Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSP Completeness Checks: 7 External Systems and Services Not Having FedRAMP Authorization #808

Open
7 of 19 tasks
Tracked by #803
brian-ruf opened this issue Oct 23, 2024 · 16 comments
Open
7 of 19 tasks
Tracked by #803
Assignees
Labels

Comments

@brian-ruf
Copy link
Contributor

brian-ruf commented Oct 23, 2024

This is a ...

fix - something needs to be different

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

  • Check for presence
  • If present, check for required fields

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • all constraints associated with the review task have been converted/created
  • automate.fedramp.gov content has been updated accordingly
  • the metaschema help prop has an appropriate link to the constraint
  • the template has an content that models the desired OSCAL presentation
  • the constraint runs against the example template
  • known-bad content has been created
  • the constraint appropriately flags the known-bad content as invalid

Other information

No response

TASKS

@brian-ruf
Copy link
Contributor Author

brian-ruf commented Nov 12, 2024

There are five scenarios that require tracking as part of External Systems and Services Not Having FedRAMP Authorization:

  • Scenario 1: A non-authorized service from a FedRAMP leveraged authorization
  • Scenario 2: An interconnection between this system and an external system
  • Scenario 3: A service from an external system other than the leveraged system
  • Scenario 4: A service from this system offered to external systems
  • Scenario 5: A CLI that connects to leveraged or external systems

In all scenarios:

  • The "interconnection", "service", or "software" component is tied to an external "system" component:
    • For "service" and "software" this is via a "provided-by" link.
    • For "interconnection" this is via a "used-by" link.
  • Details about the information exchanged stay with the "interconnection", "service", or "software" component
  • Details about the provider stay with the "system" component.
  • Still working on this list

Scenario 1: A non-authorized service from a FedRAMP leveraged authorization

A service from an underlying leveraged system, where the underlying system is FedRAMP-authorized; however, the service is not included in the underlying system's authorization. (The service is not included in the underlying's system's FedRAMP Marketplace details.)

  • Create one //component[@type='service'] for each non-authorized leveraged service used by this system
  • Unlike the use of services falling under the leveraged system's authorization, the above component must NOT have prop[@name='leveraged-authorization-uuid'].
    • This would incorrectly indicate the service is covered under the authorization. It is not.
  • Link the service component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/link[@ref='provided-by']/@value
    • Need to defer due to incorrect constraint in core OSCAL syntax.
  • Include an "implementation-point" property with the value set to "external".
  • Include one or two "direction" property
graph LR;
   A[This System<br />type='this-system']-->B[Non-Authorized Leveraged Service<br />type='service']-->C[Leveraged System<br />type='system'];
Loading

Scenario 2: An interconnection between this system and an external system

FedRAMP-Authorized System connecting to an external system that may or may not be FedRAMP-authorized.

  • Create one //component[@type='system'] for each external system
  • Create one //component[@type='interconnection'] for each connection between this system and the external system
  • Link the interconnection component to the external system using the component UUID of the external system in: //component[@type='service']/prop[@name='connected-to-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
  • Link the interconnection component to this system using the component UUID of the this systemin : //component[@type='service']/link[@rel='used-by']/@value
  • Include an "implementation-point" property with the value set to "external".
  • Provide Interconnection Security Agreement details
  • Provide remote and local connection details
  • Provide common external service details
graph LR;
   A[This System<br />type='this-system']-->B[Interconnection<br />type='interconnection']-->C[External System<br />type='system'];
Loading

Scenario 3: A service or API from an external system other than the leveraged system

FedRAMP-Authorized System using an API or service from an external system:

  • Create one //component[@type='system'] for each external system
  • Create one //component[@type='service'] for each service or API used
  • Select the asset-type that best describes the function provided by the service or API.
    • Give preference to core OSCAL asset-type values, and only define/use others if none of those fit.
  • Link the service component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/link[@rel='provided-by']/@value
    • Need to defer due to incorrect constraint in core OSCAL syntax.
  • Include an "implementation-point" property with the value set to "external".
  • Provide remote connection details
  • Provide common external service details
graph LR;
   A[This System<br />type='this-system']-->B[External Service<br />type='service']-->C[External System<br />type='system'];
Loading

