Export examples for responsibility model #5 (#16)

* Initiated spiral 3 for issue #5

research-2023/effort-responsibility-sharing/2022-07-05.001.md

@@ -2,6 +2,8 @@
 
 ## Define: Customer Responsibility Model
 
+(Content originally posted to [OSCAL/issues/1336](https://github.com/usnistgov/OSCAL/issues/1336), but posted here for historical purposes.)
+
 ## Problem
 
 This research effort is focused on the creation of a model that supports the ability to export content from the System Security Plan (SSP) for customers to import/reference in a separate System Security Plan. This responsibility model is used to expose only the appropriate and necessary SSP content to a leveraging system, when the leveraging system owner is not entitled to see the entire SSP of the leveraged system.
@@ -90,67 +92,78 @@ Impressions:
 The following use cases were created:
 
 ### Direct
+
 In the first case, consider a responsibility that is passed directly from the provider to customer.
 
 ![Control Inheritance-Direct drawio](https://user-images.githubusercontent.com/107055718/180248607-347b9a65-bafc-4e1e-b40e-deeec382978e.png)
 
 The data could be similar to:
 
-Field	Value
-Control ID	PE-11
-Control Name	Emergency Power
-Control Description	Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.
-Control Origination (Ownership/Responsibility)	Provider
-Implementation Model/Entity	IaaS
-Implementation Details	The infrastructure is supported by multiple uninterruptible power supplies, and a redundant backup generator system capable of continuous operation for an extended period of time.
-Implementation Status	Implemented
-Implementation Requirement (Responsibility)	Customers do not have physical access to any system resources in Provider datacenters. Customer fully inherits this control from the Cloud Service Provider (CSP).
-Inheritable	Yes
-Baseline	Moderate
-Baseline Entity/Framework	FedRAMP
+| Field | Value |
+| --- | --- |
+| Control ID | PE-11 |
+| Control Name | Emergency Power |
+| Control Description | Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. |
+| Control Origination (Ownership/Responsibility) | Provider |
+| Implementation Model/Entity | IaaS |
+| Implementation Details | The infrastructure is supported by multiple uninterruptible power supplies, and a redundant backup generator system capable of continuous operation for an extended period of time. |
+| Implementation Status | Implemented |
+| Implementation Requirement (Responsibility) | Customers do not have physical access to any system resources in Provider datacenters. Customer fully inherits this control from the Cloud Service Provider (CSP). |
+| Inheritable | Yes |
+| Baseline | Moderate |
+| Baseline Entity/Framework | FedRAMP |
 
 ### Shared
+
 In the second case, consider a responsibility that is passed from a cloud service provider to a managed service provider, and finally to the customer.
 
 ![Control Inheritance-Shared drawio](https://user-images.githubusercontent.com/107055718/180248643-48d6d5a4-88e5-44d1-af3b-77b64ce0102d.png)
 
-The goal of this example is to show information that may need to be documented through some level of shared responsibility. This scenario presents a situation where an organization operates cloud-based systems for customers who focus solely on developing and maintaining applications. This also demonstrates how a customer could understand how responsibilities are addressed for a control, and provides a mechanism to further delegate responsibility to subordinates.
+The goal of this example is to show information that may need to be documented through some level of shared responsibility. This scenario presents a situation where an organization operates cloud-based systems for customers who focus solely on developing and maintaining applications.  This also demonstrates how a customer could understand how responsibilities are addressed for a control, and provides a mechanism to further delegate responsibility to subordinates.
 
-Field	Value
-Control ID	SI-4(d) (Statement)
-Control Name	System Monitoring
-Control Description	Analyze detected events and anomalies
-Control Origination (Ownership/Responsibility)	Shared
-Inheritable	Partial
-Baseline	Low
-Baseline Entity/Framework	FedRAMP
+| Field | Value |
+| --- | --- |
+| Control ID | SI-4(d) (Statement) |
+| Control Name | System Monitoring |
+| Control Description | Analyze detected events and anomalies |
+| Control Origination (Ownership/Responsibility) | Shared |
+| Inheritable | Partial |
+| Baseline | Low |
+| Baseline Entity/Framework | FedRAMP |
 
 #### Cloud Service Provider (IaaS)
-The Cloud Service Provider states the baseline implementation and the overall responsibilities that must be met to fully address the control. In this case, a distinction is not made for entities that will inherit the control, or what portion of responsibility is assigned to each inheriting entity.
 
