From 69498546e364016b4a9114a2484d006913e5706d Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Tue, 3 Dec 2024 17:17:18 +0000 Subject: [PATCH 1/6] Add example ssp to content file and edit constraint script to point yaml pass file to example ssp --- features/fedramp_extensions.feature | 2 +- src/scripts/dev-constraint.js | 2 +- .../content/fedramp-ssp-example.xml | 4834 +++++++++++++++++ 3 files changed, 4836 insertions(+), 2 deletions(-) create mode 100644 src/validations/constraints/content/fedramp-ssp-example.xml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 0887b0375..2a94a8c82 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -9,7 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -| ssp-all-VALID.xml | +# | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/scripts/dev-constraint.js b/src/scripts/dev-constraint.js index 4df459f1b..40d337dac 100644 --- a/src/scripts/dev-constraint.js +++ b/src/scripts/dev-constraint.js @@ -283,7 +283,7 @@ async function scaffoldTest(constraintId,context) { 'test-case': { name: `Positive Test for ${constraintId}`, description: `This test case validates the behavior of constraint ${constraintId}`, - content: `../content/${model}-all-VALID.xml`, + content: model === 'ssp' ? '../content/fedramp-example-ssp.xml' : `../content/${model}-all-VALID.xml`, expectations: [ { 'constraint-id': constraintId, diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml new file mode 100644 index 000000000..a8272221a --- /dev/null +++ b/src/validations/constraints/content/fedramp-ssp-example.xml 
@@ -0,0 +1,4834 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to + this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to + operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the + System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the + system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to + which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this + system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer + responsibility.

+
+
+ + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external + system.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

Zero or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

One or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

One or more

+
+
+ + 11111111-2222-4000-8000-004000000012 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000013 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000014 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000015 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000016 + +

Exactly one

+
+
+ + +
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-high + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + +
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + + + AwesomeCloud Commercial(IaaS) + + + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

+
+
+ + + + + none + + +

The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

+
+
+ + + + Add/Remove Admins + This can add and remove admins. + + + + + + + add/remove non-privliged admins + + + + + + + Manage services and components within the virtual cloud environment. + + + + + + + Add and remove users from the virtual cloud environment. + + + + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+ +

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+ +

Both authorized and non-authorized leveraged services include:

+
    +
  • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+ +

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+ + + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+
+
+ + + + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • one or two "direction" prperty/extensions
  • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
  • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • +
  • + +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

+

+ +

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+ +

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + + Other Cloud SaaS + +

An external system to which this system shares an interconnection.

+
+ + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • a "system" component (this component)
  • +
  • an "interconnection" component
  • +
+

Each "system" component must have:

+
    +
  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
  • +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
  • +
+ +

While not required, each "system" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "authorizing-official" responsible-role
  • +
  • an "system-owner" responsible-role
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

+
+
+ + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + +

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+
+
+ + + + + + + + + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + Incoming FTP Service + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • one "system" component for each remote system sharing the connection
  • +
  • an "interconnection" component (this component)
  • +
+

Each "interconnection" component must have:

+
    +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • one or two "direction" properties
  • +
  • a "nature-of-agreement" property/extension
  • +
  • one or more "authentication-method" properties/extensions.
  • +
  • a "hosting-environment" proptery/extension
  • +
  • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
  • +
  • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
  • +
  • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
  • +
  • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
  • +
  • exactly one "used-by" link with an href value that refers to the "this-system" component.
  • +
  • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
  • +
  • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
  • +
+

Authentication methods must address both system-authentication as well as + user authentication mechanisms.

+

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+

If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

+

+

While not required, each "interconnection" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

+
+
+ + + + + Other Cloud SaaS + +

+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+ +
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
+ + + + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+

- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + + Remote API Service + + + +

This is a service provided by an external system other than the leveraged system.

+ + + +

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+ + + +

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+ + + + +
+
+ + + + Management CLI + +

None

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + +

+ + + + + + + + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+ + + +
+ + + + + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + +
+ + Database Sample + +

None

+
+ + + + + + + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and + approved.

+
+ + +
+ + + + AC Policy + +

The Access Control Procedure governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Procedure governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and + approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and + approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and + approved.

+
+ + +
+ + + + + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + +
+ + Email Service + +

Email Service

+
+ + + + + + + + +
+ + + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

+
+ + + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+ +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".

+
+ + 11111111-2222-4000-8000-004000000001 + +
+
+
+ + +

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

Describe how Part a is satisfied.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + + + + 11111111-2222-4000-8000-004000000018 + + + + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+
+
+ + + + + Signed System Security Plan + +

SSP Signature

+
+ + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + +

Must be present in a FedRAMP SSP.

+
+
+ + + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

A CSP-specific law citation

+

The "type" property must be present and contain the value "law".

+
+ +
+ + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Plan of Actions and Milestones (POAM) + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

+
+
+ + CSP Acronyms + + + +

CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

+
+
+
+
\ No newline at end of file From 4f42fa3cbc4f3b135baeaaf6eb3884957eb57d45 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Tue, 3 Dec 2024 17:39:38 +0000 Subject: [PATCH 2/6] Add example ssp to content file and edit constraint script to point yaml pass file to example ssp --- features/fedramp_extensions.feature | 2 +- src/scripts/dev-constraint.js | 2 +- .../content/fedramp-ssp-example.oscal.xml | 4834 +++++++++++++++++ 3 files changed, 4836 insertions(+), 2 deletions(-) create mode 100644 src/validations/constraints/content/fedramp-ssp-example.oscal.xml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 0887b0375..2a94a8c82 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -9,7 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -| ssp-all-VALID.xml | +# | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/scripts/dev-constraint.js b/src/scripts/dev-constraint.js index 4df459f1b..042d54535 100644 --- a/src/scripts/dev-constraint.js +++ b/src/scripts/dev-constraint.js @@ -283,7 +283,7 @@ async function scaffoldTest(constraintId,context) { 'test-case': { name: `Positive Test for ${constraintId}`, description: `This test case validates the behavior of constraint ${constraintId}`, - content: `../content/${model}-all-VALID.xml`, + content: model === 'ssp' ? '../content/fedramp-ssp-example.oscal.xml' : `../content/${model}-all-VALID.xml`, expectations: [ { 'constraint-id': constraintId, diff --git a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml new file mode 100644 index 000000000..a8272221a --- /dev/null +++ b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml 
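Review bot: this example SSP is about to become the positive ("pass") fixture for scaffolded ssp constraint tests, yet the hunk still carries template placeholders that a real constraint can legitimately reject: `[specify frequency]` as a set-parameter value in the control implementation that mentions DMARC, SPF and DKIM, `00000000` as the hash value on every back-matter resource (policies, procedures, plans, logos, diagrams), `FedRAMP [Baseline Name]` in the document title, and `[SAMPLE]` prefixes on parties, roles and the ISA title. Any constraint that checks one of those fields will fail its scaffolded "Positive Test" against this file. Either replace the placeholders with realistic-but-fake values, or keep a fully valid fixture for positive tests and use this file only as a rendering example. Two smaller points in the same hunk: the file ends without a trailing newline (`\ No newline at end of file`), and the text has typos worth fixing before the file is copied around as canonical content: `Interconneciton Security Agreement (ISA)`, and `Risk Adjustment Policy Title` / `Risk Adjustment Procedure Title` (the RA control family is Risk Assessment); the copy of the same content added in the next patch also shows `corrisponding`, `privliged`, `proeprty's remarks to descibe`, `attest explain why`, and `The highest level manager who responsible`.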
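Review bot: commenting out `| ssp-all-VALID.xml |` in `features/fedramp_extensions.feature` leaves the Examples table of the "Documents that should be valid are pass" Scenario Outline with no active rows, so that scenario now runs zero cases and the valid-document check is silently disabled rather than repointed. If the new example SSP is the intended replacement, add it as a row using the same relative-path convention as the commented `../../../content/awesome-cloud/xml/...` rows, and keep `ssp-all-VALID.xml` active until the example file actually passes every constraint; a green run with an empty table proves nothing.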
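Review bot: the ternary `model === 'ssp' ? '../content/fedramp-ssp-example.oscal.xml' : \`../content/${model}-all-VALID.xml\`` in `scaffoldTest` hardcodes a single exception at one call site, so the positive-fixture naming now follows two conventions; any other code path that still derives the ssp path from `${model}-all-VALID.xml` (a negative/FAIL fixture, documentation, another scaffold) will drift from this one. Pull the fixture paths into one lookup (a map from model to positive-fixture path) and reference it here. This patch also creates `fedramp-ssp-example.oscal.xml` as a brand-new 4834-line file under the same subject line as the previous commit rather than renaming that commit's file, so the branch carries two full copies of the example; use a rename, or squash the two commits, so the repository keeps one copy.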
@@ -0,0 +1,4834 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to + this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to + operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the + System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the + system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to + which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this + system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer + responsibility.

+
+
+ + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external + system.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

Zero or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

One or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

One or more

+
+
+ + 11111111-2222-4000-8000-004000000012 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000013 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000014 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000015 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000016 + +

Exactly one

+
+
+ + +
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-high + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + +
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + + + AwesomeCloud Commercial(IaaS) + + + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

+
+
+ + + + + none + + +

The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

+
+
+ + + + Add/Remove Admins + This can add and remove admins. + + + + + + + add/remove non-privliged admins + + + + + + + Manage services and components within the virtual cloud environment. + + + + + + + Add and remove users from the virtual cloud environment. + + + + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+ +

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+ +

Both authorized and non-authorized leveraged services include:

+
    +
  • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+ +

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+ + + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+
+
+ + + + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • one or two "direction" prperty/extensions
  • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
  • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • +
  • + +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

+

+ +

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+ +

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + + Other Cloud SaaS + +

An external system to which this system shares an interconnection.

+
+ + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • a "system" component (this component)
  • +
  • an "interconnection" component
  • +
+

Each "system" component must have:

+
    +
  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
  • +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
  • +
+ +

While not required, each "system" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "authorizing-official" responsible-role
  • +
  • an "system-owner" responsible-role
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

+
+
+ + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + +

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+
+
+ + + + + + + + + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + Incoming FTP Service + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • one "system" component for each remote system sharing the connection
  • +
  • an "interconnection" component (this component)
  • +
+

Each "interconnection" component must have:

+
    +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • one or two "direction" properties
  • +
  • a "nature-of-agreement" property/extension
  • +
  • one or more "authentication-method" properties/extensions.
  • +
  • a "hosting-environment" proptery/extension
  • +
  • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
  • +
  • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
  • +
  • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
  • +
  • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
  • +
  • exactly one "used-by" link with an href value that refers to the "this-system" component.
  • +
  • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
  • +
  • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
  • +
+

Authentication methods must address both system-authentication as well as + user authentication mechanisms.

+

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+

If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

+

+

While not required, each "interconnection" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

+
+
+ + + + + Other Cloud SaaS + +

+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+ +
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
+ + + + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+

- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + + Remote API Service + + + +

This is a service provided by an external system other than the leveraged system.

+ + + +

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+ + + +

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+ + + + +
+
+ + + + Management CLI + +

None

+
+ + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + +

+ + + + + + + + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+ + + +
+ + + + + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + + + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + +
+ + Database Sample + +

None

+
+ + + + + + + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and + approved.

+
+ + +
+ + + + AC Policy + +

The Access Control Procedure governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Procedure governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and + approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and + approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and + approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and + approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and + approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and + approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and + approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and + approved.

+
+ + +
+ + + + + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + +
+ + Email Service + +

Email Service

+
+ + + + + + + + +
+ + + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

+
+ + + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+ +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".

+
+ + 11111111-2222-4000-8000-004000000001 + +
+
+
+ + +

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

Describe how Part a is satisfied.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + + + + + + 11111111-2222-4000-8000-004000000018 + + + + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

+
+
+
+
+
+ + + + + Signed System Security Plan + +

SSP Signature

+
+ + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + +

Must be present in a FedRAMP SSP.

+
+
+ + + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

A CSP-specific law citation

+

The "type" property must be present and contain the value "law".

+
+ +
+ + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + Plan of Actions and Milestones (POAM) + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as + base64.

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

+
+
+ + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

+
+
+ + CSP Acronyms + + + +

CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

+
+
+
+
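Review bot: the resource title added near the end of this new-file hunk, "Interconneciton Security Agreement (ISA)", misspells "Interconnection"; since this file becomes the positive fixture the validation suite loads, the title should read "Interconnection Security Agreement (ISA)". The file is also added without a trailing newline (the hunk closes with "\ No newline at end of file"), so adding one now avoids a spurious last-line change in every later edit to this fixture.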
\ No newline at end of file From 9f74cd6ac3a47a7655e70ae9c5c8f93c7d9652d9 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Tue, 3 Dec 2024 13:50:22 -0500 Subject: [PATCH 3/6] fix ssp to pass tests --- features/fedramp_extensions.feature | 3 +- features/steps/fedramp_extensions_steps.ts | 3 +- .../content/fedramp-ssp-example.xml | 1118 ++++++++--------- .../fedramp-external-constraints.xml | 2 +- .../missing-response-components-PASS.yaml | 2 +- 5 files changed, 564 insertions(+), 564 deletions(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 2a94a8c82..f4119f2ab 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -6,10 +6,11 @@ Scenario Outline: Validating OSCAL constraints with metaschema constraints @integration Scenario Outline: Documents that should be valid are pass + Given I have loaded all Metaschema extensions documents Then I should have valid results "" Examples: | valid_file | -# | ssp-all-VALID.xml | + | fedramp-ssp-example.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index 84338650c..b9fe31276 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -678,7 +678,8 @@ Then('I should have valid results {string}', async function (fileToValidate) { "src", "validations","constraints","content",fileToValidate ); - const {isValid,log}=await validateDocument(fullPath,{quiet,...fedrampValidationOptions},executor); + const {isValid,log}=await validateDocument(fullPath,{quiet, extensions:metaschemaDocuments.flatMap((x) => resolve(x)), + },executor); expect(isValid,formatSarifOutput(log)).to.be.true; }); 
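Review bot: in the features/steps/fedramp_extensions_steps.ts hunk, the new options object `{quiet, extensions:metaschemaDocuments.flatMap((x) => resolve(x)), }` drops the `...fedrampValidationOptions` spread that the removed line passed to validateDocument, so any option the shared object carried other than `quiet` no longer applies to this step; if that is not intended, keep the spread and override only the extensions key, e.g. `{quiet, ...fedrampValidationOptions, extensions: metaschemaDocuments.flatMap((x) => resolve(x))}`. This step now also relies on `metaschemaDocuments` having been filled by the "Given I have loaded all Metaschema extensions documents" step added in the feature hunk, so any other scenario that reuses "I should have valid results" needs that Given step as well.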
diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml index a8272221a..732bbc089 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.xml @@ -1,7 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -13,8 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -23,15 +21,14 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

- + @@ -287,7 +284,8 @@

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party.

+ via responsible-party. +

@@ -563,8 +561,7 @@
- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

@@ -574,7 +571,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -608,10 +605,10 @@ - + - + fips-199-moderate @@ -777,16 +774,16 @@ AwesomeCloud Commercial(IaaS) - - + + +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.

- +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records @@ -807,9 +804,17 @@ + + + + + system-poc-technical - - none + Admin + +

admin user

+ + administration

The user assembly is being reviewed for continued applicability @@ -820,31 +825,57 @@ - + + + + + + system-poc-technical Add/Remove Admins This can add and remove admins. - + + + + + system-poc-technical - - add/remove non-privliged admins + Admin + +

admin user

+ + administration - + + + + + system-poc-technical - - Manage services and components within the virtual cloud environment. + Admin + +

admin user

+
+ administration
- + + + + + system-owner - - Add and remove users from the virtual cloud environment. + Admin + +

admin user

+
+ administration
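Review bot: in the hunks at -807,9 and -820,31 the user entries that previously carried distinct text ("none", "add/remove non-privliged admins", "Manage services and components within the virtual cloud environment.", "Add and remove users from the virtual cloud environment.") are each replaced with the same "Admin" / "admin user" / "administration" text, so the example no longer shows users with different privilege levels. If the rewrite was only needed to satisfy a constraint on the user assembly, keep the distinct descriptions next to whatever required elements were added; the earlier removed text also fixes the "non-privliged" typo for free if it is restored as "non-privileged".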
@@ -883,16 +914,16 @@ - - + +

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

- - + + @@ -905,8 +936,8 @@
- - + +

This is a leveraged system within which this system operates. @@ -942,7 +973,7 @@

Links to the vendor website describing the system are encouraged, but not required.

- +

Services

A service within the scope of the leveraged system's authorization boundary is considered an "authorized service". Any other service offered by the @@ -961,12 +992,13 @@ a "poam-item" link that references a corrisponding entry in this system's POA&M. - +

Both authorized and non-authorized leveraged services include:

  • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001")
  • + (Example: "#11111111-2222-4000-8000-009000100001") +
  • the name of the service in the title (for authorized services this should be exactly as it appears in the FedRAMP Marketplace
  • an "implementation-point" core property with a value of "external"
  • @@ -978,7 +1010,7 @@
  • a status with a state value of "operational"
  • At least one responsible-role (other than "provider") that indicates any authorized users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
  • + a user assembly entry.

Although SSP Table 7.1 also requires data categoriation and hosting @@ -996,13 +1028,13 @@ - - + + - - + +

This is a service offered by a leveraged system and used by this system. @@ -1017,7 +1049,8 @@ leveraged-authorization entry

  • an "implementation-point" property with a value of "external"; and
  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +

    Where relevant, this component should also have:

    @@ -1055,23 +1088,27 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method.

    If 'no', explain why no authentication is used.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - + + + + + - + + + + 33333333-2222-4000-8000-004000000001

    This is a service offered by a leveraged system and used by this system. @@ -1092,7 +1129,8 @@ POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) in an OSCAL-based POA&M.

  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
  • @@ -1101,7 +1139,7 @@ tools are able to distinguish between authorized and non-authorized services from the same leveraged provider.

    - +

    Where relevant, this component should also have:

    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly @@ -1118,7 +1156,7 @@
    • Package ID, Authorization Type, Impact Level

    - +

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).

    Link(s) to the vendor's web site describing the service are encouraged, but not @@ -1138,20 +1176,20 @@ - + Other Cloud SaaS

    An external system to which this system shares an interconnection.

    - + - + 33333333-2222-4000-8000-004000000001 - + 11111111-2222-4000-8000-004000000008 @@ -1183,7 +1221,7 @@ remote listening ports, one or more "protocol" assemblies must be provided. - +

    While not required, each "system" component should have:

    • an "inherited-uuid" property if the value was provided by the system owner
    • @@ -1192,7 +1230,7 @@
    • an "system-owner" responsible-role
    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    • -
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1202,50 +1240,50 @@ - + [EXAMPLE]Authorized Connection Information System Name

    Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    - - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - - + + + + + +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    - - - - + + + + - + - - + + + - - + 44444444-2222-4000-8000-004000000001 @@ -1293,7 +1331,7 @@
  • a "compliance" property/extension if appropriate
  • an "system-poc-management" responsible-role
  • an "system-poc-technical" responsible-role
  • - +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1309,13 +1347,13 @@

    - - + + - + - + 11111111-2222-4000-8000-004000000010 @@ -1337,8 +1375,8 @@ here.

    For an external system, the "implementation-point" property must always be present with a value of "external".

    - - + +

    Each interconnection must be defined with both an "system" component and an "interconnection" component.

    Must include all leveraged services and features from the leveraged authorization @@ -1354,17 +1392,18 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - + +

    This can only be known if provided by the leveraged system. @@ -1374,20 +1413,21 @@ - - - 11111111-2222-4000-8000-c0040000000a - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + + 33333333-2222-4000-8000-004000000001 + + - + - +

    This is a service provided by an external system other than the leveraged system.

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1404,7 +1444,8 @@

    - An "implementation-point" property with a value of "external".

    - A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001"

    +

    - Example: "#11111111-2222-4000-8000-009000100001" +

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, this property is blocked from proper use.

    - a status with a state value of "operational"

    @@ -1435,50 +1476,58 @@ Service C +

    A service provided by an external system other than the leveraged system.

    Describe the service and what it is used for.

    + - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - +

    Either describe a risk associated with this service, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    - +
    + + + 11111111-2222-4000-8000-004000000018 + + Remote API Service +

    This is a service provided by an external system other than the leveraged system.

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - +

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1490,10 +1539,10 @@

    If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

    - - - - + + + +
    @@ -1505,32 +1554,33 @@ - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    - - - + + + +

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    +

    @@ -1538,6 +1588,9 @@ + + 11111111-2222-4000-8000-004000000018 + @@ -1570,16 +1623,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1591,16 +1642,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1618,7 +1667,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1639,7 +1688,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1661,8 +1710,8 @@

    FUNCTION: Describe typical component function.

    - - + + @@ -1683,18 +1732,18 @@

    None

    - + - + Database Sample

    None

    - + @@ -1710,9 +1759,8 @@

    None

    - - + + @@ -2126,8 +2174,8 @@ - - + +

    If no, explain why. If yes, omit remarks field.

    @@ -2187,7 +2235,7 @@

    If no, explain why. If yes, omit remark.

    - + 11111111-2222-4000-8000-004000000010 @@ -2213,9 +2261,8 @@ - - + + @@ -2228,9 +2275,8 @@ - - + + @@ -2243,9 +2289,8 @@ - - + + @@ -2262,8 +2307,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2276,9 +2320,8 @@ - - + + @@ -2295,8 +2338,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2309,9 +2351,8 @@ - - + + @@ -2327,7 +2368,7 @@

    FedRAMP does not require any specific information here.

    - + @@ -2342,8 +2383,7 @@ - +

    Describe how Part a is satisfied within the system.

    Legacy approach. If no policy component is defined, describe here how the @@ -2361,8 +2401,7 @@ component is associated with the component representing the system.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Identity @@ -2374,26 +2413,22 @@ - +

    There

    - +

    Describe the plan to complete the implementation.

    - +

    Describe how this policy currently satisfies part a.

    - +

    Describe the plan for addressing the missing policy elements.

    @@ -2406,8 +2441,7 @@
    - +

    Describe how Part b-1 is satisfied.

    @@ -2415,8 +2449,7 @@
    - +

    Describe how Part b-2 is satisfied.

    @@ -2425,16 +2458,15 @@
    - - + +

    Describe the plan to complete the implementation.

    - - + +

    Describe any customer-configured requirements for satisfying this control.

    @@ -2446,8 +2478,7 @@ 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2466,8 +2497,7 @@
    - +

    Describe how AC-2, part a is satisfied within this system.

    This points to the "This System" component, and is used any time a more @@ -2480,8 +2510,7 @@ leveraging systems to satisfy AC-2, part a.

    - +

    Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

    @@ -2494,8 +2523,7 @@
    - +

    For the portion of the control satisfied by the application component of this system, describe how the control is met.

    @@ -2512,8 +2540,7 @@ 11111111-2222-4000-8000-004000000005 - +

    Leveraging system's responsibilities with respect to inheriting this capability from this application.

    @@ -2532,17 +2559,15 @@

    This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    + statement, it will typically be present.

    - +

    For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

    - +

    Optional description.

    Consumer-appropriate description of what may be inherited as provided by the @@ -2554,8 +2579,7 @@ CRM (Inheritance and Responsibility Model).

    - +

    Description of how the responsibility was satisfied.

    The responsibility-uuid links this to the same statement in the @@ -2563,8 +2587,8 @@

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

    Tool developers should be mindful that

    @@ -2572,21 +2596,20 @@ - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2602,14 +2625,12 @@
    - +

    Describe how Part a is satisfied.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2617,8 +2638,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2628,16 +2648,14 @@
    - +

    Describe how Part b-1 is satisfied.

    - +

    Describe how Part b-2 is satisfied.

    @@ -2645,21 +2663,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2675,16 +2692,14 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2692,8 +2707,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2703,42 +2717,39 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2754,15 +2765,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2770,8 +2779,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2781,40 +2789,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2830,15 +2835,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2846,8 +2849,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2857,38 +2859,35 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2904,15 +2903,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2920,8 +2917,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2931,40 +2927,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2980,15 +2973,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2996,8 +2987,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3007,40 +2997,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3056,15 +3043,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3072,8 +3057,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3083,40 +3067,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3132,15 +3113,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3148,8 +3127,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3159,40 +3137,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3208,15 +3183,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3224,8 +3197,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3235,40 +3207,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3284,15 +3253,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3300,8 +3267,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3311,40 +3277,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3360,15 +3323,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3376,8 +3337,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3387,40 +3347,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3436,15 +3393,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3452,8 +3407,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3463,40 +3417,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3512,15 +3463,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3528,8 +3477,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3539,40 +3487,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3588,15 +3533,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3604,8 +3547,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3615,40 +3557,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3664,15 +3603,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3680,8 +3617,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3691,40 +3627,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3740,15 +3673,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3756,8 +3687,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3767,35 +3697,32 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + + 11111111-2222-4000-8000-004000000018 - +

    Describe how the control is satisfied within the system.

    DMARC is employed.

    @@ -3815,21 +3742,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3845,15 +3771,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3861,8 +3785,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3902,8 +3825,7 @@ FedRAMP Applicable Laws and Regulations - +

    Must be present in a FedRAMP SSP.

    @@ -3925,7 +3847,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3942,7 +3865,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3959,7 +3883,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3976,7 +3901,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3993,7 +3919,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4011,7 +3938,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4028,7 +3956,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4045,7 +3974,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4062,7 +3992,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4079,7 +4010,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4096,7 +4028,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4113,7 +4046,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4130,7 +4064,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4147,7 +4082,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4164,7 +4100,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4181,7 +4118,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4198,7 +4136,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4215,7 +4154,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4233,7 +4173,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4250,7 +4191,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4267,7 +4209,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4284,7 +4227,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4301,7 +4245,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4318,7 +4263,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4335,7 +4281,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4352,7 +4299,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4369,7 +4317,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4386,7 +4335,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4403,7 +4353,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4420,7 +4371,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4437,7 +4389,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4454,7 +4407,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4471,7 +4425,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4488,7 +4443,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4505,7 +4461,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4522,7 +4479,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4539,7 +4497,8 @@

    Table 12-1 Attachments: User's Guide Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4559,7 +4518,8 @@

    Table 12-1 Attachments: Rules of Behavior (ROB)

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4577,7 +4537,8 @@

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4595,7 +4556,8 @@

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4613,7 +4575,8 @@

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4652,7 +4615,8 @@

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4682,7 +4646,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4703,7 +4668,7 @@

    FedRAMP Logo

    - + 00000000 @@ -4720,7 +4685,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4735,7 +4701,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4756,7 +4723,8 @@ system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4777,7 +4745,8 @@ system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4796,7 +4765,8 @@

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4813,7 +4783,8 @@ 41 CFR 201 - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. @@ -4830,5 +4801,32 @@ and the value is "citation".

    + + CSP Reference + + + +

    CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

    +
    +
    + + Separation of Duties Matrix + +

    Separation of Duties Matrix

    +
    + + + + + 00000000 + +

    May use rlink with a relative path, or embedded as base64. +

    +
    +
    + + +
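Review bot: the new "Separation of Duties Matrix" back-matter resource is added with only the `00000000` base64 placeholder and the generic "May use rlink with a relative path, or embedded as base64." remark, so the rendered hunk gives no way to tell which FedRAMP attachment type this resource declares; please state it in the remark the way the neighbouring "CSP Reference" resource does ("Note the "type" property's class is "reference" and the value is "citation"), and add the trailing newline that git flags with "\ No newline at end of file".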
    \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 882b2a0c9..f8358f64d 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -163,7 +163,7 @@ - + Missing Response Components Each implemented requirement MUST have at least one by-component reference to the source component implementing it. diff --git a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml index b070ded70..cd6831c3e 100644 --- a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml +++ b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml @@ -3,7 +3,7 @@ test-case: description: >- This test case validates the behavior of constraint missing-response-components - content: ../content/ssp-all-VALID.xml + content: ../content/fedramp-ssp-example.xml expectations: - constraint-id: missing-response-components result: pass From b88f36bfe9eac1316eac6877478eb335fc2da269 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Tue, 3 Dec 2024 19:12:01 +0000 Subject: [PATCH 4/6] Delete extra ssp --- features/fedramp_extensions.feature | 1 + .../content/fedramp-ssp-example.oscal.xml | 1118 ++-- .../content/fedramp-ssp-example.xml | 4832 ----------------- .../missing-response-components-PASS.yaml | 2 +- 4 files changed, 560 insertions(+), 5393 deletions(-) delete mode 100644 src/validations/constraints/content/fedramp-ssp-example.xml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 2a94a8c82..7b863e096 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature 
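Review bot: the missing-response-components-PASS.yaml hunk points the positive fixture at `../content/fedramp-ssp-example.xml`, but the very next commit in the series (PATCH 4/6, "Delete extra ssp") deletes exactly that file (`delete mode 100644 src/validations/constraints/content/fedramp-ssp-example.xml`) and keeps `fedramp-ssp-example.oscal.xml`; squash the two so no intermediate commit leaves the PASS test pointing at a path that does not exist, and grep the other `*-PASS.yaml` files for the same stale path. For the fedramp-external-constraints.xml hunk on "Missing Response Components", only markup that the rendered view does not show is changed while the constraint text is identical; please say in the commit message what was changed there, since a reviewer cannot tell from the diff.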
@@ -9,6 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | +| fedramp-ssp-example.oscal.xml | # | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml index a8272221a..732bbc089 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml @@ -1,7 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -13,8 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +
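Review bot: enabling `fedramp-ssp-example.oscal.xml` as a should-be-valid document while `ssp-all-VALID.xml` stays commented out weakens the positive suite: the example SSP is a template full of placeholder prose ("Describe how the control is satisfied within the system.", "[EXAMPLE]Authorized Connection Information System Name"), so a pass here only shows that the constraints accept the template's structure, not a realistic SSP. Either restore `| ssp-all-VALID.xml |` alongside the new row or record in the feature file why the hand-written valid fixture is being retired.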

    Initial publication.

    @@ -23,15 +21,14 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

    Minor prop updates.

    - + @@ -287,7 +284,8 @@

    Replace sample CSP information.

    CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party.

    + via responsible-party. +

    @@ -563,8 +561,7 @@
    - +

    This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

    @@ -574,7 +571,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -608,10 +605,10 @@ - + - + fips-199-moderate @@ -777,16 +774,16 @@ AwesomeCloud Commercial(IaaS) - - + + +

    For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.

    - +

    For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records @@ -807,9 +804,17 @@ + + + + + system-poc-technical - - none + Admin + +

    admin user

    + + administration

    The user assembly is being reviewed for continued applicability @@ -820,31 +825,57 @@ - + + + + + + system-poc-technical Add/Remove Admins This can add and remove admins. - + + + + + system-poc-technical - - add/remove non-privliged admins + Admin + +

    admin user

    + + administration - + + + + + system-poc-technical - - Manage services and components within the virtual cloud environment. + Admin + +

    admin user

    +
    + administration
    - + + + + + system-owner - - Add and remove users from the virtual cloud environment. + Admin + +

    admin user

    +
    + administration
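Review bot: the user-assembly hunk replaces four distinct users ("Add/Remove Admins", "add/remove non-privliged admins", "Manage services and components within the virtual cloud environment.", "Add and remove users from the virtual cloud environment.") with four identical entries titled "Admin" / "admin user" / "administration", including the one held by `system-owner`. The example exists to show how authorized privileges are described per user so a reviewer can check separation of duties; keep the distinct privilege descriptions (and fix the "privliged" typo while here) rather than flattening them, or explain in the commit message why the constraint under test needs the uniform form.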
    @@ -883,16 +914,16 @@ - - + +

    If 'yes', describe the authentication method.

    If 'no', explain why no authentication is used.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - + + @@ -905,8 +936,8 @@
    - - + +

    This is a leveraged system within which this system operates. @@ -942,7 +973,7 @@

    Links to the vendor website describing the system are encouraged, but not required.

    - +

    Services

    A service within the scope of the leveraged system's authorization boundary is considered an "authorized service". Any other service offered by the @@ -961,12 +992,13 @@ a "poam-item" link that references a corrisponding entry in this system's POA&M. - +

    Both authorized and non-authorized leveraged services include:

    • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001")
    • + (Example: "#11111111-2222-4000-8000-009000100001") +
    • the name of the service in the title (for authorized services this should be exactly as it appears in the FedRAMP Marketplace
    • an "implementation-point" core property with a value of "external"
    • @@ -978,7 +1010,7 @@
    • a status with a state value of "operational"
    • At least one responsible-role (other than "provider") that indicates any authorized users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
    • + a user assembly entry.

    Although SSP Table 7.1 also requires data categoriation and hosting @@ -996,13 +1028,13 @@ - - + + - - + +

    This is a service offered by a leveraged system and used by this system. @@ -1017,7 +1049,8 @@ leveraged-authorization entry

  • an "implementation-point" property with a value of "external"; and
  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +

    Where relevant, this component should also have:

    @@ -1055,23 +1088,27 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method.

    If 'no', explain why no authentication is used.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - + + + + + - + + + + 33333333-2222-4000-8000-004000000001

    This is a service offered by a leveraged system and used by this system. @@ -1092,7 +1129,8 @@ POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) in an OSCAL-based POA&M.

  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
  • @@ -1101,7 +1139,7 @@ tools are able to distinguish between authorized and non-authorized services from the same leveraged provider.

    - +

    Where relevant, this component should also have:

    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly @@ -1118,7 +1156,7 @@
    • Package ID, Authorization Type, Impact Level

    - +

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).

    Link(s) to the vendor's web site describing the service are encouraged, but not @@ -1138,20 +1176,20 @@ - + Other Cloud SaaS

    An external system to which this system shares an interconnection.

    - + - + 33333333-2222-4000-8000-004000000001 - + 11111111-2222-4000-8000-004000000008 @@ -1183,7 +1221,7 @@ remote listening ports, one or more "protocol" assemblies must be provided. - +

    While not required, each "system" component should have:

    • an "inherited-uuid" property if the value was provided by the system owner
    • @@ -1192,7 +1230,7 @@
    • an "system-owner" responsible-role
    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    • -
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1202,50 +1240,50 @@ - + [EXAMPLE]Authorized Connection Information System Name

    Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    - - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - - + + + + + +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    - - - - + + + + - + - - + + + - - + 44444444-2222-4000-8000-004000000001 @@ -1293,7 +1331,7 @@
  • a "compliance" property/extension if appropriate
  • an "system-poc-management" responsible-role
  • an "system-poc-technical" responsible-role
  • - +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1309,13 +1347,13 @@

    - - + + - + - + 11111111-2222-4000-8000-004000000010 @@ -1337,8 +1375,8 @@ here.

    For an external system, the "implementation-point" property must always be present with a value of "external".

    - - + +

    Each interconnection must be defined with both an "system" component and an "interconnection" component.

    Must include all leveraged services and features from the leveraged authorization @@ -1354,17 +1392,18 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - + +

    This can only be known if provided by the leveraged system. @@ -1374,20 +1413,21 @@ - - - 11111111-2222-4000-8000-c0040000000a - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + + 33333333-2222-4000-8000-004000000001 + + - + - +

    This is a service provided by an external system other than the leveraged system.

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1404,7 +1444,8 @@

    - An "implementation-point" property with a value of "external".

    - A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001"

    +

    - Example: "#11111111-2222-4000-8000-009000100001" +

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, this property is blocked from proper use.

    - a status with a state value of "operational"

    @@ -1435,50 +1476,58 @@ Service C +

    A service provided by an external system other than the leveraged system.

    Describe the service and what it is used for.

    + - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - +

    Either describe a risk associated with this service, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    - +
    + + + 11111111-2222-4000-8000-004000000018 + + Remote API Service +

    This is a service provided by an external system other than the leveraged system.

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - +

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1490,10 +1539,10 @@

    If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

    - - - - + + + +
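Review bot: this hunk adds a new external service component "Remote API Service" with uuid `11111111-2222-4000-8000-004000000018`, and a later hunk (`@@ -1538,6 +1588,9 @@`) inserts the same value again. OSCAL uuids must be unique per object, so please confirm the second occurrence is a reference to this component (a link href or component-uuid, as the by-component remark "DMARC is employed." earlier in the file suggests) and not a second object carrying the same uuid; the rendered diff strips the tags, so it cannot be told apart here.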
    @@ -1505,32 +1554,33 @@ - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    - - - + + + +

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    +

    @@ -1538,6 +1588,9 @@ + + 11111111-2222-4000-8000-004000000018 + @@ -1570,16 +1623,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1591,16 +1642,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1618,7 +1667,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1639,7 +1688,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1661,8 +1710,8 @@

    FUNCTION: Describe typical component function.

    - - + + @@ -1683,18 +1732,18 @@

    None

    - + - + Database Sample

    None

    - + @@ -1710,9 +1759,8 @@

    None

    - - + + @@ -2126,8 +2174,8 @@ - - + +

    If no, explain why. If yes, omit remarks field.

    @@ -2187,7 +2235,7 @@

    If no, explain why. If yes, omit remark.

    - + 11111111-2222-4000-8000-004000000010 @@ -2213,9 +2261,8 @@ - - + + @@ -2228,9 +2275,8 @@ - - + + @@ -2243,9 +2289,8 @@ - - + + @@ -2262,8 +2307,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2276,9 +2320,8 @@ - - + + @@ -2295,8 +2338,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2309,9 +2351,8 @@ - - + + @@ -2327,7 +2368,7 @@

    FedRAMP does not require any specific information here.

    - + @@ -2342,8 +2383,7 @@ - +

    Describe how Part a is satisfied within the system.

    Legacy approach. If no policy component is defined, describe here how the @@ -2361,8 +2401,7 @@ component is associated with the component representing the system.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Identity @@ -2374,26 +2413,22 @@ - +

    There

    - +

    Describe the plan to complete the implementation.

    - +

    Describe how this policy currently satisfies part a.

    - +

    Describe the plan for addressing the missing policy elements.

    @@ -2406,8 +2441,7 @@
    - +

    Describe how Part b-1 is satisfied.

    @@ -2415,8 +2449,7 @@
    - +

    Describe how Part b-2 is satisfied.

    @@ -2425,16 +2458,15 @@
    - - + +

    Describe the plan to complete the implementation.

    - - + +

    Describe any customer-configured requirements for satisfying this control.

    @@ -2446,8 +2478,7 @@ 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2466,8 +2497,7 @@
    - +

    Describe how AC-2, part a is satisfied within this system.

    This points to the "This System" component, and is used any time a more @@ -2480,8 +2510,7 @@ leveraging systems to satisfy AC-2, part a.

    - +

    Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

    @@ -2494,8 +2523,7 @@
    - +

    For the portion of the control satisfied by the application component of this system, describe how the control is met.

    @@ -2512,8 +2540,7 @@ 11111111-2222-4000-8000-004000000005 - +

    Leveraging system's responsibilities with respect to inheriting this capability from this application.

    @@ -2532,17 +2559,15 @@

    This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    + statement, it will typically be present.

    - +

    For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

    - +

    Optional description.

    Consumer-appropriate description of what may be inherited as provided by the @@ -2554,8 +2579,7 @@ CRM (Inheritance and Responsibility Model).

    - +

    Description of how the responsibility was satisfied.

    The responsibility-uuid links this to the same statement in the @@ -2563,8 +2587,8 @@

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

    Tool developers should be mindful that

    @@ -2572,21 +2596,20 @@ - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2602,14 +2625,12 @@
    - +

    Describe how Part a is satisfied.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2617,8 +2638,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2628,16 +2648,14 @@
    - +

    Describe how Part b-1 is satisfied.

    - +

    Describe how Part b-2 is satisfied.

    @@ -2645,21 +2663,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2675,16 +2692,14 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2692,8 +2707,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2703,42 +2717,39 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2754,15 +2765,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2770,8 +2779,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2781,40 +2789,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2830,15 +2835,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2846,8 +2849,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2857,38 +2859,35 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2904,15 +2903,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2920,8 +2917,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2931,40 +2927,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2980,15 +2973,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2996,8 +2987,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3007,40 +2997,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3056,15 +3043,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3072,8 +3057,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3083,40 +3067,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3132,15 +3113,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3148,8 +3127,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3159,40 +3137,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3208,15 +3183,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3224,8 +3197,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3235,40 +3207,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3284,15 +3253,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3300,8 +3267,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3311,40 +3277,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3360,15 +3323,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3376,8 +3337,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3387,40 +3347,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3436,15 +3393,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3452,8 +3407,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3463,40 +3417,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3512,15 +3463,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3528,8 +3477,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3539,40 +3487,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3588,15 +3533,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3604,8 +3547,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3615,40 +3557,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3664,15 +3603,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3680,8 +3617,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3691,40 +3627,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3740,15 +3673,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3756,8 +3687,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3767,35 +3697,32 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + + 11111111-2222-4000-8000-004000000018 - +

    Describe how the control is satisfied within the system.

    DMARC is employed.

    @@ -3815,21 +3742,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3845,15 +3771,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3861,8 +3785,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3902,8 +3825,7 @@ FedRAMP Applicable Laws and Regulations - +

    Must be present in a FedRAMP SSP.

    @@ -3925,7 +3847,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3942,7 +3865,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3959,7 +3883,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3976,7 +3901,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3993,7 +3919,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4011,7 +3938,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4028,7 +3956,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4045,7 +3974,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4062,7 +3992,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4079,7 +4010,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4096,7 +4028,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4113,7 +4046,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4130,7 +4064,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4147,7 +4082,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4164,7 +4100,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4181,7 +4118,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4198,7 +4136,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4215,7 +4154,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4233,7 +4173,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4250,7 +4191,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4267,7 +4209,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4284,7 +4227,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4301,7 +4245,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4318,7 +4263,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4335,7 +4281,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4352,7 +4299,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4369,7 +4317,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4386,7 +4335,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4403,7 +4353,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4420,7 +4371,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4437,7 +4389,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4454,7 +4407,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4471,7 +4425,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4488,7 +4443,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4505,7 +4461,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4522,7 +4479,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4539,7 +4497,8 @@

    Table 12-1 Attachments: User's Guide Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4559,7 +4518,8 @@

    Table 12-1 Attachments: Rules of Behavior (ROB)

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4577,7 +4537,8 @@

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4595,7 +4556,8 @@

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4613,7 +4575,8 @@

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4652,7 +4615,8 @@

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4682,7 +4646,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4703,7 +4668,7 @@

    FedRAMP Logo

    - + 00000000 @@ -4720,7 +4685,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4735,7 +4701,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4756,7 +4723,8 @@ system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4777,7 +4745,8 @@ system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4796,7 +4765,8 @@

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.
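Review bot: from the "@@ -2572,21 +2596,20 @@" hunk through the attachment hunks ending here, the changes are whitespace and line-wrap reflows of text that is otherwise unchanged (each removed "describe - how the control is met." pair reappears as "+ how the control is met.", and each "embedded as - base64." becomes "+ base64. +" followed by an added line that carries no text at all). Mixing a pretty-print pass with the substantive additions at the end of this 4,800-line example makes it hard to see the real content changes; splitting the reformat into its own commit, or stating that the XML was re-serialised by a tool so the reflow can be treated as mechanical, would let reviewers diff only the meaningful edits. Please also confirm that the text-less added line after each "base64." is a closing tag moved onto its own line and not an empty element, since nothing on it is visible here.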

    @@ -4813,7 +4783,8 @@ 41 CFR 201 - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. @@ -4830,5 +4801,32 @@ and the value is "citation".

    + + CSP Reference + + + +

    CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

    +
    +
    + + Separation of Duties Matrix + +

    Separation of Duties Matrix

    +
    + + + + + 00000000 + +

    May use rlink with a relative path, or embedded as base64. +

    +
    +
    + + +
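Review bot: two things in the last two hunks of this file. In the "@@ -4813" hunk the added "Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." resource repeats, word for word, the citation text of the existing "41 CFR 201" entry directly above it, so unless it is meant to be a distinct back-matter resource with its own uuid and a different purpose it looks like an accidental duplicate and should be dropped. In the "@@ -4830" hunk the new "Separation of Duties Matrix" attachment uses the "00000000" placeholder hash seen elsewhere in this template (the FedRAMP Logo resource, for example); that is acceptable for illustrative content, but now that this file lives under src/validations/constraints/content as the positive-test SSP it will fail any constraint that checks a hash value against its algorithm's expected format or against the referenced rlink, so either give it a real digest or make sure no positive test case targets that resource.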
    \ No newline at end of file diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml deleted file mode 100644 index 732bbc089..000000000 --- a/src/validations/constraints/content/fedramp-ssp-example.xml +++ /dev/null @@ -1,4832 +0,0 @@ - - - - - FedRAMP [Baseline Name] System Security Plan (SSP) - 2024-12-31T23:59:59Z - 2024-11-05T02:24:00Z - fedramp3.0.0-oscal1.1.4 - 1.1.2 - - - 2023-06-30T00:00:00Z - 1.0 - 1.0.4 - - -

    Initial publication.

    -
    -
    - - 2023-07-06T00:00:00Z - 1.1 - 1.0.4 - - -

    Minor prop updates.

    -
    -
    -
    - - - - - - FedRAMP Program Management Office - -

    The FedRAMP PMO resides within GSA and supports agencies and cloud service providers - through the FedRAMP authorization process and maintains a secure repository of - FedRAMP authorizations to enable reuse of security packages.

    -
    -
    - - Prepared By - -

    The organization that prepared this SSP. If developed in-house, this is the CSP - itself.

    -
    -
    - - Prepared For - -

    The organization for which this SSP was prepared. Typically the CSP.

    -
    -
    - - System Security Plan Approval - -

    The individual or individuals accountable for the accuracy of this SSP.

    -
    -
    - - Cloud Service Provider - CSP - - - - Information System Owner - -

    The individual within the CSP who is ultimately accountable for everything related to - this system.

    -
    -
    - - Authorizing Official - -

    The individual or individuals who must grant this system an authorization to - operate.

    -
    -
    - - Authorizing Official's Point of Contact - -

    The individual representing the authorizing official.

    -
    -
    - - Information System Management Point of Contact (POC) - -

    The highest level manager who responsible for system operation on behalf of the - System Owner.

    -
    -
    - - Information System Technical Point of Contact - -

    The individual or individuals leading the technical operation of the system.

    -
    -
    - - General Point of Contact (POC) - -

    A general point of contact for the system, designated by the system owner.

    -
    -
    - - - System Information System Security Officer (or Equivalent) - -

    The individual accountable for the security posture of the system on behalf of the - system owner.

    -
    -
    - - Privacy Official's Point of Contact - -

    The individual responsible for the privacy threshold analysis and if necessary the - privacy impact assessment.

    -
    -
    - - Owner of an inventory item within the system. - - - Administrative responsibility an inventory item within the system. - - - ICA POC (Local) - -

    The point of contact for an interconnection on behalf of this system.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA POC (Remote) - -

    The point of contact for an interconnection on behalf of this external system to - which this system connects.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA Signatory (Local) - -

    Responsible for signing an interconnection security agreement on behalf of this - system.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA Signatory (Remote) - -

    Responsible for signing an interconnection security agreement on behalf of the - external system to which this system connects.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - Consultant - -

    Any consultants involved with developing or maintaining this content.

    -
    -
    - - Customer - -

    Represents any customers of this system as may be necessary for assigning customer - responsibility.

    -
    -
    - - Provider - -

    The provider of a leveraged system, external service, API, CLI.

    -
    -
    - - [SAMPLE]Unix Administrator - -

    This is a sample role.

    -
    -
    - - [SAMPLE]Client Administrator - -

    This is a sample role.

    -
    -
    - - Leveraged Authorization Users - -

    Any internal users of a leveraged authorization.

    -
    -
    - - External System Owner - -

    The owner of an external system.

    -
    -
    - - External System Management Point of Contact (POC) - -

    The highest level manager who responsible for an external system's operation on - behalf of the System Owner.

    -
    -
    - - External System Technical Point of Contact - -

    The individual or individuals leading the technical operation of an external - system.

    -
    -
    - - Approver - -

    An internal approving authority.

    -
    -
    - - CSP HQ -
    - Suite 0000 - 1234 Some Street - Haven - ME - 00000 -
    - -

    There must be one location identifying the CSP's primary business address, such as - the CSP's HQ, or the address of the system owner's primary business location.

    -
    -
    - - Primary Data Center -
    - 2222 Main Street - Anywhere - -- - 00000-0000 - US -
    - - -

    There must be one location for each data center.

    -

    There must be at least two data center locations.

    -

    For a data center, briefly summarize the components at this location.

    -

    All data centers must have a "type" property with a value of "data-center".

    -

    The type property must also have a class of "primary" or "alternate".

    -
    -
    - - Secondary Data Center -
    - 3333 Small Road - Anywhere - -- - 00000-0000 - US -
    - - -

    There must be one location for each data center.

    -

    There must be at least two data center locations.

    -

    For a data center, briefly summarize the components at this location.

    -

    All data centers must have a "type" property with a value of "data-center".

    -

    The type property must also have a class of "primary" or "alternate".

    -
    -
    - - - Cloud Service Provider (CSP) Name - CSP Acronym/Short Name - - 11111111-2222-4000-8000-003000000001 - -

    Replace sample CSP information.

    -

    CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party. -

    -
    -
    - - Federal Risk and Authorization Management Program: Program Management Office - FedRAMP PMO - - - - info@fedramp.gov -
    - 1800 F St. NW - Washington - DC - 20006 - US -
    - -

    This party entry must be present in a FedRAMP SSP.

    -

    The uuid may be different; however, the uuid must be associated with the - "fedramp-pmo" role in the responsible-party assemblies.

    -
    -
    - - Federal Risk and Authorization Management Program: Joint Authorization Board - FedRAMP JAB - - -

    This party entry must be present in a FedRAMP SSP.

    -

    The uuid may be different; however, the uuid must be associated with the - "fedramp-jab" role in the responsible-party assemblies.

    -
    -
    - - - External Organization - External - -

    Generic placeholder for any external organization.

    -
    -
    - - Agency Name - A.N. - -

    Generic placeholder for an authorizing agency.

    -
    -
    - - Name of Consulting Org - NOCO - - - poc@example.com -
    - 3333 Corporate Way - Washington - DC - 00000 - US -
    -
    - - [SAMPLE]Remote System Org Name - - - [SAMPLE]ICA POC's Name - - person@ica.example.org - 2025551212 - 11111111-2222-4000-8000-004000000007 - - - [SAMPLE]Example IaaS Provider - E.I.P. - -

    Underlying service provider. Leveraged Authorization.

    -
    -
    - - [SAMPLE]Person Name 1 - - - name@example.com - 2020000001 - 11111111-2222-4000-8000-003000000001 - 11111111-2222-4000-8000-004000000001 - - - [SAMPLE]Person Name 2 - - name@example.com - 2020000002 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 3 - - name@example.com - 2020000003 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 4 - - name@example.com - 2020000004 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 5 - - name@example.com - 2020000005 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 6 - - name@example.com - 2020000006 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000004 -
    - - [SAMPLE]Person Name 7 - - name@example.com - 2020000007 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE] IT Department - - - [SAMPLE]Security Team - - - Leveraged Authorization User - - - - - - Name of Leveraged System A Provider - - - Name of Leveraged System B Provider - - - Name of Leveraged System C Provider - - - Name of Service Provider - - - Name of Telco Provider - - - 11111111-2222-4000-8000-004000000018 - - - 11111111-2222-4000-8000-004000000001 - 22222222-2222-4000-8000-004000000001 - -

    Zero or more

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - -

    Exactly one

    -
    -
    - - - 11111111-2222-4000-8000-004000000001 - - - - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - -

    One or more

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000003 - 11111111-2222-4000-8000-004000000015 - -

    One or more

    -
    -
    - - 11111111-2222-4000-8000-004000000012 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000013 - -

    Exactly one

    -
    -
    - - - 11111111-2222-4000-8000-004000000014 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000015 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000016 - -

    Exactly one

    -
    -
    - - -
    - - -

    This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official - FedRAMP 3.0.0 release.

    -

    Must adjust accordingly for applicable baseline and revision.

    -
    -
    - - - - F00000000 - System's Full Name - System's Short Name or Acronym - - -

    [Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] - offering using a multi-tenant [insert based on the Deployment Model above] cloud - computing environment. It is available to [Insert scope of customers in accordance with - instructions above (for example, the public, federal, state, local, and tribal - governments, as well as research institutions, federal contractors, government - contractors etc.)].

    -

    NOTE: Additional description, including the purpose and functions of this system may be - added here. This includes any narrative text usually included in section 9.1 of the - SSP.

    -

    NOTE: The description is expected to be at least 32 words in length.

    -
    - - - -

    Remarks are required if service model is "other". Optional otherwise.

    -
    -
    - - - -

    Remarks are required if deployment model is "hybrid-cloud" or "other". Optional - otherwise.

    -
    -
    - - - - - - - - - - - fips-199-moderate - - - - - Information Type Name - -

    A description of the information.

    -
    - - C.2.4.1 - - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-low - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - Information Type Name - -

    A description of the information.

    -
    - - C.3.5.1 - - - fips-199-moderate - fips-199-low - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-high - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - Information Type Name - -

    A description of the information.

    -
    - - C.3.5.8 - - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - -
    - - - fips-199-moderate - fips-199-moderate - fips-199-moderate - - - - - -

    Remarks are optional if status/state is "operational".

    -

    Remarks are required otherwise.

    -
    -
    - - - - - -

    A holistic, top-level explanation of the FedRAMP authorization boundary.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Authorization Boundary Diagram -
    -
    - - - -

    A holistic, top-level explanation of the network architecture.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Network Diagram -
    -
    - - - -

    A holistic, top-level explanation of the system's data flows.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Data Flow Diagram -
    -
    -
    - - - - - - - - AwesomeCloud Commercial(IaaS) - - - - -

    For now, this is a required field. In the future we intend - to pull this information directly from FedRAMP's records - based on the "leveraged-system-identifier" property's value.

    -
    -
    - - -

    For now, this is a required field. In the future we intend - to pull this information directly from FedRAMP's records - based on the "leveraged-system-identifier" property's value.

    -
    -
    - - 11111111-2222-4000-8000-c0040000000a - 2015-01-01 - -

    Use one leveraged-authorization assembly for each underlying authorized - cloud system or general support system (GSS).

    -

    For each leveraged authorization there must also be a "system" component. - The corrisponding "system" component must include a - "leveraged-authorization-uuid" property - that links it to this leveraged authorization.

    -
    -
    - - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    - -

    The user assembly is being reviewed for continued applicability - under FedRAMP's adoption of Rev 5.

    -

    Currently, FedRAMP will only process user content if it includes the - FedRAMP "separation-of-duties-matrix" property/extension. All other user - entries will be ignored by validation rules, but may be displayed by tools.

    -
    -
    - - - - - - - system-poc-technical - - Add/Remove Admins - This can add and remove admins. - - - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - system-owner - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - This System - -

    This component represents the entire authorization boundary, - as depicted in the system authorization boundary diagram.

    -

    FedRAMP requires exactly one "this-system" component, which is used - in control implementation responses and interconnections.

    -
    - - -

    A FedRAMP SSP must always have exactly one "this-system" component - that represents the whole system.

    -

    It does not need system details, as those exist elsewhere in this SSP.

    -
    -
    - - - - - - - - - - - Awesome Cloud IaaS (Leveraged Authorized System) - -

    Briefly describe the leveraged system.

    -
    - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - 11111111-2222-4000-8000-c0040000000a - -

    The "provider" role is required for the component representing - a leveraged system. It must reference exactly one party - (via party-uuid), which points to a party of type "organization" - representing the organization that owns the leveraged system.

    -
    -
    - - - - - -

    This is a leveraged system within which this system operates. - It is explicitly listed on the FedRAMP marketplace with a status of - "FedRAMP Authorized".

    -

    Requirements

    -

    Each leveraged system must be expressed as a "system" component, and must have:

    -
      -
    • the name of the system in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • a "leveraged authorization-uuid" core property that links this component to the - leveraged-authorization entry
    • -
    • an "implementation-point" core property with a value of "external"
    • -
    • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is - "other", use the proeprty's remarks to descibe the agreement.
    • -
    • an "authentication-method" property/extension with a value of "yes", "no" or - "not-applicable" with commentary in the remarks.
    • -
    • One or more "information-type" property/extensions, where the a - llowed values are the 800-63 - information type identifiers.
    • -
    • A "provider" responsible-role with exactly one party-uuid entry - that indicates which organization is the provider of this leveraged system.
    • -
    • a status with a state value of "operational"
    • -
    • At least one responsible-role (other than "provider") that indicates any authorized - users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
    • -
    -

    -

    Where relevant, this component should also have:

    -
      -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    -

    Links to the vendor website describing the system are encouraged, but not required.

    - -

    Services

    -

    A service within the scope of the leveraged system's authorization boundary - is considered an "authorized service". Any other service offered by the - leveraged system is considered a "non-authorized service"

    -

    Represent each authorized or non-authorized leveraged services using a - "service" component. Both authorized and non-authorized service components - are represented the same in OSCAL with the following exceptions:

    -
      -
    • The component for an authorized servcie includes a - "leveraged-authorization-uuid" property. This - property must be excluded from the component of a - non-authorized leveraged service.
    • -
    • The component for a non-authorized service must include - a "still-supported" property/extension.
    • -
    • The component for a non-authorized service must have - a "poam-item" link that references a corrisponding entry in this system's - POA&M.
    • -
    - -

    Both authorized and non-authorized leveraged services include:

    -
      -
    • a "provided-by" link with a URI fragment that points - to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    • the name of the service in the title (for authorized services this should be - exactly as it appears in the FedRAMP Marketplace
    • -
    • an "implementation-point" core property with a value of "external"
    • -
    • an "authentication-method" property/extension with a value of "yes", "no" or - "not-applicable" with commentary in the remarks.
    • -
    • One or more "information-type" property/extensions, where the a - llowed values are the 800-63 - information type identifiers.
    • -
    • a status with a state value of "operational"
    • -
    • At least one responsible-role (other than "provider") that indicates any authorized - users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
    • -
    - -

    Although SSP Table 7.1 also requires data categoriation and hosting - environment information about non-authorized leveraged services, - these datails are derived from other content in this SSP.

    -
    -
    - - - - Service A - -

    An authorized service provided by the Awesome Cloud leveraged authorization.

    -

    Describe the service and what it is used for.

    -
    - - - - - - - - - - - -

    This is a service offered by a leveraged system and used by this system. - It is explicitly listed on the FedRAMP marketplace as being included in the - scope of this leveraged system's ATO, thus is considered an "Authorized Service.

    -

    -

    Each leveraged service must be expressed as a "service" component, and must have:

    -
      -
    • the name of the service in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • a "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry
    • -
    • an "implementation-point" property with a value of "external"; and
    • -
    • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    -

    -

    Where relevant, this component should also have:

    -
      -
    • One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.
    • -
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.
    • -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -
      -
    • Package ID, Authorization Type, Impact Level
    • -
    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component representing the leveraged system as a whole:

    -

    - Nature of Agreement, CSP Name

    -
    -
    - - - - - - - Service B - -

    An non-authorized service provided by the Awesome Cloud leveraged authorization.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - - - - - 33333333-2222-4000-8000-004000000001 - - -

    This is a service offered by a leveraged system and used by this system. - It is NOT explicitly listed on the FedRAMP marketplace as being included - in the scope of the leveraged system's ATO, thus is treated as a - non-authorized, leveraged service.

    -

    -

    Each non-authorized leveraged service must be expressed as a "service" component, and must have:

    -
      -
    • the name of the service in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • an "implementation-point" property with a value of "external"; and
    • -
    • one or two "direction" prperty/extensions
    • -
    • One or more "information-type" property/extensions, where the allowed values are the 800-63 - information type identifiers, and the cited types are included full list of system information types.
    • -
    • exactly one "poam-item" link, with an href value that references the - POA&M and a resource-fragment that represents the - POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) - in an OSCAL-based POA&M.
    • -
    • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    • -
    • - -
    -

    The "leveraged-authorization-uuid" property must NOT be present, as this is how - tools are able to distinguish between authorized and non-authorized services - from the same leveraged provider.

    -

    - -

    Where relevant, this component should also have:

    -
      -
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.
    • -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -
      -
    • Package ID, Authorization Type, Impact Level
    • -
    -

    - -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -

    - Package ID, Authorization Type, Impact Level

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

    -

    - Nature of Agreement, CSP Name

    -

    -

    An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

    -
    -
    - - - - - Other Cloud SaaS - -

    An external system to which this system shares an interconnection.

    -
    - - - - - - - - 33333333-2222-4000-8000-004000000001 - - - 11111111-2222-4000-8000-004000000008 - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - 11111111-2222-4000-8000-004000000012 - - - services - - - -

    Each interconnection to one or more remote systems must have:

    -
      -
    • a "system" component (this component)
    • -
    • an "interconnection" component
    • -
    -

    Each "system" component must have:

    -
      -
    • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
    • -
    • an "implementation-point" property with a value of "external"
    • -
    • a "status" field with a state value of "operational"
    • -
    • if an interconnection exists with this system and there are - remote listening ports, one or more "protocol" assemblies must - be provided.
    • -
    - -

    While not required, each "system" component should have:

    -
      -
    • an "inherited-uuid" property if the value was provided by the system owner
    • -
    • a "compliance" property/extension if appropriate
    • -
    • an "authorizing-official" responsible-role
    • -
    • an "system-owner" responsible-role
    • -
    • an "system-poc-management" responsible-role
    • -
    • an "system-poc-technical" responsible-role
    • -
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP - properties/extensions for these roles, instead favor the core OSCAL - responsible-roles constructs, and the NIST-standard roles of - "authorizing-official", "system-owner", "system-poc-management - and "system-poc-technical"

    -
    -
    - - - - - [EXAMPLE]Authorized Connection Information System Name - -

    Describe the purpose of the external system/service; specifically, provide reasons - for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    -
    - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    -
    -
    - - - - - - - - - - - - - - - - - - - 44444444-2222-4000-8000-004000000001 - - - 11111111-2222-4000-8000-004000000008 - - - 11111111-2222-4000-8000-004000000008 - - - - Incoming FTP Service - - - -

    Each interconnection to one or more remote systems must have:

    -
      -
    • one "system" component for each remote system sharing the connection
    • -
    • an "interconnection" component (this component)
    • -
    -

    Each "interconnection" component must have:

    -
      -
    • an "implementation-point" property with a value of "external"
    • -
    • a "status" field with a state value of "operational"
    • -
    • one or two "direction" properties
    • -
    • a "nature-of-agreement" property/extension
    • -
    • one or more "authentication-method" properties/extensions.
    • -
    • a "hosting-environment" proptery/extension
    • -
    • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
    • -
    • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
    • -
    • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
    • -
    • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
    • -
    • exactly one "used-by" link with an href value that refers to the "this-system" component.
    • -
    • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
    • -
    • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
    • -
    -

    Authentication methods must address both system-authentication as well as - user authentication mechanisms.

    -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    -

    If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

    -

    -

    While not required, each "interconnection" component should have:

    -
      -
    • an "inherited-uuid" property if the value was provided by the system owner
    • -
    • a "compliance" property/extension if appropriate
    • -
    • an "system-poc-management" responsible-role
    • -
    • an "system-poc-technical" responsible-role
    • -
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP - properties/extensions for these roles, instead favor the core OSCAL - responsible-roles constructs, and the NIST-standard roles of - "system-poc-management" and "system-poc-technical". With an interconnection, - the system POC roles reference parties that represent the connection provider.

    -
    -
    - - - - - Other Cloud SaaS - -

    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - 11111111-2222-4000-8000-004000000012 - - -

    For each external system with which this system connects:

    -

    Must have a "system" component (this component).

    -

    Must have an "interconnection" component that connects this component with the - "this-system" component.

    -

    If the leveraged system owner provides a UUID for their system (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    -

    For an external system, the "implementation-point" property must always be present - with a value of "external".

    - - -

    Each interconnection must be defined with both an "system" component and an - "interconnection" component.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    - -
    - - - - Service C - -

    A service provided by an external system other than the leveraged system.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - -

    This can only be known if provided by the leveraged system. - such as via an OSCAL-based CRM, component definition, - or as a result to the leveraged system's OSCAL-based SSP.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - 11111111-2222-4000-8000-004000000012 - - - 33333333-2222-4000-8000-004000000001 - - - - - - - - -

    This is a service provided by an external system other than the leveraged system.

    -

    As a result, the "leveraged-authorization-uuid" property is not applicable and must - NOT be used.

    -

    -

    Each external service used from a leveraged authorization must have:

    -

    - a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

    -

    - a "service" component (this component).

    -

    -

    This component must always have:

    -

    - The name of the service in the title - preferably exactly as it appears on the - vendor's web site

    -

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    -

    - An "implementation-point" property with a value of "external".

    -

    - A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001" -

    -

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, - this property is blocked from proper use.

    -

    - a status with a state value of "operational"

    -

    -

    Where relevant, this component should also have:

    -

    - One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

    -

    - A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

    -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -

    - Package ID, Authorization Type, Impact Level

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

    -

    - Nature of Agreement, CSP Name

    -

    -

    An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

    -
    -
    - - - - Service C - - -

    A service provided by an external system other than the leveraged system.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - -

    Either describe a risk associated with this service, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    - - - - - - 11111111-2222-4000-8000-004000000018 - - - - Remote API Service - - - - -

    This is a service provided by an external system other than the leveraged system.

    - - - -

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - - - -

    As a result, the "leveraged-authorization-uuid" property is not applicable and must - NOT be used.

    -

    All services require the "implementation-point" property. In this case, the property - value is set to "external.

    -

    All external services would normally require a "provided-by" link; however, a known - bug in core OSCAL syntax prevents the use of this property at this time.

    -

    If the leveraged system owner provides a UUID for their service (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    - - - - -
    -
    - - - - Management CLI - -

    None

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - -

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    - - -

    - - - - - - 11111111-2222-4000-8000-004000000018 - - - - - - - - - - Service D - -

    A service that exists within the authorization boundary.

    -

    Describe the service and what it is used for.

    - - - -
    - - - - - - - - [SAMPLE]Cryptographic Module Name - -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, - file, record-level, etc.)

    -

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS - compliance (e.g., Module in Process).

    -
    - - - - - - - - - - -
    - - - [SAMPLE]Cryptographic Module Name - -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS - compliance (e.g., Module in Process).

    -
    - - - - - - - - - - -
    - - - - - - - - - - - [SAMPLE]Product Name - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - - [SAMPLE]Product Name - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - - - [SAMPLE]Product - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - 11111111-2222-4000-8000-004000000017 - - - 11111111-2222-4000-8000-004000000011 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - OS Sample - -

    None

    -
    - - - - - -
    - - Database Sample - -

    None

    -
    - - - - - - - - - - -
    - - Appliance Sample - -

    None

    -
    - - - - - - -

    Vendor appliance. No admin-level access.

    -
    -
    - -
    - - - - AC Policy - -

    The Access Control Policy governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Policy governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability governs how access is managed and approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Policy governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Policy governs how access is managed and approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Policy governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Policy governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Policy governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Policy governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Policy governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Policy governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Policy governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Policy governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Policy governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Policy governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Policy governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Policy governs how access is managed and - approved.

    -
    - - -
    - - S3 Policy - -

    The System and Communication Protection Policy governs how access is managed and - approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Policy governs how access is managed and - approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Policy governs how access is managed and - approved.

    -
    - - -
    - - - - AC Policy - -

    The Access Control Procedure governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Procedure governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability Procedure governs how access is managed and - approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Procedure governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Procedure governs how access is managed and - approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Procedure governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Procedure governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Procedure governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Procedure governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Procedure governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Procedure governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Procedure governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Procedure governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Procedure governs how access is managed and - approved.

    -
    - - -
    - - S3 Policy - -

    The System and Communication Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Procedure governs how access is managed and - approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Procedure governs how access is managed and - approved.

    -
    - - -
    - - - - - IPv4 Production Subnet - -

    IPv4 Production Subnet.

    -
    - - - - -
    - - IPv4 Management Subnet - -

    IPv4 Management Subnet.

    -
    - - - - - -
    - - Email Service - -

    Email Service

    -
    - - - - - - - - -
    - - - - -

    Legacy Example (No implemented-component).

    -
    - - - - - - - - - - - - - - - - - - - - - - - -

    If no, explain why. If yes, omit remarks field.

    -
    -
    - - - - -

    If no, explain why. If yes, omit remarks field.

    -
    -
    - - -

    Optional, longer, formatted description.

    -
    -
    - - - 11111111-2222-4000-8000-004000000016 - - - 11111111-2222-4000-8000-004000000017 - - - -

    This links to a FIPS 140-2 validated software component that is used by this - inventory item. This type of linkage to a validation through the component is - preferable to the link[rel='validation'] example above.

    -
    -
    - -

    COMMENTS: Additional information about this item.

    -
    -
    - - -

    Component Inventory Example

    -
    - - - - - - - - - - - - - - - - - -

    If no, explain why. If yes, omit remark.

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000017 - - - - - -

    COMMENTS: If needed, provide additional information about this inventory item.

    -
    -
    - - -

    None.

    -
    - - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - -

    Asset wasn't running at time of scan.

    -
    -
    - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - -

    Asset wasn't running at time of scan.

    -
    -
    - -
    - - -

    Email-Service

    -
    - - - - - - - - - -
    -
    - - - - -

    Appendix A - FedRAMP SSP Rev5 Template

    -

    This description field is required by OSCAL.

    -

    FedRAMP does not require any specific information here.

    -
    - - - - - - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - - - - - -

    Describe how Part a is satisfied within the system.

    -

    Legacy approach. If no policy component is defined, describe here how the - policy satisfies part a.

    -

    In this case, a link must be provided to the policy.

    -

    FedRAMP prefers all policies and procedures be attached as a resource in the - back-matter. The link points to a resource.

    -
    - - - - -

    The specified component is the system itself.

    -

    Any control implementation response that can not be associated with another - component is associated with the component representing the system.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Identity - Management and Access Control Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    - -
    -
    - - - -

    There

    -
    - - - -

    Describe the plan to complete the implementation.

    -
    -
    -
    - - -

    Describe how this policy currently satisfies part a.

    -
    - - -

    Describe the plan for addressing the missing policy elements.

    -
    -
    - - -

    Identify what is currently missing from this policy.

    -
    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    - -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - -

    Describe any customer-configured requirements for satisfying this control.

    -
    -
    - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - [SAMPLE]privileged, non-privileged - - - [SAMPLE]all - - - [SAMPLE]The Access Control Procedure - - - at least annually - -
    -
    - - - -

    Describe how AC-2, part a is satisfied within this system.

    -

    This points to the "This System" component, and is used any time a more - specific component reference is not available.

    -
    - - - -

    Leveraged system's statement of capabilities which may be inherited by a - leveraging systems to satisfy AC-2, part a.

    -
    -
    - - -

    Leveraged system's statement of a leveraging system's responsibilities in - satisfaction of AC-2, part a.

    -

    Not associated with inheritance, thus associated this with the - by-component for "this system".

    -
    - - 11111111-2222-4000-8000-004000000001 - -
    -
    -
    - - -

    For the portion of the control satisfied by the application component of this - system, describe how the control is met.

    -
    - - - -

    Consumer-appropriate description of what may be inherited from this - application component by a leveraging system.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    - - -

    Leveraging system's responsibilities with respect to inheriting this - capability from this application.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    -
    - -

    The component-uuid above points to the "this system" component.

    -

    Any control response content that does not cleanly fit another system component - is placed here. This includes customer responsibility content.

    -

    This can also be used to provide a summary, such as a holistic overview of how - multiple components work together.

    -

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    -
    -
    - - -

    For the portion inherited from an underlying FedRAMP-authorized provider, - describe what is inherited.

    -
    - - -

    Optional description.

    -

    Consumer-appropriate description of what may be inherited as provided by the - leveraged system.

    -

    In the context of this component in satisfaction of AC-2, part a.

    -

    The provided-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -
    -
    - - -

    Description of how the responsibility was satisfied.

    -

    The responsibility-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    -

    Tool developers should be mindful that

    -
    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    Describe how Part a is satisfied.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - - - - 11111111-2222-4000-8000-004000000018 - - - - -

    Describe how the control is satisfied within the system.

    -

    DMARC is employed.

    -

    SPF is employed.

    -

    DKIM is employed.

    -
    - - organization-defined personnel or roles - - - [specify frequency] - - - [specify frequency] - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - to include chief privacy and ISSO and/or similar role or designees - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    -
    -
    - - - - - Signed System Security Plan - -

    SSP Signature

    -
    - - - - 00000000 - -

    The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in - OSCAL, and welcome feedback on solutions.

    -

    For now, the PMO recommends one of the following:

    -
      -
    • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
    • -
    • Render the OSCAL SSP content as a printed page that is physically signed, - scanned, and attached.
    • -
    -

    If your organization prefers another approach, please seek prior approval from the - FedRAMP PMO.

    -
    -
    - - - FedRAMP Applicable Laws and Regulations - - - -

    Must be present in a FedRAMP SSP.

    -
    -
    - - - - Access Control Policy Title - -

    AC Policy document

    -
    - - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Awareness and Training Policy Title - -

    AT Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Audit and Accountability Policy Title - -

    AU Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Security Assessment and Authorization Policy Title - -

    CA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Configuration Management Policy Title - -

    CM Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Contingency Planning Policy Title - -

    CP Policy document

    -
    - - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Identification and Authentication Policy Title - -

    IA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Incident Response Policy Title - -

    IR Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Maintenance Policy Title - -

    MA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Media Protection Policy Title - -

    MP Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Physical and Environmental Protection Policy Title - -

    PE Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Planning Policy Title - -

    PL Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Personnel Security Policy Title - -

    PS Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Risk Adjustment Policy Title - -

    RA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Service Acquisition Policy Title - -

    SA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Communications Protection Policy Title - -

    SC Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Information Integrity Policy Title - -

    SI Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Supply Chain Risk Policy Title - -

    SR Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Access Control Procedure Title - -

    AC Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Awareness and Training Procedure Title - -

    AT Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Audit and Accountability Procedure Title - -

    AU Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Security Assessment and Authorization Procedure Title - -

    CA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Configuration Management Procedure Title - -

    CM Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Contingency Planning Procedure Title - -

    CP Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Identification and Authentication Procedure Title - -

    IA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Incident Response Procedure Title - -

    IR Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Maintenance Procedure Title - -

    MA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Media Protection Procedure Title - -

    MP Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Physical and Environmental Protection Procedure Title - -

    PE Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Planning Procedure Title - -

    PL Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Personnel Security Procedure Title - -

    PS Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Risk Adjustment Procedure Title - -

    RA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Service Acquisition Procedure Title - -

    SA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Communications Protection Procedure Title - -

    SC Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Information Integrity Procedure Title - -

    SI Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Supply Chain Risk Procedure Title - -

    SR Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - User's Guide - -

    User's Guide

    -
    - - - - - - -

    Table 12-1 Attachments: User's Guide Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - Document Title - -

    Rules of Behavior

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Rules of Behavior (ROB)

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Contingency Plan (CP)

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Configuration Management (CM) Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Incident Response (IR) Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - - - CSP-specific Law Citation - - - - Identification Number - - 00000000 - -

    A CSP-specific law citation

    -

    The "type" property must be present and contain the value "law".

    -
    - -
    - - - - - Document Title - -

    Continuous Monitoring Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Plan of Actions and Milestones (POAM) - - - - - - - 00000000 - - - - - Supply Chain Risk Management Plan - -

    Supply Chain Risk Management Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - [SAMPLE]Interconnection Security Agreement Title - - - - - - - 00000000 - - - FedRAMP Logo - -

    FedRAMP Logo

    -
    - - - - 00000000 - -

    Must be present in a FedRAMP SSP.

    -
    -
    - - CSP Logo - -

    CSP Logo

    -
    - - 00000000 - -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - 3PAO Logo - -

    3PAO Logo

    -
    - - 00000000 - -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - - Boundary Diagram - -

    The primary authorization boundary diagram.

    -
    - - - 00000000 - -

    Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/authorization-boundary/diagram/link/@href flag using a value - of "#11111111-2222-4000-8000-001000000054"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Network Diagram - -

    The primary network diagram.

    -
    - - - - 00000000 - -

    Section 8.1, Figure 8-2 Network Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/network-architecture/diagram/link/@href flag using a value of - "#11111111-2222-4000-8000-001000000055"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Data Flow Diagram - -

    The primary data flow diagram.

    -
    - - - 00000000 - -

    Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

    -

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href - flag using a value of "#11111111-2222-4000-8000-001000000056"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Interconneciton Security Agreement (ISA) - - - - - - - 41 CFR 201 - - - - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. - - - -

    CSP-specific citation. Note the "type" property's class is "law" - and the value is "citation".

    -
    -
    - - CSP Acronyms - - - -

    CSP-specific citation. Note the "type" property's class is "acronyms" - and the value is "citation".

    -
    -
    - - CSP Reference - - - -

    CSP-specific reference. Note the "type" property's class is "reference" - and the value is "citation".

    -
    -
    - - Separation of Duties Matrix - -

    Separation of Duties Matrix

    -
    - - - - - 00000000 - -

    May use rlink with a relative path, or embedded as base64. -

    -
    -
    - - - -
    -
    \ No newline at end of file diff --git a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml index cd6831c3e..271327849 100644 --- a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml +++ b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml @@ -3,7 +3,7 @@ test-case: description: >- This test case validates the behavior of constraint missing-response-components - content: ../content/fedramp-ssp-example.xml + content: ../content/fedramp-ssp-example.oscal.xml expectations: - constraint-id: missing-response-components result: pass From 5af1b11ee98f969495445f6bcc3aef60afedcef4 Mon Sep 17 00:00:00 2001 
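Review bot: the RA policy and procedure resources in this new file are titled "Risk Adjustment Policy Title" and "Risk Adjustment Procedure Title", but the RA control family in NIST SP 800-53 is Risk Assessment; rename both so the example does not teach the wrong family name. Three smaller points in the same file: the Supply Chain Risk Management Plan resource carries the remark "Table 12-1 Attachments: Procedure Attachment", copied from the procedure entries, where the other plan attachments (CP, CM, IR, Continuous Monitoring) each name their own attachment row; the back-matter title "Interconneciton Security Agreement (ISA)" is misspelled; and the signature remark "The FedRAMP PMO is formulating guidelines ... and welcome feedback" should read "welcomes". Because the PASS unit tests load this file as the valid example SSP, placeholder mistakes here are copied into every positive test case that depends on it.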
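Review bot: missing-response-components-PASS.yaml now points at ../content/fedramp-ssp-example.oscal.xml instead of ../content/fedramp-ssp-example.xml, so the large fedramp-ssp-example.xml added just above is no longer the file this test loads; either rename that file to the .oscal.xml name within the same series or drop it, rather than keeping two near-identically named example SSPs in src/validations/constraints/content. Also confirm that every other *-PASS.yaml case referencing fedramp-ssp-example.xml was retargeted the same way, since only this one test file is touched here.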
From: "~ . ~" Date: Tue, 3 Dec 2024 15:01:04 -0500 Subject: [PATCH 5/6] nuke rev4 constraints --- features/fedramp_extensions.feature | 12 ----------- .../content/fedramp-ssp-example.oscal.xml | 6 ++---- .../fedramp-external-allowed-values.xml | 21 ------------------- .../fedramp-external-constraints.xml | 16 +++----------- .../user-has-privilege-level-FAIL.yaml | 7 ------- .../user-has-privilege-level-PASS.yaml | 7 ------- .../user-has-sensitivity-level-FAIL.yaml | 9 -------- .../user-has-sensitivity-level-PASS.yaml | 9 -------- .../unit-tests/user-privilege-level-FAIL.yaml | 7 ------- .../unit-tests/user-privilege-level-PASS.yaml | 7 ------- .../user-sensitivity-level-FAIL.yaml | 7 ------- .../user-sensitivity-level-PASS.yaml | 7 ------- 12 files changed, 5 insertions(+), 110 deletions(-) delete mode 100644 src/validations/constraints/unit-tests/user-has-privilege-level-FAIL.yaml delete mode 100644 src/validations/constraints/unit-tests/user-has-privilege-level-PASS.yaml delete mode 100644 src/validations/constraints/unit-tests/user-has-sensitivity-level-FAIL.yaml delete mode 100644 src/validations/constraints/unit-tests/user-has-sensitivity-level-PASS.yaml delete mode 100644 src/validations/constraints/unit-tests/user-privilege-level-FAIL.yaml delete mode 100644 src/validations/constraints/unit-tests/user-privilege-level-PASS.yaml delete mode 100644 src/validations/constraints/unit-tests/user-sensitivity-level-FAIL.yaml delete mode 100644 src/validations/constraints/unit-tests/user-sensitivity-level-PASS.yaml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 7b863e096..3f7ea12db 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature 
@@ -136,12 +136,8 @@ Examples: | unique-inventory-item-asset-id | | user-authentication | | user-has-authorized-privilege | - | user-has-privilege-level | | user-has-role-id | - | user-has-sensitivity-level | | user-has-user-type | - | user-privilege-level | - | user-sensitivity-level | | user-type | #END_DYNAMIC_CONSTRAINT_IDS @@ -378,18 +374,10 @@ Examples: | user-authentication-PASS.yaml | | user-has-authorized-privilege-FAIL.yaml | | user-has-authorized-privilege-PASS.yaml | - | user-has-privilege-level-FAIL.yaml | - | user-has-privilege-level-PASS.yaml | | user-has-role-id-FAIL.yaml | | user-has-role-id-PASS.yaml | - | user-has-sensitivity-level-FAIL.yaml | - | user-has-sensitivity-level-PASS.yaml | | user-has-user-type-FAIL.yaml | | user-has-user-type-PASS.yaml | - | user-privilege-level-FAIL.yaml | - | user-privilege-level-PASS.yaml | - | user-sensitivity-level-FAIL.yaml | - | user-sensitivity-level-PASS.yaml | | user-type-FAIL.yaml | | user-type-PASS.yaml | #END_DYNAMIC_TEST_CASES diff --git a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml index 732bbc089..e00a00a58 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml @@ -806,8 +806,7 @@ - - + system-poc-technical Admin @@ -853,8 +852,7 @@ - - + system-poc-technical Admin diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index c92f705ec..c18cbda0a 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml 
@@ -412,27 +412,6 @@ - - Privilege Level - The privilege level of the user. - - Read - Read-Write - Write - No Access - - - - User Sensitvity Level - Sensitivity level of the user. - - High Risk - Severe - Moderate - Limited - Not Applicable - - User Type The type of user. diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index f8358f64d..dccb08d94 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -12,26 +12,16 @@ A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier.
    - - User Has Privilege Level + + User Has User Type - A FedRAMP document MUST define a user with a privilege for their use of the system. + A FedRAMP document MUST define a user with a type. User Has Role ID A FedRAMP document MUST define a user with at least one role by a role identifier. - - User Has Sensitivity Level - - A FedRAMP document MUST define a user with a sensitivity level of their use of the system. - - - User Has User Type - - A FedRAMP document MUST define a user with a type. -
    diff --git a/src/validations/constraints/unit-tests/user-has-privilege-level-FAIL.yaml b/src/validations/constraints/unit-tests/user-has-privilege-level-FAIL.yaml deleted file mode 100644 index 89e5cebb3..000000000 --- a/src/validations/constraints/unit-tests/user-has-privilege-level-FAIL.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Negative Test for user-has-privilege-level - description: This test case validates the behavior of constraint user-has-privilege-level - content: ../content/ssp-user-INVALID.xml - expectations: - - constraint-id: user-has-privilege-level - result: fail diff --git a/src/validations/constraints/unit-tests/user-has-privilege-level-PASS.yaml b/src/validations/constraints/unit-tests/user-has-privilege-level-PASS.yaml deleted file mode 100644 index cc9f3218d..000000000 --- a/src/validations/constraints/unit-tests/user-has-privilege-level-PASS.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Positive Test for user-has-privilege-level - description: This test case validates the behavior of constraint user-has-privilege-level - content: ../content/ssp-all-VALID.xml - expectations: - - constraint-id: user-has-privilege-level - result: pass diff --git a/src/validations/constraints/unit-tests/user-has-sensitivity-level-FAIL.yaml b/src/validations/constraints/unit-tests/user-has-sensitivity-level-FAIL.yaml deleted file mode 100644 index 1fcd4e448..000000000 --- a/src/validations/constraints/unit-tests/user-has-sensitivity-level-FAIL.yaml +++ /dev/null @@ -1,9 +0,0 @@ -test-case: - name: Negative Test for user-has-sensitivity-level - description: >- - This test case validates the behavior of constraint - user-has-sensitivity-level - content: ../content/ssp-user-INVALID.xml - expectations: - - constraint-id: user-has-sensitivity-level - result: fail 
diff --git a/src/validations/constraints/unit-tests/user-has-sensitivity-level-PASS.yaml b/src/validations/constraints/unit-tests/user-has-sensitivity-level-PASS.yaml deleted file mode 100644 index cc8adf6ee..000000000 --- a/src/validations/constraints/unit-tests/user-has-sensitivity-level-PASS.yaml +++ /dev/null @@ -1,9 +0,0 @@ -test-case: - name: Positive Test for user-has-sensitivity-level - description: >- - This test case validates the behavior of constraint - user-has-sensitivity-level - content: ../content/ssp-all-VALID.xml - expectations: - - constraint-id: user-has-sensitivity-level - result: pass diff --git a/src/validations/constraints/unit-tests/user-privilege-level-FAIL.yaml b/src/validations/constraints/unit-tests/user-privilege-level-FAIL.yaml deleted file mode 100644 index bb542e47a..000000000 --- a/src/validations/constraints/unit-tests/user-privilege-level-FAIL.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Negative Test for user-privilege-level - description: This test case validates the behavior of constraint user-privilege-level - content: ../content/ssp-user-privilege-level-INVALID.xml - expectations: - - constraint-id: user-privilege-level - result: fail diff --git a/src/validations/constraints/unit-tests/user-privilege-level-PASS.yaml b/src/validations/constraints/unit-tests/user-privilege-level-PASS.yaml deleted file mode 100644 index db272e857..000000000 --- a/src/validations/constraints/unit-tests/user-privilege-level-PASS.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Positive Test for user-privilege-level - description: This test case validates the behavior of constraint user-privilege-level - content: ../content/ssp-all-VALID.xml - expectations: - - constraint-id: user-privilege-level - result: pass diff --git a/src/validations/constraints/unit-tests/user-sensitivity-level-FAIL.yaml b/src/validations/constraints/unit-tests/user-sensitivity-level-FAIL.yaml deleted file mode 100644 index c3e7f295a..000000000 
--- a/src/validations/constraints/unit-tests/user-sensitivity-level-FAIL.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Negative Test for user-sensitivity-level - description: This test case validates the behavior of constraint user-sensitivity-level - content: ../content/ssp-user-sensitivity-level-INVALID.xml - expectations: - - constraint-id: user-sensitivity-level - result: fail diff --git a/src/validations/constraints/unit-tests/user-sensitivity-level-PASS.yaml b/src/validations/constraints/unit-tests/user-sensitivity-level-PASS.yaml deleted file mode 100644 index 582d4cd37..000000000 --- a/src/validations/constraints/unit-tests/user-sensitivity-level-PASS.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Positive Test for user-sensitivity-level - description: This test case validates the behavior of constraint user-sensitivity-level - content: ../content/ssp-all-VALID.xml - expectations: - - constraint-id: user-sensitivity-level - result: pass From 10165844fddd40c44bd7cbbe5ec3c640fecf4e6f Mon Sep 17 00:00:00 2001 
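Review bot: the deleted unit tests reference the fixtures ../content/ssp-user-INVALID.xml, ../content/ssp-user-privilege-level-INVALID.xml and ../content/ssp-user-sensitivity-level-INVALID.xml, yet none of those content files is deleted in this patch, so removing the rev4 privilege-level and sensitivity-level constraints leaves orphaned negative fixtures behind (the following patch still lists ssp-user-privilege-level-INVALID.xml and ssp-user-sensitivity-level-INVALID.xml as modified, not removed); delete them here or state why they are kept. In fedramp-external-constraints.xml the change is a pure move of the "User Has User Type" constraint into the slot vacated by "User Has Privilege Level", not a change to its text; saying so in the commit message would spare reviewers diffing the two blocks. The fedramp_extensions.feature edits fall inside the generated #END_DYNAMIC_CONSTRAINT_IDS and #END_DYNAMIC_TEST_CASES blocks, so confirm they were produced by regenerating rather than edited by hand.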
From: "~ . ~" Date: Tue, 3 Dec 2024 15:03:26 -0500 Subject: [PATCH 6/6] fix namespaces and nuke old constraints --- .../awesome-cloud/xml/AwesomeCloudSSP1.xml | 68 +- .../awesome-cloud/xml/AwesomeCloudSSP2.xml | 70 +- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 8328 ++++++++--------- .../FedRAMP_rev5_LI-SaaS-baseline_profile.xml | 512 +- .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 4838 +++++----- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 7310 +++++++-------- .../ssp/xml/fedramp-ssp-example.oscal.xml | 4832 ++++++++++ .../rev5/resources/xml/FedRAMP_extensions.xml | 24 +- .../rev5/resources/xml/fedramp_threats.xml | 4 +- .../rev5/resources/xml/fedramp_values.xml | 32 +- .../rev5/resources/xml/information-types.xml | 4 +- .../poam/xml/FedRAMP-POAM-OSCAL-Template.xml | 46 +- .../sap/xml/FedRAMP-SAP-OSCAL-Template.xml | 234 +- .../sar/xml/FedRAMP-SAR-OSCAL-Template.xml | 84 +- .../ssp/xml/FedRAMP-SSP-OSCAL-Template.xml | 262 +- .../content/fedramp-ssp-example.oscal.xml | 312 +- .../content/fedramp-ssp-example.xml | 4832 ++++++++++ .../content/fedramp-tailoring-profile.xml | 2 +- .../content/profile-all-INVALID.xml | 4 +- .../constraints/content/ssp-all-VALID.xml | 56 +- .../content/ssp-attachment-type-INVALID.xml | 2 +- ...hentication-method-has-remarks-INVALID.xml | 2 +- .../ssp-authorization-type-INVALID.xml | 2 +- ...nent-has-authentication-method-INVALID.xml | 18 +- ...-control-implementation-status-INVALID.xml | 2 +- ...nal-system-nature-of-agreement-INVALID.xml | 4 +- ...ully-operational-date-is-valid-INVALID.xml | 2 +- ...-fully-operational-date-type-INVALID-1.xml | 2 +- ...-fully-operational-date-type-INVALID-2.xml | 2 +- ...-authenticator-assurance-level-INVALID.xml | 2 +- ...ndary-diagram-link-href-target-VALID-1.xml | 38 +- ...-configuration-management-plan-INVALID.xml | 2 +- ...-flow-diagram-link-href-target-VALID-1.xml | 38 +- ...has-federation-assurance-level-INVALID.xml | 2 +- ...p-has-identity-assurance-level-INVALID.xml | 2 +- 
...ssp-has-incident-response-plan-INVALID.xml | 2 +- ...mation-system-contingency-plan-INVALID.xml | 2 +- .../ssp-has-inventory-items-INVALID.xml | 2 +- ...cture-diagram-link-href-target-VALID-1.xml | 38 +- .../ssp-has-rules-of-behavior-INVALID.xml | 2 +- ...as-separation-of-duties-matrix-INVALID.xml | 2 +- .../content/ssp-has-user-guide-INVALID.xml | 2 +- ...le-resolves-to-fedramp-content-VALID-1.xml | 34 +- ...le-resolves-to-fedramp-content-VALID-2.xml | 36 +- ...le-resolves-to-fedramp-content-VALID-3.xml | 36 +- .../ssp-interconnection-direction-INVALID.xml | 4 +- .../ssp-interconnection-security-INVALID.xml | 4 +- ...ization-has-valid-impact-level-INVALID.xml | 2 +- ...orization-has-valid-impact-level-VALID.xml | 44 +- ...horization-nature-of-agreement-INVALID.xml | 2 +- ...sp-missing-response-components-INVALID.xml | 6 +- .../content/ssp-privilege-level-INVALID.xml | 2 +- .../ssp-profile-response-point-INVALID.xml | 4 +- ...p-resource-has-base64-or-rlink-INVALID.xml | 2 +- .../ssp-resource-has-title-INVALID.xml | 2 +- ...sp-responsible-party-is-person-INVALID.xml | 2 +- ...rty-prepared-by-location-valid-VALID-1.xml | 38 +- ...ty-prepared-for-location-valid-VALID-1.xml | 38 +- ...saas-has-leveraged-authorization-VALID.xml | 38 +- .../content/ssp-scan-type-INVALID.xml | 2 +- ...unique-inventory-item-asset-id-INVALID.xml | 4 +- .../ssp-user-authentication-INVALID.xml | 18 +- .../ssp-user-privilege-level-INVALID.xml | 2 +- .../ssp-user-sensitivity-level-INVALID.xml | 2 +- .../fedramp-external-allowed-values.xml | 20 +- .../fedramp-external-constraints.xml | 24 +- src/validations/styleguides/STYLE.md | 14 +- 67 files changed, 21034 insertions(+), 11370 deletions(-) create mode 100644 src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml create mode 100644 src/validations/constraints/content/fedramp-ssp-example.xml 
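Review bot: the subject "fix namespaces and nuke old constraints" bundles a mechanical namespace rewrite across the four FedRAMP_rev5_*-baseline_profile.xml files (about 21,000 changed lines between them) with substantive edits to fedramp-external-constraints.xml, fedramp-external-allowed-values.xml, STYLE.md and some sixty test fixtures, which makes the constraint changes effectively unreviewable; split the namespace rewrite into its own commit. The file list also adds two further copies of the example SSP, src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml and src/validations/constraints/content/fedramp-ssp-example.xml (4832 lines each), beside the src/validations/constraints/content/fedramp-ssp-example.oscal.xml that this same patch edits; pick one canonical copy and have the unit-test content paths reference it, otherwise the three will drift apart.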
diff --git a/src/content/awesome-cloud/xml/AwesomeCloudSSP1.xml b/src/content/awesome-cloud/xml/AwesomeCloudSSP1.xml index ed6d0b95a..6921615ca 100644 --- a/src/content/awesome-cloud/xml/AwesomeCloudSSP1.xml +++ b/src/content/awesome-cloud/xml/AwesomeCloudSSP1.xml @@ -111,7 +111,7 @@ - + @@ -191,7 +191,7 @@ - + system-owner GRC Access (Read Only) @@ -203,7 +203,7 @@ - + authorizing-official GRC Access (Read Only) @@ -215,7 +215,7 @@ - + system-poc-management GRC Access (Read Only) @@ -227,7 +227,7 @@ - + system-poc-technical GRC Access @@ -239,7 +239,7 @@ - + system-poc-other GRC Access @@ -251,7 +251,7 @@ - + information-system-security-officer Managerial Access @@ -263,7 +263,7 @@ - + authorizing-official-poc Managerial Access @@ -275,7 +275,7 @@ - + sys-admin Administrative Access @@ -305,7 +305,7 @@ - +

    This is an appliance.

    @@ -332,7 +332,7 @@ - +

    This is an appliance.

    @@ -359,7 +359,7 @@ - +

    This is an appliance.

    @@ -388,7 +388,7 @@ - + @@ -409,7 +409,7 @@ - + @@ -430,7 +430,7 @@ - + @@ -449,7 +449,7 @@ - +

    This is an appliance.

    @@ -478,7 +478,7 @@ - + @@ -499,7 +499,7 @@ - + @@ -520,7 +520,7 @@ - + @@ -541,7 +541,7 @@ - + @@ -562,7 +562,7 @@ - + @@ -583,7 +583,7 @@ - + @@ -604,7 +604,7 @@ - + @@ -617,8 +617,8 @@ - - + + Access Control policy is disseminated to all personnel with access to the system. The Access Control procedures are disseminated to the System Owner, Information System Security Officer, and all personnel with signifigant security responsibilities. @@ -661,8 +661,8 @@ - - + + the information contained in the FedRAMP Integrated Inventory Workbook Template @@ -760,43 +760,43 @@ Laws and Regulations - + User Guide - + Rules of Behavior - + Contingency Plan - + Configuration Management Plan - + Incident Response Plan - + Separation of Duties Matrix - + diff --git a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml index 9da0b5937..59165e473 100644 --- a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml +++ b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml @@ -111,7 +111,7 @@ - + @@ -179,7 +179,7 @@ - + system-owner GRC Access (Read Only) @@ -191,7 +191,7 @@ - + authorizing-official GRC Access (Read Only) @@ -203,7 +203,7 @@ - + system-poc-management GRC Access (Read Only) @@ -215,7 +215,7 @@ - + system-poc-technical GRC Access @@ -227,7 +227,7 @@ - + system-poc-other GRC Access @@ -239,7 +239,7 @@ - + information-system-security-officer Managerial Access @@ -250,7 +250,7 @@ - + authorizing-official-poc Managerial Access @@ -261,7 +261,7 @@ - + sys-admin Administrative Access @@ -289,7 +289,7 @@ - +

    This is an appliance.

    @@ -316,7 +316,7 @@ - +

    This is an appliance.

    @@ -343,7 +343,7 @@ - +

    This is an appliance.

    @@ -372,7 +372,7 @@ - + @@ -393,7 +393,7 @@ - + @@ -414,7 +414,7 @@ - + @@ -433,7 +433,7 @@ - +

    This is an appliance.

    @@ -462,7 +462,7 @@ - + @@ -483,7 +483,7 @@ - + @@ -504,7 +504,7 @@ - + @@ -525,7 +525,7 @@ - + @@ -546,7 +546,7 @@ - + @@ -567,7 +567,7 @@ - + @@ -588,7 +588,7 @@ - + @@ -609,7 +609,7 @@ - + @@ -630,7 +630,7 @@ - + @@ -651,7 +651,7 @@ - + @@ -662,8 +662,8 @@ - - + + the information contained in the FedRAMP Integrated Inventory Workbook Template @@ -755,43 +755,43 @@ Laws and Regulations - + User Guide - + Rules of Behavior - + Contingency Plan - + Configuration Management Plan - + Incident Response Plan - + Separation of Duties Matrix - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 9d2d46995..cd17f0140 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -2404,471 +2404,471 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - - - + + + - - + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - + - - + + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - + - - + + - + - + @@ -2890,52 +2890,52 @@ - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + - + @@ -2949,52 +2949,52 @@ - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -3008,15 +3008,15 @@ - - - + + + - + - + @@ -3034,136 +3034,136 @@ - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - + - - - + + + - + - - - + + + - + @@ -3177,12 +3177,12 @@ - - - + + + - + @@ -3196,62 +3196,62 @@ - - + + - - + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - + @@ -3265,86 +3265,86 @@ - - - + + + - + - + - - - + + + - - + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - + - - - + + + - + @@ -3358,20 +3358,20 @@ - - - + + + - - - + + + - + - + @@ -3397,43 +3397,43 @@ - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - + + - + - + - + @@ -3450,319 +3450,319 @@ - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - - + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - + - + - - - + + + - - - + + + - - + + - + - + - + - + - - - + + + - + - + - - - + + + - + - + @@ -3780,78 +3780,78 @@ - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - + + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + @@ -3865,75 +3865,75 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - + - - - + + + - + - + - - - + + + - + - + @@ -3947,83 +3947,83 @@ - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - + @@ -4037,106 +4037,106 @@ - - - + + + - + - + - - - + + + - + - + - - - - + + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - + @@ -4150,12 +4150,12 @@ - - - + + + - + @@ -4177,79 +4177,79 @@ - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    @@ -4265,59 +4265,59 @@ - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - +
    @@ -4331,12 +4331,12 @@ - - - + + + - + @@ -4350,57 +4350,57 @@ - - - + + + - + - - - + + + - + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - + @@ -4418,20 +4418,20 @@ - - - + + + - - - + + + - + - + @@ -4445,48 +4445,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - + - + - + - + - + @@ -4508,111 +4508,111 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -4626,22 +4626,22 @@ - - - + + + - + - - - + + + - + @@ -4656,155 +4656,155 @@ - - - + + + - + - + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - + - + - + @@ -4818,66 +4818,66 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - + - - + + - + - - - + + + - - - + + + - + - + @@ -4895,260 +4895,260 @@ - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - - - + + + - + - - - + + + - + - + - - + + - - - + + + - + - + - - + + - - - + + + - + - + @@ -5171,63 +5171,63 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - + + - + - + - - - + + + - + - + @@ -5241,43 +5241,43 @@ - - - + + + - - + + - + - + - + - - - + + + - - - + + + - + - + - + @@ -5291,42 +5291,42 @@ - - + + - + - + - - - + + + - - + + - - - + + + - + - + - + - + @@ -5340,89 +5340,89 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - + - - - + + + - + - - + + - - + + - + - + - - - + + + - + @@ -5433,53 +5433,53 @@ - - + + - - + + - - - + + + - - + + - - + + - - + + - - - + + + - - + + - + - + - + - + - + @@ -5493,38 +5493,38 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -5538,11 +5538,11 @@ - - + + - + @@ -5553,101 +5553,101 @@ - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - - + + + + - + - - - - + + + + - + - - - - + + + + - + @@ -5665,161 +5665,161 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - + - + - + - + - + - + - + - + - - - + + + - + - - - - + + + + - + - - - + + + - + - - - - + + + + - - - - + + + + - + - - - + + + - + @@ -5833,46 +5833,46 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - - - - + + + + - + @@ -5890,138 +5890,138 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - + - + - + - + - - - - + + + + - + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - + - - - - + + + + - + - - - + + + - - - + + + - + @@ -6035,37 +6035,37 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + - + @@ -6079,48 +6079,48 @@ - - - + + + - + - - - + + + - - - + + + - + - - - + + + - + - - - - + + + + - + @@ -6134,79 +6134,79 @@ - - - - + + + + - + - - - - + + + + - - - - + + + + - + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - + - + - + @@ -6232,88 +6232,88 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - + - + - + - + - - - - + + + + - + - - - + + + - + - - - - + + + + - + - - - - + + + + - - - - + + + + - + @@ -6327,100 +6327,100 @@ - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - + - - - - + + + + - + - - - + + + - + @@ -6446,22 +6446,22 @@ - - - - + + + + - - - - + + + + - + - + @@ -6483,14 +6483,14 @@ - - + + - + - + @@ -6512,26 +6512,26 @@ - - + + - + - + - - + + - + - + @@ -6549,23 +6549,23 @@ - - - + + + - - - + + + - + - + - + @@ -6579,85 +6579,85 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + @@ -6675,84 +6675,84 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + @@ -6775,96 +6775,96 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - + - + - + - + - + - + - + - + - - + + - - + + - - + + - - + + - + - + - - + + - + @@ -6878,11 +6878,11 @@ - - + + - + @@ -6896,12 +6896,12 @@ - - - + + + - + @@ -6915,12 +6915,12 @@ - - - + + + - + @@ -6941,13 +6941,13 @@ - - - - + + + + - + @@ -6961,29 +6961,29 @@ - - - - + + + + - - - + + + - - - + + + - + - + - + @@ -6997,186 +6997,186 @@ - - - + + + - + - - + + - + - - - - + + + + - + - - + + - + - - + + - + - - + + - - - + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - + - - + + - + @@ -7190,25 +7190,25 @@ - - - + + + - + - + - - - + + + - + @@ -7226,137 +7226,137 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - - - - + + + + - + @@ -7370,67 +7370,67 @@ - - - + + + - - - + + + - + - + - - - - + + + + - + - - - + + + - + - - - + + + - - - + + + - + - - - - + + + + - + @@ -7448,555 +7448,555 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - + + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - + + - + - - + + - + - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - - + + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - + - - - + + + - - - + + + - + - + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - + - - - - + + + + - + - + - - - - + + + + - + - + - + - + - - - + + + - - - + + + - - + + - - - - + + + + - - + + - - + + - + - + - + - + - + - - - + + + - - + + - - + + - - + + - + - + - - + + - - - - + + + + - - - - + + + + - + - + - + - - - + + + - - - + + + - - - - + + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - - + + + + - - - - + + + + - + @@ -8010,18 +8010,18 @@ - - + + - - + + - + - + @@ -8035,40 +8035,40 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + @@ -8082,61 +8082,61 @@ - - - - + + + + - - - - + + + + - - + + - - - + + + - - + + - + - + - + - + - - - - + + + + - - - - + + + + - + - + @@ -8150,11 +8150,11 @@ - - + + - + @@ -8168,11 +8168,11 @@ - - + + - + @@ -8186,240 +8186,240 @@ - - - + + + - + - - - - + + + + - - - - + + + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - - + + - - - + + + - + - + - + - - - + + + - + - - - + + + - - - + + + - + - - + + - - + + - - + + - - + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - - + + - - - + + + - - - + + + - + - - + + - - - + + + - - - + + + - - - + + + - + - + @@ -8433,655 +8433,655 @@ - - - + + + - - - + + + - + - + - - + + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - - + + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - - - + + + - - + + - - + + - - + + - + - + - + - + - - + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - + + - - - + + + - - + + - - + + - + - + - + - + - + - + - + - + - - + + - - + + - + - - - + + + - + - - + + - + - - - + + + - - + + - - + + - - - + + + - - - + + + - + - + - + - - + + - + - - + + - + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - - + + - + - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - + - + - + @@ -9095,66 +9095,66 @@ - - - + + + - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -9168,390 +9168,390 @@ - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - + - - + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - - + + + - + - + - + - + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - + - + - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - + + - - + + - - - + + + - + - + - + @@ -9569,79 +9569,79 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - - - + + + - - - + + + - + - + @@ -9673,131 +9673,131 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - + - - - + + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - - - + + + - + @@ -9811,472 +9811,472 @@ - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - + + + - - - + + + - + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + @@ -10295,91 +10295,91 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + @@ -10393,45 +10393,45 @@ - - - + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -10446,521 +10446,521 @@ - - - + + + - + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - - + + + - + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - - + + + + - + - - - + + + - + - - - + + + - - - - + + + + - + - + - - + + - - - + + + - + - + - - - + + + - + - - - - + + + + - + - - - - + + + + - + - - - - + + + + - + - - - + + + - + - - - - + + + + - + - - - + + + - + - - - - + + + + - + - - - + + + - - + + - + - + @@ -10974,210 +10974,210 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - + - + - + - + - - - - + + + + - - - + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + - + - + - + - + - + - + - + @@ -11191,44 +11191,44 @@ - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + @@ -11274,16 +11274,16 @@ - - - - + + + + - + - + @@ -11310,13 +11310,13 @@ - - - - + + + + - + @@ -11338,16 +11338,16 @@ - - - - + + + + - + - + @@ -11395,24 +11395,24 @@ - - - + + + - - - - + + + + - + - + - + @@ -11426,21 +11426,21 @@ - - - + + + - - - - + + + + - + - + @@ -11470,28 +11470,28 @@ - - - - + + + + - - - - + + + + - - - - + + + + - + - + @@ -11525,16 +11525,16 @@ - - - - + + + + - + - + @@ -11556,16 +11556,16 @@ - - - - + + + + - + - + @@ -11583,13 +11583,13 @@ - - - - + + + + - + @@ -11611,231 +11611,231 @@ - - - + + + - - + + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - + + - - + + - + - + - - - + + + - + - - - + + + - + - - - - + + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - - + + + + - + - - - - + + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -11849,241 +11849,241 @@ - - - - + + + + - - - - + + + + - - - + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - + - + - + - + - + - + - + - - - + + + - - - + + + - + - + - - - - + + + + - + - - - - + + + + - + - - - + + + - + - - - + + + - + - + - - - + + + - + - - - + + + - + - + - - - - + + + + - + - + - - - - + + + + - + - + - - - - + + + + - - - + + + - + - + - - - - + + + + - + - + - - - + + + - - - - + + + + - + - + @@ -12097,13 +12097,13 @@ - - - - + + + + - + @@ -12117,15 +12117,15 @@ - - - + + + - + - + @@ -12137,162 +12137,162 @@ - - - - + + + + - - - + + + - - - - + + + + - - - + + + - + - + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - + - + - + - - - - + + + + - + - + - - - + + + - + - - - - + + + + - + - - - - + + + + - + - - - + + + - + @@ -12311,20 +12311,20 @@ - - - + + + - - - + + + - + - + @@ -12338,188 +12338,188 @@ - - + + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

    This response must address all control sub-statement requirements.

    - + - +

    This response must address all control sub-statement requirements.

    - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - + - + - + - - - + + + - + @@ -12533,44 +12533,44 @@ - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - - + + + + - + @@ -12584,12 +12584,12 @@ - - - + + + - + @@ -12603,12 +12603,12 @@ - - - + + + - + @@ -12622,22 +12622,22 @@ - - - + + + - + - - - + + + - + @@ -12651,35 +12651,35 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml index e83ccfad7..4e976e263 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml @@ -1316,7 +1316,7 @@ - + @@ -1333,31 +1333,31 @@ - + - + - - - - + + + +

    Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.

    - +

    Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.

    - +

    Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.

    - +

    Organizational processes for account management on the information system; automated mechanisms for implementing account management.

    @@ -1367,21 +1367,21 @@ - + - + - + - - + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

    @@ -1392,7 +1392,7 @@ - +

    FED - This is related to agency data and agency policy solution.

    @@ -1403,7 +1403,7 @@ - +

    FED - This is related to agency data and agency policy solution.

    @@ -1412,10 +1412,10 @@ - + - + @@ -1424,7 +1424,7 @@ - +

    NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

    @@ -1436,7 +1436,7 @@ - +

    NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

    @@ -1447,17 +1447,17 @@ - +
    - + - + @@ -1466,7 +1466,7 @@ - + @@ -1475,7 +1475,7 @@ - + @@ -1484,7 +1484,7 @@ - + @@ -1493,7 +1493,7 @@ - + @@ -1502,7 +1502,7 @@ - + @@ -1511,7 +1511,7 @@ - + @@ -1520,16 +1520,16 @@ - + - + - + @@ -1537,7 +1537,7 @@ - +

    NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

    @@ -1546,20 +1546,20 @@ - + - + - + - + @@ -1567,7 +1567,7 @@ - + @@ -1575,7 +1575,7 @@ - + @@ -1584,7 +1584,7 @@ - +

    NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

    @@ -1595,7 +1595,7 @@ - + @@ -1604,17 +1604,17 @@ - + - + - + @@ -1622,18 +1622,18 @@ - + - + - - + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

    @@ -1645,7 +1645,7 @@ - +

    Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

    @@ -1654,51 +1654,51 @@ - + - + - + - + - + - + - + - + - + - - + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

    @@ -1710,7 +1710,7 @@ - +
    @@ -1718,36 +1718,36 @@ - +
    - + - + - + - + - + - +

    Required - Specifically include details of least functionality.

    @@ -1773,17 +1773,17 @@ - +
    - + - + @@ -1791,7 +1791,7 @@ - +

    NSO- Not directly related to protection of the data.

    @@ -1802,7 +1802,7 @@ - +

    NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

    @@ -1814,7 +1814,7 @@ - + @@ -1823,7 +1823,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1835,7 +1835,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1847,7 +1847,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1856,10 +1856,10 @@ - + - + @@ -1867,7 +1867,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1879,7 +1879,7 @@ - + @@ -1887,8 +1887,8 @@ - - + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

    @@ -1897,10 +1897,10 @@ - + - + IA-2(1) Additional FedRAMP Requirements and Guidance @@ -1915,35 +1915,35 @@ - + - + - + - + - + - - + + - - - - + + + +

    Determine if the information system:

    • Accepts PIV credentials.
    • @@ -1958,7 +1958,7 @@ - + @@ -1967,7 +1967,7 @@ - + @@ -1976,16 +1976,16 @@ - + - + - + @@ -1993,10 +1993,10 @@ - + - + @@ -2004,17 +2004,17 @@ - + - + - - + +

      Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

      @@ -2023,11 +2023,11 @@ - + - - + +

      Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

      @@ -2038,7 +2038,7 @@ - +
      @@ -2047,7 +2047,7 @@ - +
      @@ -2056,7 +2056,7 @@ - + @@ -2065,16 +2065,16 @@ - + - + - + @@ -2082,17 +2082,17 @@ - + - + - + @@ -2100,7 +2100,7 @@ - + @@ -2109,7 +2109,7 @@ - +

      Attestation - Specifically attest to US-CERT compliance.

      @@ -2121,17 +2121,17 @@ - + - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2143,17 +2143,17 @@ - +
      - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2165,17 +2165,17 @@ - +
      - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2184,11 +2184,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2197,11 +2197,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2213,18 +2213,18 @@ - +
      - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2234,11 +2234,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2248,11 +2248,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2262,11 +2262,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2275,11 +2275,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2288,11 +2288,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2301,11 +2301,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2323,11 +2323,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2336,11 +2336,11 @@ - + - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2352,17 +2352,17 @@ - +
      - + - + @@ -2370,7 +2370,7 @@ - +
      @@ -2379,17 +2379,17 @@ - +
      - + - + @@ -2398,7 +2398,7 @@ - +
      @@ -2407,7 +2407,7 @@ - +
      @@ -2416,7 +2416,7 @@ - +
      @@ -2424,16 +2424,16 @@ - +
      - + - + @@ -2442,7 +2442,7 @@ - +
      @@ -2451,7 +2451,7 @@ - +
      @@ -2460,7 +2460,7 @@ - +
      @@ -2469,7 +2469,7 @@ - +

      Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

      @@ -2480,7 +2480,7 @@ - +
      @@ -2489,7 +2489,7 @@ - + @@ -2498,7 +2498,7 @@ - + @@ -2506,19 +2506,19 @@ - + - + - + - + @@ -2527,47 +2527,47 @@ - + - + - + - + - + - + - + - + - + @@ -2576,7 +2576,7 @@ - + @@ -2584,7 +2584,7 @@ - + @@ -2592,7 +2592,7 @@ - + @@ -2600,7 +2600,7 @@ - + @@ -2609,7 +2609,7 @@ - + @@ -2617,7 +2617,7 @@ - + @@ -2626,26 +2626,26 @@ - + - + - + - + - + @@ -2654,17 +2654,17 @@ - + - + - - + +

      Condition: If availability is a requirement, define protections in place as per control requirement.

      @@ -2673,50 +2673,50 @@ - + - + - + - + - + - + - + - + - + - - + +

      Condition: If implementing need to detail how they meet it or don't meet it.

      @@ -2727,7 +2727,7 @@ - +

      NSO - Not directly related to the security of the SaaS.

      @@ -2738,7 +2738,7 @@ - +
      @@ -2746,7 +2746,7 @@ - +
      @@ -2754,27 +2754,27 @@ - + - + - + - + - + @@ -2782,7 +2782,7 @@ - + @@ -2791,37 +2791,37 @@ - + - + - + - + - + - + - + @@ -2829,7 +2829,7 @@ - + @@ -2837,7 +2837,7 @@ - +

      Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

      @@ -2849,7 +2849,7 @@ - + @@ -2858,7 +2858,7 @@ - + @@ -2867,7 +2867,7 @@ - + @@ -2876,7 +2876,7 @@ - + @@ -2885,7 +2885,7 @@ - + @@ -2894,7 +2894,7 @@ - + @@ -2903,7 +2903,7 @@ - + @@ -2912,7 +2912,7 @@ - + @@ -2921,7 +2921,7 @@ - + @@ -2930,7 +2930,7 @@ - + @@ -2939,7 +2939,7 @@ - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index 244c9d94f..887f363ed 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml @@ -1312,294 +1312,294 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - + + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - + - - + + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - + @@ -1614,20 +1614,20 @@
      - - - + + + - - - + + + - + - + @@ -1653,43 +1653,43 @@
      - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - + + - + - + - + @@ -1708,20 +1708,20 @@ - - - + + + - - - + + + - + - + @@ -1733,252 +1733,252 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - - + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - + + - + - + - + - + @@ -1997,112 +1997,112 @@ - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - + + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - + @@ -2117,31 +2117,31 @@ - - - + + + - - - + + + - - - + + + - + - + - + - + @@ -2164,109 +2164,109 @@ - - - + + + - + - + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      @@ -2283,96 +2283,96 @@ - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - +
      - - - + + + - + - - - + + + - - + + - - - + + + - + - + - + @@ -2391,20 +2391,20 @@ - - - + + + - - - + + + - + - + @@ -2418,48 +2418,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - + - + - + - + - + @@ -2482,102 +2482,102 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -2591,154 +2591,154 @@ - - - + + + - + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - + - + - + @@ -2752,53 +2752,53 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - + @@ -2822,38 +2822,38 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -2867,22 +2867,22 @@ - - - + + + - - + + - + - + - + @@ -2897,111 +2897,111 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - + @@ -3020,102 +3020,102 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - + - + - + - + - + - + - + - + @@ -3130,35 +3130,35 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + @@ -3177,44 +3177,44 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - + - + - + - + @@ -3240,94 +3240,94 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      @@ -3355,22 +3355,22 @@ - - - - + + + + - - - - + + + + - + - +
      @@ -3392,14 +3392,14 @@ - - + + - + - + @@ -3421,14 +3421,14 @@ - - + + - + - + @@ -3443,66 +3443,66 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -3521,84 +3521,84 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + @@ -3621,63 +3621,63 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - + - + - + - + - + - + - + - + @@ -3699,170 +3699,170 @@ - - - - + + + + - + - - + + - + - - - - + + + + - + - - + + - + - - + + - + - - + + - - - + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + @@ -3880,59 +3880,59 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + @@ -3947,35 +3947,35 @@ - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + @@ -3994,77 +3994,77 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - + + - + - + - + - + - + @@ -4077,404 +4077,404 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - + - - - + + + - - - + + + - - + + - - - - + + + + - - + + - - + + - + - + - + - + - + - - + + - - - - + + + + - - - - + + + + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - - - - + + + + - + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - - - - + + + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - + + - - + + - - + + - - + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + @@ -4488,20 +4488,20 @@ - - - + + + - - - + + + - + - + @@ -4509,500 +4509,500 @@ - - - + + + - - - + + + - - - + + + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - - + + - - + + - - + + - + - + - + - + - - + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - - + + + - - + + - - + + - + - + - + - + - + - + - + - + - - - + + + - - + + - - + + - - - + + + - - - + + + - + - + - + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - + - + - + @@ -5017,66 +5017,66 @@ - - - + + + - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -5091,11 +5091,11 @@ - - + + - + @@ -5108,358 +5108,358 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - - + + + - + - + - - + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - - + + - - - + + + - + - + - + - + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - - - + + + - + - + - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - + + - - + + - - - + + + - + - + - + @@ -5477,80 +5477,80 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - - - + + + - - - + + + - + - + @@ -5583,70 +5583,70 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + @@ -5655,204 +5655,204 @@ - - - + + + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + @@ -5871,91 +5871,91 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + @@ -5964,302 +5964,302 @@ - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - + - - - - + + + + - + - - - + + + - - + + - + - + @@ -6273,48 +6273,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - + - + - + - + @@ -6360,16 +6360,16 @@ - - - - + + + + - + - + @@ -6396,13 +6396,13 @@ - - - - + + + + - + @@ -6424,16 +6424,16 @@ - - - - + + + + - + - + @@ -6482,24 +6482,24 @@ - - - + + + - - - - + + + + - + - + - + @@ -6513,21 +6513,21 @@ - - - + + + - - - - + + + + - + - + @@ -6553,28 +6553,28 @@ - - - - + + + + - - - - + + + + - - - - + + + + - + - + @@ -6610,16 +6610,16 @@ - - - - + + + + - + - + @@ -6641,16 +6641,16 @@ - - - - + + + + - + - + @@ -6668,13 +6668,13 @@ - - - - + + + + - + @@ -6682,155 +6682,155 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - + - - - - + + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -6845,75 +6845,75 @@ - - - - + + + + - - - - + + + + - - - + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - + - + - + - + - + - + - + @@ -6925,38 +6925,38 @@ - - - - + + + + - - - + + + - - - - + + + + - - - + + + - + - + - + - + @@ -6964,166 +6964,166 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - + - + - + - - - + + + - + @@ -7138,45 +7138,45 @@ - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - - + + + + - + @@ -7191,12 +7191,12 @@ - - - + + + - + @@ -7212,35 +7212,35 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 1c65e46d8..606620f61 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -2072,423 +2072,423 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - - - + + + - - + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - + - - + + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - - - + + + - + - + - - + + - + - + @@ -2511,52 +2511,52 @@ - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + - + @@ -2571,52 +2571,52 @@ - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + @@ -2630,15 +2630,15 @@ - - - + + + - + - + @@ -2657,137 +2657,137 @@ - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - + - - - + + + - + - - - + + + - + @@ -2801,62 +2801,62 @@ - - + + - - + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - + @@ -2870,57 +2870,57 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - - - + + + - + @@ -2935,20 +2935,20 @@ - - - + + + - - - + + + - + - + @@ -2974,43 +2974,43 @@ - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - + + - + - + - + @@ -3032,20 +3032,20 @@ - - - + + + - - - + + + - + - + @@ -3057,262 +3057,262 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - + - - - + + + - + - - - + + + - - - + + + - - + + - - - + + + - + - + - + - - - + + + - - + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - + + - + - + - + - + @@ -3331,78 +3331,78 @@ - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - + + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + @@ -3416,49 +3416,49 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - - - + + + - + - + - + @@ -3473,31 +3473,31 @@ - - - + + + - - - + + + - - - + + + - + - + - + - + @@ -3523,174 +3523,174 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - + - + - - - - + + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      @@ -3707,59 +3707,59 @@ - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - +
      @@ -3773,12 +3773,12 @@ - - - + + + - + @@ -3786,37 +3786,37 @@ - - - + + + - + - - - + + + - - + + - - - + + + - + - + - + @@ -3835,20 +3835,20 @@ - - - + + + - - - + + + - + - + @@ -3862,48 +3862,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - + - + - + - + - + @@ -3926,112 +3926,112 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -4046,22 +4046,22 @@ - - - + + + - + - - - + + + - + @@ -4076,157 +4076,157 @@ - - - + + + - + - + - - - + + + - - + + - - - + + + - - - + + + - + - + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - - - + + + - - + + - + - + - + @@ -4241,66 +4241,66 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - - - + + + - + - - + + - + - - - + + + - - - + + + - + - + @@ -4319,152 +4319,152 @@ - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + - + - - + + - - - + + + - + - + - - + + - - - + + + - + - + @@ -4488,50 +4488,50 @@ - - + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - + + - + - + @@ -4545,44 +4545,44 @@ - - - + + + - - + + - + - + - + - - - + + + - - - + + + - + - + - + @@ -4596,43 +4596,43 @@ - - + + - + - + - - - + + + - - + + - - - + + + - + - + - + - + @@ -4647,70 +4647,70 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - - - + + + - + - - + + - - + + - + - + @@ -4722,53 +4722,53 @@ - - + + - - + + - - - + + + - - + + - - + + - - + + - - - + + + - - + + - + - + - + - + - + @@ -4783,38 +4783,38 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + @@ -4829,91 +4829,91 @@ - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - + - - - - + + + + - + @@ -4932,132 +4932,132 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - + - + - + - + - + - + - + - + - - - + + + - + - - - + + + - + - - - + + + - + @@ -5072,35 +5072,35 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + @@ -5119,107 +5119,107 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - - + + + - + - + - + - + - - - - + + + + - + - - - - + + + + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - + @@ -5233,37 +5233,37 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + - + @@ -5277,37 +5277,37 @@ - - - + + + - + - - - + + + - - - + + + - + - - - + + + - + @@ -5321,43 +5321,43 @@ - - - - + + + + - + - - - - + + + + - - - - + + + + - + - + - - - + + + - + @@ -5383,51 +5383,51 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - + - + - + - + - - - - + + + + - + @@ -5442,91 +5442,91 @@ - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - + - - - - + + + + - + @@ -5552,22 +5552,22 @@ - - - - + + + + - - - - + + + + - + - + @@ -5589,14 +5589,14 @@ - - + + - + - + @@ -5618,26 +5618,26 @@ - - + + - + - + - - + + - + - + @@ -5655,23 +5655,23 @@ - - - + + + - - - + + + - + - + - + @@ -5685,86 +5685,86 @@ - - - + + + - + - + - - - + + + - + - + - - - + + + - + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + @@ -5783,84 +5783,84 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + @@ -5883,96 +5883,96 @@ - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - + - + - + - + - + - + - + - + - - + + - - + + - - + + - - + + - + - + - - + + - + @@ -5986,11 +5986,11 @@ - - + + - + @@ -6014,13 +6014,13 @@ - - - - + + + + - + @@ -6035,29 +6035,29 @@ - - - - + + + + - - - + + + - - - + + + - + - + - + @@ -6075,169 +6075,169 @@ - - - + + + - + - - + + - + - - - - + + + + - + - - + + - + - - + + - + - - + + - - - + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + @@ -6252,25 +6252,25 @@ - - - + + + - + - + - - - + + + - + @@ -6288,73 +6288,73 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - - - + + + - + - + - - - + + + - + @@ -6369,68 +6369,68 @@ - - - + + + - - - + + + - + - + - - - - + + + + - + - - - + + + - + - - - + + + - - - + + + - + - - - - + + + + - + @@ -6449,77 +6449,77 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - + + - + - + - + - + - + @@ -6527,329 +6527,329 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - + - + - + - + - + - + - + - - + + - + - - + + - + - - + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - + - + - + - + - + - + - - - - + + + + - - - - + + + + - + - + - - - - + + + + - + - - - - + + + + - + - + - - - - + + + + - + - + - + - + - - - + + + - - - + + + - - + + - - - - + + + + - - + + - - + + - + - + - + - + - + - - + + - - - - + + + + - - - - + + + + - + - + - + @@ -6863,111 +6863,111 @@ - - - + + + - - - + + + - - - - + + + + - + - + - - - - + + + + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

      - + - +

      This response must address all control sub-statement requirements.

      - - - - + + + + - - - - + + + + - + @@ -6981,18 +6981,18 @@ - - + + - - + + - + - + @@ -7006,40 +7006,40 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + @@ -7053,41 +7053,41 @@ - - - - + + + + - - - - + + + + - - + + - - - + + + - - + + - + - + - + - + @@ -7100,235 +7100,235 @@ - - - - + + + + - - - - + + + + - + - + - - - - + + + + - - - - + + + + - + - + - - - + + + - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + - +

      This response must address all control sub-statement requirements.

diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml new file mode 100644 index 000000000..ab5a50777 --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -0,0 +1,4832 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

      Initial publication.

      +
      +
      + + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

      Minor prop updates.

      +
      +
      +
      + + + + + + FedRAMP Program Management Office + +

      The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

      +
      +
      + + Prepared By + +

      The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

      +
      +
      + + Prepared For + +

      The organization for which this SSP was prepared. Typically the CSP.

      +
      +
      + + System Security Plan Approval + +

      The individual or individuals accountable for the accuracy of this SSP.

      +
      +
      + + Cloud Service Provider + CSP + + + + Information System Owner + +

      The individual within the CSP who is ultimately accountable for everything related to + this system.

      +
      +
      + + Authorizing Official + +

      The individual or individuals who must grant this system an authorization to + operate.

      +
      +
      + + Authorizing Official's Point of Contact + +

      The individual representing the authorizing official.

      +
      +
      + + Information System Management Point of Contact (POC) + +

      The highest level manager who responsible for system operation on behalf of the + System Owner.

      +
      +
      + + Information System Technical Point of Contact + +

      The individual or individuals leading the technical operation of the system.

      +
      +
      + + General Point of Contact (POC) + +

      A general point of contact for the system, designated by the system owner.

      +
      +
      + + + System Information System Security Officer (or Equivalent) + +

      The individual accountable for the security posture of the system on behalf of the + system owner.

      +
      +
      + + Privacy Official's Point of Contact + +

      The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

      +
      +
      + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

      The point of contact for an interconnection on behalf of this system.

      +
      + +

      Remove this role if there are no ICAs.

      +
      +
      + + ICA POC (Remote) + +

      The point of contact for an interconnection on behalf of this external system to + which this system connects.

      +
      + +

      Remove this role if there are no ICAs.

      +
      +
      + + ICA Signatory (Local) + +

      Responsible for signing an interconnection security agreement on behalf of this + system.

      +
      + +

      Remove this role if there are no ICAs.

      +
      +
      + + ICA Signatory (Remote) + +

      Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

      +
      + +

      Remove this role if there are no ICAs.

      +
      +
      + + Consultant + +

      Any consultants involved with developing or maintaining this content.

      +
      +
      + + Customer + +

      Represents any customers of this system as may be necessary for assigning customer + responsibility.

      +
      +
      + + Provider + +

      The provider of a leveraged system, external service, API, CLI.

      +
      +
      + + [SAMPLE]Unix Administrator + +

      This is a sample role.

      +
      +
      + + [SAMPLE]Client Administrator + +

      This is a sample role.

      +
      +
      + + Leveraged Authorization Users + +

      Any internal users of a leveraged authorization.

      +
      +
      + + External System Owner + +

      The owner of an external system.

      +
      +
      + + External System Management Point of Contact (POC) + +

      The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

      +
      +
      + + External System Technical Point of Contact + +

      The individual or individuals leading the technical operation of an external + system.

      +
      +
      + + Approver + +

      An internal approving authority.

      +
      +
      + + CSP HQ +
      + Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
      + +

      There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

      +
      +
      + + Primary Data Center +
      + 2222 Main Street + Anywhere + -- + 00000-0000 + US +
      + + +

      There must be one location for each data center.

      +

      There must be at least two data center locations.

      +

      For a data center, briefly summarize the components at this location.

      +

      All data centers must have a "type" property with a value of "data-center".

      +

      The type property must also have a class of "primary" or "alternate".

      +
      +
      + + Secondary Data Center +
      + 3333 Small Road + Anywhere + -- + 00000-0000 + US +
      + + +

      There must be one location for each data center.

      +

      There must be at least two data center locations.

      +

      For a data center, briefly summarize the components at this location.

      +

      All data centers must have a "type" property with a value of "data-center".

      +

      The type property must also have a class of "primary" or "alternate".

      +
      +
      + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

      Replace sample CSP information.

      +

      CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party. +

      +
      +
      + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
      + 1800 F St. NW + Washington + DC + 20006 + US +
      + +

      This party entry must be present in a FedRAMP SSP.

      +

      The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

      +
      +
      + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

      This party entry must be present in a FedRAMP SSP.

      +

      The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

      +
      +
      + + + External Organization + External + +

      Generic placeholder for any external organization.

      +
      +
      + + Agency Name + A.N. + +

      Generic placeholder for an authorizing agency.

      +
      +
      + + Name of Consulting Org + NOCO + + + poc@example.com +
      + 3333 Corporate Way + Washington + DC + 00000 + US +
      +
      + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

      Underlying service provider. Leveraged Authorization.

      +
      +
      + + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000001 +
      + + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000001 +
      + + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000001 +
      + + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000001 +
      + + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000004 +
      + + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
      + Address Line + City + ST + 00000 + US +
      + 11111111-2222-4000-8000-004000000001 +
      + + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

      Zero or more

      +
      +
      + + + 11111111-2222-4000-8000-004000000010 + +

      Exactly one

      +
      +
      + + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

      One or more

      +
      +
      + + + 11111111-2222-4000-8000-004000000010 + +

      Exactly one

      +
      +
      + + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

      One or more

      +
      +
      + + 11111111-2222-4000-8000-004000000012 + +

      Exactly one

      +
      +
      + + 11111111-2222-4000-8000-004000000013 + +

      Exactly one

      +
      +
      + + + 11111111-2222-4000-8000-004000000014 + +

      Exactly one

      +
      +
      + + 11111111-2222-4000-8000-004000000015 + +

      Exactly one

      +
      +
      + + 11111111-2222-4000-8000-004000000016 + +

      Exactly one

      +
      +
      + + +
      + + +

      This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

      +

      Must adjust accordingly for applicable baseline and revision.

      +
      +
      + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

      [Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

      +

      NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

      +

      NOTE: The description is expected to be at least 32 words in length.

      +
      + + + +

      Remarks are required if service model is "other". Optional otherwise.

      +
      +
      + + + +

      Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

      +
      +
      + + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

      A description of the information.

      +
      + + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-low + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      +
      + + Information Type Name + +

      A description of the information.

      +
      + + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-high + +

      Required if the base and selected values do not match.

      +
      +
      +
      + + Information Type Name + +

      A description of the information.

      +
      + + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      + + fips-199-moderate + fips-199-moderate + +

      Required if the base and selected values do not match.

      +
      +
      +
      + + +
      + + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

      Remarks are optional if status/state is "operational".

      +

      Remarks are required otherwise.

      +
      +
      + + + + + +

      A holistic, top-level explanation of the FedRAMP authorization boundary.

      +
      + + + +

      A diagram-specific explanation.

      +
      + + Authorization Boundary Diagram +
      +
      + + + +

      A holistic, top-level explanation of the network architecture.

      +
      + + + +

      A diagram-specific explanation.

      +
      + + Network Diagram +
      +
      + + + +

      A holistic, top-level explanation of the system's data flows.

      +
      + + + +

      A diagram-specific explanation.

      +
      + + Data Flow Diagram +
      +
      +
      + + + + + + + + AwesomeCloud Commercial(IaaS) + + + + +

      For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

      +
      +
      + + +

      For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

      +
      +
      + + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

      Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

      +

      For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

      +
      +
      + + + + + + + system-poc-technical + + Admin + +

      admin user

      +
      + administration +
      + +

      The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

      +

      Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

      +
      +
      + + + + + + + system-poc-technical + + Add/Remove Admins + This can add and remove admins. + + + + + + + + system-poc-technical + + Admin + +

      admin user

      +
      + administration +
      +
      + + + + + + system-poc-technical + + Admin + +

      admin user

      +
      + administration +
      +
      + + + + + + system-owner + + Admin + +

      admin user

      +
      + administration +
      +
      + + + + + + This System + +

      This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

      +

      FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

      +
      + + +

      A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

      +

      It does not need system details, as those exist elsewhere in this SSP.

      +
      +
      + + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

      Briefly describe the leveraged system.

      +
      + + + + + + +

      If 'yes', describe the authentication method.

      +

      If 'no', explain why no authentication is used.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + + + + + 11111111-2222-4000-8000-c0040000000a + +

      The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

      +
      +
      + + + + + +

      This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

      +

      Requirements

      +

      Each leveraged system must be expressed as a "system" component, and must have:

      +
        +
      • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
      • +
      • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
      • +
      • an "implementation-point" core property with a value of "external"
      • +
      • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
      • +
      • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
      • +
      • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
      • +
      • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
      • +
      • a status with a state value of "operational"
      • +
      • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
      • +
      +

      +

      Where relevant, this component should also have:

      +
        +
      • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
      • +
      +

      +

      Links to the vendor website describing the system are encouraged, but not required.

      + +

      Services

      +

      A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

      +

      Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

      +
        +
      • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
      • +
      • The component for a non-authorized service must include + a "still-supported" property/extension.
      • +
      • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
      • +
      + +

      Both authorized and non-authorized leveraged services include:

      +
        +
      • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001") +
      • +
      • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
      • +
      • an "implementation-point" core property with a value of "external"
      • +
      • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
      • +
      • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
      • +
      • a status with a state value of "operational"
      • +
      • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
      • +
      + +

      Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

      +
      +
      + + + + Service A + +

      An authorized service provided by the Awesome Cloud leveraged authorization.

      +

      Describe the service and what it is used for.

      +
      + + + + + + + + + + + +

      This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

      +

      +

      Each leveraged service must be expressed as a "service" component, and must have:

      +
        +
      • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
      • +
      • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
      • +
      • an "implementation-point" property with a value of "external"; and
      • +
      • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
      • +
      +

      +

      Where relevant, this component should also have:

      +
        +
      • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
      • +
      • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
      • +
      • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
      • +
      +

      Link(s) to the vendor's web site describing the service are encouraged, but not + required.

      +

      The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

      +
        +
      • Package ID, Authorization Type, Impact Level
      • +
      +

      +

      The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

      +

      - Nature of Agreement, CSP Name

      +
      +
      + + + + + + + Service B + +

      An non-authorized service provided by the Awesome Cloud leveraged authorization.

      +

      Describe the service and what it is used for.

      +
      + + + + + + +

      If 'yes', describe the authentication method.

      +

      If 'no', explain why no authentication is used.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + + + + + + + + + + 33333333-2222-4000-8000-004000000001 + + +

      This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

      +

      +

      Each non-authorized leveraged service must be expressed as a "service" component, and must have:

      +
        +
      • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
      • +
      • an "implementation-point" property with a value of "external"; and
      • +
      • one or two "direction" prperty/extensions
      • +
      • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
      • +
      • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
      • +
      • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
      • +
      • +
      • + +
      +

      The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

      +

      + +

      Where relevant, this component should also have:

      +
        +
      • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
      • +
      • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
      • +
      +

      Link(s) to the vendor's web site describing the service are encouraged, but not + required.

      +

      The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

      +
        +
      • Package ID, Authorization Type, Impact Level
      • +
      +

      + +

      - An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

      +

      Link(s) to the vendor's web site describing the service are encouraged, but not + required.

      +

      +

      The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

      +

      - Package ID, Authorization Type, Impact Level

      +

      +

      The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

      +

      - Nature of Agreement, CSP Name

      +

      +

      An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

      +
      +
      + + + + + Other Cloud SaaS + +

      An external system to which this system shares an interconnection.

      +
      + + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

      Each interconnection to one or more remote systems must have:

      +
        +
      • a "system" component (this component)
      • +
      • an "interconnection" component
      • +
      +

      Each "system" component must have:

      +
        +
      • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
      • +
      • an "implementation-point" property with a value of "external"
      • +
      • a "status" field with a state value of "operational"
      • +
      • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
      • +
      + +

      While not required, each "system" component should have:

      +
        +
      • an "inherited-uuid" property if the value was provided by the system owner
      • +
      • a "compliance" property/extension if appropriate
      • +
      • an "authorizing-official" responsible-role
      • +
      • an "system-owner" responsible-role
      • +
      • an "system-poc-management" responsible-role
      • +
      • an "system-poc-technical" responsible-role
      • +
      +

      Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

      +
      +
      + + + + + [EXAMPLE]Authorized Connection Information System Name + +

      Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

      +
      + + + + + +

      If 'yes', describe the authentication method in the remarks.

      +

      If 'no', explain why no authentication is used in the remarks.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + + + + + + +

      Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

      +
      +
      + + + + + + + + + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + Incoming FTP Service + + + +

      Each interconnection to one or more remote systems must have:

      +
        +
      • one "system" component for each remote system sharing the connection
      • +
      • an "interconnection" component (this component)
      • +
      +

      Each "interconnection" component must have:

      +
        +
      • an "implementation-point" property with a value of "external"
      • +
      • a "status" field with a state value of "operational"
      • +
      • one or two "direction" properties
      • +
      • a "nature-of-agreement" property/extension
      • +
      • one or more "authentication-method" properties/extensions.
      • +
      • a "hosting-environment" proptery/extension
      • +
      • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
      • +
      • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
      • +
      • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
      • +
      • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
      • +
      • exactly one "used-by" link with an href value that refers to the "this-system" component.
      • +
      • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
      • +
      • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
      • +
      +

      Authentication methods must address both system-authentication as well as + user authentication mechanisms.

      +

      Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

      +

      If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

      +

      +

      While not required, each "interconnection" component should have:

      +
        +
      • an "inherited-uuid" property if the value was provided by the system owner
      • +
      • a "compliance" property/extension if appropriate
      • +
      • an "system-poc-management" responsible-role
      • +
      • an "system-poc-technical" responsible-role
      • +
      +

      Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

      +
      +
      + + + + + Other Cloud SaaS + +

      + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

      For each external system with which this system connects:

      +

      Must have a "system" component (this component).

      +

      Must have an "interconnection" component that connects this component with the + "this-system" component.

      +

      If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

      +

      Must include all leveraged services and features from the leveraged authorization + here.

      +

      For an external system, the "implementation-point" property must always be present + with a value of "external".

      + + +

      Each interconnection must be defined with both an "system" component and an + "interconnection" component.

      +

      Must include all leveraged services and features from the leveraged authorization + here.

      + +
      + + + + Service C + +

      A service provided by an external system other than the leveraged system.

      +

      Describe the service and what it is used for.

      +
      + + + + + + +

      If 'yes', describe the authentication method in the remarks.

      +

      If 'no', explain why no authentication is used in the remarks.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + + + +

      This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + 33333333-2222-4000-8000-004000000001 + + + + + + + + +

      This is a service provided by an external system other than the leveraged system.

      +

      As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

      +

      +

      Each external service used from a leveraged authorization must have:

      +

      - a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

      +

      - a "service" component (this component).

      +

      +

      This component must always have:

      +

      - The name of the service in the title - preferably exactly as it appears on the + vendor's web site

      +

      - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

      +

      - An "implementation-point" property with a value of "external".

      +

      - A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

      +

      - Example: "#11111111-2222-4000-8000-009000100001" +

      +

      - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

      +

      - a status with a state value of "operational"

      +

      +

      Where relevant, this component should also have:

      +

      - One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

      +

      - A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

      +

      - An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

      +

      Link(s) to the vendor's web site describing the service are encouraged, but not + required.

      +

      +

      The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

      +

      - Package ID, Authorization Type, Impact Level

      +

      +

      The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

      +

      - Nature of Agreement, CSP Name

      +

      +

      An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

      +
      +
      + + + + Service C + + +

      A service provided by an external system other than the leveraged system.

      +

      Describe the service and what it is used for.

      +
      + + + + + + +

      If 'yes', describe the authentication method in the remarks.

      +

      If 'no', explain why no authentication is used in the remarks.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + +

      Either describe a risk associated with this service, or indicate there is no identified risk.

      +

      If there is no risk, please explain your basis for that conclusion.

      +
      +
      + + +

      If there are one or more identified risks, describe any resulting impact.

      +
      +
      + + +

      If there are one or more identified risks, describe any mitigating factors.

      +
      +
      + + + + + + 11111111-2222-4000-8000-004000000018 + + + + Remote API Service + + + + +

      This is a service provided by an external system other than the leveraged system.

      + + + +

      - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

      + + + +

      As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

      +

      All services require the "implementation-point" property. In this case, the property + value is set to "external.

      +

      All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

      +

      If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

      + + + + +
      +
      + + + + Management CLI + +

      None

      +
      + + + + + + +

      If 'yes', describe the authentication method in the remarks.

      +

      If 'no', explain why no authentication is used in the remarks.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + + + +

      Either describe a risk associated with this CLI, or indicate there is no identified risk.

      +

      If there is no risk, please explain your basis for that conclusion.

      +
      +
      + + +

      If there are one or more identified risks, describe any resulting impact.

      +
      +
      + + +

      If there are one or more identified risks, describe any mitigating factors.

      +
      +
      + + +

      + + + + + + 11111111-2222-4000-8000-004000000018 + + + + + + + + + + Service D + +

      A service that exists within the authorization boundary.

      +

      Describe the service and what it is used for.

      + + + +
      + + + + + + + + [SAMPLE]Cryptographic Module Name + +

      Provide a description and any pertinent note regarding the use of this CM.

      +

      For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

      +

      Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

      +
      + + + + + + + + + + +
      + + + [SAMPLE]Cryptographic Module Name + +

      Provide a description and any pertinent note regarding the use of this CM.

      +

      For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

      +
      + + + + + + + + + + +
      + + + + + + + + + + + [SAMPLE]Product Name + +

      FUNCTION: Describe typical component function.

      +
      + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

      COMMENTS: Provide other comments as needed.

      +
      +
      + + + [SAMPLE]Product Name + +

      FUNCTION: Describe typical component function.

      +
      + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

      COMMENTS: Provide other comments as needed.

      +
      +
      + + + + [SAMPLE]Product + +

      FUNCTION: Describe typical component function.

      +
      + + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

      COMMENTS: Provide other comments as needed.

      +
      +
      + + OS Sample + +

      None

      +
      + + + + + +
      + + Database Sample + +

      None

      +
      + + + + + + + + + + +
      + + Appliance Sample + +

      None

      +
      + + + + + + +

      Vendor appliance. No admin-level access.

      +
      +
      + +
      + + + + AC Policy + +

      The Access Control Policy governs how access is managed and approved.

      +
      + + +
      + + AT Policy + +

      The Awareness and Training Policy governs how access is managed and approved.

      +
      + + +
      + + AU Policy + +

      The Audit and Accountability governs how access is managed and approved.

      +
      + + +
      + + CA Policy + +

      The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

      +
      + + +
      + + CM Policy + +

      The Configuration Management Policy governs how access is managed and approved.

      +
      + + +
      + + CP Policy + +

      The Contingency Planning Policy governs how access is managed and approved.

      +
      + + +
      + + IA Policy + +

      The Identificaiton and Authentication Policy governs how access is managed and + approved.

      +
      + + +
      + + IR Policy + +

      The Incident Response Policy governs how access is managed and approved.

      +
      + + +
      + + MA Policy + +

      The Maintenance Policy governs how access is managed and approved.

      +
      + + +
      + + MP Policy + +

      The Media Protection Policy governs how access is managed and approved.

      +
      + + +
      + + PE Policy + +

      The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

      +
      + + +
      + + PL Policy + +

      The Planning Policy governs how access is managed and approved.

      +
      + + +
      + + PM Policy + +

      The Program Management Policy governs how access is managed and approved.

      +
      + + +
      + + PS Policy + +

      The Personnel Security Policy governs how access is managed and approved.

      +
      + + +
      + + PT Policy + +

      The PII Processing and Transparency Policy governs how access is managed and + approved.

      +
      + + +
      + + RA Policy + +

      The Risk Assessment Policy governs how access is managed and approved.

      +
      + + +
      + + SA Policy + +

      The System and Services Acquisition Policy governs how access is managed and + approved.

      +
      + + +
      + + S3 Policy + +

      The System and Communication Protection Policy governs how access is managed and + approved.

      +
      + + +
      + + SI Policy + +

      The System and Information Integrity Policy governs how access is managed and + approved.

      +
      + + +
      + + SR Policy + +

      The Supply Chain Risk Management Policy governs how access is managed and + approved.

      +
      + + +
      + + + + AC Policy + +

      The Access Control Procedure governs how access is managed and approved.

      +
      + + +
      + + AT Policy + +

      The Awareness and Training Procedure governs how access is managed and approved.

      +
      + + +
      + + AU Policy + +

      The Audit and Accountability Procedure governs how access is managed and + approved.

      +
      + + +
      + + CA Policy + +

      The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

      +
      + + +
      + + CM Policy + +

      The Configuration Management Procedure governs how access is managed and + approved.

      +
      + + +
      + + CP Policy + +

      The Contingency Planning Procedure governs how access is managed and approved.

      +
      + + +
      + + IA Policy + +

      The Identificaiton and Authentication Procedure governs how access is managed and + approved.

      +
      + + +
      + + IR Policy + +

      The Incident Response Procedure governs how access is managed and approved.

      +
      + + +
      + + MA Policy + +

      The Maintenance Procedure governs how access is managed and approved.

      +
      + + +
      + + MP Policy + +

      The Media Protection Procedure governs how access is managed and approved.

      +
      + + +
      + + PE Policy + +

      The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

      +
      + + +
      + + PL Policy + +

      The Planning Procedure governs how access is managed and approved.

      +
      + + +
      + + PM Policy + +

      The Program Management Procedure governs how access is managed and approved.

      +
      + + +
      + + PS Policy + +

      The Personnel Security Procedure governs how access is managed and approved.

      +
      + + +
      + + PT Policy + +

      The PII Processing and Transparency Procedure governs how access is managed and + approved.

      +
      + + +
      + + RA Policy + +

      The Risk Assessment Procedure governs how access is managed and approved.

      +
      + + +
      + + SA Policy + +

      The System and Services Acquisition Procedure governs how access is managed and + approved.

      +
      + + +
      + + S3 Policy + +

      The System and Communication Protection Procedure governs how access is managed and + approved.

      +
      + + +
      + + SI Policy + +

      The System and Information Integrity Procedure governs how access is managed and + approved.

      +
      + + +
      + + SR Policy + +

      The Supply Chain Risk Management Procedure governs how access is managed and + approved.

      +
      + + +
      + + + + + IPv4 Production Subnet + +

      IPv4 Production Subnet.

      +
      + + + + +
      + + IPv4 Management Subnet + +

      IPv4 Management Subnet.

      +
      + + + + + +
      + + Email Service + +

      Email Service

      +
      + + + + + + + + +
      + + + + +

      Legacy Example (No implemented-component).

      +
      + + + + + + + + + + + + + + + + + + + + + + + +

      If no, explain why. If yes, omit remarks field.

      +
      +
      + + + + +

      If no, explain why. If yes, omit remarks field.

      +
      +
      + + +

      Optional, longer, formatted description.

      +
      +
      + + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

      This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

      +
      +
      + +

      COMMENTS: Additional information about this item.

      +
      +
      + + +

      Component Inventory Example

      +
      + + + + + + + + + + + + + + + + + +

      If no, explain why. If yes, omit remark.

      +
      +
      + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

      COMMENTS: If needed, provide additional information about this inventory item.

      +
      +
      + + +

      None.

      +
      + + + + + + + + + + +
      + + +

      None.

      +
      + + + + + + + + + +
      + + +

      None.

      +
      + + + + + + + + + +
      + + +

      None.

      +
      + + + + + + + + +

      Asset wasn't running at time of scan.

      +
      +
      + +
      + + +

      None.

      +
      + + + + + + + + + +
      + + +

      None.

      +
      + + + + + + + + +

      Asset wasn't running at time of scan.

      +
      +
      + +
      + + +

      Email-Service

      +
      + + + + + + + + + +
      +
      + + + + +

      Appendix A - FedRAMP SSP Rev5 Template

      +

      This description field is required by OSCAL.

      +

      FedRAMP does not require any specific information here.

      +
      + + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

      Describe how Part a is satisfied within the system.

      +

      Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

      +

      In this case, a link must be provided to the policy.

      +

      FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

      +
      + + + + +

      The specified component is the system itself.

      +

      Any control implementation response that can not be associated with another + component is associated with the component representing the system.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Identity + Management and Access Control Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      + +
      +
      + + + +

      There

      +
      + + + +

      Describe the plan to complete the implementation.

      +
      +
      +
      + + +

      Describe how this policy currently satisfies part a.

      +
      + + +

      Describe the plan for addressing the missing policy elements.

      +
      +
      + + +

      Identify what is currently missing from this policy.

      +
      +
      +
      +
      + + + +

      Describe how Part b-1 is satisfied.

      +
      + +
      +
      + + + +

      Describe how Part b-2 is satisfied.

      +
      + +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + +

      Describe any customer-configured requirements for satisfying this control.

      +
      +
      + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
      +
      + + + +

      Describe how AC-2, part a is satisfied within this system.

      +

      This points to the "This System" component, and is used any time a more + specific component reference is not available.

      +
      + + + +

      Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

      +
      +
      + + +

      Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

      +

      Not associated with inheritance, thus associated this with the + by-component for "this system".

      +
      + + 11111111-2222-4000-8000-004000000001 + +
      +
      +
      + + +

      For the portion of the control satisfied by the application component of this + system, describe how the control is met.

      +
      + + + +

      Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

      +

      In the context of the application component in satisfaction of AC-2, part + a.

      +
      + + 11111111-2222-4000-8000-004000000005 + +
      + + +

      Leveraging system's responsibilities with respect to inheriting this + capability from this application.

      +

      In the context of the application component in satisfaction of AC-2, part + a.

      +
      + + 11111111-2222-4000-8000-004000000005 + +
      +
      + +

      The component-uuid above points to the "this system" component.

      +

      Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

      +

      This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

      +

      While the "this system" component is not explicitly required within every + statement, it will typically be present.

      +
      +
      + + +

      For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

      +
      + + +

      Optional description.

      +

      Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

      +

      In the context of this component in satisfaction of AC-2, part a.

      +

      The provided-uuid links this to the same statement in the + leveraged system's SSP.

      +

      It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

      +
      +
      + + +

      Description of how the responsibility was satisfied.

      +

      The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

      +

      It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

      +

      Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

      +

      Tool developers should be mindful that

      +
      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      Describe how Part a is satisfied.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      Describe how Part b-1 is satisfied.

      +
      +
      +
      + + + +

      Describe how Part b-2 is satisfied.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      + +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      + +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      +
      +
      + + + + + + + 11111111-2222-4000-8000-004000000018 + + + + +

      Describe how the control is satisfied within the system.

      +

      DMARC is employed.

      +

      SPF is employed.

      +

      DKIM is employed.

      +
      + + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
      +
      +
      + + + + +

      Describe the plan to complete the implementation.

      +
      +
      + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

      Describe how the control is satisfied within the system.

      +
      + + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
      +
      + + + +

      For the portion of the control satisfied by the service provider, describe + how the control is met.

      +
      +
      + + +

      Describe how this policy component satisfies part a.

      +

      Component approach. This links to a component representing the Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      +
      + + +

      Describe how this procedure component satisfies part a.

      +

      Component approach. This links to a component representing the procedure.

      +

      That component contains a link to the procedure, so it does not have to be + linked here too.

      +
      +
      +
      +
      +
      + + + + + Signed System Security Plan + +

      SSP Signature

      +
      + + + + 00000000 + +

      The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

      +

      For now, the PMO recommends one of the following:

      +
        +
      • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
      • +
      • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
      • +
      +

      If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

      +
      +
      + + + FedRAMP Applicable Laws and Regulations + + + +

      Must be present in a FedRAMP SSP.

      +
      +
      + + + + Access Control Policy Title + +

      AC Policy document

      +
      + + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Awareness and Training Policy Title + +

      AT Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Audit and Accountability Policy Title + +

      AU Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Security Assessment and Authorization Policy Title + +

      CA Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Configuration Management Policy Title + +

      CM Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Contingency Planning Policy Title + +

      CP Policy document

      +
      + + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Identification and Authentication Policy Title + +

      IA Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Incident Response Policy Title + +

      IR Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Maintenance Policy Title + +

      MA Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Media Protection Policy Title + +

      MP Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Physical and Environmental Protection Policy Title + +

      PE Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Planning Policy Title + +

      PL Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Personnel Security Policy Title + +

      PS Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Risk Adjustment Policy Title + +

      RA Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Service Acquisition Policy Title + +

      SA Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Communications Protection Policy Title + +

      SC Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Information Integrity Policy Title + +

      SI Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Supply Chain Risk Policy Title + +

      SR Policy document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Policy Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + Access Control Procedure Title + +

      AC Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Awareness and Training Procedure Title + +

      AT Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Audit and Accountability Procedure Title + +

      AU Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Security Assessment and Authorization Procedure Title + +

      CA Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Configuration Management Procedure Title + +

      CM Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Contingency Planning Procedure Title + +

      CP Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Identification and Authentication Procedure Title + +

      IA Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Incident Response Procedure Title + +

      IR Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Maintenance Procedure Title + +

      MA Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Media Protection Procedure Title + +

      MP Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Physical and Environmental Protection Procedure Title + +

      PE Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Planning Procedure Title + +

      PL Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Personnel Security Procedure Title + +

      PS Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Risk Adjustment Procedure Title + +

      RA Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Service Acquisition Procedure Title + +

      SA Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Communications Protection Procedure Title + +

      SC Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + System and Information Integrity Procedure Title + +

      SI Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + Supply Chain Risk Procedure Title + +

      SR Procedure document

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + User's Guide + +

      User's Guide

      +
      + + + + + + +

      Table 12-1 Attachments: User's Guide Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + + + Document Title + +

      Rules of Behavior

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Rules of Behavior (ROB)

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + Document Title + +

      Contingency Plan (CP)

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Contingency Plan (CP) Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + Document Title + +

      Configuration Management (CM) Plan

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + Document Title + +

      Incident Response (IR) Plan

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Incident Response (IR) Plan Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

      A CSP-specific law citation

      +

      The "type" property must be present and contain the value "law".

      +
      + +
      + + + + + Document Title + +

      Continuous Monitoring Plan

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Continuous Monitoring Plan Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + Plan of Actions and Milestones (POAM) + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

      Supply Chain Risk Management Plan

      +
      + + + + + + 00000000 + +

      Table 12-1 Attachments: Procedure Attachment

      +

      May use rlink with a relative path, or embedded as + base64. +

      +
      +
      + + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

      FedRAMP Logo

      +
      + + + + 00000000 + +

      Must be present in a FedRAMP SSP.

      +
      +
      + + CSP Logo + +

      CSP Logo

      +
      + + 00000000 + +

      May use rlink with a relative path, or embedded as + base64. +

      +

      FedRAMP prefers base64 for images and diagrams.

      +

      Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

      +
      +
      + + 3PAO Logo + +

      3PAO Logo

      +
      + + 00000000 + +

      May use rlink with a relative path, or embedded as + base64. +

      +

      FedRAMP prefers base64 for images and diagrams.

      +

      Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

      +
      +
      + + + Boundary Diagram + +

      The primary authorization boundary diagram.

      +
      + + + 00000000 + +

      Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

      +

      This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

      +

      May use rlink with a relative path, or embedded as + base64. +

      +

      FedRAMP prefers base64 for images and diagrams.

      +

      Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

      +
      +
      + + Network Diagram + +

      The primary network diagram.

      +
      + + + + 00000000 + +

      Section 8.1, Figure 8-2 Network Diagram (graphic)

      +

      This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

      +

      May use rlink with a relative path, or embedded as + base64. +

      +

      FedRAMP prefers base64 for images and diagrams.

      +

      Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

      +
      +
      + + Data Flow Diagram + +

      The primary data flow diagram.

      +
      + + + 00000000 + +

      Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

      +

      This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

      +

      May use rlink with a relative path, or embedded as + base64. +

      +

      FedRAMP prefers base64 for images and diagrams.

      +

      Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

      +
      +
      + + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

      CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

      +
      +
      + + CSP Acronyms + + + +

      CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

      +
      +
      + + CSP Reference + + + +

      CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

      +
      +
      + + Separation of Duties Matrix + +

      Separation of Duties Matrix

      +
      + + + + + 00000000 + +

      May use rlink with a relative path, or embedded as base64. +

      +
      +
      + + + +
      +
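Review bot: the guidance for CSP-specific law citations contradicts itself inside this one file. The "CSP-specific Law Citation" resource's remark says the "type" property must be present and contain the value "law", while the later "CSP-specific citation" remark says the "type" property's class is "law" and the value is "citation". Because this file is intended to be the positive ("pass") content for the ssp constraint tests, pick one convention, make the prop on both resources match it, and delete the other remark; otherwise any constraint written against resource/prop[@name='type'] will have an example that documents both answers. Smaller points in the same hunk: the "Supply Chain Risk Management Plan" resource reuses the remark "Table 12-1 Attachments: Procedure Attachment" where every other plan in the file reads "... Plan Attachment"; the ISA resource title is spelled "Interconneciton Security Agreement (ISA)"; every hash is the "00000000" placeholder, so confirm that a placeholder hash is acceptable in a file whose purpose is to satisfy every constraint rather than to fail a hash-format check later; and the new file is added without a trailing newline.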
      \ No newline at end of file diff --git a/src/content/rev5/resources/xml/FedRAMP_extensions.xml b/src/content/rev5/resources/xml/FedRAMP_extensions.xml index 1419b68ac..678bcce77 100644 --- a/src/content/rev5/resources/xml/FedRAMP_extensions.xml +++ b/src/content/rev5/resources/xml/FedRAMP_extensions.xml @@ -9,7 +9,7 @@ 2023-06-30T00:00:00Z DRAFT-01 - +

      Initial draft for fedramp-2.0.0-oscal-1.1.1 release. Subject to change.

      @@ -94,7 +94,7 @@ - + @@ -349,7 +349,7 @@ - +

      Deprecated.

      @@ -427,7 +427,7 @@ interconnection-direction Interconnection Direction Identifies the direction of information flow for the interconnection. - + @@ -446,7 +446,7 @@ interconnection-security Interconnection Security Identifies the type of security applied to the interconnection. - + @@ -1458,7 +1458,7 @@ Control Origination The point(s) from which the control satisfaction originates. - + Service Provider (Corporate) @@ -1472,7 +1472,7 @@ Control Implementation Status Constraints Defines the data type and allowed values for the Control Implementation Status - + The assessor finds sufficient evidence to agree the control objective is fully implemented. @@ -1491,7 +1491,7 @@ Remarks are required for certain Control Implementation Status values. - + @@ -1509,10 +1509,10 @@ If the control implementation status is "Planned" a "Planned Implementation Date" must be provided. 3.1 - - - - + + + +

      In the SSP, if implemented-requirement includes prop[@name='implementation-status'] with value='planned', a planned-completion-date extension must be provided.

      diff --git a/src/content/rev5/resources/xml/fedramp_threats.xml b/src/content/rev5/resources/xml/fedramp_threats.xml index 39fe5fd84..45f113d05 100644 --- a/src/content/rev5/resources/xml/fedramp_threats.xml +++ b/src/content/rev5/resources/xml/fedramp_threats.xml @@ -1,5 +1,5 @@ - + FedRAMP Defined Threat Table [Experimental] @@ -10,7 +10,7 @@ 2023-06-30T00:00:00Z DRAFT-01 - +

      Initial draft for fedramp-2.0.0-oscal-1.1.1 release. Subject to change.

      diff --git a/src/content/rev5/resources/xml/fedramp_values.xml b/src/content/rev5/resources/xml/fedramp_values.xml index c444ee15f..4e20625d4 100644 --- a/src/content/rev5/resources/xml/fedramp_values.xml +++ b/src/content/rev5/resources/xml/fedramp_values.xml @@ -1,6 +1,6 @@ + xmlns="http://fedramp.gov/ns/oscal"> [EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values FedRAMP Data Values (Experimental) @@ -13,7 +13,7 @@ DRAFT-01

      Initial draft for fedramp-2.0.0-oscal-1.1.1 release. Subject to change.

      
@@ -28,7 +28,7 @@ + ns="http://fedramp.gov/ns/oscal"/> Authorization Type The FedRAMP Authorization Type + pattern="system-characteristics/prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal']"/> Deployment Model The cloud deployment model. + pattern="system-characteristics/prop[@name='cloud-deployment-model'][@ns='http://fedramp.gov/ns/oscal']/@value"/> Privacy Threshold Analysis (Q1) Does the ISA collect, maintain, or share PII in any identifiable form? + pattern="system-information/prop[@name='pta-1'][@ns='http://fedramp.gov/ns/oscal']"/> Privacy Threshold Analysis (Q2) Does the ISA collect, maintain, share PII info from or about the public? + pattern="system-information/prop[@name='pta-2'][@ns='http://fedramp.gov/ns/oscal']"/> Privacy Threshold Analysis (Q3) Has a Privacy Impact Assessment ever been performed for the ISA? + pattern="system-information/prop[@name='pta-3'][@ns='http://fedramp.gov/ns/oscal']"/> Privacy Threshold Analysis (Q4) Is there a Privacy Act System of Records Notice (SORN) for this ISA system? + pattern="system-information/prop[@name='pta-4'][@ns='http://fedramp.gov/ns/oscal']"/> User Sensitivity level Identifies the sensitivity level of the user. + pattern="user/prop[@name='sensitivity'][@ns='http://fedramp.gov/ns/oscal']"/> Interconnection Direction Identifies the direction of information flow for the interconnection. + pattern="component[@component-type='interconnection']/prop[@name='interconnection-direction'][@ns='http://fedramp.gov/ns/oscal']"/> Interconnection Security Identifies the type of security applied to the interconnection. + pattern="component[@component-type='interconnection']/prop[@name='interconnection-security'][@ns='http://fedramp.gov/ns/oscal']/@value"/> Scan Type Identifies the type of scan. 
+ pattern="component/prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal']"/> + pattern="inventory-item/prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal']"/> Control Origination The point(s) from which the control satisfaction originates. + pattern="implemented-requirement/prop[@name='control-origination'][@ns='http://fedramp.gov/ns/oscal']/@value"/> Attachment Type Identifies the type of attachment. + pattern="resource/prop[@name='type'][@ns='http://fedramp.gov/ns/oscal']"/> - + FedRAMP Acceptable Information Types (Experimental) 2024-09-24T02:24:00Z @@ -10,7 +10,7 @@ 2023-06-30T00:00:00Z DRAFT-01 - +

      Initial draft for fedramp-2.0.0-oscal-1.1.1 release.

      diff --git a/src/content/rev5/templates/poam/xml/FedRAMP-POAM-OSCAL-Template.xml b/src/content/rev5/templates/poam/xml/FedRAMP-POAM-OSCAL-Template.xml index 9c62e92a1..79474b1dc 100644 --- a/src/content/rev5/templates/poam/xml/FedRAMP-POAM-OSCAL-Template.xml +++ b/src/content/rev5/templates/poam/xml/FedRAMP-POAM-OSCAL-Template.xml @@ -9,7 +9,7 @@ 1.0.4 - + @@ -134,8 +134,8 @@

      Provide description

      - - + + @@ -294,14 +294,14 @@

      Describe the risk

      - + open - + @@ -346,17 +346,17 @@

      This is a statement about the identified risk as provided by the tool.

      This field must be present, but may be blank (or state 'No Risk Statement' if no statement is provided by the tool.

      - - - - - + + + + + open - - + + @@ -501,7 +501,7 @@

      Provide description

      - + @@ -514,7 +514,7 @@

      An example set of infrastructure scan findings.

      - + @@ -534,7 +534,7 @@ [System Name] [FIPS-199 Level] SSP - + @@ -551,12 +551,12 @@

      ONLY USE THIS RESOURCE WHEN NO OSCAL-BASED SSP EXISTS

      Briefly describe the system. This will appear in the SAR.

      - - - - - - + + + + + +

      Only include this resource if no OSCAL-based SSP is available.

      Delete it otherwise.

      @@ -565,7 +565,7 @@ FedRAMP Applicable Laws and Regulations - + 00000000 @@ -575,7 +575,7 @@ FedRAMP Master Acronym and Glossary - + 00000000 diff --git a/src/content/rev5/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml b/src/content/rev5/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml index 22a3e5190..01719f8ff 100644 --- a/src/content/rev5/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml +++ b/src/content/rev5/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml @@ -9,12 +9,12 @@ 1.0.4 - + - - + + - + @@ -125,7 +125,7 @@ Assessment Organization Name Acronym/Short Name - + 2ba201ac-8ee9-4a1d-812a-a755591a3963 @@ -250,8 +250,8 @@ bcf47707-49e4-4acc-bf43-e63156046390 abc15ce6-1f43-4951-bcd5-ab62cdff7ed9 - - + +

      One or more parties

      If the "responsible-party" contains multiple "party-uuid", FedRAMP assumes the "ia-validated" and "csp-validated" prop values apply to each referenced party.

      @@ -261,8 +261,8 @@ 9135b789-a40c-4a20-9be6-fab23c0ab0f3 - - + + e934d8b5-13e5-4f77-b55e-871e6f2df2fe @@ -345,7 +345,7 @@

      A known subnet, which is not defined in the SSP inventory.

      - +

      Use any needed prop/annotation allowed in an SSP inventory-item.

      @@ -365,11 +365,11 @@ - + - - + +

      Use any needed prop/annotation allowed in an SSP inventory-item.

      @@ -389,9 +389,9 @@ - + - +

      Use any needed prop/annotation allowed in an SSP inventory-item.

      @@ -493,25 +493,25 @@

      Description of the manual test

      - - + +

      Describe test step #1

      - +

      Describe test step #2

      - +

      Describe test step #3

      - +
      @@ -520,8 +520,8 @@

      We will login as a customer and try to see if we can gain access to the Network Administrator and Database Administrator privileges and authorizations by navigating to different views and manually forcing the browser to various URLs

      - - + +
      [SAMPLE]CAPTCHA @@ -529,8 +529,8 @@

      We will test the CAPTCHA function on the web form manually

      - - + +
      [SAMPLE]OCSP @@ -538,8 +538,8 @@

      We will manually test to see if OCSP is validating certificates.

      - - + +
      Web Application Test #1 @@ -547,7 +547,7 @@

      Describe this web application test.

      - +
      Web Application Test #2 @@ -555,7 +555,7 @@

      Describe this web application test.

      - +
      Role Based Test #1 @@ -563,7 +563,7 @@

      Describe this role based test.

      - +
      Role Based Test #2 @@ -571,41 +571,41 @@

      Describe this role based test.

      - +
      - + Background

      FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. Security assessments are an integral part of the FedRAMP security authorization process.

      Cloud services must be assessed by an IA. The use of an IA reduces the potential for conflicts of interest that could occur in verifying the implementation status and effectiveness of the security controls. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, Managing Information Security Risk states:

      - +

      Assessor independence is an important factor in: (i) preserving the impartial and unbiased nature of the assessment process; (ii) determining the credibility of the security assessment results; and (iii) ensuring that the authorizing official receives the most objective information possible in order to make an informed, risk-based, authorization decision.

      - + Purpose - +

      This SAP has been developed by [IA Name] and is for [an initial assessment/an annual assessment/an annual assessment and significant change assessment/a significant change assessment] of the [CSP Name], [CSO Name]. The SAP provides the goals for the assessment and details how the assessment will be conducted.

      - + Applicable Laws, Regulations, Standards and Guidance - +

      The FedRAMP-applicable laws, regulations, standards and guidance is included in the [CSO Name] SSP section – System Security Plan Approvals. Additionally, in Appendix L of the SSP, the [CSP Name] has included laws, regulations, standards, and guidance that apply specifically to this system.

      - + Scope - + Initial Assessment - +

      This plan is for an initial assessment of [CSO Name], a [One: High/Moderate/ Low] baseline system. 100% of the FedRAMP security controls in the system baseline are assessed. The security controls that will be assessed are listed in Appendix A.

      - + Annual Assessment

      This plan is for an annual assessment of [CSO Name], a [One: High/Moderate/ Low] baseline system. After the initial security assessment, FedRAMP requires that the system is assessed annually thereafter (12 months from an agency ATO / JAB P-ATO date). While the entire set of security controls is assessed during the initial assessment, a subset is assessed during the annual assessment. The control selection is in accordance with the criteria outlined in the FedRAMP Annual Assessment Guidance and includes:

        @@ -618,9 +618,9 @@

      The detailed control list, including the rationale for each control’s selection, is included in SAP Appendix A, FedRAMP [CSO Name] Security Controls Selection Worksheet.

      - + Significant Change - +

      This document [is for/also includes] the assessment plan for [a significant change/several significant changes]. Appendix D includes the significant change request documentation submitted by [CSP Name] to the [AO/JAB].

      Appendix A includes the associated control selections. [IA Name] will evaluate (review and/or test), as necessary, [all items related to continuous monitoring activities/all items related to continuous monitoring activities as well as those that are applicable to the significant change assessment/continuous monitoring activities that are only applicable to the significant change assessment], [IA Name] will evaluate all open POA&M items (including VDs); POA&M closures (to confirm adequate closure) and validate and confirm continued relevance and applicability of DRs ((false positives (FPs), risk adjustments (RAs), and operational requirements (ORs)) [(if significant change(s) are included): including those applicable to the significant change assessment/applicable only to the significant change assessment].

      [CSO Name] leverages the FedRAMP Authorized CSOs listed in Table 3-2. [CSP Name], as a customer of these CSOs, must meet customer requirements documented by the leveraged CSOs in the customer responsibility matrix (CRM). Therefore, [IA Name] will validate to the best of their ability that [CSO Name] is in compliance with customer requirements documented in the CRMs of the leveraged CSOs.

      @@ -639,7 +639,7 @@
      - + Location of Component

      The physical locations of all the different components that will be tested are described in Table 3-3.

      @@ -657,7 +657,7 @@
      - + IP Addresses Slated for Testing

      SSP Appendix M, FedRAMP Integrated Inventory Workbook, captures the inventory items for the entire system and includes all the following required to be tested for the authorization of this system:

        @@ -671,7 +671,7 @@

        The methodology section of this document describes the approach to the assessment of the inventory.

        - + Role Testing Exclusions @@ -686,7 +686,7 @@
        - + Role Testing for Significant Change Requests

        Additional roles that are being introduced as part of significant changes will be tested and are noted in Appendix D. Role testing will be performed to test the authorization restrictions for each role. [IA Name] will access the system while logged in as different user types and attempt to perform restricted functions for that user.

        @@ -694,7 +694,7 @@ Assumptions - +

        The following assumptions were agreed upon between [CSP Name] and [IA Name] when developing this SAP:

        • This SAP is based on [CSO Name] SSP [Version X.X], dated [MM/DD/YYYY], in its entirety. This includes all SSP appendices. The [CSP Name] is responsible for providing [IA Name] the most current SSP.
        • @@ -717,9 +717,9 @@ Methodology - + Control Testing - +

          [IA Name] will perform an assessment of the [CSO Name] security controls using the methodology described in NIST SP 800-53A, incorporating the methodology required by FedRAMP as noted below, and any other methods of testing that may be required to thoroughly test this system authorization boundary. [IA Name] will use the FedRAMP Security Requirements Traceability Matrix (SRTM) Workbook to evaluate the security controls. Contained in Excel worksheets, these test procedures contain the test objectives and associated test cases to determine if a control is effectively implemented and operating as intended. The results of the testing shall be recorded in the SRTM workbook for the appropriate High, Moderate, or Low baseline (provided on the FedRAMP Documents and Resources page under Templates) along with information that notes whether the control (or control enhancement) is satisfied or not.

          [IA Name] will ensure that all [CSO Name] security controls that have an alternative implementation are included in the final SRTM workbook with test procedures that capture the intent of the control. [CSP Name] is advised that testing alternative control implementations involves additional IA rigor since it is much more difficult to prove the intent of the control is being met. The alternative control implementations that are tested for this assessment are:

            @@ -728,9 +728,9 @@

            Deviations from the SAP-defined methodology are described below.

            - + Data Gathering - +

            [IA Name] data gathering activities will consist of the following:

            • Request [CSP Name] to provide FedRAMP required documentation.
            • @@ -748,10 +748,10 @@
            - + Sampling - - + +

            The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.

            [IA Name] [will/will not] use sampling when performing vulnerability scanning.

            [IA Name] [will/will not] use sampling when testing the following controls:

            @@ -763,19 +763,19 @@

            [IA Name] validates that all security controls required to be tested have appropriate sample sizes for items such as account requests, account terminations, account transfers, change control processes as captured in the [CSO Name] SSP, [Version X.X], [MM/DD/YYYY]. The controls sampling methodology is described in Appendix B.

            - - + +

            The Penetration Test Plan and Methodology is attached in Appendix C.

            - + Test Plan

            The [IA Name] security assessment team, [CSP Name] points of contact, testing schedule, and testing tools that will be used are described in the sections that follow.

            - + Security Assessment Team - +

            The [IA Name] security assessment team consists of the individuals listed in Table 6-1. [CSP Name] is urged to check the capabilities of the named individuals to ensure that each is qualified to hold the position, per A2LA’s personnel requirements specified in the A2LA R311 - Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP).

            Note that this document is signed in Section 8, by the [IA Name] and [CSP Name]. [CSP Name] has a right and a responsibility to ensure that competent assessors are providing the assessment services. The document should not be signed until [CSP Name] has validated the IA team.

            @@ -795,9 +795,9 @@
            - + CSP Testing Points of Contact (POCs) - +

            The [CSP Name] POCs are found in Table 6-2. [IA Name] has internal processes to contact the CSP should the need arise.

            @@ -814,7 +814,7 @@ Testing Performed Using Automated Tools - +

            [IA Name] plans to use the following tools noted in Table 6-3 to perform testing of the [CSO Name].

            @@ -831,9 +831,9 @@
            - + Testing Performed Using Manual Methods - + @@ -850,9 +850,9 @@
            - + Schedule - +

            The security assessment schedule can be found in Table 6-5. Any deviations from this accepted schedule are recorded in the SAR as Deviations.

            @@ -877,12 +877,12 @@ Disclosures - - + +

            Any testing will be performed according to the terms and conditions, cited in this SAP and the Penetration Testing ROE, once this SAP is signed by both parties. These ROEs must be upheld to minimize risk exposure that could occur during security assessment testing.

            - - + +

            The following sections provide additional disclosures accepted by the IA and the CSP for proceeding with this Security Assessment.

            @@ -890,47 +890,47 @@ Security Testing May Include

            Every assessment requires certain disclosures. Sometimes a CSO may have the same disclosures as another CSO, but not usually. IAs and CSPs are required to ensure that all requirements contracted between the CSP and IA are adequate for both parties. Examples of inclusive disclosures appear below. Add to and delete from this list, as applicable.

            - +

            Port scans and other network service interaction and queries

            - +

            Port scans and other network service interaction and queries

            - +

            Network sniffing, traffic monitoring, traffic analysis, and host discovery

            - +

            Attempted logins or other use of systems, with any account name, token, password, and privilege

            - +

            Attempted SQL injection and other forms of input parameter testing

            - +

            Use of exploit code for leveraging discovered vulnerabilities

            - +

            Password cracking via capture and scanning of authentication databases

            - +

            Spoofing or deceiving servers regarding network traffic

            - +

            Altering running system configuration except where denial of service would result

            - +

            Adding user accounts

            - +

            Adding other activities as needed...

            @@ -939,35 +939,35 @@ Security Testing Will Not Include

            Examples of exclusive disclosures appear below. Security testing will not include any of the following activities:

            - +

            Changes to assigned user passwords

            - +

            Modification of user files or system files

            - +

            Telephone modem probes and scans (active and passive)

            - +

            Intentional viewing of [CSP Name] staff email, Internet caches, and/or personnel cookie files

            - +

            Denial of Service attacks

            - +

            Exploits that will introduce new weaknesses to the system

            - +

            Intentional introduction of malicious code (e.g., viruses, Trojans, worms, etc.)

            - +

            Add exclusions here; however, be aware that FedRAMP may not agree with the exclusions listed (e.g., no testing of client side components indicated as imperative for use of the system)

            @@ -976,28 +976,28 @@ End of Testing - +

            [IA Name] will notify [Name of Person] at [CSP Name] when security testing has been completed.

            Communications of Test Results - +

            All documentation generated by this security assessment effort, is to be handled securely, in such a way to protect the confidentiality, integrity and availability of the data, and according to [CSP Name] and [IA Name] acceptable requirements. Security testing results will be provided and disclosed to the individual POCs at [CSP Name] as noted in this document. This should be accomplished within [Number of Days] days after security testing has been completed.

            - + Limitation of Liability - +

            [IA Name], and its stated partners, shall not be held liable to [CSP Name] for any and all liabilities, claims, or damages arising out of or relating to the security vulnerability testing portion of this Agreement, howsoever caused and regardless of the legal theory asserted, including breach of contract or warranty, tort, strict liability, statutory liability, or otherwise.

            - +

            [CSP Name] acknowledges that there are limitations inherent in the methodologies implemented, and the assessment of security and vulnerability relating to information technology is an uncertain process based on past experiences, currently available information, and the anticipation of reasonable threats at the time of the analysis. There is no assurance that an analysis of this nature will identify all vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate all exposure.

            @@ -1031,9 +1031,9 @@

            These are found in control statements (for CSPs to use in their SSP) and in control objectives (for assessors to use in their SAP and SAR).

            SAP tools should scan the appropriate baseline (as identified by the SSP's import-profile statement), find the response points associated with control objectives (ignoring response points associated with statements), and insert one include-objective field for each identified response point.

            For this task, tools should either scan the resolved profile catalog version of each baseline, or resolve the profile against its catalog before processing.

            -

            XPath for all control objectie response points in a resolved profile catalog: //control/part[@name='objective']//prop[@name='response-point'][@ns='https://fedramp.gov/ns/oscal']/../@id +

            XPath for all control objectie response points in a resolved profile catalog: //control/part[@name='objective']//prop[@name='response-point'][@ns='http://fedramp.gov/ns/oscal']/../@id

            -

            XPath for AC-2(f) control objective response points in a resolved profile catalog: //*/part[@name='objective' and contains(@id, 'ac-2.f')]/prop[@name='response-point'][@ns='https://fedramp.gov/ns/oscal']/../@id +

            XPath for AC-2(f) control objective response points in a resolved profile catalog: //*/part[@name='objective' and contains(@id, 'ac-2.f')]/prop[@name='response-point'][@ns='http://fedramp.gov/ns/oscal']/../@id
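Review bot: "objectie" in both rewritten XPath remarks ("XPath for all control objectie response points" and "XPath for AC-2(f) control objectie response points") is a typo for "objective" that the change carries over unchanged; since both lines are being edited anyway to switch @ns from https://fedramp.gov/ns/oscal to http://fedramp.gov/ns/oscal, fix the spelling in the same commit. Note also that the predicate [@ns='http://fedramp.gov/ns/oscal'] is an exact string comparison: a response-point prop whose ns still reads https://fedramp.gov/ns/oscal is not reported as an error, it is simply not selected, so the remark should state that the resolved profile catalogs must carry the http form verbatim, and a test that the two XPaths return a non-empty node set against the shipped catalogs would catch a partial migration.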

            @@ -1138,7 +1138,7 @@

            Describe assessment laptop.

            - +

            Ideally, this assessment laptop would have been defined in the SAP, and not repeated here.

            @@ -1150,8 +1150,8 @@

            Describe the purpose of the tool here.

            - - + + @@ -1160,8 +1160,8 @@

            Describe the purpose of the tool here.

            - - + + @@ -1174,9 +1174,9 @@ Scanning Tools - - - + + +

            Cites assessment laptop.

            @@ -1404,7 +1404,7 @@ [System Name] [FIPS-199 Level] SSP - + @@ -1421,12 +1421,12 @@

            ONLY USE THIS RESOURCE WHEN NO OSCAL-BASED SSP EXISTS

            Briefly describe the system. This will appear in the SAR.

            - - - - - - + + + + + +

            Only include this resource if no OSCAL-based SSP is available.

            Delete it otherwise.

            @@ -1435,7 +1435,7 @@ FedRAMP Applicable Laws and Regulations - + 00000000 @@ -1445,7 +1445,7 @@ FedRAMP Master Acronym and Glossary - + 00000000 @@ -1459,7 +1459,7 @@

            The following individuals at [IA Name] and [CSP Name] have been identified as having the authority to agree to security testing of [CSO Name]. [CSP Name] has validated that the [IA Name] assessors assigned to this project fulfill the FedRAMP assessor requirements, as noted in Section 6.1 and formally named in Table 6-1. This section must be signed and dated prior to an IA beginning an assessment.

            - + 00000000 @@ -1479,7 +1479,7 @@

            Embed or reference copies of the sampling methodology for security controls assessment and vulnerability scanning (if applicable).

            - + @@ -1550,7 +1550,7 @@
            - + 00000000 @@ -1580,7 +1580,7 @@ - + diff --git a/src/content/rev5/templates/sar/xml/FedRAMP-SAR-OSCAL-Template.xml b/src/content/rev5/templates/sar/xml/FedRAMP-SAR-OSCAL-Template.xml index 5541224da..5635d2e3e 100644 --- a/src/content/rev5/templates/sar/xml/FedRAMP-SAR-OSCAL-Template.xml +++ b/src/content/rev5/templates/sar/xml/FedRAMP-SAR-OSCAL-Template.xml @@ -9,7 +9,7 @@ 1.0.4 - + @@ -114,7 +114,7 @@ Assessment Organization Name Acronym/Short Name - + 2ba201ac-8ee9-4a1d-812a-a755591a3963 @@ -396,24 +396,24 @@

            This describes an activity that was not defined in the SAP, but was performed during the assessment. The justification must be included.

            - +

            Describe test step #1

            - +

            Describe test step #2

            - +

            Describe test step #3

            - +
            @@ -430,7 +430,7 @@

            A Windows laptop, which is not defined in the SSP inventory.

            - + @@ -439,7 +439,7 @@

            Describe assessment laptop.

            - +

            Ideally, this assessment laptop would have been defined in the SAP, and not repeated here.

            @@ -493,36 +493,36 @@ - + - +

            [IA Name] recommends this system for authorization.

            - +

            [IA Name] does not recommend this system for authorization.

            - +

            [IA Name] recommends this system for continued authorization.

            - +

            [IA Name] does not recommend this system for continued authorization.

            - +

            [IA Name] recommends the following [significant change/significant changes] for authorization:

            • [list significant changes approved for authorization]
            - +

            [IA Name] does not recommend the following [significant change/significant changes] for authorization:

            • [list significant changes not approved for authorization]
            • @@ -840,9 +840,9 @@

              Infrastructure Scan Percentage.

              - - - + + + EXAMINE 2023-05-10T00:00:00Z @@ -854,9 +854,9 @@

              Database Scan Percentage.

              - - - + + + EXAMINE 2023-05-10T03:00:00Z @@ -868,15 +868,15 @@

              Web Scan Percentage.

              - - - + + +

              EXAMPLE - Next Gen Web Application Firewall is blocking requests from scanner.

              - + EXAMINE 2023-05-10T03:00:00Z @@ -1010,10 +1010,10 @@

              This is a statement about the identified risk as provided by the tool.

              This field must be present, but may be blank (or state 'No Risk Statement' if no statement is provided by the tool.

              - - - - + + + + closed @@ -1096,7 +1096,7 @@

              This is a statement about the risk identified by penetration testing.

              - + open @@ -1133,7 +1133,7 @@ - + @@ -1153,7 +1153,7 @@
              - + @@ -1173,7 +1173,7 @@ - + @@ -1248,7 +1248,7 @@ - + @@ -1269,7 +1269,7 @@ - + @@ -1301,7 +1301,7 @@ - + @@ -1323,7 +1323,7 @@ - + @@ -1342,7 +1342,7 @@ [System Name] [FIPS-199 Level] SAP - + @@ -1351,7 +1351,7 @@ FedRAMP Applicable Laws and Regulations - + 00000000 @@ -1361,7 +1361,7 @@ FedRAMP Master Acronym and Glossary - + 00000000 @@ -1374,7 +1374,7 @@

              Signed SAR

              - + @@ -1464,7 +1464,7 @@ Penetration Test Report - + diff --git a/src/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml b/src/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml index 2eb499732..f11e7f780 100644 --- a/src/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml +++ b/src/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

              Initial publication.

              @@ -21,7 +21,7 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

              Minor prop updates.

              @@ -29,7 +29,7 @@ - + @@ -537,10 +537,10 @@ - + - + fips-199-moderate @@ -638,19 +638,19 @@ - - - - + + + + GovCloud - + - + - + @@ -665,10 +665,10 @@ [SAMPLE]Unix System Administrator - + - + admin-unix @@ -681,10 +681,10 @@ [SAMPLE]Client Administrator - + - + admin-client @@ -695,10 +695,10 @@ [SAMPLE]Program Director - + - + information-system-security-officer isa-poc-local @@ -714,10 +714,10 @@ [SAMPLE]ISA POC - + - + isa-poc-remote isa-authorizing-official-remote @@ -751,9 +751,9 @@

              Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

              - - - + + + @@ -769,9 +769,9 @@

              For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

              - - - + + + @@ -790,21 +790,21 @@

              If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

              Must include all leveraged services and features from the leveraged authorization here.

              - + - + - + - + - + @@ -835,34 +835,34 @@

              Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

              - + - + - + - + - + - + - + - + - + - - + + - + - + @@ -873,9 +873,9 @@ - - - + + +

              If "other", remarks are required. Optional otherwise.

              @@ -910,7 +910,7 @@

              FUNCTION: Describe typical component function.

              - + @@ -930,8 +930,8 @@

              FUNCTION: Describe typical component function.

              - - + + @@ -952,7 +952,7 @@

              None

              - + @@ -963,7 +963,7 @@

              None

              - + @@ -974,8 +974,8 @@

              None

              - - + + @@ -1070,16 +1070,16 @@

              Briefly describe the interconnection.

              - + - - - + + +

              If "other", remarks are required. Optional otherwise.

              @@ -1158,8 +1158,8 @@ - - + +

              If no, explain why. If yes, omit remarks field.

              @@ -1217,7 +1217,7 @@

              If no, explain why. If yes, omit remark.

              - + 3360e343-9860-4bda-9dfc-ff427c3dfab6 @@ -1243,7 +1243,7 @@ - + @@ -1257,7 +1257,7 @@ - + @@ -1271,7 +1271,7 @@ - + @@ -1302,7 +1302,7 @@ - + @@ -1333,7 +1333,7 @@ - +
              @@ -1350,13 +1350,13 @@

              FedRAMP does not require any specific information here.

              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1432,15 +1432,15 @@
              - - + +

              Describe the plan to complete the implementation.

              - - + +

              Describe any customer-configured requirements for satisfying this control.

              @@ -1550,13 +1550,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1615,13 +1615,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1683,13 +1683,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1748,13 +1748,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1813,13 +1813,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + 36b8d6c0-3b25-42cc-b529-cf4066145cdd @@ -1876,13 +1876,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -1941,13 +1941,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2006,13 +2006,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2071,13 +2071,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2136,13 +2136,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2201,13 +2201,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2266,13 +2266,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2331,13 +2331,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2396,13 +2396,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2461,13 +2461,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2526,13 +2526,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2592,8 +2592,8 @@
              - - + + 59cdc953-5902-4fa4-a878-f3163854624c @@ -2619,13 +2619,13 @@ - - + +

              Describe the plan to complete the implementation.

              - + @@ -2688,7 +2688,7 @@

              SSP Signature

              - + 00000000 @@ -2705,7 +2705,7 @@ FedRAMP Applicable Laws and Regulations - + 00000000 @@ -2717,7 +2717,7 @@ FedRAMP Master Acronym and Glossary - + 00000000 @@ -3471,7 +3471,7 @@

              FedRAMP Logo

              - + 00000000 @@ -3558,7 +3558,7 @@

              Separation of Duties Matrix

              - + diff --git a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml index e00a00a58..1ba2f4c6f 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

              Initial publication.

              @@ -21,14 +21,14 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

              Minor prop updates.

              - + @@ -605,10 +605,10 @@ - + - + fips-199-moderate @@ -775,15 +775,15 @@ AwesomeCloud Commercial(IaaS) - - + +

              For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.

              - +

              For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records @@ -804,7 +804,7 @@ - + system-poc-technical @@ -824,10 +824,10 @@ - + - - + + system-poc-technical @@ -836,10 +836,10 @@ - + - - + + system-poc-technical Admin @@ -850,7 +850,7 @@ - + system-poc-technical @@ -863,9 +863,9 @@ - - - + + + system-owner @@ -912,16 +912,16 @@ - - + +

              If 'yes', describe the authentication method.

              If 'no', explain why no authentication is used.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - - + + @@ -934,8 +934,8 @@
              - - + +

              This is a leveraged system within which this system operates. @@ -1026,13 +1026,13 @@ - - + + - - + +

              This is a service offered by a leveraged system and used by this system. @@ -1086,20 +1086,20 @@

              Describe the service and what it is used for.

              - - - - + + + +

              If 'yes', describe the authentication method.

              If 'no', explain why no authentication is used.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - - - - + + + + @@ -1245,34 +1245,34 @@

              Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

              - - - - + + + +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - - - - - - + + + + + +

              Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

              - - - - + + + + - + @@ -1345,8 +1345,8 @@

              - - + + @@ -1392,16 +1392,16 @@ - - + +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - - + +

              This can only be known if provided by the leveraged system. @@ -1481,27 +1481,27 @@ - - - + + +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - +

              Either describe a risk associated with this service, or indicate there is no identified risk.

              If there is no risk, please explain your basis for that conclusion.

              - +

              If there are one or more identified risks, describe any resulting impact.

              - +

              If there are one or more identified risks, describe any mitigating factors.

              @@ -1552,29 +1552,29 @@ - - - + + +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              - - - + + +

              Either describe a risk associated with this CLI, or indicate there is no identified risk.

              If there is no risk, please explain your basis for that conclusion.

              - +

              If there are one or more identified risks, describe any resulting impact.

              - +

              If there are one or more identified risks, describe any mitigating factors.

              @@ -1621,9 +1621,9 @@ compliance (e.g., Module in Process).

              - - - + + + @@ -1640,9 +1640,9 @@ compliance (e.g., Module in Process).

              - - - + + + @@ -1665,7 +1665,7 @@

              FUNCTION: Describe typical component function.

              - + @@ -1686,7 +1686,7 @@

              FUNCTION: Describe typical component function.

              - + @@ -1708,8 +1708,8 @@

              FUNCTION: Describe typical component function.

              - - + + @@ -1730,7 +1730,7 @@

              None

              - + @@ -1741,7 +1741,7 @@

              None

              - + @@ -1757,8 +1757,8 @@

              None

              - - + + @@ -2172,8 +2172,8 @@ - - + +

              If no, explain why. If yes, omit remarks field.

              @@ -2233,7 +2233,7 @@

              If no, explain why. If yes, omit remark.

              - + 11111111-2222-4000-8000-004000000010 @@ -2259,7 +2259,7 @@ - + @@ -2273,7 +2273,7 @@ - + @@ -2287,7 +2287,7 @@ - + @@ -2318,7 +2318,7 @@ - + @@ -2349,7 +2349,7 @@ - + @@ -2366,7 +2366,7 @@

              FedRAMP does not require any specific information here.

              - + @@ -2415,7 +2415,7 @@

              There

              - +

              Describe the plan to complete the implementation.

              @@ -2426,7 +2426,7 @@

              Describe how this policy currently satisfies part a.

              - +

              Describe the plan for addressing the missing policy elements.

              @@ -2456,15 +2456,15 @@
              - - + +

              Describe the plan to complete the implementation.

              - - + +

              Describe any customer-configured requirements for satisfying this control.

              @@ -2594,13 +2594,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2661,13 +2661,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2734,13 +2734,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2804,13 +2804,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -2874,13 +2874,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + 11111111-2222-4000-8000-004000000011 @@ -2942,13 +2942,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3012,13 +3012,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3082,13 +3082,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3152,13 +3152,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3222,13 +3222,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3292,13 +3292,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3362,13 +3362,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3432,13 +3432,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3502,13 +3502,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3572,13 +3572,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3642,13 +3642,13 @@
              - - + +

              Describe the plan to complete the implementation.

              - + @@ -3713,8 +3713,8 @@
              - - + + 11111111-2222-4000-8000-004000000018 @@ -3740,13 +3740,13 @@ - - + +

              Describe the plan to complete the implementation.

              - + @@ -4666,7 +4666,7 @@

              FedRAMP Logo

              - + 00000000 @@ -4813,7 +4813,7 @@

              Separation of Duties Matrix

              - + diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml new file mode 100644 index 000000000..ab5a50777 --- /dev/null +++ b/src/validations/constraints/content/fedramp-ssp-example.xml @@ -0,0 +1,4832 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

              Initial publication.

              +
              +
              + + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

              Minor prop updates.

              +
              +
              +
              + + + + + + FedRAMP Program Management Office + +

              The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

              +
              +
              + + Prepared By + +

              The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

              +
              +
              + + Prepared For + +

              The organization for which this SSP was prepared. Typically the CSP.

              +
              +
              + + System Security Plan Approval + +

              The individual or individuals accountable for the accuracy of this SSP.

              +
              +
              + + Cloud Service Provider + CSP + + + + Information System Owner + +

              The individual within the CSP who is ultimately accountable for everything related to + this system.

              +
              +
              + + Authorizing Official + +

              The individual or individuals who must grant this system an authorization to + operate.

              +
              +
              + + Authorizing Official's Point of Contact + +

              The individual representing the authorizing official.

              +
              +
              + + Information System Management Point of Contact (POC) + +

              The highest level manager who responsible for system operation on behalf of the + System Owner.

              +
              +
              + + Information System Technical Point of Contact + +

              The individual or individuals leading the technical operation of the system.

              +
              +
              + + General Point of Contact (POC) + +

              A general point of contact for the system, designated by the system owner.

              +
              +
              + + + System Information System Security Officer (or Equivalent) + +

              The individual accountable for the security posture of the system on behalf of the + system owner.

              +
              +
              + + Privacy Official's Point of Contact + +

              The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

              +
              +
              + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

              The point of contact for an interconnection on behalf of this system.

              +
              + +

              Remove this role if there are no ICAs.

              +
              +
              + + ICA POC (Remote) + +

              The point of contact for an interconnection on behalf of this external system to + which this system connects.

              +
              + +

              Remove this role if there are no ICAs.

              +
              +
              + + ICA Signatory (Local) + +

              Responsible for signing an interconnection security agreement on behalf of this + system.

              +
              + +

              Remove this role if there are no ICAs.

              +
              +
              + + ICA Signatory (Remote) + +

              Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

              +
              + +

              Remove this role if there are no ICAs.

              +
              +
              + + Consultant + +

              Any consultants involved with developing or maintaining this content.

              +
              +
              + + Customer + +

              Represents any customers of this system as may be necessary for assigning customer + responsibility.

              +
              +
              + + Provider + +

              The provider of a leveraged system, external service, API, CLI.

              +
              +
              + + [SAMPLE]Unix Administrator + +

              This is a sample role.

              +
              +
              + + [SAMPLE]Client Administrator + +

              This is a sample role.

              +
              +
              + + Leveraged Authorization Users + +

              Any internal users of a leveraged authorization.

              +
              +
              + + External System Owner + +

              The owner of an external system.

              +
              +
              + + External System Management Point of Contact (POC) + +

              The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

              +
              +
              + + External System Technical Point of Contact + +

              The individual or individuals leading the technical operation of an external + system.

              +
              +
              + + Approver + +

              An internal approving authority.

              +
              +
              + + CSP HQ +
              + Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
              + +

              There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

              +
              +
              + + Primary Data Center +
              + 2222 Main Street + Anywhere + -- + 00000-0000 + US +
              + + +

              There must be one location for each data center.

              +

              There must be at least two data center locations.

              +

              For a data center, briefly summarize the components at this location.

              +

              All data centers must have a "type" property with a value of "data-center".

              +

              The type property must also have a class of "primary" or "alternate".

              +
              +
              + + Secondary Data Center +
              + 3333 Small Road + Anywhere + -- + 00000-0000 + US +
              + + +

              There must be one location for each data center.

              +

              There must be at least two data center locations.

              +

              For a data center, briefly summarize the components at this location.

              +

              All data centers must have a "type" property with a value of "data-center".

              +

              The type property must also have a class of "primary" or "alternate".

              +
              +
              + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

              Replace sample CSP information.

              +

              CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party. +

              +
              +
              + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
              + 1800 F St. NW + Washington + DC + 20006 + US +
              + +

              This party entry must be present in a FedRAMP SSP.

              +

              The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

              +
              +
              + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

              This party entry must be present in a FedRAMP SSP.

              +

              The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

              +
              +
              + + + External Organization + External + +

              Generic placeholder for any external organization.

              +
              +
              + + Agency Name + A.N. + +

              Generic placeholder for an authorizing agency.

              +
              +
              + + Name of Consulting Org + NOCO + + + poc@example.com +
              + 3333 Corporate Way + Washington + DC + 00000 + US +
              +
              + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

              Underlying service provider. Leveraged Authorization.

              +
              +
              + + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000001 +
              + + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000001 +
              + + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000001 +
              + + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000001 +
              + + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000004 +
              + + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
              + Address Line + City + ST + 00000 + US +
              + 11111111-2222-4000-8000-004000000001 +
              + + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

              Zero or more

              +
              +
              + + + 11111111-2222-4000-8000-004000000010 + +

              Exactly one

              +
              +
              + + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

              One or more

              +
              +
              + + + 11111111-2222-4000-8000-004000000010 + +

              Exactly one

              +
              +
              + + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

              One or more

              +
              +
              + + 11111111-2222-4000-8000-004000000012 + +

              Exactly one

              +
              +
              + + 11111111-2222-4000-8000-004000000013 + +

              Exactly one

              +
              +
              + + + 11111111-2222-4000-8000-004000000014 + +

              Exactly one

              +
              +
              + + 11111111-2222-4000-8000-004000000015 + +

              Exactly one

              +
              +
              + + 11111111-2222-4000-8000-004000000016 + +

              Exactly one

              +
              +
              + + +
              + + +

              This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

              +

              Must adjust accordingly for applicable baseline and revision.

              +
              +
              + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

              [Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

              +

              NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

              +

              NOTE: The description is expected to be at least 32 words in length.

              +
              + + + +

              Remarks are required if service model is "other". Optional otherwise.

              +
              +
              + + + +

              Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

              +
              +
              + + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

              A description of the information.

              +
              + + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-low + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              +
              + + Information Type Name + +

              A description of the information.

              +
              + + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-high + +

              Required if the base and selected values do not match.

              +
              +
              +
              + + Information Type Name + +

              A description of the information.

              +
              + + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              + + fips-199-moderate + fips-199-moderate + +

              Required if the base and selected values do not match.

              +
              +
              +
              + + +
              + + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

              Remarks are optional if status/state is "operational".

              +

              Remarks are required otherwise.

              +
              +
              + + + + + +

              A holistic, top-level explanation of the FedRAMP authorization boundary.

              +
              + + + +

              A diagram-specific explanation.

              +
              + + Authorization Boundary Diagram +
              +
              + + + +

              A holistic, top-level explanation of the network architecture.

              +
              + + + +

              A diagram-specific explanation.

              +
              + + Network Diagram +
              +
              + + + +

              A holistic, top-level explanation of the system's data flows.

              +
              + + + +

              A diagram-specific explanation.

              +
              + + Data Flow Diagram +
              +
              +
              + + + + + + + + AwesomeCloud Commercial(IaaS) + + + + +

              For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

              +
              +
              + + +

              For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

              +
              +
              + + 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

              Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

              +

              For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

              +
              +
              + + + + + + + system-poc-technical + + Admin + +

              admin user

              +
              + administration +
              + +

              The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

              +

              Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

              +
              +
              + + + + + + + system-poc-technical + + Add/Remove Admins + This can add and remove admins. + + + + + + + + system-poc-technical + + Admin + +

              admin user

              +
              + administration +
              +
              + + + + + + system-poc-technical + + Admin + +

              admin user

              +
              + administration +
              +
              + + + + + + system-owner + + Admin + +

              admin user

              +
              + administration +
              +
              + + + + + + This System + +

              This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

              +

              FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

              +
              + + +

              A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

              +

              It does not need system details, as those exist elsewhere in this SSP.

              +
              +
              + + + + + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

              Briefly describe the leveraged system.

              +
              + + + + + + +

              If 'yes', describe the authentication method.

              +

              If 'no', explain why no authentication is used.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + + + + + 11111111-2222-4000-8000-c0040000000a + +

              The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

              +
              +
              + + + + + +

              This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

              +

              Requirements

              +

              Each leveraged system must be expressed as a "system" component, and must have:

              +
                +
              • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
              • +
              • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
              • +
              • an "implementation-point" core property with a value of "external"
              • +
              • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
              • +
              • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
              • +
              • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
              • +
              • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
              • +
              • a status with a state value of "operational"
              • +
              • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
              • +
              +

              +

              Where relevant, this component should also have:

              +
                +
              • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
              • +
              +

              +

              Links to the vendor website describing the system are encouraged, but not required.

              + +

              Services

              +

              A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

              +

              Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

              +
                +
              • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
              • +
              • The component for a non-authorized service must include + a "still-supported" property/extension.
              • +
              • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
              • +
              + +

              Both authorized and non-authorized leveraged services include:

              +
                +
              • a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001") +
              • +
              • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
              • +
              • an "implementation-point" core property with a value of "external"
              • +
              • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
              • +
              • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
              • +
              • a status with a state value of "operational"
              • +
              • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
              • +
              + +

              Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

              +
              +
              + + + + Service A + +

              An authorized service provided by the Awesome Cloud leveraged authorization.

              +

              Describe the service and what it is used for.

              +
              + + + + + + + + + + + +

              This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

              +

              +

              Each leveraged service must be expressed as a "service" component, and must have:

              +
                +
              • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
              • +
              • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
              • +
              • an "implementation-point" property with a value of "external"; and
              • +
              • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
              • +
              +

              +

              Where relevant, this component should also have:

              +
                +
              • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
              • +
              • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
              • +
              • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
              • +
              +

              Link(s) to the vendor's web site describing the service are encouraged, but not + required.

              +

              The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

              +
                +
              • Package ID, Authorization Type, Impact Level
              • +
              +

              +

              The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

              +

              - Nature of Agreement, CSP Name

              +
              +
              + + + + + + + Service B + +

              An non-authorized service provided by the Awesome Cloud leveraged authorization.

              +

              Describe the service and what it is used for.

              +
              + + + + + + +

              If 'yes', describe the authentication method.

              +

              If 'no', explain why no authentication is used.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + + + + + + + + + + 33333333-2222-4000-8000-004000000001 + + +

              This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

              +

              +

              Each non-authorized leveraged service must be expressed as a "service" component, and must have:

              +
                +
              • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
              • +
              • an "implementation-point" property with a value of "external"; and
              • +
              • one or two "direction" prperty/extensions
              • +
              • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
              • +
              • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
              • +
              • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
              • +
              • +
              • + +
              +

              The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

              +

              + +

              Where relevant, this component should also have:

              +
                +
              • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
              • +
              • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
              • +
              +

              Link(s) to the vendor's web site describing the service are encouraged, but not + required.

              +

              The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

              +
                +
              • Package ID, Authorization Type, Impact Level
              • +
              +

              + +

              - An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

              +

              Link(s) to the vendor's web site describing the service are encouraged, but not + required.

              +

              +

              The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

              +

              - Package ID, Authorization Type, Impact Level

              +

              +

              The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

              +

              - Nature of Agreement, CSP Name

              +

              +

              An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

              +
              +
              + + + + + Other Cloud SaaS + +

              An external system to which this system shares an interconnection.

              +
              + + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

              Each interconnection to one or more remote systems must have:

              +
                +
              • a "system" component (this component)
              • +
              • an "interconnection" component
              • +
              +

              Each "system" component must have:

              +
                +
              • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
              • +
              • an "implementation-point" property with a value of "external"
              • +
              • a "status" field with a state value of "operational"
              • +
              • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.
              • +
              + +

              While not required, each "system" component should have:

              +
                +
              • an "inherited-uuid" property if the value was provided by the system owner
              • +
              • a "compliance" property/extension if appropriate
              • +
              • an "authorizing-official" responsible-role
              • +
              • an "system-owner" responsible-role
              • +
              • an "system-poc-management" responsible-role
              • +
              • an "system-poc-technical" responsible-role
              • +
              +

              Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"

              +
              +
              + + + + + [EXAMPLE]Authorized Connection Information System Name + +

              Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

              +
              + + + + + +

              If 'yes', describe the authentication method in the remarks.

              +

              If 'no', explain why no authentication is used in the remarks.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + + + + + + +

              Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

              +
              +
              + + + + + + + + + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + + Incoming FTP Service + + + +

              Each interconnection to one or more remote systems must have:

              +
                +
              • one "system" component for each remote system sharing the connection
              • +
              • an "interconnection" component (this component)
              • +
              +

              Each "interconnection" component must have:

              +
                +
              • an "implementation-point" property with a value of "external"
              • +
              • a "status" field with a state value of "operational"
              • +
              • one or two "direction" properties
              • +
              • a "nature-of-agreement" property/extension
              • +
              • one or more "authentication-method" properties/extensions.
              • +
              • a "hosting-environment" proptery/extension
              • +
              • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
              • +
              • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
              • +
              • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
              • +
              • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
              • +
              • exactly one "used-by" link with an href value that refers to the "this-system" component.
              • +
              • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
              • +
              • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
              • +
              +

              Authentication methods must address both system-authentication as well as + user authentication mechanisms.

              +

              Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

              +

              If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

              +

              +

              While not required, each "interconnection" component should have:

              +
                +
              • an "inherited-uuid" property if the value was provided by the system owner
              • +
              • a "compliance" property/extension if appropriate
              • +
              • an "system-poc-management" responsible-role
              • +
              • an "system-poc-technical" responsible-role
              • +
              +

              Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.

              +
              +
              + + + + + Other Cloud SaaS + +

              + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

              For each external system with which this system connects:

              +

              Must have a "system" component (this component).

              +

              Must have an "interconnection" component that connects this component with the + "this-system" component.

              +

              If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

              +

              Must include all leveraged services and features from the leveraged authorization + here.

              +

              For an external system, the "implementation-point" property must always be present + with a value of "external".

              + + +

              Each interconnection must be defined with both an "system" component and an + "interconnection" component.

              +

              Must include all leveraged services and features from the leveraged authorization + here.

              +
              + + + + + Service C + +

              A service provided by an external system other than the leveraged system.

              +

              Describe the service and what it is used for.

              +
              + + + + + + +

              If 'yes', describe the authentication method in the remarks.

              +

              If 'no', explain why no authentication is used in the remarks.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + + + +

              This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + 33333333-2222-4000-8000-004000000001 + + + + + + + + +

              This is a service provided by an external system other than the leveraged system.

              +

              As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

              +

              +

              Each external service used from a leveraged authorization must have:

              +

              - a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

              +

              - a "service" component (this component).

              +

              +

              This component must always have:

              +

              - The name of the service in the title - preferably exactly as it appears on the + vendor's web site

              +

              - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

              +

              - An "implementation-point" property with a value of "external".

              +

              - A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

              +

              - Example: "#11111111-2222-4000-8000-009000100001" +

              +

              - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

              +

              - a status with a state value of "operational"

              +

              +

              Where relevant, this component should also have:

              +

              - One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

              +

              - A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

              +

              - An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

              +

              Link(s) to the vendor's web site describing the service are encouraged, but not + required.

              +

              +

              The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

              +

              - Package ID, Authorization Type, Impact Level

              +

              +

              The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

              +

              - Nature of Agreement, CSP Name

              +

              +

              An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

              +
              +
              + + + + Service C + + +

              A service provided by an external system other than the leveraged system.

              +

              Describe the service and what it is used for.

              +
              + + + + + + +

              If 'yes', describe the authentication method in the remarks.

              +

              If 'no', explain why no authentication is used in the remarks.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + +

              Either describe a risk associated with this service, or indicate there is no identified risk.

              +

              If there is no risk, please explain your basis for that conclusion.

              +
              +
              + + +

              If there are one or more identified risks, describe any resulting impact.

              +
              +
              + + +

              If there are one or more identified risks, describe any mitigating factors.

              +
              +
              + + + + + + 11111111-2222-4000-8000-004000000018 + + + + Remote API Service + + + + +

              This is a service provided by an external system other than the leveraged system.

              + + + +

              - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

              + + + +

              As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

              +

              All services require the "implementation-point" property. In this case, the property + value is set to "external.

              +

              All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

              +

              If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

              + + + + +
              +
              + + + + Management CLI + +

              None

              +
              + + + + + + +

              If 'yes', describe the authentication method in the remarks.

              +

              If 'no', explain why no authentication is used in the remarks.

              +

              If 'not-applicable', attest explain why authentication is not applicable in the remarks.

              +
              +
              + + + + +

              Either describe a risk associated with this CLI, or indicate there is no identified risk.

              +

              If there is no risk, please explain your basis for that conclusion.

              +
              +
              + + +

              If there are one or more identified risks, describe any resulting impact.

              +
              +
              + + +

              If there are one or more identified risks, describe any mitigating factors.

              +
              +
              + + +

              + + + + + + 11111111-2222-4000-8000-004000000018 + + + + + + + + + + Service D + +

              A service that exists within the authorization boundary.

              +

              Describe the service and what it is used for.

              + + + +
              + + + + + + + + [SAMPLE]Cryptographic Module Name + +

              Provide a description and any pertinent note regarding the use of this CM.

              +

              For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

              +

              Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

              +
              + + + + + + + + + + +
              + + + [SAMPLE]Cryptographic Module Name + +

              Provide a description and any pertinent note regarding the use of this CM.

              +

              For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

              +
              + + + + + + + + + + +
              + + + + + + + + + + + [SAMPLE]Product Name + +

              FUNCTION: Describe typical component function.

              +
              + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

              COMMENTS: Provide other comments as needed.

              +
              +
              + + + [SAMPLE]Product Name + +

              FUNCTION: Describe typical component function.

              +
              + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

              COMMENTS: Provide other comments as needed.

              +
              +
              + + + + [SAMPLE]Product + +

              FUNCTION: Describe typical component function.

              +
              + + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

              COMMENTS: Provide other comments as needed.

              +
              +
              + + OS Sample + +

              None

              +
              + + + + + +
              + + Database Sample + +

              None

              +
              + + + + + + + + + + +
              + + Appliance Sample + +

              None

              +
              + + + + + + +

              Vendor appliance. No admin-level access.

              +
              +
              + +
              + + + + AC Policy + +

              The Access Control Policy governs how access is managed and approved.

              +
              + + +
              + + AT Policy + +

              The Awareness and Training Policy governs how access is managed and approved.

              +
              + + +
              + + AU Policy + +

              The Audit and Accountability governs how access is managed and approved.

              +
              + + +
              + + CA Policy + +

              The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

              +
              + + +
              + + CM Policy + +

              The Configuration Management Policy governs how access is managed and approved.

              +
              + + +
              + + CP Policy + +

              The Contingency Planning Policy governs how access is managed and approved.

              +
              + + +
              + + IA Policy + +

              The Identificaiton and Authentication Policy governs how access is managed and + approved.

              +
              + + +
              + + IR Policy + +

              The Incident Response Policy governs how access is managed and approved.

              +
              + + +
              + + MA Policy + +

              The Maintenance Policy governs how access is managed and approved.

              +
              + + +
              + + MP Policy + +

              The Media Protection Policy governs how access is managed and approved.

              +
              + + +
              + + PE Policy + +

              The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

              +
              + + +
              + + PL Policy + +

              The Planning Policy governs how access is managed and approved.

              +
              + + +
              + + PM Policy + +

              The Program Management Policy governs how access is managed and approved.

              +
              + + +
              + + PS Policy + +

              The Personnel Security Policy governs how access is managed and approved.

              +
              + + +
              + + PT Policy + +

              The PII Processing and Transparency Policy governs how access is managed and + approved.

              +
              + + +
              + + RA Policy + +

              The Risk Assessment Policy governs how access is managed and approved.

              +
              + + +
              + + SA Policy + +

              The System and Services Acquisition Policy governs how access is managed and + approved.

              +
              + + +
              + + S3 Policy + +

              The System and Communication Protection Policy governs how access is managed and + approved.

              +
              + + +
              + + SI Policy + +

              The System and Information Integrity Policy governs how access is managed and + approved.

              +
              + + +
              + + SR Policy + +

              The Supply Chain Risk Management Policy governs how access is managed and + approved.

              +
              + + +
              + + + + AC Policy + +

              The Access Control Procedure governs how access is managed and approved.

              +
              + + +
              + + AT Policy + +

              The Awareness and Training Procedure governs how access is managed and approved.

              +
              + + +
              + + AU Policy + +

              The Audit and Accountability Procedure governs how access is managed and + approved.

              +
              + + +
              + + CA Policy + +

              The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

              +
              + + +
              + + CM Policy + +

              The Configuration Management Procedure governs how access is managed and + approved.

              +
              + + +
              + + CP Policy + +

              The Contingency Planning Procedure governs how access is managed and approved.

              +
              + + +
              + + IA Policy + +

              The Identificaiton and Authentication Procedure governs how access is managed and + approved.

              +
              + + +
              + + IR Policy + +

              The Incident Response Procedure governs how access is managed and approved.

              +
              + + +
              + + MA Policy + +

              The Maintenance Procedure governs how access is managed and approved.

              +
              + + +
              + + MP Policy + +

              The Media Protection Procedure governs how access is managed and approved.

              +
              + + +
              + + PE Policy + +

              The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

              +
              + + +
              + + PL Policy + +

              The Planning Procedure governs how access is managed and approved.

              +
              + + +
              + + PM Policy + +

              The Program Management Procedure governs how access is managed and approved.

              +
              + + +
              + + PS Policy + +

              The Personnel Security Procedure governs how access is managed and approved.

              +
              + + +
              + + PT Policy + +

              The PII Processing and Transparency Procedure governs how access is managed and + approved.

              +
              + + +
              + + RA Policy + +

              The Risk Assessment Procedure governs how access is managed and approved.

              +
              + + +
              + + SA Policy + +

              The System and Services Acquisition Procedure governs how access is managed and + approved.

              +
              + + +
              + + S3 Policy + +

              The System and Communication Protection Procedure governs how access is managed and + approved.

              +
              + + +
              + + SI Policy + +

              The System and Information Integrity Procedure governs how access is managed and + approved.

              +
              + + +
              + + SR Policy + +

              The Supply Chain Risk Management Procedure governs how access is managed and + approved.

              +
              + + +
              + + + + + IPv4 Production Subnet + +

              IPv4 Production Subnet.

              +
              + + + + +
              + + IPv4 Management Subnet + +

              IPv4 Management Subnet.

              +
              + + + + + +
              + + Email Service + +

              Email Service

              +
              + + + + + + + + +
              + + + + +

              Legacy Example (No implemented-component).

              +
              + + + + + + + + + + + + + + + + + + + + + + + +

              If no, explain why. If yes, omit remarks field.

              +
              +
              + + + + +

              If no, explain why. If yes, omit remarks field.

              +
              +
              + + +

              Optional, longer, formatted description.

              +
              +
              + + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

              This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

              +
              +
              + +

              COMMENTS: Additional information about this item.

              +
              +
              + + +

              Component Inventory Example

              +
              + + + + + + + + + + + + + + + + + +

              If no, explain why. If yes, omit remark.

              +
              +
              + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

              COMMENTS: If needed, provide additional information about this inventory item.

              +
              +
              + + +

              None.

              +
              + + + + + + + + + + +
              + + +

              None.

              +
              + + + + + + + + + +
              + + +

              None.

              +
              + + + + + + + + + +
              + + +

              None.

              +
              + + + + + + + + +

              Asset wasn't running at time of scan.

              +
              +
              + +
              + + +

              None.

              +
              + + + + + + + + + +
              + + +

              None.

              +
              + + + + + + + + +

              Asset wasn't running at time of scan.

              +
              +
              + +
              + + +

              Email-Service

              +
              + + + + + + + + + +
              + + + + + +

              Appendix A - FedRAMP SSP Rev5 Template

              +

              This description field is required by OSCAL.

              +

              FedRAMP does not require any specific information here.

              +
              + + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

              Describe how Part a is satisfied within the system.

              +

              Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

              +

              In this case, a link must be provided to the policy.

              +

              FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

              +
              + + + + +

              The specified component is the system itself.

              +

              Any control implementation response that can not be associated with another + component is associated with the component representing the system.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Identity + Management and Access Control Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              + +
              +
              + + + +

              There

              +
              + + + +

              Describe the plan to complete the implementation.

              +
              +
              +
              + + +

              Describe how this policy currently satisfies part a.

              +
              + + +

              Describe the plan for addressing the missing policy elements.

              +
              +
              + + +

              Identify what is currently missing from this policy.

              +
              +
              +
              +
              + + + +

              Describe how Part b-1 is satisfied.

              +
              + +
              +
              + + + +

              Describe how Part b-2 is satisfied.

              +
              + +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + +

              Describe any customer-configured requirements for satisfying this control.

              +
              +
              + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
              +
              + + + +

              Describe how AC-2, part a is satisfied within this system.

              +

              This points to the "This System" component, and is used any time a more + specific component reference is not available.

              +
              + + + +

              Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

              +
              +
              + + +

              Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

              +

              Not associated with inheritance, thus associated this with the + by-component for "this system".

              +
              + + 11111111-2222-4000-8000-004000000001 + +
              +
              +
              + + +

              For the portion of the control satisfied by the application component of this + system, describe how the control is met.

              +
              + + + +

              Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

              +

              In the context of the application component in satisfaction of AC-2, part + a.

              +
              + + 11111111-2222-4000-8000-004000000005 + +
              + + +

              Leveraging system's responsibilities with respect to inheriting this + capability from this application.

              +

              In the context of the application component in satisfaction of AC-2, part + a.

              +
              + + 11111111-2222-4000-8000-004000000005 + +
              +
              + +

              The component-uuid above points to the "this system" component.

              +

              Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

              +

              This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

              +

              While the "this system" component is not explicitly required within every + statement, it will typically be present.

              +
              +
              + + +

              For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

              +
              + + +

              Optional description.

              +

              Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

              +

              In the context of this component in satisfaction of AC-2, part a.

              +

              The provided-uuid links this to the same statement in the + leveraged system's SSP.

              +

              It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

              +
              +
              + + +

              Description of how the responsibility was satisfied.

              +

              The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

              +

              It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

              +

              Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

              +

              Tool developers should be mindful that

              +
              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              Describe how Part a is satisfied.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              Describe how Part b-1 is satisfied.

              +
              +
              +
              + + + +

              Describe how Part b-2 is satisfied.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              + +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              + +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              +
              +
              + + + + + + + 11111111-2222-4000-8000-004000000018 + + + + +

              Describe how the control is satisfied within the system.

              +

              DMARC is employed.

              +

              SPF is employed.

              +

              DKIM is employed.

              +
              + + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
              +
              +
              + + + + +

              Describe the plan to complete the implementation.

              +
              +
              + + + + + 11111111-2222-4000-8000-004000000011 + + + + +

              Describe how the control is satisfied within the system.

              +
              + + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
              +
              + + + +

              For the portion of the control satisfied by the service provider, describe + how the control is met.

              +
              +
              + + +

              Describe how this policy component satisfies part a.

              +

              Component approach. This links to a component representing the Policy.

              +

              That component contains a link to the policy, so it does not have to be linked + here too.

              +
              +
              + + +

              Describe how this procedure component satisfies part a.

              +

              Component approach. This links to a component representing the procedure.

              +

              That component contains a link to the procedure, so it does not have to be + linked here too.

              +
              +
              +
              +
              +
              + + + + + Signed System Security Plan + +

              SSP Signature

              +
              + + + + 00000000 + +

              The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

              +

              For now, the PMO recommends one of the following:

              +
                +
              • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
              • +
              • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
              • +
              +

              If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

              +
              +
              + + + FedRAMP Applicable Laws and Regulations + + + +

              Must be present in a FedRAMP SSP.

              +
              +
              + + + + Access Control Policy Title + +

              AC Policy document

              +
              + + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Awareness and Training Policy Title + +

              AT Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Audit and Accountability Policy Title + +

              AU Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Security Assessment and Authorization Policy Title + +

              CA Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Configuration Management Policy Title + +

              CM Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Contingency Planning Policy Title + +

              CP Policy document

              +
              + + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Identification and Authentication Policy Title + +

              IA Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Incident Response Policy Title + +

              IR Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Maintenance Policy Title + +

              MA Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Media Protection Policy Title + +

              MP Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Physical and Environmental Protection Policy Title + +

              PE Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Planning Policy Title + +

              PL Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Personnel Security Policy Title + +

              PS Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Risk Adjustment Policy Title + +

              RA Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Service Acquisition Policy Title + +

              SA Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Communications Protection Policy Title + +

              SC Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Information Integrity Policy Title + +

              SI Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Supply Chain Risk Policy Title + +

              SR Policy document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Policy Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + Access Control Procedure Title + +

              AC Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Awareness and Training Procedure Title + +

              AT Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Audit and Accountability Procedure Title + +

              AU Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Security Assessment and Authorization Procedure Title + +

              CA Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Configuration Management Procedure Title + +

              CM Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Contingency Planning Procedure Title + +

              CP Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Identification and Authentication Procedure Title + +

              IA Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Incident Response Procedure Title + +

              IR Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Maintenance Procedure Title + +

              MA Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Media Protection Procedure Title + +

              MP Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Physical and Environmental Protection Procedure Title + +

              PE Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Planning Procedure Title + +

              PL Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Personnel Security Procedure Title + +

              PS Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Risk Adjustment Procedure Title + +

              RA Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Service Acquisition Procedure Title + +

              SA Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Communications Protection Procedure Title + +

              SC Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + System and Information Integrity Procedure Title + +

              SI Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + Supply Chain Risk Procedure Title + +

              SR Procedure document

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + User's Guide + +

              User's Guide

              +
              + + + + + + +

              Table 12-1 Attachments: User's Guide Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + + + Document Title + +

              Rules of Behavior

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Rules of Behavior (ROB)

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + Document Title + +

              Contingency Plan (CP)

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Contingency Plan (CP) Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + Document Title + +

              Configuration Management (CM) Plan

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + Document Title + +

              Incident Response (IR) Plan

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Incident Response (IR) Plan Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

              A CSP-specific law citation

              +

              The "type" property must be present and contain the value "law".

              +
              + +
              + + + + + Document Title + +

              Continuous Monitoring Plan

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Continuous Monitoring Plan Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + Plan of Actions and Milestones (POAM) + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

              Supply Chain Risk Management Plan

              +
              + + + + + + 00000000 + +

              Table 12-1 Attachments: Procedure Attachment

              +

              May use rlink with a relative path, or embedded as + base64. +

              +
              +
              + + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

              FedRAMP Logo

              +
              + + + + 00000000 + +

              Must be present in a FedRAMP SSP.

              +
              +
              + + CSP Logo + +

              CSP Logo

              +
              + + 00000000 + +

              May use rlink with a relative path, or embedded as + base64. +

              +

              FedRAMP prefers base64 for images and diagrams.

              +

              Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

              +
              +
              + + 3PAO Logo + +

              3PAO Logo

              +
              + + 00000000 + +

              May use rlink with a relative path, or embedded as + base64. +

              +

              FedRAMP prefers base64 for images and diagrams.

              +

              Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

              +
              +
              + + + Boundary Diagram + +

              The primary authorization boundary diagram.

              +
              + + + 00000000 + +

              Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

              +

              This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

              +

              May use rlink with a relative path, or embedded as + base64. +

              +

              FedRAMP prefers base64 for images and diagrams.

              +

              Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

              +
              +
              + + Network Diagram + +

              The primary network diagram.

              +
              + + + + 00000000 + +

              Section 8.1, Figure 8-2 Network Diagram (graphic)

              +

              This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

              +

              May use rlink with a relative path, or embedded as + base64. +

              +

              FedRAMP prefers base64 for images and diagrams.

              +

              Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

              +
              +
              + + Data Flow Diagram + +

              The primary data flow diagram.

              +
              + + + 00000000 + +

              Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

              +

              This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

              +

              May use rlink with a relative path, or embedded as + base64. +

              +

              FedRAMP prefers base64 for images and diagrams.

              +

              Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

              +
              +
              + + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

              CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

              +
              +
              + + CSP Acronyms + + + +

              CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

              +
              +
              + + CSP Reference + + + +

              CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

              +
              +
              + + Separation of Duties Matrix + +

              Separation of Duties Matrix

              +
              + + + + + 00000000 + +

              May use rlink with a relative path, or embedded as base64. +

              +
              +
              + + + +
              + \ No newline at end of file diff --git a/src/validations/constraints/content/fedramp-tailoring-profile.xml b/src/validations/constraints/content/fedramp-tailoring-profile.xml index ac28635e8..b5301ab3f 100644 --- a/src/validations/constraints/content/fedramp-tailoring-profile.xml +++ b/src/validations/constraints/content/fedramp-tailoring-profile.xml @@ -20,7 +20,7 @@ - + diff --git a/src/validations/constraints/content/profile-all-INVALID.xml b/src/validations/constraints/content/profile-all-INVALID.xml index de6bfcbb9..5b5bc573a 100644 --- a/src/validations/constraints/content/profile-all-INVALID.xml +++ b/src/validations/constraints/content/profile-all-INVALID.xml @@ -16,8 +16,8 @@ - - + +
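Review bot: the Interconnection Security Agreement resource title near the end of the new SSP example's back-matter is misspelled ("Interconneciton Security Agreement (ISA)"); fix the spelling before this file becomes the reference fixture. Two further points in the same block: the remarks on the CSP-specific law citation contradict each other, one says the "type" property "must be present and contain the value "law"" while the later citation remark says the property's class is "law" and its value is "citation"; pick whichever the constraint actually checks and make both remarks say it. The Supply Chain Risk Management Plan resource is labelled "Table 12-1 Attachments: Procedure Attachment" where every sibling uses "Table 12-1 Attachments: <Plan Name> Attachment", so that remark looks copy-pasted. Every resource hash is the placeholder 00000000, which is fine for a structural fixture, but if any constraint checks the hash against the declared algorithm this file will not pass it. The file also ends without a trailing newline.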

              This is a test checking that profiles validation fails if more than one response point is specified for a given (control) part.

              diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 013f591e4..3e48725d9 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Authorizing Official @@ -178,11 +178,11 @@

              Remarks are required if service model is "other". Optional otherwise.

              - + - + fips-199-moderate @@ -262,9 +262,9 @@ GovCloud - - - + + + f0bc13a4-3303-47dd-80d3-380e159c8362 2015-01-01 @@ -277,8 +277,8 @@ System Administrator - - + + system-admin Admin @@ -308,8 +308,8 @@

              An external leveraged system.

              - - + +

              Some description of the authentication method.

              @@ -325,9 +325,9 @@

              Secure connection to an external API for data enrichment.

              - - - + + +

              Some description of the authentication method.

              @@ -350,9 +350,9 @@

              Briefly describe the external system.

              - - - + + +

              Some description of the authentication method.

              @@ -372,7 +372,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -390,7 +390,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -406,15 +406,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -422,14 +422,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -443,7 +443,7 @@

              Detailed access control policy document

              - + @@ -524,7 +524,7 @@

              Separation of Duties Matrix

              - + @@ -540,7 +540,7 @@

              Authorization Boundary Diagram

              - + @@ -555,7 +555,7 @@

              Network Architecture Diagram

              - + @@ -570,7 +570,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-attachment-type-INVALID.xml b/src/validations/constraints/content/ssp-attachment-type-INVALID.xml index d06c671c3..bc716ca85 100644 --- a/src/validations/constraints/content/ssp-attachment-type-INVALID.xml +++ b/src/validations/constraints/content/ssp-attachment-type-INVALID.xml @@ -5,7 +5,7 @@ uuid="12345678-1234-4321-8765-123456789012"> - + diff --git a/src/validations/constraints/content/ssp-authentication-method-has-remarks-INVALID.xml b/src/validations/constraints/content/ssp-authentication-method-has-remarks-INVALID.xml index 06b7b625d..678aa18b8 100644 --- a/src/validations/constraints/content/ssp-authentication-method-has-remarks-INVALID.xml +++ b/src/validations/constraints/content/ssp-authentication-method-has-remarks-INVALID.xml @@ -1,7 +1,7 @@ - + diff --git a/src/validations/constraints/content/ssp-authorization-type-INVALID.xml b/src/validations/constraints/content/ssp-authorization-type-INVALID.xml index dd2fab6b5..1cd5436ae 100644 --- a/src/validations/constraints/content/ssp-authorization-type-INVALID.xml +++ b/src/validations/constraints/content/ssp-authorization-type-INVALID.xml @@ -4,6 +4,6 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - + diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml index 41bba60e6..76c638f63 100644 --- a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml +++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml @@ -7,8 +7,8 @@ - - + 
diff --git a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml index 9777a0709..903819fa8 100644 --- a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml +++ b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml @@ -5,7 +5,7 @@ uuid="12345678-1234-4321-8765-123456789012"> - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml index f56852859..d3dda7a06 100644 --- a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml +++ b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml @@ -5,7 +5,7 @@ uuid="12345678-1234-4321-8765-123456789012"> - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-has-authenticator-assurance-level-INVALID.xml b/src/validations/constraints/content/ssp-has-authenticator-assurance-level-INVALID.xml index c44fa26ed..ee2130ab0 100644 --- a/src/validations/constraints/content/ssp-has-authenticator-assurance-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-authenticator-assurance-level-INVALID.xml @@ -4,6 +4,6 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - + diff --git a/src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml b/src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml index f2df4e7d7..45dc7b0ed 100644 --- a/src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml 
+++ b/src/validations/constraints/content/ssp-has-authorization-boundary-diagram-link-href-target-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -118,9 +118,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -203,8 +203,8 @@ System Administrator - - + + system-admin Admin @@ -234,8 +234,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -254,7 +254,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -269,15 +269,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -285,14 +285,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -306,7 +306,7 @@

              Detailed access control policy document

              - +
              @@ -387,7 +387,7 @@

              Separation of Duties Matrix

              - + @@ -403,7 +403,7 @@

              Authorization Boundary Diagram

              - + @@ -418,7 +418,7 @@

              Network Architecture Diagram

              - + @@ -433,7 +433,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-has-configuration-management-plan-INVALID.xml b/src/validations/constraints/content/ssp-has-configuration-management-plan-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-configuration-management-plan-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-configuration-management-plan-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - +
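Review bot: this file and seven other negative fixtures in the patch are byte-identical, as the shared blob index d134e7119..ab9d648ee shows (ssp-has-incident-response-plan-INVALID.xml, ssp-has-information-system-contingency-plan-INVALID.xml, ssp-has-rules-of-behavior-INVALID.xml, ssp-has-separation-of-duties-matrix-INVALID.xml, ssp-has-user-guide-INVALID.xml, ssp-resource-has-base64-or-rlink-INVALID.xml and ssp-resource-has-title-INVALID.xml); the same holds for the federation/identity-assurance-level pair (72e6dfad0..24c15bdec) and the interconnection-direction/security pair (1a9a7bc8c..987fe20b7). A single under-specified resource can legitimately violate all of these constraints at once, but keeping eight copies means every edit like this one has to be replicated eight times, and a fixture that is identical for "resource has title" and "has user guide" cannot show that each constraint fires for its own reason rather than incidentally. Consider pointing the test cases at one shared fixture, or making each INVALID file differ only in the element its constraint targets. Several of the small INVALID fixtures also end without a trailing newline (the "\ No newline at end of file" markers); worth fixing while they are being touched.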
              diff --git a/src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml b/src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml index e747c4e5d..eff7a0554 100644 --- a/src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml +++ b/src/validations/constraints/content/ssp-has-data-flow-diagram-link-href-target-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -118,9 +118,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -203,8 +203,8 @@ System Administrator - - + + system-admin Admin @@ -234,8 +234,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -254,7 +254,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -269,15 +269,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -285,14 +285,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -306,7 +306,7 @@

              Detailed access control policy document

              - + @@ -387,7 +387,7 @@

              Separation of Duties Matrix

              - + @@ -403,7 +403,7 @@

              Authorization Boundary Diagram

              - + @@ -418,7 +418,7 @@

              Network Architecture Diagram

              - + @@ -433,7 +433,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-has-federation-assurance-level-INVALID.xml b/src/validations/constraints/content/ssp-has-federation-assurance-level-INVALID.xml index 72e6dfad0..24c15bdec 100644 --- a/src/validations/constraints/content/ssp-has-federation-assurance-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-federation-assurance-level-INVALID.xml @@ -4,6 +4,6 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-has-identity-assurance-level-INVALID.xml b/src/validations/constraints/content/ssp-has-identity-assurance-level-INVALID.xml index 72e6dfad0..24c15bdec 100644 --- a/src/validations/constraints/content/ssp-has-identity-assurance-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-identity-assurance-level-INVALID.xml @@ -4,6 +4,6 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-has-incident-response-plan-INVALID.xml b/src/validations/constraints/content/ssp-has-incident-response-plan-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-incident-response-plan-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-incident-response-plan-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - +
              diff --git a/src/validations/constraints/content/ssp-has-information-system-contingency-plan-INVALID.xml b/src/validations/constraints/content/ssp-has-information-system-contingency-plan-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-information-system-contingency-plan-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-information-system-contingency-plan-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - + diff --git a/src/validations/constraints/content/ssp-has-inventory-items-INVALID.xml b/src/validations/constraints/content/ssp-has-inventory-items-INVALID.xml index e395ad924..ae3e4e5ac 100644 --- a/src/validations/constraints/content/ssp-has-inventory-items-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-inventory-items-INVALID.xml @@ -14,7 +14,7 @@ - + 11111111-0000-4000-9000-000000000001 diff --git a/src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml b/src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml index 4b144a341..610e48d88 100644 --- a/src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml +++ b/src/validations/constraints/content/ssp-has-network-architecture-diagram-link-href-target-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -118,9 +118,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -203,8 +203,8 @@ System Administrator - - + + system-admin Admin @@ -234,8 +234,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -254,7 +254,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -269,15 +269,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -285,14 +285,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -306,7 +306,7 @@

              Detailed access control policy document

              - + @@ -387,7 +387,7 @@

              Separation of Duties Matrix

              - + @@ -403,7 +403,7 @@

              Authorization Boundary Diagram

              - + @@ -418,7 +418,7 @@

              Network Architecture Diagram

              - + @@ -433,7 +433,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-has-rules-of-behavior-INVALID.xml b/src/validations/constraints/content/ssp-has-rules-of-behavior-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-rules-of-behavior-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-rules-of-behavior-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - +
              diff --git a/src/validations/constraints/content/ssp-has-separation-of-duties-matrix-INVALID.xml b/src/validations/constraints/content/ssp-has-separation-of-duties-matrix-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-separation-of-duties-matrix-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-separation-of-duties-matrix-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - + diff --git a/src/validations/constraints/content/ssp-has-user-guide-INVALID.xml b/src/validations/constraints/content/ssp-has-user-guide-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-has-user-guide-INVALID.xml +++ b/src/validations/constraints/content/ssp-has-user-guide-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - + diff --git a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-1.xml b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-1.xml index fcf746648..02f2ada98 100644 --- a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-1.xml +++ b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -76,9 +76,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -175,8 +175,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -195,7 +195,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -210,15 +210,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -226,14 +226,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -247,7 +247,7 @@

              Detailed access control policy document

              - + @@ -328,7 +328,7 @@

              Separation of Duties Matrix

              - + @@ -344,7 +344,7 @@

              Authorization Boundary Diagram

              - + @@ -359,7 +359,7 @@

              Network Architecture Diagram

              - + @@ -374,7 +374,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-2.xml b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-2.xml index c423b81e2..a1d753c7a 100644 --- a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-2.xml +++ b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-2.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -76,9 +76,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -175,8 +175,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -195,7 +195,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -210,15 +210,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -226,14 +226,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -247,7 +247,7 @@

              Detailed access control policy document

              - +
              @@ -255,7 +255,7 @@

              Profile to be imported

              - +
              @@ -336,7 +336,7 @@

              Separation of Duties Matrix

              - + @@ -352,7 +352,7 @@

              Authorization Boundary Diagram

              - + @@ -367,7 +367,7 @@

              Network Architecture Diagram

              - + @@ -382,7 +382,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-3.xml b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-3.xml index b658e6310..481190f47 100644 --- a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-3.xml +++ b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-VALID-3.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Document Creator @@ -76,9 +76,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -175,8 +175,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -195,7 +195,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -210,15 +210,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -226,14 +226,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -247,7 +247,7 @@

              Detailed access control policy document

              - +
              @@ -255,7 +255,7 @@

              Profile to be imported

              - +
              @@ -336,7 +336,7 @@

              Separation of Duties Matrix

              - + @@ -352,7 +352,7 @@

              Authorization Boundary Diagram

              - + @@ -367,7 +367,7 @@

              Network Architecture Diagram

              - + @@ -382,7 +382,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-interconnection-direction-INVALID.xml b/src/validations/constraints/content/ssp-interconnection-direction-INVALID.xml index 1a9a7bc8c..987fe20b7 100644 --- a/src/validations/constraints/content/ssp-interconnection-direction-INVALID.xml +++ b/src/validations/constraints/content/ssp-interconnection-direction-INVALID.xml @@ -9,8 +9,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 diff --git a/src/validations/constraints/content/ssp-interconnection-security-INVALID.xml b/src/validations/constraints/content/ssp-interconnection-security-INVALID.xml index 1a9a7bc8c..987fe20b7 100644 --- a/src/validations/constraints/content/ssp-interconnection-security-INVALID.xml +++ b/src/validations/constraints/content/ssp-interconnection-security-INVALID.xml @@ -9,8 +9,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml index 13bf1f266..e8f9caa20 100644 --- a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml @@ -4,7 +4,7 @@ - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml index f3c9ec506..d5b67b751 100644 --- a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml +++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Authorizing Official @@ -178,11 +178,11 @@

              Remarks are required if service model is "other". Optional otherwise.

              - + - + fips-199-moderate @@ -261,17 +261,17 @@ GovCloud - - - + + + f0bc13a4-3303-47dd-80d3-380e159c8362 2020-01-01 System Administrator - - + + system-admin Admin @@ -301,8 +301,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -321,7 +321,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -339,7 +339,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -355,15 +355,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -371,14 +371,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -392,7 +392,7 @@

              Detailed access control policy document

              - + @@ -473,7 +473,7 @@

              Separation of Duties Matrix

              - + @@ -489,7 +489,7 @@

              Authorization Boundary Diagram

              - + @@ -504,7 +504,7 @@

              Network Architecture Diagram

              - + @@ -519,7 +519,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-nature-of-agreement-INVALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-nature-of-agreement-INVALID.xml index 560d3183d..96ce1e1a3 100644 --- a/src/validations/constraints/content/ssp-leveraged-authorization-nature-of-agreement-INVALID.xml +++ b/src/validations/constraints/content/ssp-leveraged-authorization-nature-of-agreement-INVALID.xml @@ -11,7 +11,7 @@

              An external leveraged system.

              - +
              diff --git a/src/validations/constraints/content/ssp-missing-response-components-INVALID.xml b/src/validations/constraints/content/ssp-missing-response-components-INVALID.xml index 9af07aea0..805e44bb2 100644 --- a/src/validations/constraints/content/ssp-missing-response-components-INVALID.xml +++ b/src/validations/constraints/content/ssp-missing-response-components-INVALID.xml @@ -8,14 +8,14 @@

              Implementation of controls for the Enhanced Example System

              - - + + - + diff --git a/src/validations/constraints/content/ssp-privilege-level-INVALID.xml b/src/validations/constraints/content/ssp-privilege-level-INVALID.xml index dcd963ded..84120558b 100644 --- a/src/validations/constraints/content/ssp-privilege-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-privilege-level-INVALID.xml @@ -5,7 +5,7 @@ uuid="12345678-1234-4321-8765-123456789012"> - + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-profile-response-point-INVALID.xml b/src/validations/constraints/content/ssp-profile-response-point-INVALID.xml index b4839d067..d83e672c0 100644 --- a/src/validations/constraints/content/ssp-profile-response-point-INVALID.xml +++ b/src/validations/constraints/content/ssp-profile-response-point-INVALID.xml @@ -93,8 +93,8 @@ - - + + diff --git a/src/validations/constraints/content/ssp-resource-has-base64-or-rlink-INVALID.xml b/src/validations/constraints/content/ssp-resource-has-base64-or-rlink-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-resource-has-base64-or-rlink-INVALID.xml +++ b/src/validations/constraints/content/ssp-resource-has-base64-or-rlink-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - + diff --git a/src/validations/constraints/content/ssp-resource-has-title-INVALID.xml b/src/validations/constraints/content/ssp-resource-has-title-INVALID.xml index d134e7119..ab9d648ee 100644 --- a/src/validations/constraints/content/ssp-resource-has-title-INVALID.xml +++ b/src/validations/constraints/content/ssp-resource-has-title-INVALID.xml @@ -8,7 +8,7 @@

              Detailed access control policy document

              - + diff --git a/src/validations/constraints/content/ssp-responsible-party-is-person-INVALID.xml b/src/validations/constraints/content/ssp-responsible-party-is-person-INVALID.xml index 321c778df..77558dca9 100644 --- a/src/validations/constraints/content/ssp-responsible-party-is-person-INVALID.xml +++ b/src/validations/constraints/content/ssp-responsible-party-is-person-INVALID.xml @@ -45,7 +45,7 @@
              US
              - + Example Organization diff --git a/src/validations/constraints/content/ssp-responsible-party-prepared-by-location-valid-VALID-1.xml b/src/validations/constraints/content/ssp-responsible-party-prepared-by-location-valid-VALID-1.xml index deffeb3d5..cbdb9aa0b 100644 --- a/src/validations/constraints/content/ssp-responsible-party-prepared-by-location-valid-VALID-1.xml +++ b/src/validations/constraints/content/ssp-responsible-party-prepared-by-location-valid-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Prepared By @@ -142,9 +142,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -227,8 +227,8 @@ System Administrator - - + + system-admin Admin @@ -258,8 +258,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -278,7 +278,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -293,15 +293,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -309,14 +309,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -330,7 +330,7 @@

              Detailed access control policy document

              - + @@ -411,7 +411,7 @@

              Separation of Duties Matrix

              - + @@ -427,7 +427,7 @@

              Authorization Boundary Diagram

              - + @@ -442,7 +442,7 @@

              Network Architecture Diagram

              - + @@ -457,7 +457,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-responsible-party-prepared-for-location-valid-VALID-1.xml b/src/validations/constraints/content/ssp-responsible-party-prepared-for-location-valid-VALID-1.xml index 2cbfddbc6..ec321dfc2 100644 --- a/src/validations/constraints/content/ssp-responsible-party-prepared-for-location-valid-VALID-1.xml +++ b/src/validations/constraints/content/ssp-responsible-party-prepared-for-location-valid-VALID-1.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + Prepared For @@ -138,9 +138,9 @@

              This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

              - - - + + + @@ -223,8 +223,8 @@ System Administrator - - + + system-admin Admin @@ -254,8 +254,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -274,7 +274,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -289,15 +289,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -305,14 +305,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -326,7 +326,7 @@

              Detailed access control policy document

              - +
              @@ -407,7 +407,7 @@

              Separation of Duties Matrix

              - + @@ -423,7 +423,7 @@

              Authorization Boundary Diagram

              - + @@ -438,7 +438,7 @@

              Network Architecture Diagram

              - + @@ -453,7 +453,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-saas-has-leveraged-authorization-VALID.xml b/src/validations/constraints/content/ssp-saas-has-leveraged-authorization-VALID.xml index d501f09d9..072ec3217 100644 --- a/src/validations/constraints/content/ssp-saas-has-leveraged-authorization-VALID.xml +++ b/src/validations/constraints/content/ssp-saas-has-leveraged-authorization-VALID.xml @@ -10,7 +10,7 @@ 1.1 1.1.2 SSP-2024-002 - + @@ -173,11 +173,11 @@

              Remarks are required if service model is "other". Optional otherwise.

              - + - + fips-199-moderate @@ -272,8 +272,8 @@ System Administrator - - + + system-admin Admin @@ -303,8 +303,8 @@

              Secure connection to an external API for data enrichment.

              - - + + 11111111-0000-4000-9000-000000000001 @@ -323,7 +323,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -341,7 +341,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -357,15 +357,15 @@

              Implementation of controls for the Enhanced Example System

              - - + +

              Access Control Policy and Procedures (AC-1) is fully implemented in our system.

              - + 11111111-0000-4000-9000-000000000001 @@ -373,14 +373,14 @@
              - +

              Information System Component Inventory (CM-8) is partially implemented.

              - + 11111111-0000-4000-9000-000000000001 @@ -394,7 +394,7 @@

              Detailed access control policy document

              - + @@ -475,7 +475,7 @@

              Separation of Duties Matrix

              - + @@ -491,7 +491,7 @@

              Authorization Boundary Diagram

              - + @@ -506,7 +506,7 @@

              Network Architecture Diagram

              - + @@ -521,7 +521,7 @@

              Data flow Diagram

              - + diff --git a/src/validations/constraints/content/ssp-scan-type-INVALID.xml b/src/validations/constraints/content/ssp-scan-type-INVALID.xml index 4e64d0cbf..4c6c62b54 100644 --- a/src/validations/constraints/content/ssp-scan-type-INVALID.xml +++ b/src/validations/constraints/content/ssp-scan-type-INVALID.xml @@ -5,7 +5,7 @@ uuid="12345678-1234-4321-8765-123456789012"> - + diff --git a/src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml b/src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml index 5460bc49d..06768b340 100644 --- a/src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml +++ b/src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml @@ -9,7 +9,7 @@ - + 11111111-0000-4000-9000-000000000001 @@ -26,7 +26,7 @@ - + 11111111-0000-4000-9000-000000000001 diff --git a/src/validations/constraints/content/ssp-user-authentication-INVALID.xml b/src/validations/constraints/content/ssp-user-authentication-INVALID.xml index 2f95792f2..beddedf80 100644 --- a/src/validations/constraints/content/ssp-user-authentication-INVALID.xml +++ b/src/validations/constraints/content/ssp-user-authentication-INVALID.xml @@ -7,8 +7,8 @@ - - + +

              If 'yes', describe the authentication method.

              If 'no', explain why no authentication is used.

              @@ -24,8 +24,8 @@ - - + +

              If 'yes', describe the authentication method.

              If 'no', explain why no authentication is used.

              @@ -36,9 +36,9 @@ - - - + + +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              @@ -54,7 +54,7 @@ - +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              @@ -70,7 +70,7 @@ - +

              If 'yes', describe the authentication method in the remarks.

              If 'no', explain why no authentication is used in the remarks.

              diff --git a/src/validations/constraints/content/ssp-user-privilege-level-INVALID.xml b/src/validations/constraints/content/ssp-user-privilege-level-INVALID.xml index 695e56111..d7b35a773 100644 --- a/src/validations/constraints/content/ssp-user-privilege-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-user-privilege-level-INVALID.xml @@ -2,7 +2,7 @@ - + diff --git a/src/validations/constraints/content/ssp-user-sensitivity-level-INVALID.xml b/src/validations/constraints/content/ssp-user-sensitivity-level-INVALID.xml index a1e2b8801..6332bfb15 100644 --- a/src/validations/constraints/content/ssp-user-sensitivity-level-INVALID.xml +++ b/src/validations/constraints/content/ssp-user-sensitivity-level-INVALID.xml @@ -2,7 +2,7 @@ - + diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index c18cbda0a..1ea1c6cf2 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -30,7 +30,7 @@ Controlled Unclassified Information - + Attachment Type Identifies the type of attachment. Law or Statute @@ -71,7 +71,7 @@
              - + Authorization Type The FedRAMP Authorization Type FedRAMP JAB P-ATO @@ -127,7 +127,7 @@ Other - + Nature of Agreement for External Systems Identifies nature of agreement for external systems. @@ -140,7 +140,7 @@ A service-level agreement between the CSP and the organization that owns the external system. - + FedRAMP Version Identifies the FedRAMP version of the document. FedRAMP Version @@ -326,7 +326,7 @@ NIST SP 800-60 Volume 2 Revision 1 - + Interconnection Direction Identifies the direction of information flow for the interconnection. Incoming @@ -334,7 +334,7 @@ Bi-Directional - + Interconnection Security Identifies the type of security applied to the interconnection. IPsec @@ -367,7 +367,7 @@ No - + Nature of Agreement for Leveraged Authorizations Identifies nature of agreement for leveraged authorizations. @@ -379,7 +379,7 @@ A service-level agreement between the CSP and the organization that owns the leveraged system. - + Privilege Level The privilege level of the user. @@ -389,7 +389,7 @@ No Access - + Scan Type Identifies the type of scan. Infrastructure and Operating System Scan @@ -398,7 +398,7 @@ Other - + User Authentication Identifies if user authentication is required. diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index dccb08d94..89583db06 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -30,7 +30,7 @@ - + Prop Response Point Has Cardinality One MUST NOT have Duplicate response point at '{ path(.) }'. @@ -57,7 +57,7 @@ else if (system-characteristics/security-sensitivity-level = 'fips-199-moderate') then ('fips-199-moderate', 'fips-199-high') else ('fips-199-low', 'fips-199-moderate', 'fips-199-high')"/> - + Component Has Authentication Method A FedRAMP SSP MUST include at least one authentication method for each leveraged system. 
@@ -87,7 +87,7 @@ A FedRAMP SSP MUST import a profile or catalog with a valid file or HTTP(S) address. - + Import Profile resolves to Fedramp content A FedRAMP SSP MUST import a profile or catalog of security controls to reference implemented requirements against those control(s). @@ -95,7 +95,7 @@

              A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.

              - + Leveraged Authorization Has Valid Impact Level A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization. @@ -287,12 +287,12 @@ A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact. - + Fully Operational Date Is Valid A system MUST be fully implemented prior to submitting the SSP to FedRAMP. - + Fully Operational Date Type A FedRAMP SSP MUST specify the system's fully operational data as a "full-date" per RFC3339 with the addition of a timezone. @@ -405,7 +405,7 @@ A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL). - + Fully Operational Date A FedRAMP SSP MUST define the system's fully operational date. @@ -501,7 +501,7 @@ - + Authentication Method Has Remarks Each authentication method in a FedRAMP SSP MUST have a remarks field. @@ -511,17 +511,17 @@ A FedRAMP SSP system implementation section MUST have at least two inventory items. - + Leveraged Authorization Has Authorization Type A FedRAMP SSP MUST define exactly one authorization type for each leveraged authorization entry. - + Leveraged Authorization Has Impact Level A FedRAMP SSP MUST define exactly one impact level for each leveraged authorization entry. - + Leveraged Authorization Has System Identifier A FedRAMP SSP MUST define exactly one system identifier for each leveraged authorization entry. @@ -541,7 +541,7 @@ - + Fedramp Version A FedRAMP document's metadata MUST define a valid FedRAMP version. diff --git a/src/validations/styleguides/STYLE.md b/src/validations/styleguides/STYLE.md index 44921b10a..9943d5ef3 100644 --- a/src/validations/styleguides/STYLE.md +++ b/src/validations/styleguides/STYLE.md @@ -174,7 +174,7 @@ Below is a conformant example. - + Duplicate response point at '{ path(.) }'. @@ -226,7 +226,7 @@ Below is a non-conformant example. --> - + Duplicate response point at '{ path(.) }'. 
@@ -398,7 +398,7 @@ Below is a conformant example. - + Duplicate response point at '{ path(.) }'. @@ -419,7 +419,7 @@ Below is a non-conformant example. - + Duplicate response point at '{ path(.) }'. @@ -514,7 +514,7 @@ Below is a conformant example. - + Duplicate response point at '{ path(.) }'. @@ -535,7 +535,7 @@ Below is a non-conformant example. - + Duplicate response point at '{ path(.) }'. @@ -590,7 +590,7 @@ Below is a non-conformant example. - + Duplicate response point at '{ path(.) }'.
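Review bot: In the fedramp-external-constraints.xml hunk at `@@ -287,12 +287,12 @@`, the "Fully Operational Date Type" constraint's description reads "MUST specify the system's fully operational data as a "full-date" per RFC3339"; "data" looks like a typo for "date", and since this text is what an SSP author sees when the constraint fires, it is worth correcting in this same change rather than leaving the user-facing message wrong.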
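Review bot: The constraint titles touched in fedramp-external-constraints.xml are inconsistent in product-name casing: "Import Profile resolves to Fedramp content" (hunk `@@ -87,7 +87,7 @@`) and "Fedramp Version" (hunk `@@ -541,7 +541,7 @@`) use "Fedramp", while every surrounding title and message uses "FedRAMP". Suggest normalising both to "FedRAMP" (and capitalising "Resolves" in the first title to match the Title Case of neighbouring constraints such as "Leveraged Authorization Has Valid Impact Level") while these lines are already being edited.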