Scenario 4: A service or API from this system and offered to external systems

When the system represented by the SSP ("this-system") offers an API or service for external systems:

  • Create one //component[@type='service'] for each service or API used
  • Create one //component[@type='system'] for each known system or system type that may access the API (If the API is publicly accessible, a single "system" component may be created that describes the entire community of potential systems that may use the API/service.)
  • Select the asset-type that best describes the function provided by the service or API.
    • Give preference to core OSCAL asset-type values, and only define/use others if none of those fit.
  • Include an "implementation-point" property with the value set to "internal".
  • Include a "used-by" link that identifies the "system" component(s) representing the external systems.
  • Provide local connection details
  • Identify any information types that are communicated
  • Indicate whether information is flowing in or out
graph LR;
   A[This System<br />type='this-system']-->B[Offered Service or API<br />type='service']-->C[External System<br />type='system'];
Loading

Scenario 5: A CLI that connects to leveraged or external systems

FedRAMP-Authorized System using an CLI to manage remote or underlying system:

  • Create one //component[@type='system'] for each system where the CLI can effect change
  • Create one //component[@type='software'] for each CLI used
  • Specify the software component's asset type as "cli"
  • Link the software component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/link[@rel='provided-by']/@value
  • Include an "implementation-point" property with the value set to "external".
  • Provide remote connection details
  • Provide common external service details
graph LR;
   A[This System<br />type='this-system']-->B[Management CLI<br />type='software']-->C[External or Leveraged System<br />type='system'];
Loading

@brian-ruf brian-ruf self-assigned this Nov 12, 2024
@brian-ruf brian-ruf moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Nov 12, 2024
@brian-ruf
Copy link
Contributor Author

brian-ruf commented Nov 15, 2024

TARGET:

  • //system-implementation/component[((@type=('system', 'service')) and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='software' and ./prop[@name='asset-type' and @value='cli'])]
Data Location UnAuth
Service
from LA
Intercon External
Service
External
API
Offered
API
Management
CLI
Component Type(s) n/a system
service
system
interconnection
system
service
system
service
this-system
service
system
service
link[@rel='provided-by'] n/a 1 0 1 1 1 1
link[@rel='used-by'] n/a 0+ 2+ 0+ 0+ 0+ 0+
# n/a / Sequential Numbering n/a n/a n/a n/a n/a n/a
System/Service/API/CLI Name ./title (required field) 1 1 1 1 1 1
Service Processor Name [in "system"] ./responsible-role[@name='provider']/party-uuid
(in associated system per the "provided-by" or "used-by" link
1 1 1 1 n/a 1
Connection Details (Direction) [1 or 2] ./prop[@name='direction']/@value 1-2 1-2 1-2 1-2 1-2 1-2
Connection Details (Local IPv4 Address) [0+] ./prop[@name='ipv4-address' and @class='local']/@value 0+ 0+ 0+ 0+ 0+ 0
Connection Details (Local IPv6 Address) [0+] ./prop[@name='ipv6-address' and @class='local']/@value 0+ 0+ 0+ 0+ 0+ 0
Connection Details (Local Port) [0+] ./protocol[@name='local']/port-range 0+ 0+ 0+ 0+ 0+ 0
Connection Details (Local URI/URL) [0+] ./link[@rel='api']/@value 0+ 0+ 0+ 0+ 0+ 0
Connection Details (Remote URI/URL) [0+] ./link[@rel='api']/@value 0+ 0+ 0+ 0+ 0 0+
Connection Details (Remote IPv4 Address) [0+] ./prop[@name='ipv4-address' and @class='remote']/@value 0+ 0+ 0+ 0+ 0 0+
Connection Details (Remote IP6 Address) [0+] ./prop[@name='ipv6-address' and @class='remote']/@value 0+ 0+ 0+ 0+ 0 0+
Connection Details (Remote Port) [0+] ./protocol[@name='remote']/port-range 0+ 0+ 0+ 0+ 0 0+
Connection Details (Non-IP Based) [0 or 1] ./prop[@name='non-ip-based-connection' and @ns='http://fedramp.gov/ns/oscal']/@value 0+ 0+ 0+ 0+ 0+ 0+
Connection Details (Security) [1+] ./prop[@name='connection-security' and @ns='http://fedramp.gov/ns/oscal']/@value 1+ 1+ 1+ 1+ 1+ 1+
Nature of Agreement [1] ./prop[@name='nature-of-agreement' and @ns='http://fedramp.gov/ns/oscal']/@value 1 1 1 1 1 1
Still Supported? [1] ./prop[@name='still-supported' and @ns='http://fedramp.gov/ns/oscal'] 1 1 1 1 1 1
Data Types [1+] ./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value 1+ 1+ 1+ 1+ 1+ 1+
Data Categorization (Confidentiality)
[from //system-information]
//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/confidentiality-impact/selected n/a n/a n/a n/a n/a n/a
Data Categorization (Integrity)
[from //system-information]
//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/integrity-impact/selected n/a n/a n/a n/a n/a n/a
Data Categorization (Availability)
[from //system-information]
//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/availability-impact/selected n/a n/a n/a n/a n/a n/a
Authorized Users //component/responsible-role[not(@role-id='provider'] 1+ 1+ 1+ 1+ n/a 1+
User Authentication Method //component/prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal'] 1+ 1+ 1+ 1+ 1+ 1+
Other Compliance Programs
[ may be in "system" or "interconnection", "service", "software" ]
./prop[@name='compliance-program' and @ns='http://fedramp.gov/ns/oscal']/@value 0+ 0+ 0+ 0+ 0+ 0+
Description [1] OSCAL ./description (Required) 1 1 1 1 1 1
Hosting Environment [1] ./prop[@name='hosting-environment' and @ns='http://fedramp.gov/ns/oscal'] N/A 1 1 1 1 1
poam-item [1] ./link[@rel='poam-item' 1 1 1 1 1 1

@brian-ruf
Copy link
Contributor Author

brian-ruf commented Nov 15, 2024

Table 7.1 Constraint Goals

There are two primary goals to constraints related to table 7.1:

  1. Ensuring every communication path that crosses the authorization boundary is represented by a component pair.
  2. Ensuring the required content is present, which differs slightly due to differences in the ways communication can cross the authorization boundary.

Although all of table 7.1 is represented using components, only the "interconnection" component type always represents communication that crosses the authorization boundary. Additional content is required in "service" and "software" component types to determine if they represent communication that crosses the boundary.


Constraints

Checkboxes Below

The checkboxes are to track the inclusion of the constraint in a defined task issue. Checked indicates the constraint should be fully covered by a task that appears in the task list at the top.

Critical Constraints

Some component types can represent either inter- or intra- boundary communication. As a result, certain fields are required to disambiguate.
target="//component [@type='service' or (@type='software' and ./prop[@name='asset-type' and @value='cli']) ]"

  • All "service" components and all "software"/"cli" components must have exactly one "implementation-point" property.
    • count(./prop[@name='implementation-point']) = 1

Constraints that apply to the entire group:

target="//component[ (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) ]"

  • There must be at least one direction property, with no more than one incoming and no more than one outgoing direction: (This incorrectly conflates direction of connection from direction of data flow.)

    • count(./prop[@name='direction'])>=1
    • count(./prop[@name='direction' and @value='incoming']) <= 1
    • count(./prop[@name='direction' and @value='outgoing']) <= 1
  • If ./prop[@name='direction' and @value='incoming']: (This incorrectly conflates direction of connection from direction of data flow.)

