From 09294df6055d4463278a23658e05b179911abbd3 Mon Sep 17 00:00:00 2001 
From: jpower432 Date: Fri, 27 Oct 2023 14:58:26 +0000 Subject: [PATCH 1/3] adds my-comp component to example component definition [skip ci] --- .../example/component-definition.json | 468 ++++++++++++++++-- .../my-comp/fedramp_rev5_high/ac/ac-1.md | 99 ++++ .../my-comp/fedramp_rev5_high/ac/ac-2.md | 144 ++++++ .../my-comp/fedramp_rev5_high/ac/ac-3.md | 43 ++ .../my-comp/fedramp_rev5_high/ac/ac-4.md | 47 ++ .../my-comp/fedramp_rev5_high/ac/ac-6.md | 43 ++ .../my-comp/fedramp_rev5_high/au/au-2.md | 77 +++ .../my-comp/fedramp_rev5_high/au/au-3.md | 65 +++ .../my-comp/fedramp_rev5_high/cm/cm-6.md | 77 +++ .../my-comp/fedramp_rev5_high/cm/cm-7.md | 65 +++ .../my-comp/fedramp_rev5_high/cm/cm-8.md | 68 +++ .../my-comp/fedramp_rev5_high/ia/ia-2.md | 56 +++ .../my-comp/fedramp_rev5_high/ia/ia-3.md | 46 ++ .../my-comp/fedramp_rev5_high/ia/ia-4.md | 60 +++ .../my-comp/fedramp_rev5_high/sc/sc-5.md | 51 ++ .../my-comp/fedramp_rev5_high/sc/sc-7.md | 61 +++ .../my-comp/fedramp_rev5_high/sc/sc-8.md | 98 ++++ .../my-comp/fedramp_rev5_high/si/si-2.md | 71 +++ .../my-comp/fedramp_rev5_high/si/si-3.md | 82 +++ .../my-comp/fedramp_rev5_high/si/si-4.md | 98 ++++ rules/example/my-comp/rule-ac-1.yaml | 12 + rules/example/my-comp/rule-ac-2.yaml | 12 + rules/example/my-comp/rule-ac-3.yaml | 12 + rules/example/my-comp/rule-ac-4.yaml | 12 + rules/example/my-comp/rule-ac-6.yaml | 12 + rules/example/my-comp/rule-au-2.yaml | 12 + rules/example/my-comp/rule-au-3.yaml | 12 + rules/example/my-comp/rule-cm-6.yaml | 12 + rules/example/my-comp/rule-cm-7.yaml | 12 + rules/example/my-comp/rule-cm-8.yaml | 12 + rules/example/my-comp/rule-ia-2.yaml | 12 + rules/example/my-comp/rule-ia-3.yaml | 12 + rules/example/my-comp/rule-ia-4.yaml | 12 + rules/example/my-comp/rule-sc-5.yaml | 12 + rules/example/my-comp/rule-sc-7.yaml | 12 + rules/example/my-comp/rule-sc-8.yaml | 12 + rules/example/my-comp/rule-si-2.yaml | 12 + rules/example/my-comp/rule-si-3.yaml | 12 + rules/example/my-comp/rule-si-4.yaml | 12 + 39 
files changed, 2014 insertions(+), 33 deletions(-) create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-1.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-2.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-3.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-4.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-6.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/au/au-2.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/au/au-3.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-6.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-7.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-8.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-2.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-3.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-4.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-5.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-7.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-8.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/si/si-2.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/si/si-3.md create mode 100644 markdown/components/example/my-comp/fedramp_rev5_high/si/si-4.md create mode 100644 rules/example/my-comp/rule-ac-1.yaml create mode 100644 rules/example/my-comp/rule-ac-2.yaml create mode 100644 rules/example/my-comp/rule-ac-3.yaml create mode 100644 rules/example/my-comp/rule-ac-4.yaml create mode 100644 rules/example/my-comp/rule-ac-6.yaml create mode 100644 rules/example/my-comp/rule-au-2.yaml create mode 
100644 rules/example/my-comp/rule-au-3.yaml create mode 100644 rules/example/my-comp/rule-cm-6.yaml create mode 100644 rules/example/my-comp/rule-cm-7.yaml create mode 100644 rules/example/my-comp/rule-cm-8.yaml create mode 100644 rules/example/my-comp/rule-ia-2.yaml create mode 100644 rules/example/my-comp/rule-ia-3.yaml create mode 100644 rules/example/my-comp/rule-ia-4.yaml create mode 100644 rules/example/my-comp/rule-sc-5.yaml create mode 100644 rules/example/my-comp/rule-sc-7.yaml create mode 100644 rules/example/my-comp/rule-sc-8.yaml create mode 100644 rules/example/my-comp/rule-si-2.yaml create mode 100644 rules/example/my-comp/rule-si-3.yaml create mode 100644 rules/example/my-comp/rule-si-4.yaml
diff --git a/component-definitions/example/component-definition.json b/component-definitions/example/component-definition.json
index b589c49..36eeea5 100644
--- a/component-definitions/example/component-definition.json
+++ b/component-definitions/example/component-definition.json
@@ -1,77 +1,479 @@ { "component-definition": { - "uuid": "86378b1f-7ba6-4cac-bdd4-3b52b13f5132", + "uuid": "19fd6f22-8055-4c2a-8bfb-726d1a29a5a4", "metadata": { "title": "Component definition for example", - "last-modified": "2023-10-13T14:07:08.049847+00:00", + "last-modified": "2023-10-27T14:58:23+00:00", "version": "1.0", "oscal-version": "1.0.4" }, "components": [ { - "uuid": "5752e82b-8d71-4d35-898c-e8aa5c474ed7", + "uuid": "120b2197-66ba-45f4-a7ec-ff8a9c7baf80", "type": "service", - "title": "Example", - "description": "Example Application", + "title": "my-comp", + "description": "My testing comp", "props": [ { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "Test-rule_001", - "remarks": "rule_set_0" + "value": "rule-si-3", + "remarks": "rule_set_00" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "Ensure all of the services are running these tests", - "remarks": "rule_set_0" + "value": "Rule for si-3", + "remarks": "rule_set_00" }, { - "name": "Parameter_Id", + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-si-4", + "remarks": "rule_set_01" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for si-4", + "remarks": "rule_set_01" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-au-3", + "remarks": "rule_set_02" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for au-3", + "remarks": "rule_set_02" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-si-2", + "remarks": "rule_set_03" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for si-2", + "remarks": "rule_set_03" 
+ }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-3", + "remarks": "rule_set_04" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ac-3", + "remarks": "rule_set_04" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ia-2", + "remarks": "rule_set_05" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ia-2", + "remarks": "rule_set_05" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-6", + "remarks": "rule_set_06" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for cm-6", + "remarks": "rule_set_06" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-7", + "remarks": "rule_set_07" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for sc-7", + "remarks": "rule_set_07" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-au-2", + "remarks": "rule_set_08" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for au-2", + "remarks": "rule_set_08" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-8", + "remarks": "rule_set_09" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for cm-8", + "remarks": "rule_set_09" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-2", + "remarks": "rule_set_10" + }, + { + 
"name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ac-2", + "remarks": "rule_set_10" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-4", + "remarks": "rule_set_11" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ac-4", + "remarks": "rule_set_11" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-1", + "remarks": "rule_set_12" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ac-1", + "remarks": "rule_set_12" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-5", + "remarks": "rule_set_13" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for sc-5", + "remarks": "rule_set_13" + }, + { + "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "prm_1", - "remarks": "rule_set_0" + "value": "rule-ia-4", + "remarks": "rule_set_14" }, { - "name": "Parameter_Description", + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ia-4", + "remarks": "rule_set_14" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-7", + "remarks": "rule_set_15" + }, + { + "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "prm_1 description", - "remarks": "rule_set_0" + "value": "Rule for cm-7", + "remarks": "rule_set_15" }, { - "name": "Parameter_Value_Alternatives", + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-8", + "remarks": "rule_set_16" 
+ }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for sc-8", + "remarks": "rule_set_16" + }, + { + "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "{'default': '5%', '5pc': '5%', '10pc': '10%', '15pc': '15%', '20pc': '20%'}", - "remarks": "rule_set_0" + "value": "rule-ac-6", + "remarks": "rule_set_17" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ac-6", + "remarks": "rule_set_17" + }, + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ia-3", + "remarks": "rule_set_18" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Rule for ia-3", + "remarks": "rule_set_18" } ], "control-implementations": [ { - "uuid": "95f1cd02-e507-44b7-9ef7-22c5b4c557ad", - "source": "profiles/fedramp_rev5_high/profile.json", - "description": "FedRAMP REV5 High Baseline", - "set-parameters": [ + "uuid": "5fb2eafa-dbe4-4bf4-b184-5307453c760d", + "source": "trestle://profiles/fedramp_rev5_high/profile.json", + "description": "FedRAMP Rev 5 High Baseline", + "implemented-requirements": [ { - "param-id": "prm_1", - "values": [ - "5%" + "uuid": "a670037c-d4ed-4bf1-80f1-aeaf8c83cc75", + "control-id": "si-3", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-si-3" + } ] - } - ], - "implemented-requirements": [ + }, + { + "uuid": "9457a281-579b-4f7d-bee3-8a60c1758ff6", + "control-id": "si-4", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-si-4" + } + ] + }, + { + "uuid": "b4235539-ff3d-4b2f-925e-358ad35a8a80", + "control-id": "au-3", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-au-3" + } + ] + }, + { + "uuid": "e2be35f8-00d6-4dcf-9fde-4553a319315c", + "control-id": "si-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-si-2" + } + ] + }, + { + "uuid": "72d4f078-0834-4ff6-ac52-85ab8a784d48", + "control-id": "ac-3", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-3" + } + ] + }, + { + "uuid": "e4b9e677-687a-4f08-a7df-8548be5318a5", + "control-id": "ia-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ia-2" + } + ] + }, { - "uuid": "ae9abfdf-ac4a-4dcb-bf53-ca91e3b86971", + "uuid": "58b07481-a673-41f3-b217-bb306740a248", + "control-id": "cm-6", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-6" + } + ] + }, + { + "uuid": "e3f26e4d-9d3e-40ec-bf9c-7dc3d341f71d", + "control-id": "sc-7", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-7" + } + ] + }, + { + "uuid": "ebddfffd-7ed6-49a9-a370-435abcf4b20e", + "control-id": "au-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-au-2" + } + ] + }, + { + "uuid": "2f20f934-97cf-4388-a115-27f71a080cb7", + "control-id": "cm-8", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-8" + } + ] + }, + { + "uuid": "6601dc26-edb8-4da5-8255-cad1b2db9d4f", + "control-id": "ac-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-2" + } + ] + }, + { + "uuid": "deb72bd5-a180-4273-a08a-9809cdf3e295", + "control-id": "ac-4", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-4" + } + ] + }, + { + "uuid": "78131b04-256f-4386-ab62-e1ef33df14a2", "control-id": "ac-1", "description": "", "props": [ { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", - "value": "Test-rule_001" - }, + "value": "rule-ac-1" + } + ] + }, + { + "uuid": "825811c0-67cd-47d7-a85a-5bf4e0945a91", + "control-id": "sc-5", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-5" + } + ] + }, + { + "uuid": "e04b1906-9db4-44d3-9b6d-1cda41b1dfe7", + "control-id": "ia-4", + "description": "", + "props": [ { - "name": "implementation-status", - "value": "planned" + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ia-4" + } + ] + }, + { + "uuid": "1684c6ee-43bf-4506-8aaf-a91da7150482", + "control-id": "cm-7", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-cm-7" + } + ] + }, + { + "uuid": "9a85a2a8-2339-44aa-8b17-0fbd0002ca6e", + "control-id": "sc-8", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-sc-8" + } + ] + }, + { + "uuid": "207421b6-56c1-4444-a404-e1ef8a4e1f6e", + "control-id": "ac-6", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "rule-ac-6" + } + ] + }, + { + "uuid": "9d0e270e-e0cd-4900-889b-7e06469073a0", + "control-id": "ia-3", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal",
+ "value": "rule-ia-3"
} ] }
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-1.md b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-1.md
new file mode 100644
index 0000000..e6de234
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-1.md
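Review bot: Each of the 19 new `implemented-requirements` entries (si-3 through ia-3) has `"description": ""` and only a `Rule_Id` prop, and the old ac-1 entry's `{ "name": "implementation-status", "value": "planned" }` prop is dropped, so the component definition no longer records an implementation status or narrative for any control it claims a rule for. The generated markdown reports `Implementation Status: planned` for every control, which therefore looks like a tool default rather than a value stored in this file; a consumer that derives status from the JSON itself (an SSP assembled from it, say) may apply a different default. I would keep the status explicit by adding `{ "name": "implementation-status", "value": "planned" }` to each requirement's `props`, and note that the rule sets carry only `Rule_Id`/`Rule_Description` with no `Check_Id`, so nothing can assess them yet. The subject's `[skip ci]` suggests the usual validation of this artifact did not run for this commit, so `trestle validate` on the regenerated definition should be run before merge. Also, rather than adding `my-comp` alongside the existing component as the subject says, the hunk rewrites the `Example` component in place with a new uuid (`5752e82b…` to `120b2197…`), so any SSP `by-components` entry that referenced the old uuid would now dangle.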
@@ -0,0 +1,99 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ac-1 + description: Rule for ac-1 +x-trestle-param-values: + ac-1_prm_1: + ac-01_odp.01: + ac-01_odp.02: + ac-01_odp.03: + ac-01_odp.04: + ac-01_odp.05: + ac-01_odp.06: + ac-01_odp.07: + ac-01_odp.08: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ac-01 +--- + +# ac-1 - \[Access Control\] Policy and Procedures + +## Control Statement + +- \[a.\] Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}: + + - \[1.\] {{ insert: param, ac-01_odp.03 }} access control policy that: + + - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + + - \[2.\] Procedures to facilitate the implementation of the access control policy and the associated access controls; + +- \[b.\] Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and + +- \[c.\] Review and update the current access control: + + - \[1.\] Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and + - \[2.\] Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}. 
+ +## Control Assessment Objective + +- \[AC-01a.\] + + - \[AC-01a.[01]\] an access control policy is developed and documented; + - \[AC-01a.[02]\] the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }}; + - \[AC-01a.[03]\] access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented; + - \[AC-01a.[04]\] the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }}; + - \[AC-01a.01\] + + - \[AC-01a.01(a)\] + + - \[AC-01a.01(a)[01]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose; + - \[AC-01a.01(a)[02]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope; + - \[AC-01a.01(a)[03]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles; + - \[AC-01a.01(a)[04]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities; + - \[AC-01a.01(a)[05]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment; + - \[AC-01a.01(a)[06]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities; + - \[AC-01a.01(a)[07]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance; + + - \[AC-01a.01(b)\] the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; + +- \[AC-01b.\] the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures; + +- \[AC-01c.\] + + - \[AC-01c.01\] + + - \[AC-01c.01[01]\] the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }}; + - \[AC-01c.01[02]\] the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }}; + + - \[AC-01c.02\] + + 
- \[AC-01c.02[01]\] the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }}; + - \[AC-01c.02[02]\] the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}. + +## Control guidance + +Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. + +______________________________________________________________________ + +## What is the solution and how is it implemented? 
+ + + + + + + +### Rules: + + - rule-ac-1 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-2.md b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-2.md new file mode 100644 index 0000000..60c0879 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-2.md 
@@ -0,0 +1,144 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ac-2 + description: Rule for ac-2 +x-trestle-param-values: + ac-02_odp.01: + ac-02_odp.02: + ac-02_odp.03: + ac-02_odp.04: + ac-02_odp.05: + ac-02_odp.06: + ac-02_odp.07: + ac-02_odp.08: + ac-02_odp.09: + ac-02_odp.10: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ac-02 +--- + +# ac-2 - \[Access Control\] Account Management + +## Control Statement + +- \[a.\] Define and document the types of accounts allowed and specifically prohibited for use within the system; + +- \[b.\] Assign account managers; + +- \[c.\] Require {{ insert: param, ac-02_odp.01 }} for group and role membership; + +- \[d.\] Specify: + + - \[1.\] Authorized users of the system; + - \[2.\] Group and role membership; and + - \[3.\] Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account; + +- \[e.\] Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts; + +- \[f.\] Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }}; + +- \[g.\] Monitor the use of accounts; + +- \[h.\] Notify account managers and {{ insert: param, ac-02_odp.05 }} within: + + - \[1.\] {{ insert: param, ac-02_odp.06 }} when accounts are no longer required; + - \[2.\] {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and + - \[3.\] {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual; + +- \[i.\] Authorize access to the system based on: + + - \[1.\] A valid access authorization; + - \[2.\] Intended system usage; and + - \[3.\] {{ insert: param, ac-02_odp.09 }}; + +- \[j.\] Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }}; + +- \[k.\] Establish and implement a process for changing shared or group account authenticators (if 
deployed) when individuals are removed from the group; and + +- \[l.\] Align account management processes with personnel termination and transfer processes. + +## Control Assessment Objective + +- \[AC-02a.\] + + - \[AC-02a.[01]\] account types allowed for use within the system are defined and documented; + - \[AC-02a.[02]\] account types specifically prohibited for use within the system are defined and documented; + +- \[AC-02b.\] account managers are assigned; + +- \[AC-02c.\] {{ insert: param, ac-02_odp.01 }} for group and role membership are required; + +- \[AC-02d.\] + + - \[AC-02d.01\] authorized users of the system are specified; + - \[AC-02d.02\] group and role membership are specified; + - \[AC-02d.03\] + + - \[AC-02d.03[01]\] access authorizations (i.e., privileges) are specified for each account; + - \[AC-02d.03[02]\] {{ insert: param, ac-02_odp.02 }} are specified for each account; + +- \[AC-02e.\] approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts; + +- \[AC-02f.\] + + - \[AC-02f.[01]\] accounts are created in accordance with {{ insert: param, ac-02_odp.04 }}; + - \[AC-02f.[02]\] accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }}; + - \[AC-02f.[03]\] accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }}; + - \[AC-02f.[04]\] accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }}; + - \[AC-02f.[05]\] accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }}; + +- \[AC-02g.\] the use of accounts is monitored; + +- \[AC-02h.\] + + - \[AC-02h.01\] account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required; + - \[AC-02h.02\] account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; + - \[AC-02h.03\] account managers and {{ insert: param, ac-02_odp.05 }} are 
notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual; + +- \[AC-02i.\] + + - \[AC-02i.01\] access to the system is authorized based on a valid access authorization; + - \[AC-02i.02\] access to the system is authorized based on intended system usage; + - \[AC-02i.03\] access to the system is authorized based on {{ insert: param, ac-02_odp.09 }}; + +- \[AC-02j.\] accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }}; + +- \[AC-02k.\] + + - \[AC-02k.[01]\] a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group; + - \[AC-02k.[02]\] a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group; + +- \[AC-02l.\] + + - \[AC-02l.[01]\] account management processes are aligned with personnel termination processes; + - \[AC-02l.[02]\] account management processes are aligned with personnel transfer processes. + +## Control guidance + +Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. 
+ +Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. + +Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. 
Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-ac-2 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-3.md b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-3.md new file mode 100644 index 0000000..8cb4899 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-3.md 
@@ -0,0 +1,43 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ac-3 + description: Rule for ac-3 +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ac-03 +--- + +# ac-3 - \[Access Control\] Access Enforcement + +## Control Statement + +Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + +## Control Assessment Objective + +approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies. + +## Control guidance + +Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-ac-3 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-4.md b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-4.md new file mode 100644 index 0000000..4a622e2 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-4.md 
@@ -0,0 +1,47 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ac-4 + description: Rule for ac-4 +x-trestle-param-values: + ac-04_odp: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ac-04 +--- + +# ac-4 - \[Access Control\] Information Flow Enforcement + +## Control Statement + +Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}. + +## Control Assessment Objective + +approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}. + +## Control guidance + +Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. 
Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. + +Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-ac-4 + +### Implementation Status: planned + +______________________________________________________________________ 
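Review bot: `ac-04_odp:` under `x-trestle-param-values` is left without a value, yet both the control statement and the assessment objective hinge on it (`{{ insert: param, ac-04_odp }}` is the set of information flow control policies the authorizations are enforced against). A present-but-empty key presumably ends up as a set-parameter with no value in the assembled component definition, which is harder to notice than an absent key; either give it a value (the policy or policies `my-comp` enforces flows by) or drop the key until the value is known. The implementation text for this control is also empty in this rendering while the status is `planned`, so nothing currently ties `rule-ac-4` to the policy it is meant to check.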
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-6.md b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-6.md new file mode 100644 index 0000000..23d270e --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ac/ac-6.md @@ -0,0 +1,43 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ac-6 + description: Rule for ac-6 +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ac-06 +--- + +# ac-6 - \[Access Control\] Least Privilege + +## Control Statement + +Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + +## Control Assessment Objective + +the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + +## Control guidance + +Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-ac-6 + +### Implementation Status: planned + +______________________________________________________________________ 
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/au/au-2.md b/markdown/components/example/my-comp/fedramp_rev5_high/au/au-2.md new file mode 100644 index 0000000..e462d7c --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/au/au-2.md 
@@ -0,0 +1,77 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-au-2 + description: Rule for au-2 +x-trestle-param-values: + au-2_prm_2: + au-02_odp.01: + au-02_odp.02: + au-02_odp.03: + au-02_odp.04: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: au-02 +--- + +# au-2 - \[Audit and Accountability\] Event Logging + +## Control Statement + +- \[a.\] Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }}; + +- \[b.\] Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + +- \[c.\] Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }}; + +- \[d.\] Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and + +- \[e.\] Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}. + +- \[au-2_fr\] + + - \[Requirement:\] Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. 
+ +## Control Assessment Objective + +- \[AU-02a.\] {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function; + +- \[AU-02b.\] the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + +- \[AU-02c.\] + + - \[AU-02c.[01]\] {{ insert: param, au-02_odp.02 }} are specified for logging within the system; + - \[AU-02c.[02]\] the specified event types are logged within the system {{ insert: param, au-02_odp.03 }}; + +- \[AU-02d.\] a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; + +- \[AU-02e.\] the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}. + +## Control guidance + +Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO. +An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. + +To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. 
For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. + +Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. 
When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-au-2 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/au/au-3.md b/markdown/components/example/my-comp/fedramp_rev5_high/au/au-3.md new file mode 100644 index 0000000..235ccde --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/au/au-3.md 
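Review bot: All five parameters in `x-trestle-param-values` (`au-2_prm_2` and `au-02_odp.01` through `.04`) are empty, and `au-2_prm_2` is the one that names the event types the system actually logs (statement item c), so as written the component claims a logging rule but does not say what is logged or how often the list is reviewed. The FedRAMP requirement in the same hunk also says provider/consumer coordination must be documented and accepted by the JAB/AO, which is exactly the kind of statement the empty implementation section should carry. A minimal improvement is to populate at least `au-2_prm_2` with the event types `rule-au-2` checks for (the guidance lists failed logons, privilege use, account and attribute changes) or, if unknown, remove the empty keys so the gap is visible at assembly time. Whether the assembler tolerates or flags empty values is inferred here, not shown by the patch.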
@@ -0,0 +1,65 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-au-3 + description: Rule for au-3 +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: au-03 +--- + +# au-3 - \[Audit and Accountability\] Content of Audit Records + +## Control Statement + +Ensure that audit records contain information that establishes the following: + +- \[a.\] What type of event occurred; + +- \[b.\] When the event occurred; + +- \[c.\] Where the event occurred; + +- \[d.\] Source of the event; + +- \[e.\] Outcome of the event; and + +- \[f.\] Identity of any individuals, subjects, or objects/entities associated with the event. + +## Control Assessment Objective + +- \[AU-03a.\] audit records contain information that establishes what type of event occurred; + +- \[AU-03b.\] audit records contain information that establishes when the event occurred; + +- \[AU-03c.\] audit records contain information that establishes where the event occurred; + +- \[AU-03d.\] audit records contain information that establishes the source of the event; + +- \[AU-03e.\] audit records contain information that establishes the outcome of the event; + +- \[AU-03f.\] audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. + +## Control guidance + +Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. 
Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-au-3 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-6.md b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-6.md new file mode 100644 index 0000000..60e0a04 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-6.md 
@@ -0,0 +1,77 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-cm-6 + description: Rule for cm-6 +x-trestle-param-values: + cm-06_odp.01: + cm-06_odp.02: + cm-06_odp.03: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: cm-06 +--- + +# cm-6 - \[Configuration Management\] Configuration Settings + +## Control Statement + +- \[a.\] Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }}; + +- \[b.\] Implement the configuration settings; + +- \[c.\] Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and + +- \[d.\] Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. + +- \[cm-6_fr\] + + - \[(a) Requirement 1:\] The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available. + - \[(a) Requirement 2:\] The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). 
+ +## Control Assessment Objective + +- \[CM-06a.\] configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }}; + +- \[CM-06b.\] the configuration settings documented in CM-06a are implemented; + +- \[CM-06c.\] + + - \[CM-06c.[01]\] any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }}; + - \[CM-06c.[02]\] any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved; + +- \[CM-06d.\] + + - \[CM-06d.[01]\] changes to the configuration settings are monitored in accordance with organizational policies and procedures; + - \[CM-06d.[02]\] changes to the configuration settings are controlled in accordance with organizational policies and procedures. + +## Control guidance + +Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable. 
+ +During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests. +Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. + +Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. + +Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-cm-6 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-7.md b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-7.md new file mode 100644 index 0000000..fdebb7f --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-7.md 
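Review bot: The FedRAMP requirement in this hunk mandates DoD STIGs, falling back to CIS Level 2 and then custom baselines, with SCAP-validated checklists, but `cm-06_odp.01` — the parameter naming the configuration baseline used — is empty and the implementation section carries no text. That leaves `rule-cm-6` unanchored to any benchmark, which is the first thing an assessor asks for on this control. Setting `cm-06_odp.01` to the benchmark the rule is checked against (e.g. `DISA STIG for <platform>` or `CIS Level 2 Benchmark for <platform>`) and stating in the rule description whether the check is SCAP-based would make the example consistent with the requirement it quotes. `cm-06_odp.02` and `.03` (deviation scope and approval criteria) are likewise empty.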
@@ -0,0 +1,65 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-cm-7 + description: Rule for cm-7 +x-trestle-param-values: + cm-7_prm_2: + cm-07_odp.01: + cm-07_odp.02: + cm-07_odp.03: + cm-07_odp.04: + cm-07_odp.05: + cm-07_odp.06: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: cm-07 +--- + +# cm-7 - \[Configuration Management\] Least Functionality + +## Control Statement + +- \[a.\] Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and + +- \[b.\] Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}. + +- \[cm-7_fr\] + + - \[(b) Requirement:\] The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available. + +## Control Assessment Objective + +- \[CM-07a.\] the system is configured to provide only {{ insert: param, cm-07_odp.01 }}; + +- \[CM-07b.\] + + - \[CM-07b.[01]\] the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted; + - \[CM-07b.[02]\] the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted; + - \[CM-07b.[03]\] the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted; + - \[CM-07b.[04]\] the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted; + - \[CM-07b.[05]\] the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted. + +## Control guidance + +Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. 
Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3)). + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-cm-7 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-8.md b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-8.md new file mode 100644 index 0000000..80408d2 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/cm/cm-8.md 
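Review bot: `cm-7_prm_2` and `cm-07_odp.02` through `.06` are empty, so the list of prohibited or restricted functions, ports, protocols, software and services that the assessment objective is checked against is undefined, while the FedRAMP requirement in the same hunk says that list must be derived from the CM-6 security guidelines (STIG/CIS). The control is only meaningful with a concrete deny-list, so the component should either set these values to what `rule-cm-7` enforces or leave the keys out until they are known; an assembler will presumably otherwise emit set-parameters with no values. Which ports or services the example component disables cannot be inferred from the patch.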
@@ -0,0 +1,68 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-cm-8 + description: Rule for cm-8 +x-trestle-param-values: + cm-08_odp.01: + cm-08_odp.02: +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: cm-08 +--- + +# cm-8 - \[Configuration Management\] System Component Inventory + +## Control Statement + +- \[a.\] Develop and document an inventory of system components that: + + - \[1.\] Accurately reflects the system; + - \[2.\] Includes all components within the system; + - \[3.\] Does not include duplicate accounting of components or components assigned to any other system; + - \[4.\] Is at the level of granularity deemed necessary for tracking and reporting; and + - \[5.\] Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and + +- \[b.\] Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}. + +- \[cm-8_fr\] + + - \[Requirement:\] must be provided at least monthly or when there is a change. + +## Control Assessment Objective + +- \[CM-08a.\] + + - \[CM-08a.01\] an inventory of system components that accurately reflects the system is developed and documented; + - \[CM-08a.02\] an inventory of system components that includes all components within the system is developed and documented; + - \[CM-08a.03\] an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented; + - \[CM-08a.04\] an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented; + - \[CM-08a.05\] an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented; + +- \[CM-08b.\] the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}. 
+ +## Control guidance + +System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. + +Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. 
The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components. + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-cm-8 + +### Implementation Status: planned + +______________________________________________________________________ diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-2.md b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-2.md new file mode 100644 index 0000000..e75af8c --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-2.md 
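Review bot: `cm-08_odp.02` (the inventory review/update frequency) is empty although the FedRAMP requirement a few lines above it already fixes the answer — `must be provided at least monthly or when there is a change` — so the parameter could be set to that value rather than left blank. `cm-08_odp.01`, the information each inventory entry must carry, is also empty; the guidance lists the expected fields (owner, version, license, machine name, IPv4/IPv6 addresses, serial number, location). If `rule-cm-8` is scan-based, the guidance's warning about duplicate entries from dual-stack (IPv4/IPv6) scans is worth a sentence in the implementation text. Whether the assembler tolerates an empty value here is inferred, not shown.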
@@ -0,0 +1,56 @@ +--- +x-trestle-comp-def-rules: + my-comp: + - name: rule-ia-2 + description: Rule for ia-2 +x-trestle-global: + profile: + title: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + sort-id: ia-02 +--- + +# ia-2 - \[Identification and Authentication\] Identification and Authentication (Organizational Users) + +## Control Statement + +Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. + +- \[ia-2_fr\] + + - \[Requirement:\] For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B. + - \[Requirement:\] Multi-factor authentication must be phishing-resistant. + - \[Requirement:\] All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate. + +## Control Assessment Objective + +- \[IA-02[01]\] organizational users are uniquely identified and authenticated; + +- \[IA-02[02]\] the unique identification of authenticated organizational users is associated with processes acting on behalf of those users. + +## Control guidance + +\"Phishing-resistant\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system. +Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). 
Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. + +Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. + +The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8). + +______________________________________________________________________ + +## What is the solution and how is it implemented? + + + + + + + +### Rules: + + - rule-ia-2 + +### Implementation Status: planned + +______________________________________________________________________ 
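Review bot: The FedRAMP requirements embedded in this control (`ia-2_fr`) are specific — MFA must follow NIST SP 800-63B and must be phishing-resistant, and encrypted VPN use must be documented and authorized — but `rule-ia-2` is described only as `Rule for ia-2` and the implementation section carries no text, so nothing in the component records whether the check is for phishing-resistant authenticators (e.g. PIV or FIDO2/WebAuthn) or merely for MFA being present. Since phishing-resistance is the part most often missed, the rule description should say what it verifies, e.g. `description: Verifies organizational users authenticate with phishing-resistant MFA per NIST SP 800-63B`, or state explicitly that it is a placeholder. The VPN requirement has no counterpart anywhere in the file either.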
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-3.md b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-3.md new file mode 100644 index 0000000..62a7959 --- /dev/null +++ b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-3.md 
@@ -0,0 +1,46 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-ia-3
+ description: Rule for ia-3
+x-trestle-param-values:
+ ia-03_odp.01:
+ ia-03_odp.02:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: ia-03
+---
+
+# ia-3 - \[Identification and Authentication\] Device Identification and Authentication
+
+## Control Statement
+
+Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection.
+
+## Control Assessment Objective
+
+{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.
+
+## Control guidance
+
+Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-ia-3
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-4.md b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-4.md
new file mode 100644
index 0000000..4276309
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/ia/ia-4.md
@@ -0,0 +1,60 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-ia-4
+ description: Rule for ia-4
+x-trestle-param-values:
+ ia-04_odp.01:
+ ia-04_odp.02:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: ia-04
+---
+
+# ia-4 - \[Identification and Authentication\] Identifier Management
+
+## Control Statement
+
+Manage system identifiers by:
+
+- \[a.\] Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;
+
+- \[b.\] Selecting an identifier that identifies an individual, group, role, service, or device;
+
+- \[c.\] Assigning the identifier to the intended individual, group, role, service, or device; and
+
+- \[d.\] Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.
+
+## Control Assessment Objective
+
+- \[IA-04a.\] system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;
+
+- \[IA-04b.\] system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
+
+- \[IA-04c.\] system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
+
+- \[IA-04d.\] system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.
+
+## Control guidance
+
+Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) .
Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-ia-4
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-5.md b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-5.md
new file mode 100644
index 0000000..9679057
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-5.md
@@ -0,0 +1,51 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-sc-5
+ description: Rule for sc-5
+x-trestle-param-values:
+ sc-05_odp.01:
+ sc-05_odp.02:
+ sc-05_odp.03:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: sc-05
+---
+
+# sc-5 - \[System and Communications Protection\] Denial-of-service Protection
+
+## Control Statement
+
+- \[a.\] {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and
+
+- \[b.\] Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}.
+
+## Control Assessment Objective
+
+- \[SC-05a.\] the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};
+
+- \[SC-05b.\] {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.
+
+## Control guidance
+
+Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-sc-5
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-7.md b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-7.md
new file mode 100644
index 0000000..1f7d5f2
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-7.md
@@ -0,0 +1,61 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-sc-7
+ description: Rule for sc-7
+x-trestle-param-values:
+ sc-07_odp:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: sc-07
+---
+
+# sc-7 - \[System and Communications Protection\] Boundary Protection
+
+## Control Statement
+
+- \[a.\] Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
+
+- \[b.\] Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and
+
+- \[c.\] Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+
+- \[sc-7_fr\]
+
+## Control Assessment Objective
+
+- \[SC-07a.\]
+
+ - \[SC-07a.[01]\] communications at external managed interfaces to the system are monitored;
+ - \[SC-07a.[02]\] communications at external managed interfaces to the system are controlled;
+ - \[SC-07a.[03]\] communications at key internal managed interfaces within the system are monitored;
+ - \[SC-07a.[04]\] communications at key internal managed interfaces within the system are controlled;
+
+- \[SC-07b.\] subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;
+
+- \[SC-07c.\] external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+
+## Control guidance
+
+SC-7 (b) should be met by subnet isolation.
A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.
+Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-sc-7
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-8.md b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-8.md
new file mode 100644
index 0000000..6474391
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/sc/sc-8.md
@@ -0,0 +1,98 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-sc-8
+ description: Rule for sc-8
+x-trestle-param-values:
+ sc-08_odp:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: sc-08
+---
+
+# sc-8 - \[System and Communications Protection\] Transmission Confidentiality and Integrity
+
+## Control Statement
+
+Protect the {{ insert: param, sc-08_odp }} of transmitted information.
+
+- \[sc-8_fr\]
+
+## Control Assessment Objective
+
+the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.
+
+## Control guidance
+
+For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.
+
+
+
+For clarity, this control applies to all data in transit. Examples include the following data flows:
+
+* Crossing the system boundary
+* Between compute instances - including containers
+* From a compute instance to storage
+* Replication between availability zones
+* Transmission of backups to storage
+* From a load balancer to a compute instance
+* Flows from management tools required for their work – e.g. log collection, scanning, etc.
+
+
+
+
+The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).
+
+FedRAMP-Defined Assignment / Selection Parameters
+
+SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]
+
+SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]
+SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.
+
+
+
+Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).
+
+
+
+Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).
+
+
+
+Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.
+
+
+
+CNSSI No.7003 can be accessed here:
+
+https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf
+
+
+
+DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:
+
+https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf
+Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems.
A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
+
+Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-sc-8
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/si/si-2.md b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-2.md
new file mode 100644
index 0000000..f55eff1
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-2.md
@@ -0,0 +1,71 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-si-2
+ description: Rule for si-2
+x-trestle-param-values:
+ si-02_odp:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: si-02
+---
+
+# si-2 - \[System and Information Integrity\] Flaw Remediation
+
+## Control Statement
+
+- \[a.\] Identify, report, and correct system flaws;
+
+- \[b.\] Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
+
+- \[c.\] Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and
+
+- \[d.\] Incorporate flaw remediation into the organizational configuration management process.
+
+## Control Assessment Objective
+
+- \[SI-02a.\]
+
+ - \[SI-02a.[01]\] system flaws are identified;
+ - \[SI-02a.[02]\] system flaws are reported;
+ - \[SI-02a.[03]\] system flaws are corrected;
+
+- \[SI-02b.\]
+
+ - \[SI-02b.[01]\] software updates related to flaw remediation are tested for effectiveness before installation;
+ - \[SI-02b.[02]\] software updates related to flaw remediation are tested for potential side effects before installation;
+ - \[SI-02b.[03]\] firmware updates related to flaw remediation are tested for effectiveness before installation;
+ - \[SI-02b.[04]\] firmware updates related to flaw remediation are tested for potential side effects before installation;
+
+- \[SI-02c.\]
+
+ - \[SI-02c.[01]\] security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;
+ - \[SI-02c.[02]\] security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;
+
+- \[SI-02d.\] flaw remediation is incorporated into the organizational configuration management process.
+
+## Control guidance
+
+The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
+
+Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-si-2
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/si/si-3.md b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-3.md
new file mode 100644
index 0000000..4d8248b
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-3.md
@@ -0,0 +1,82 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-si-3
+ description: Rule for si-3
+x-trestle-param-values:
+ si-03_odp.01:
+ si-03_odp.02:
+ si-03_odp.03:
+ si-03_odp.04:
+ si-03_odp.05:
+ si-03_odp.06:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: si-03
+---
+
+# si-3 - \[System and Information Integrity\] Malicious Code Protection
+
+## Control Statement
+
+- \[a.\] Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
+
+- \[b.\] Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
+
+- \[c.\] Configure malicious code protection mechanisms to:
+
+ - \[1.\] Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and
+ - \[2.\] {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and
+
+- \[d.\] Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
+
+## Control Assessment Objective
+
+- \[SI-03a.\]
+
+ - \[SI-03a.[01]\] {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;
+ - \[SI-03a.[02]\] {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;
+
+- \[SI-03b.\] malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
+
+- \[SI-03c.\]
+
+ - \[SI-03c.01\]
+
+ - \[SI-03c.01[01]\] malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};
+ - \[SI-03c.01[02]\] malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;
+
+ - \[SI-03c.02\]
+
+ - \[SI-03c.02[01]\] malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;
+ - \[SI-03c.02[02]\] malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;
+
+- \[SI-03d.\] the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
+
+## Control guidance
+
+System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography.
Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.
+
+Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
+
+In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted.
For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-si-3
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/markdown/components/example/my-comp/fedramp_rev5_high/si/si-4.md b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-4.md
new file mode 100644
index 0000000..a131156
--- /dev/null
+++ b/markdown/components/example/my-comp/fedramp_rev5_high/si/si-4.md
@@ -0,0 +1,98 @@
+---
+x-trestle-comp-def-rules:
+ my-comp:
+ - name: rule-si-4
+ description: Rule for si-4
+x-trestle-param-values:
+ si-04_odp.01:
+ si-04_odp.02:
+ si-04_odp.03:
+ si-04_odp.04:
+ si-04_odp.05:
+ si-04_odp.06:
+x-trestle-global:
+ profile:
+ title: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ sort-id: si-04
+---
+
+# si-4 - \[System and Information Integrity\] System Monitoring
+
+## Control Statement
+
+- \[a.\] Monitor the system to detect:
+
+ - \[1.\] Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and
+ - \[2.\] Unauthorized local, network, and remote connections;
+
+- \[b.\] Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};
+
+- \[c.\] Invoke internal monitoring capabilities or deploy monitoring devices:
+
+ - \[1.\] Strategically within the system to collect organization-determined essential information; and
+ - \[2.\] At ad hoc locations within the system to track specific types of transactions of interest to the organization;
+
+- \[d.\] Analyze detected events and anomalies;
+
+- \[e.\] Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+
+- \[f.\] Obtain legal opinion regarding system monitoring activities; and
+
+- \[g.\] Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.
+
+- \[si-4_fr\]
+
+## Control Assessment Objective
+
+- \[SI-04a.\]
+
+ - \[SI-04a.01\] the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};
+ - \[SI-04a.02\]
+
+ - \[SI-04a.02[01]\] the system is monitored to detect unauthorized local connections;
+ - \[SI-04a.02[02]\] the system is monitored to detect unauthorized network connections;
+ - \[SI-04a.02[03]\] the system is monitored to detect unauthorized remote connections;
+
+- \[SI-04b.\] unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};
+
+- \[SI-04c.\]
+
+ - \[SI-04c.01\] internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
+ - \[SI-04c.02\] internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
+
+- \[SI-04d.\]
+
+ - \[SI-04d.[01]\] detected events are analyzed;
+ - \[SI-04d.[02]\] detected anomalies are analyzed;
+
+- \[SI-04e.\] the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+
+- \[SI-04f.\] a legal opinion regarding system monitoring activities is obtained;
+
+- \[SI-04g.\] {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.
+
+## Control guidance
+
+See US-CERT Incident Response Reporting Guidelines.
+System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system.
Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
+
+Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs.
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
+
+______________________________________________________________________
+
+## What is the solution and how is it implemented?
+
+
+
+
+
+
+
+### Rules:
+
+ - rule-si-4
+
+### Implementation Status: planned
+
+______________________________________________________________________
diff --git a/rules/example/my-comp/rule-ac-1.yaml b/rules/example/my-comp/rule-ac-1.yaml
new file mode 100644
index 0000000..68b8970
--- /dev/null
+++ b/rules/example/my-comp/rule-ac-1.yaml
@@ -0,0 +1,12 @@
+x-trestle-component-info:
+ description: My testing comp
+ name: my-comp
+ type: service
+x-trestle-rule-info:
+ description: Rule for ac-1
+ name: rule-ac-1
+ profile:
+ description: FedRAMP Rev 5 High Baseline
+ href: trestle://profiles/fedramp_rev5_high/profile.json
+ include-controls:
+ - id: ac-1
diff --git a/rules/example/my-comp/rule-ac-2.yaml b/rules/example/my-comp/rule-ac-2.yaml
new file mode 100644
index 0000000..c9c8865
--- /dev/null
+++ b/rules/example/my-comp/rule-ac-2.yaml
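Review bot: Both `description` values in rule-ac-1.yaml are placeholders — `description: My testing comp` under `x-trestle-component-info` and `description: Rule for ac-1` under `x-trestle-rule-info` — and the same pattern repeats in rule-ac-2, rule-ac-3, rule-ac-4, rule-ac-6, rule-au-2, rule-au-3, rule-cm-6 and rule-cm-7 in this chunk. As far as I can tell the rule description is the only human-readable statement of what a rule checks that survives into the generated component definition, so a reader of that artefact has nothing tying `rule-ac-1` to an actual behaviour of my-comp beyond the control id in `include-controls`. Even for an example component, a one-line statement of intent would make the file self-describing, e.g. `description: Example rule asserting that my-comp documents and periodically reviews its access control policy and procedures (AC-1)`. If the placeholder wording is deliberate for the example set, a short YAML comment at the top of each file saying so (`# example rule: description intentionally generic`) would stop the question coming up on every review.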
@@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ac-2 + name: rule-ac-2 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ac-2 diff --git a/rules/example/my-comp/rule-ac-3.yaml b/rules/example/my-comp/rule-ac-3.yaml new file mode 100644 index 0000000..fbd4732 --- /dev/null +++ b/rules/example/my-comp/rule-ac-3.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ac-3 + name: rule-ac-3 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ac-3 diff --git a/rules/example/my-comp/rule-ac-4.yaml b/rules/example/my-comp/rule-ac-4.yaml new file mode 100644 index 0000000..0c6ed08 --- /dev/null +++ b/rules/example/my-comp/rule-ac-4.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ac-4 + name: rule-ac-4 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ac-4 diff --git a/rules/example/my-comp/rule-ac-6.yaml b/rules/example/my-comp/rule-ac-6.yaml new file mode 100644 index 0000000..87455ba --- /dev/null +++ b/rules/example/my-comp/rule-ac-6.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ac-6 + name: rule-ac-6 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ac-6 diff --git a/rules/example/my-comp/rule-au-2.yaml b/rules/example/my-comp/rule-au-2.yaml new file mode 100644 index 0000000..65e118d 
--- /dev/null +++ b/rules/example/my-comp/rule-au-2.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for au-2 + name: rule-au-2 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: au-2 diff --git a/rules/example/my-comp/rule-au-3.yaml b/rules/example/my-comp/rule-au-3.yaml new file mode 100644 index 0000000..f503bb9 --- /dev/null +++ b/rules/example/my-comp/rule-au-3.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for au-3 + name: rule-au-3 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: au-3 diff --git a/rules/example/my-comp/rule-cm-6.yaml b/rules/example/my-comp/rule-cm-6.yaml new file mode 100644 index 0000000..02df6ec --- /dev/null +++ b/rules/example/my-comp/rule-cm-6.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for cm-6 + name: rule-cm-6 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: cm-6 diff --git a/rules/example/my-comp/rule-cm-7.yaml b/rules/example/my-comp/rule-cm-7.yaml new file mode 100644 index 0000000..7fc24ed --- /dev/null +++ b/rules/example/my-comp/rule-cm-7.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for cm-7 + name: rule-cm-7 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: cm-7 
diff --git a/rules/example/my-comp/rule-cm-8.yaml b/rules/example/my-comp/rule-cm-8.yaml new file mode 100644 index 0000000..3c88edc --- /dev/null +++ b/rules/example/my-comp/rule-cm-8.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for cm-8 + name: rule-cm-8 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: cm-8 diff --git a/rules/example/my-comp/rule-ia-2.yaml b/rules/example/my-comp/rule-ia-2.yaml new file mode 100644 index 0000000..97357f6 --- /dev/null +++ b/rules/example/my-comp/rule-ia-2.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ia-2 + name: rule-ia-2 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ia-2 diff --git a/rules/example/my-comp/rule-ia-3.yaml b/rules/example/my-comp/rule-ia-3.yaml new file mode 100644 index 0000000..5e97384 --- /dev/null +++ b/rules/example/my-comp/rule-ia-3.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ia-3 + name: rule-ia-3 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ia-3 diff --git a/rules/example/my-comp/rule-ia-4.yaml b/rules/example/my-comp/rule-ia-4.yaml new file mode 100644 index 0000000..ea8eb0f --- /dev/null +++ b/rules/example/my-comp/rule-ia-4.yaml 
@@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for ia-4 + name: rule-ia-4 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: ia-4 diff --git a/rules/example/my-comp/rule-sc-5.yaml b/rules/example/my-comp/rule-sc-5.yaml new file mode 100644 index 0000000..f4c7510 --- /dev/null +++ b/rules/example/my-comp/rule-sc-5.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for sc-5 + name: rule-sc-5 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: sc-5 diff --git a/rules/example/my-comp/rule-sc-7.yaml b/rules/example/my-comp/rule-sc-7.yaml new file mode 100644 index 0000000..94669b8 --- /dev/null +++ b/rules/example/my-comp/rule-sc-7.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for sc-7 + name: rule-sc-7 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: sc-7 diff --git a/rules/example/my-comp/rule-sc-8.yaml b/rules/example/my-comp/rule-sc-8.yaml new file mode 100644 index 0000000..cd19c43 --- /dev/null +++ b/rules/example/my-comp/rule-sc-8.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for sc-8 + name: rule-sc-8 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: sc-8 diff --git a/rules/example/my-comp/rule-si-2.yaml b/rules/example/my-comp/rule-si-2.yaml new file mode 100644 index 0000000..401a0ac 
--- /dev/null +++ b/rules/example/my-comp/rule-si-2.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for si-2 + name: rule-si-2 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: si-2 diff --git a/rules/example/my-comp/rule-si-3.yaml b/rules/example/my-comp/rule-si-3.yaml new file mode 100644 index 0000000..fbdb4b7 --- /dev/null +++ b/rules/example/my-comp/rule-si-3.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for si-3 + name: rule-si-3 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: si-3 diff --git a/rules/example/my-comp/rule-si-4.yaml b/rules/example/my-comp/rule-si-4.yaml new file mode 100644 index 0000000..17a2f14 --- /dev/null +++ b/rules/example/my-comp/rule-si-4.yaml @@ -0,0 +1,12 @@ +x-trestle-component-info: + description: My testing comp + name: my-comp + type: service +x-trestle-rule-info: + description: Rule for si-4 + name: rule-si-4 + profile: + description: FedRAMP Rev 5 High Baseline + href: trestle://profiles/fedramp_rev5_high/profile.json + include-controls: + - id: si-4 From 052317660173effc6ef765cd88d864e8144a7e84 Mon Sep 17 00:00:00 2001 From: jpower432 Date: Fri, 27 Oct 2023 15:10:00 +0000 Subject: [PATCH 2/3] Sync automatic updates --- .../example/component-definition.json | 189 ++++++++++++------ 1 file changed, 128 insertions(+), 61 deletions(-) diff --git a/component-definitions/example/component-definition.json b/component-definitions/example/component-definition.json index 36eeea5..9bbc3ac 100644 --- a/component-definitions/example/component-definition.json +++ b/component-definitions/example/component-definition.json 
@@ -1,15 +1,82 @@ { "component-definition": { - "uuid": "19fd6f22-8055-4c2a-8bfb-726d1a29a5a4", + "uuid": "9d83b834-7a25-4a3d-9525-07bf9e97bb2c", "metadata": { "title": "Component definition for example", - "last-modified": "2023-10-27T14:58:23+00:00", + "last-modified": "2023-10-27T15:10:00+00:00", "version": "1.0", "oscal-version": "1.0.4" }, "components": [ { - "uuid": "120b2197-66ba-45f4-a7ec-ff8a9c7baf80", + "uuid": "616e4e28-0aa9-4391-8ff8-8e55eb42209c", + "type": "service", + "title": "Example", + "description": "Example Application", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Test-rule_001", + "remarks": "rule_set_00" + }, + { + "name": "Rule_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Ensure all of the services are running these tests", + "remarks": "rule_set_00" + }, + { + "name": "Parameter_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "prm_1", + "remarks": "rule_set_00" + }, + { + "name": "Parameter_Description", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "prm_1 description", + "remarks": "rule_set_00" + }, + { + "name": "Parameter_Value_Alternatives", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "{'default': '5%', '5pc': '5%', '10pc': '10%', '15pc': '15%', '20pc': '20%'}", + "remarks": "rule_set_00" + } + ], + "control-implementations": [ + { + "uuid": "6399d9f7-cd73-4579-8242-548aecb48bfd", + "source": "profiles/fedramp_rev5_high/profile.json", + "description": "FedRAMP REV5 High Baseline", + "set-parameters": [ + { + "param-id": "prm_1", + "values": [ + "5%" + ] + } + ], + "implemented-requirements": [ + { + "uuid": "64a6329d-8d44-48f1-91bb-099a067d19d1", + "control-id": "ac-1", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", + "value": "Test-rule_001" + } 
+ ] + } + ] + } + ] + }, + { + "uuid": "2485d619-f4d7-4814-9a5f-fbb57675803b", "type": "service", "title": "my-comp", "description": "My testing comp", 
@@ -18,239 +85,239 @@ "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-si-3", - "remarks": "rule_set_00" + "remarks": "rule_set_01" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for si-3", - "remarks": "rule_set_00" + "remarks": "rule_set_01" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-si-4", - "remarks": "rule_set_01" + "remarks": "rule_set_02" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for si-4", - "remarks": "rule_set_01" + "remarks": "rule_set_02" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-au-3", - "remarks": "rule_set_02" + "remarks": "rule_set_03" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for au-3", - "remarks": "rule_set_02" + "remarks": "rule_set_03" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-si-2", - "remarks": "rule_set_03" + "remarks": "rule_set_04" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for si-2", - "remarks": "rule_set_03" + "remarks": "rule_set_04" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ac-3", - "remarks": "rule_set_04" + "remarks": "rule_set_05" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ac-3", - "remarks": "rule_set_04" + "remarks": "rule_set_05" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ia-2", - "remarks": "rule_set_05" + "remarks": "rule_set_06" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule 
for ia-2", - "remarks": "rule_set_05" + "remarks": "rule_set_06" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-cm-6", - "remarks": "rule_set_06" + "remarks": "rule_set_07" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for cm-6", - "remarks": "rule_set_06" + "remarks": "rule_set_07" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-sc-7", - "remarks": "rule_set_07" + "remarks": "rule_set_08" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for sc-7", - "remarks": "rule_set_07" + "remarks": "rule_set_08" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-au-2", - "remarks": "rule_set_08" + "remarks": "rule_set_09" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for au-2", - "remarks": "rule_set_08" + "remarks": "rule_set_09" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-cm-8", - "remarks": "rule_set_09" + "remarks": "rule_set_10" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for cm-8", - "remarks": "rule_set_09" + "remarks": "rule_set_10" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ac-2", - "remarks": "rule_set_10" + "remarks": "rule_set_11" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ac-2", - "remarks": "rule_set_10" + "remarks": "rule_set_11" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ac-4", - "remarks": "rule_set_11" + "remarks": "rule_set_12" }, { "name": "Rule_Description", "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ac-4", - "remarks": "rule_set_11" + "remarks": "rule_set_12" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ac-1", - "remarks": "rule_set_12" + "remarks": "rule_set_13" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ac-1", - "remarks": "rule_set_12" + "remarks": "rule_set_13" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-sc-5", - "remarks": "rule_set_13" + "remarks": "rule_set_14" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for sc-5", - "remarks": "rule_set_13" + "remarks": "rule_set_14" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ia-4", - "remarks": "rule_set_14" + "remarks": "rule_set_15" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ia-4", - "remarks": "rule_set_14" + "remarks": "rule_set_15" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-cm-7", - "remarks": "rule_set_15" + "remarks": "rule_set_16" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for cm-7", - "remarks": "rule_set_15" + "remarks": "rule_set_16" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-sc-8", - "remarks": "rule_set_16" + "remarks": "rule_set_17" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for sc-8", - "remarks": "rule_set_16" + "remarks": "rule_set_17" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ac-6", - "remarks": "rule_set_17" + "remarks": 
"rule_set_18" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ac-6", - "remarks": "rule_set_17" + "remarks": "rule_set_18" }, { "name": "Rule_Id", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "rule-ia-3", - "remarks": "rule_set_18" + "remarks": "rule_set_19" }, { "name": "Rule_Description", "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal", "value": "Rule for ia-3", - "remarks": "rule_set_18" + "remarks": "rule_set_19" } ], "control-implementations": [ { - "uuid": "5fb2eafa-dbe4-4bf4-b184-5307453c760d", + "uuid": "3cf92571-6512-4c50-841e-18617e9e2925", "source": "trestle://profiles/fedramp_rev5_high/profile.json", "description": "FedRAMP Rev 5 High Baseline", "implemented-requirements": [ { - "uuid": "a670037c-d4ed-4bf1-80f1-aeaf8c83cc75", + "uuid": "e9b73dea-8982-462d-9bd7-3ae5680c2018", "control-id": "si-3", "description": "", "props": [ @@ -262,7 +329,7 @@ ] }, { - "uuid": "9457a281-579b-4f7d-bee3-8a60c1758ff6", + "uuid": "9efa4bd4-76a4-45bd-8983-2adc7ff2e6cb", "control-id": "si-4", "description": "", "props": [ @@ -274,7 +341,7 @@ ] }, { - "uuid": "b4235539-ff3d-4b2f-925e-358ad35a8a80", + "uuid": "a257c4d6-7412-4869-b187-52fd87b07ea3", "control-id": "au-3", "description": "", "props": [ @@ -286,7 +353,7 @@ ] }, { - "uuid": "e2be35f8-00d6-4dcf-9fde-4553a319315c", + "uuid": "ca1ca6b7-264e-4d49-9fb9-9aa0ab43f2a3", "control-id": "si-2", "description": "", "props": [ @@ -298,7 +365,7 @@ ] }, { - "uuid": "72d4f078-0834-4ff6-ac52-85ab8a784d48", + "uuid": "a9058e90-c49c-4ca7-a2ec-03cd063871aa", "control-id": "ac-3", "description": "", "props": [ @@ -310,7 +377,7 @@ ] }, { - "uuid": "e4b9e677-687a-4f08-a7df-8548be5318a5", + "uuid": "67603b0c-3f52-4da0-b8da-a8b22b85a26c", "control-id": "ia-2", "description": "", "props": [ 
@@ -322,7 +389,7 @@
 ]
 },
 {
- "uuid": "58b07481-a673-41f3-b217-bb306740a248",
+ "uuid": "3168bb21-2288-4789-84ef-c27c1ad7c9e7",
 "control-id": "cm-6",
 "description": "",
 "props": [
@@ -334,7 +401,7 @@
 ]
 },
 {
- "uuid": "e3f26e4d-9d3e-40ec-bf9c-7dc3d341f71d",
+ "uuid": "ecca49d1-5010-4579-845d-a02e9a8e2772",
 "control-id": "sc-7",
 "description": "",
 "props": [
@@ -346,7 +413,7 @@
 ]
 },
 {
- "uuid": "ebddfffd-7ed6-49a9-a370-435abcf4b20e",
+ "uuid": "9a56a170-1d2b-4fbf-90f0-b6c3b726bc4e",
 "control-id": "au-2",
 "description": "",
 "props": [
@@ -358,7 +425,7 @@
 ]
 },
 {
- "uuid": "2f20f934-97cf-4388-a115-27f71a080cb7",
+ "uuid": "0414a894-945c-4434-afed-1601ec589593",
 "control-id": "cm-8",
 "description": "",
 "props": [
@@ -370,7 +437,7 @@
 ]
 },
 {
- "uuid": "6601dc26-edb8-4da5-8255-cad1b2db9d4f",
+ "uuid": "5dd1ff3b-c420-4e6f-ac16-ecc561437e3d",
 "control-id": "ac-2",
 "description": "",
 "props": [
@@ -382,7 +449,7 @@
 ]
 },
 {
- "uuid": "deb72bd5-a180-4273-a08a-9809cdf3e295",
+ "uuid": "4169b02d-b73c-443c-a8bf-d4c5891a3c5b",
 "control-id": "ac-4",
 "description": "",
 "props": [
@@ -394,7 +461,7 @@
 ]
 },
 {
- "uuid": "78131b04-256f-4386-ab62-e1ef33df14a2",
+ "uuid": "667950ba-045c-4e07-afc4-5ef852e8a79b",
 "control-id": "ac-1",
 "description": "",
 "props": [
@@ -406,7 +473,7 @@
 ]
 },
 {
- "uuid": "825811c0-67cd-47d7-a85a-5bf4e0945a91",
+ "uuid": "77f77b35-4283-4ed8-8ae9-dd30682de875",
 "control-id": "sc-5",
 "description": "",
 "props": [
@@ -418,7 +485,7 @@
 ]
 },
 {
- "uuid": "e04b1906-9db4-44d3-9b6d-1cda41b1dfe7",
+ "uuid": "393e9e52-2322-49d4-89d9-9bb4aba6959b",
 "control-id": "ia-4",
 "description": "",
 "props": [
@@ -430,7 +497,7 @@
 ]
 },
 {
- "uuid": "1684c6ee-43bf-4506-8aaf-a91da7150482",
+ "uuid": "bc10742e-202d-4c42-9a7e-12c2e599e1e4",
 "control-id": "cm-7",
 "description": "",
 "props": [
@@ -442,7 +509,7 @@
 ]
 },
 {
- "uuid": "9a85a2a8-2339-44aa-8b17-0fbd0002ca6e",
+ "uuid": "51ea6bbd-51aa-4ecb-9bda-58b8518225f5",
 "control-id": "sc-8",
 "description": "",
 "props": [
@@ -454,7 +521,7 @@
 ]
 },
 {
- "uuid": "207421b6-56c1-4444-a404-e1ef8a4e1f6e",
+ "uuid": "90d3b540-0cff-40fe-8087-92ccdef1c2db",
 "control-id": "ac-6",
 "description": "",
 "props": [
@@ -466,7 +533,7 @@
 ]
 },
 {
- "uuid": "9d0e270e-e0cd-4900-889b-7e06469073a0",
+ "uuid": "02eaf74c-bcd2-40c7-958e-8912731f7845",
 "control-id": "ia-3",
 "description": "",
 "props": [
From 2a1db3cfd79f65f3eb330092878bc5c626f5e381 Mon Sep 17 00:00:00 2001
From: "trestle-bot[bot]"
Date: Fri, 27 Oct 2023 15:24:10 +0000
Subject: [PATCH 3/3] Sync automatic updates
---
 .../example/component-definition.json | 82 ++++++++++++++++++-
 1 file changed, 81 insertions(+), 1 deletion(-)
diff --git a/component-definitions/example/component-definition.json b/component-definitions/example/component-definition.json
index 9bbc3ac..27bf701 100644
--- a/component-definitions/example/component-definition.json
+++ b/component-definitions/example/component-definition.json
@@ -3,7 +3,7 @@
 "uuid": "9d83b834-7a25-4a3d-9525-07bf9e97bb2c",
 "metadata": {
 "title": "Component definition for example",
- "last-modified": "2023-10-27T15:10:00+00:00",
+ "last-modified": "2023-10-27T15:24:06.191004+00:00",
 "version": "1.0",
 "oscal-version": "1.0.4"
 },
@@ -68,6 +68,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "Test-rule_001"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 }
@@ -325,6 +329,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-si-3"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -337,6 +345,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-si-4"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -349,6 +361,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-au-3"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -361,6 +377,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-si-2"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -373,6 +393,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ac-3"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -385,6 +409,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ia-2"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -397,6 +425,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-cm-6"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -409,6 +441,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-sc-7"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -421,6 +457,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-au-2"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -433,6 +473,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-cm-8"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -445,6 +489,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ac-2"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -457,6 +505,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ac-4"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -469,6 +521,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ac-1"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -481,6 +537,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-sc-5"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -493,6 +553,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ia-4"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -505,6 +569,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-cm-7"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -517,6 +585,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-sc-8"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -529,6 +601,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ac-6"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 },
@@ -541,6 +617,10 @@
 "name": "Rule_Id",
 "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
 "value": "rule-ia-3"
+ },
+ {
+ "name": "implementation-status",
+ "value": "planned"
 }
 ]
 }