+ + + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

A CSP-specific law citation

+

The "type" property must be present and contain the value "law".

+
+ +
+ + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Plan of Actions and Milestones (POAM) + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

+
+
+ + CSP Acronyms + + + +

CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

+
+
+
+
\ No newline at end of file
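Review bot: the NIST SP 800-53 RA family is Risk Assessment, but the back-matter in this hunk titles both resources "Risk Adjustment Policy Title" and "Risk Adjustment Procedure Title" (described as "RA Policy document" and "RA Procedure document"); rename them to "Risk Assessment Policy Title" and "Risk Assessment Procedure Title" so the attachment list matches the control family it references. Two further copy-and-paste slips in the same resources block: the "Supply Chain Risk Management Plan" entry keeps the remark "Table 12-1 Attachments: Procedure Attachment" inherited from the procedure entries it was copied from (the CP, CM and IR plan entries each name their own attachment type, and this one should too), and the final resource title reads "Interconneciton Security Agreement (ISA)", which is misspelled and does not match the earlier "[SAMPLE]Interconnection Security Agreement Title" entry. The guidance on the "type" property is also inconsistent between the two CSP-specific citation resources: one remark says the property "must be present and contain the value "law"", the next says its class is "law" and its value is "citation"; settle on one convention and state it in both places so the example does not teach two different shapes. The SI requirement for DMARC, SPF and DKIM still carries bracketed "[specify frequency]" parameter values while the neighbouring requirements use concrete values such as "at least annually"; replace them with sample values or note that they are intentionally left open. Finally, the file ends without a trailing newline ("\ No newline at end of file"); add one so later diffs of this file stay clean.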