    • If direction is incoming there must be at least one local ipv4 address, ipv6 address, or URI to an API.
      • count( (./prop[@class='local' and @name=('ipv4-address', 'ipv6-address')]) or (./link[@rel='uri']) ) >=1
    • If direction is incoming there must be at least one local protocol entry.
      • count(./protocol[@name='local']/port-range/@start)
  • If ./prop[@name='direction' and @value='outgoing'] (This incorrectly conflates direction of connection from direction of data flow.)

    • If direction is outgoing there must be at least one remote ipv4 address, ipv6 address or URI to an API.
      • count( (./prop[@class='remote' and @name=('ipv4-address', 'ipv6-address')]) or (./link[@rel='uri']) ) >=1
    • If direction is outgoing there must be at least one remote ports entry.
      • count(./protocol[@name='remote']/port-range/@start)
  • There must be at least one connection security property:

    • count(./prop[@name='connection-security' and @ns='http://fedramp.gov/ns/oscal']) >= 1
  • There must be exactly one nature of agreement property:

    • count(./prop[@name='nature-of-agreement' and @ns='http://fedramp.gov/ns/oscal']) = 1
  • Every role defined in //component/responsible-role/@role-id must exists in //metadata/role/@id index (Should be enforced by core OSCAL, but isn't)

  • Every party defined in //component/responsible-role/@role-id/party-uuid references a valid party in //metadata/party/@uuid index

    • This is enforced by core OSCAL. No constraint needed.
  • There must be at least one responsible-role entry other than the required provider's role:

    • count(./responsible-role[not(@role-id='provider')]) >= 1
  • All responsible-role/@role-id values must be in the //metadata/role/@id index.

  • All ./responsible-role[]/party-uuid values must exists in the //metadata/party index.

    • This may already be addressed by core OSCAL metaschema
  • There must be at least one user authentication method property:

    • count(./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']) >= 1
  • Each user authentication property must have a remarks field

    • target="./prop[@name='authentication-method' and @ns='http://fedramp.gov/ns/oscal']"
    • exists(./remarks)
  • Allowed values for the authentication-method property:

    • yes
    • no
    • not-applicable
  • There must be at least one risk property, either stating a risk or stating there is no risk.

  • There must be one or more "information-type" property/extensions. The value of each, must be included in the system information.

    • count(./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value) >= 1
    • target="//component[ (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) ]"
      • count(//system-characteristics/system-information/information-type/categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1' and ./information-type-id=./@value]) = 1

Allowed Values:

  • Allowed values for "compliance" property/extensions: (NOTE: This is about normalizing the responses, not constraining the list.)

    • target="//component/prop[@name='compliance' and @ns='http://fedramp.gov/ns/oscal'] "
    • Allow Others = "yes"
      • pci-dss: Payment Card Industry Data Security Standard (PCI DSS)
      • iso-27001: ISO/IEC 27001
      • soc-2-type-1: System and Organization Controls 2 (SOC 2) Type 1 Assessment
      • soc-2-type-2: System and Organization Controls 2 (SOC 2) Type 2 Assessment
      • hipaa: Health Insurance Portability and Accountability Act
      • csa-star-level-1: Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Level 1
      • csa-star-level-2: Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Level 2
  • Allowed values for "asset-type" property:

    • target="//component[@type='system']"
    • Allow Others = "yes"
      • saas: A Software-as-a-Service cloud;-based system
      • paas: A Platform-as-a-Service cloud;-based system
      • iaas: An Infrastructure -as-a-Service cloud;-based system
      • other: Another

Constraint Grouping:

There is some variance in the the required information based on the nature of the communication crossing the boundary. Some constraints must be applied to a sub-set of the components.

Constraints that apply only to interconnections:

target="//component[ @type='interconnection' ]"

  • There must be at least two "used-by" links (one that points to this-system and one that points to an external system):

    • count(./link[@rel='used-by'])>=2
  • Exactly one "used-by" link's href should contain a URI fragment that includes the UUID of the "this-system" component.

    • count(//component[@type='this-system' and @uuid=./link[@rel='used-by']/substring-after(@href, "#")])
  • One or more "used-by" link's href should contain a URI fragment that includes the UUID of a "system" component with an "implementation-point" property value set to "external".