-Field	Value
-Implementation Model/Entity	IaaS
-Implementation Details	Provider implements portions of this control for IaaS and PaaS customers. Servers upload logs to a log monitoring tool and the audit logging process for aggregation and analysis. Access to tool and the audit logging process is restricted as specified in the AU family of controls, specifically AU-9. Provider Infrastructure devices are configured to upload their logs to a central repository managed by the Provider Security team. Access to manage the security incident and event management tool used with the Infrastructure is limited to authorized personnel. These personnel are members of a security incident management team.
-Implementation Status	Implemented
-Implementation Requirement (Delegated Responsibility)	The customer is responsible for monitoring customer-deployed resources. The customer control implementation statement should address the protection of intrusion-monitoring tool information from unauthorized access, modification, and deletion.
+The Cloud Service Provider states the baseline implementation and the overall responsibilities that must be met to fully address the control.  In this case, a distinction is not made for entities that will inherit the control, or what portion of responsibility is assigned to each inheriting entity.
+
+| Field | Value |
+| --- | --- |
+| Implementation Model/Entity | IaaS |
+| Implementation Details | Provider implements portions of this control for IaaS and PaaS customers. Servers upload logs to a log monitoring tool and the audit logging process for aggregation and analysis. Access to tool and the audit logging process is restricted as specified in the AU family of controls, specifically AU-9. Provider Infrastructure devices are configured to upload their logs to a central repository managed by the Provider Security team. Access to manage the security incident and event management tool used with the Infrastructure is limited to authorized personnel. These personnel are members of a security incident management team. |
+| Implementation Status | Implemented |
+| Implementation Requirement (Delegated Responsibility) | The customer is responsible for monitoring customer-deployed resources. The customer control implementation statement should address the protection of intrusion-monitoring tool information from unauthorized access, modification, and deletion. |
 
 #### Managed Service Provider (PaaS)
-In this scenario, the Managed Service Provider is presumed to operate services on behalf of the customer. The MSP provides monitoring services for the platform, but not for customer developed applications. The MSP assumes a portion of the Implementation Requirement from the IaaS, and delegates responsibility for application monitoring.
 
-Field	Value
-Implementation Model/Entity	PaaS
-Implementation Details	Monitors customer-deployed resources for events. Access to events are limited to authorized personnel. The platform management team reviews alerts and logs as events are reported to the customer, and conducts daily analysis.
-Implementation Status	Implemented
-Implementation Requirement (Delegated Responsibility)	Application owners are responsible for monitoring their application logs for signs of unauthorized activity according to laws and regulations, and applying heightened scrutiny when there is an indication of increased risk.
+In this scenario, the Managed Service Provider is presumed to operate services on behalf of the customer. The MSP provides monitoring services for the platform, but not for customer developed applications.  The MSP assumes a portion of the Implementation Requirement from the IaaS, and delegates responsibility for application monitoring.
+
+| Field | Value |
+| --- | --- |
+| Implementation Model/Entity | PaaS |
+| Implementation Details | Monitors customer-deployed resources for events. Access to events are limited to authorized personnel. The platform management team reviews alerts and logs as events are reported to the customer, and conducts daily analysis. |
+| Implementation Status | Implemented |
+| Implementation Requirement (Delegated Responsibility) | Application owners are responsible for monitoring their application logs for signs of unauthorized activity according to laws and regulations, and applying heightened scrutiny when there is an indication of increased risk. |
 
 #### Customer (Application Owner)
-The customer addresses the application monitoring requirement, and while it wouldn't be required, it could also document responsibilities within the organization for an internal responsibility matrix utilized by a development team or business unit. This could be useful for developing a Component Definition for a service or application.
 
-Field	Value
-Implementation Model/Entity	Application Owner
-Implementation Details	Application and service monitoring must be provided by the development team, and incidents reported within one hour of discovery to the Information Security Officer. Access to events are limited to authorized personnel.
-Implementation Status	Planned
-Implementation Requirement (Delegated Responsibility)	Application logs are reviewed daily by approved members of the development team, and suspicious events are reported to the Information Security Officer.
+The customer addresses the application monitoring requirement, and while it wouldn't be required, it could also document responsibilities within the organization for an internal responsibility matrix utilized by a development team or business unit.  This could be useful for developing a Component Definition for a service or application.
+
+| Field | Value |
+| --- | --- |
+| Implementation Model/Entity | Application Owner |
+| Implementation Details | Application and service monitoring must be provided by the development team, and incidents reported within one hour of discovery to the Information Security Officer. Access to events are limited to authorized personnel. |
+| Implementation Status | Planned |
+| Implementation Requirement (Delegated Responsibility) | Application logs are reviewed daily by approved members of the development team, and suspicious events are reported to the Information Security Officer. |
+
 
 
 # Interpretation
@@ -198,4 +211,4 @@ Map use case information to existing OSCAL model(s) and identify gaps.
 
 # References
 
-No remarks.
+No remarks.