    • count(//component[@type='system' and @uuid=./link[@rel='used-by']/substring-after(@href, "#") and ./prop[@name='implementation-point' and @value='external']]) >= 1
  • One or more interconnection security agreements must be attached as a back-matter resource, each with an "agreement" link.

    • count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]) >= 1
    • By requiring the ISA to be a back-matter resource, we can simply enforce the title and version at the resource, and do not need separate properties for this data in the "interconnection" component.
      • count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]) = count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]/title)
      • count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]) = count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]/prop[@name='published'])
      • count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]) = count(//resource[@uuid=substring-after( ./link[@rel='agreement']/@href, "#")]/version)
  • The ISA Remote system name is available via the "used-by" link to the "system" component.

    • count(//component[@uuid=//component[@type='interconnection']/link[@rel='used-by']/substring-after(@href, "#") and @type='system']/title) = ( count(./link[@rel='used-by']) - 1)
  • NOTE: The FedRAMP Rev 5 requirements no longer include POC details about the interconnection. While these fields are still encouraged, they are not required, thus no constraints are necessary.

Constraints that apply to external communication other-than interconnections

target="//component[ (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) ]"

  • There must be exactly one "provided-by" link:
    • count(./link[@rel='provided-by'])=1
  • The "provided-by" link's href should contain a URI fragment that includes the UUID of a "system" component with an "implementation-point" property value set to "external".
    • ./link[@rel='provided-by']/@href
    • //component[@type='system' and ./prop[@name='implementation-point' and @value='external'] and @uuid=[ --uuid-portion-of-href-URI-fragment-- ]]

Constraints that apply to external communications other an offered services/APIs

target="//component[ (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) ]"

  • There must be exactly one Service Processor / Provider

    • count(./responsible-role[@name='provider']/party-uuid)=1
  • There must be exactly one still supported property:

    • count(./prop[@name='still-supported' and @ns='http://fedramp.gov/ns/oscal']) = 1
  • There must be exactly one linked external system

    • count( //component[@type='system' and @uuid=./link[@rel=('provided-by', 'used-by') ]/substring-after(@href, "#") ] ) = 1

Constraints that apply to external communications other an non-authorized leveraged services

target="//component[ (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal']) ]"

  • There must be exactly one hosting environment property
    • count(./prop[@name='hosting-environment' and @ns='http://fedramp.gov/ns/oscal']) = 1

NOTE: There may be no way to exclude this property only from external services that are non-authorized services of a leveraged system as the relationship between the service and its system (which would have a leveraged authorization property) is via an href with a URI fragment. I am unaware of how to decompose a URI fragment to just the resolvable UUID portion (essentially by dropping the leading hash/#).

Worst case, we can make the hosting environment property required for all components in the group and not make this distinction.

@brian-ruf
Copy link
Contributor Author

brian-ruf commented Nov 19, 2024

@Telos-sa
Copy link

@brian-ruf for the first scenario, are you also taking into account the additional props for a service that does not have a FedRAMP ATO? Since it is "offered by" the packaged, but not actually authorized, will the iso-poc's still be required, and the connection agreement, or can we still piggy back off of the lev-auth poc and sla? This may be a @aj-stein-gsa question, but I like this structure.
Didnt see "offered-by" in the core oscal constraints, but this could be a bespoke prop created by FedRAMP to support their specific use case (especially if they make determinations of all elements required for this use case).

Scenario's 2-5 seem like they are fully covered under OSCAL and defined in the FedRAMP use case.

For the constraint grouping, what is the use case for linking the interconnection component to this-system? Is it strictly for external implementation points? I am not sure that this constraint should be included, as the this-system already represents the entire package. Specificity should be included where more detail is needed and provides value to the reviewer. It could maybe be a conditional constraint, but I would want to understand what value that constraint brings to the assessor and Authorization process.

@brian-ruf
Copy link
Contributor Author

@Telos-sa you actually caught a mistake. It was supposed to be "provided-by", not "offered-by". I've corrected. "provided-by" is part of the core OSCAL syntax.

Yes the goals here are as follows:

  • use core OSCAL syntax as much as possible.
  • keep the data constructs the same as much as possible between 6.1 (LAs) and 7.1 (external and unauthorized)
  • Keep the data normalized as much as possible, which includes referring to the to information from the leveraged system on behalf of the service, rather than duplicating that information into the service.

It's still a work in progress, but I'm working on one example for each of the above scenarios here:
https://github.com/brian-ruf/fedramp-automation/blob/example-ssp/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml

@brian-ruf
Copy link
Contributor Author

Changed user-authentication property/extension to authentication-method.

@brian-ruf
Copy link
Contributor Author

Modifying the "user-authentication" property/extension to an "authentication-method" property/extension as the true intention of this information is to document the nature of any authentication method, whether it be external users or external systems/automation accounts.

@aj-stein-gsa
Copy link
Contributor

Changed user-authentication property/extension to authentication-method.

@brian-ruf, just a heads up because I can tell this may be the same thing as the leveraged authorization prop will likely be the same thing, that prop elsewhere is already wrapping on a review. If we wanted to change that, we may want to notify Gabe as he is working on #891.

@brian-ruf
Copy link
Contributor Author

@aj-stein-gsa thank you. Yes, I actually needed to make notes/revisions to PR #921, as well as issues #807, #891, #893, #897, and created issue #924.

The good news is this will check boxes in both 807 and 808. While I did have to tweak the language associated with the allowed values, it turned out that language was missing from the PR anyway. So we can get the updated language in when that gets corrected.

@brian-ruf
Copy link
Contributor Author

After consultation with the review team as captured in #935, we have eliminated "risk", "mitigation", and "impact" property/extensions in favor of a "poam-item" link. This is based on the assertion that every entry in Table 7.1 is required to have a corresponding POA&M entry.

The primary benefits of referring to the POA&M entry can include:

  • elimination of redundancy
  • simplicity of data modeling and tool development
  • the POA&M model offers far more comprehensive treatment of risk and mitigation vs property/extensions

@brian-ruf
Copy link
Contributor Author

We need allowed values for the "connection-security" prop/extension. Created issue #961 to address this.

@brian-ruf
Copy link
Contributor Author

For "service" or "software" components with an "implementation-point" of "external" it is clear that communication crosses the boundary.

For "service" and "software" components I am adding a "communicates-externally" prop/extension that is required when the "implementation-point" is "internal". This is how tools will know to impose Table 7-1 information requirements on these internal components. (information types, authentication, POA&M item, etc.)

@brian-ruf
Copy link
Contributor Author

In the wake of recent revisions, and in an effort to reduce future rework, I am moving to the following approach for things like properties and links that should appear in some components, but not others based on complex conditions:

  • Have one constraint that enforces the presence of the field (or fields) based on those complex conditions.
  • Have very simply allowed value constraints that simply enforce allowed values in any component where the property or link exists.

In other words, allowed value constraints should always trust that cardinality or complex circumstances are enforced by other constraints and are not the "responsibility" of the allowed value constraint. This should also simplify error messages.

@Telos-sa
Copy link

For "service" or "software" components with an "implementation-point" of "external" it is clear that communication crosses the boundary.

For "service" and "software" components I am adding a "communicates-externally" prop/extension that is required when the "implementation-point" is "internal". This is how tools will know to impose Table 7-1 information requirements on these internal components. (information types, authentication, POA&M item, etc.)

For this new prop "communicates-externally", what are the expected values of this new prop? should it be a "yes"/"no"?

@brian-ruf
Copy link
Contributor Author

@Telos-sa, yes. That is correct. There will be an allowed values constraint that defines/enforces, "yes" and "no" as the two allowed values for "communicates-externally"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: 🔍 Active Objectives and Issues
Development

No branches or pull requests

3 participants