From 645f03e694786ccb0d4c9eb1f20f295ddafc7712 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Thu, 16 May 2024 13:08:38 -0400 Subject: [PATCH 01/36] Fix team mentions --- .github/workflows/account_request_approve.yaml | 2 +- .github/workflows/account_request_authorize.yaml | 2 +- .github/workflows/account_request_open.yaml | 4 ++-- .github/workflows/account_request_reject.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index a729ebc..b34b17c 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -21,4 +21,4 @@ jobs: NUMBER: ${{ github.event.issue.number }} BODY: > Account management request APPROVED by Blossom Management. - @blossom-sysdevs please review and submit Account Management Authorization Form. \ No newline at end of file + @usnistgov/blossom-sysdevs please review, implement, and submit Account Management Authorization Form. \ No newline at end of file diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml index 4753e0a..45e0390 100644 --- a/.github/workflows/account_request_authorize.yaml +++ b/.github/workflows/account_request_authorize.yaml @@ -21,7 +21,7 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} BODY: > - Account management AUTHORIZED + @usnistgov/blossom-management An approved account modification has been implemented. # Contact AWS Cognito to show users diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml index 35d4fa2..8071943 100644 --- a/.github/workflows/account_request_open.yaml +++ b/.github/workflows/account_request_open.yaml 
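Review bot: The new APPROVED comment in account_request_approve.yaml attributes the decision to "Blossom Management" as a group but never records which account actually added the ACCOUNT_APPROVED label, so the issue thread leaves no approver identity for later review of the account change. Any user with triage or write access to the repository can apply a label, and the `if: github.event.label.name == 'ACCOUNT_APPROVED'` guard visible in later hunks checks only the label name, not team membership, so the labeling actor is the only audit trail this workflow can leave. Include it in the message, e.g. `Account management request APPROVED by Blossom Management (@${{ github.event.sender.login }}).`; the value is a GitHub login and is expanded into the env-var body by the runner, not by the shell. The same applies to the REJECTED comment in account_request_reject.yaml.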
@@ -22,5 +22,5 @@ jobs: NUMBER: ${{ github.event.issue.number }} BODY: > Account management request CREATED. - @blossom-management please review and approve/reject this request - by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label. \ No newline at end of file + @usnistgov/blossom-management please review and approve/reject this request + by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label to this issue. \ No newline at end of file diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml index 5454ca2..ffc2812 100644 --- a/.github/workflows/account_request_reject.yaml +++ b/.github/workflows/account_request_reject.yaml @@ -14,7 +14,7 @@ jobs: issues: write steps: - name: Close rejected account request - run: gh issue close "$NUMBER" --comment "$COMMENT" + run: gh issue close "$NUMBER" --comment "$COMMENT" --reason "not planned" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} From 742cc343e05b08ef96b1933be70beae026475beb Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 21 May 2024 16:40:43 -0400 Subject: [PATCH 02/36] Close approved account request --- .github/workflows/account_request_approve.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index b34b17c..a5fd078 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml 
@@ -14,11 +14,12 @@ jobs: issues: write steps: - name: Notify Blossom Sysdevs about Approved Account - run: gh issue comment "$NUMBER" --body "$BODY" + run: gh issue close "$NUMBER" --comment "$COMMENT" --reason "completed" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} - BODY: > + COMMENT: > Account management request APPROVED by Blossom Management. - @usnistgov/blossom-sysdevs please review, implement, and submit Account Management Authorization Form. \ No newline at end of file + @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. + Then submit the [Account Management Authorization Form](https://github.com/usnistgov/blossom-oscal/issues/new?assignees=&labels=ACCOUNT_AUTHORIZED_RECORD&projects=&template=account_management_authorization_form.yaml) \ No newline at end of file From 3d61e7ca2974c941856781638cc2f57361180a9f Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 21 May 2024 16:57:15 -0400 Subject: [PATCH 03/36] Change to ubuntu latest --- .github/workflows/account_request_approve.yaml | 2 +- .github/workflows/account_request_authorize.yaml | 2 +- .github/workflows/account_request_open.yaml | 2 +- .github/workflows/account_request_reject.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index a5fd078..8ba1569 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -9,7 +9,7 @@ jobs: # When ACCOUNT_APPROVED label is added to account management request request-approved: if: github.event.label.name == 'ACCOUNT_APPROVED' - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: issues: write steps: diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml index 45e0390..3ea1a1b 100644 
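Review bot: The approve step now closes the request with `--reason "completed"` the moment management adds the label, before @usnistgov/blossom-sysdevs has updated the ACL and SSP, so the issue record marks the account change complete while implementation is still pending and nothing ties the later Account Management Authorization Form back to this request. Either keep the request open until the authorization record exists, or at least ask for the link in the new comment, e.g. `Then submit the [Account Management Authorization Form](...) and reference #${{ github.event.issue.number }} in it.` Note also that the template link pre-applies the ACCOUNT_AUTHORIZED_RECORD label and the authorize workflow (its `if:` is visible in later hunks) fires on that label alone, so any user able to open an issue from that template can produce an "implemented" notification; unless the trigger is restricted elsewhere, gate it on the issue author, e.g. `&& contains(fromJSON('["MEMBER","OWNER"]'), github.event.issue.author_association)`. The step name `Notify Blossom Sysdevs about Approved Account` no longer describes a step that closes the issue; `Close approved account request and notify Blossom Sysdevs` would.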
--- a/.github/workflows/account_request_authorize.yaml +++ b/.github/workflows/account_request_authorize.yaml @@ -10,7 +10,7 @@ jobs: # Label of account management request form is ACCOUNT_AUTHORIZED_RECORD request-authorized: if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD' - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: issues: write steps: diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml index 8071943..aba78e1 100644 --- a/.github/workflows/account_request_open.yaml +++ b/.github/workflows/account_request_open.yaml @@ -10,7 +10,7 @@ jobs: # Label of account management request form is ACCOUNT_REQUEST_RECORD request-opened: if: github.event.label.name == 'ACCOUNT_REQUEST_RECORD' - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: issues: write steps: diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml index ffc2812..c3bce19 100644 --- a/.github/workflows/account_request_reject.yaml +++ b/.github/workflows/account_request_reject.yaml @@ -9,7 +9,7 @@ jobs: # When ACCOUNT_REJECTED label is added to account management request request-rejected: if: github.event.label.name == 'ACCOUNT_REJECTED' - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: issues: write steps: From 48d7488ecfb72371d1593927267697404f4f37c6 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Thu, 23 May 2024 11:20:08 -0400 Subject: [PATCH 04/36] Newline and close --- .github/workflows/account_request_approve.yaml | 4 ++-- .github/workflows/account_request_open.yaml | 2 +- .github/workflows/account_request_reject.yaml | 4 ++-- account_workflow.md | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index 8ba1569..a608be6 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml 
@@ -20,6 +20,6 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} COMMENT: > - Account management request APPROVED by Blossom Management. - @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. + Account management request APPROVED by Blossom Management. Closing request as "completed".\ + @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP.\ Then submit the [Account Management Authorization Form](https://github.com/usnistgov/blossom-oscal/issues/new?assignees=&labels=ACCOUNT_AUTHORIZED_RECORD&projects=&template=account_management_authorization_form.yaml) \ No newline at end of file diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml index aba78e1..983c73c 100644 --- a/.github/workflows/account_request_open.yaml +++ b/.github/workflows/account_request_open.yaml @@ -21,6 +21,6 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} BODY: > - Account management request CREATED. + Account management request CREATED.\ @usnistgov/blossom-management please review and approve/reject this request by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label to this issue. \ No newline at end of file diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml index c3bce19..c985068 100644 --- a/.github/workflows/account_request_reject.yaml +++ b/.github/workflows/account_request_reject.yaml @@ -20,5 +20,5 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} COMMENT: > - Account management request REJECTED by Blossom Management. - Closing request. + Account management request REJECTED by Blossom Management.\ + Closing request as "not planned". diff --git a/account_workflow.md b/account_workflow.md index f3f7244..b814f97 100644 --- a/account_workflow.md +++ b/account_workflow.md 
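Review bot: The trailing backslashes added to the `COMMENT: >` and `BODY: >` values will not produce line breaks: in a YAML folded scalar a backslash is an ordinary character and the newline after it is folded into a single space, so the comment posted to the issue should read `... "completed".\ @usnistgov/blossom-sysdevs ...` with a literal backslash followed by a space (the same `\` idiom is a valid hard break in the account_workflow.md hunk, but that file is Markdown, not YAML). Use a literal block scalar and drop the backslashes, `COMMENT: |` with each sentence on its own line, or keep `>` and separate the sentences with a blank line, which folds to a real newline. This affects the approve, open and reject workflows in this commit, and the approve and open files still end without a trailing newline.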
@@ -1,8 +1,8 @@ # Account Management Workflow Document that explains the workflow of GitHub actions used to automate account management. -The requester creates a new GitHub issue (Account Request Form) to request an account for the Account Holder. -The Blossom Management group is automatically notified to review this request through GitHub. -A Blossom Management member reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED -If ACCOUNT_APPROVED, the Blossom Sysdevs group is automatically notified to implement the account and submit a new issue (Account Management Authorization Form) for the Account Holder. +The requester creates a new GitHub issue (Account Request Form) to request an account for the Account Holder.\ +The Blossom Management group is automatically notified to review this request through GitHub.\ +A Blossom Management member reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED\ +If ACCOUNT_APPROVED, the Blossom Sysdevs group is automatically notified to implement the account and submit a new issue (Account Management Authorization Form) for the Account Holder.\ If ACCOUNT_REJECTED, the account request issue is automatically closed. \ No newline at end of file From 50f24eede1bebf4a63d7a8add42f25edb17a2e22 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 4 Jun 2024 12:27:28 -0400 Subject: [PATCH 05/36] Revert back to Ubuntu 20.04 --- .github/workflows/account_request_approve.yaml | 2 +- .github/workflows/account_request_authorize.yaml | 2 +- .github/workflows/account_request_open.yaml | 2 +- .github/workflows/account_request_reject.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index a608be6..fd0f4a3 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml 
@@ -9,7 +9,7 @@ jobs: # When ACCOUNT_APPROVED label is added to account management request request-approved: if: github.event.label.name == 'ACCOUNT_APPROVED' - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 permissions: issues: write steps: diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml index 3ea1a1b..45e0390 100644 --- a/.github/workflows/account_request_authorize.yaml +++ b/.github/workflows/account_request_authorize.yaml @@ -10,7 +10,7 @@ jobs: # Label of account management request form is ACCOUNT_AUTHORIZED_RECORD request-authorized: if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD' - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 permissions: issues: write steps: diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml index 983c73c..5640336 100644 --- a/.github/workflows/account_request_open.yaml +++ b/.github/workflows/account_request_open.yaml @@ -10,7 +10,7 @@ jobs: # Label of account management request form is ACCOUNT_REQUEST_RECORD request-opened: if: github.event.label.name == 'ACCOUNT_REQUEST_RECORD' - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 permissions: issues: write steps: diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml index c985068..a0e7e3b 100644 --- a/.github/workflows/account_request_reject.yaml +++ b/.github/workflows/account_request_reject.yaml @@ -9,7 +9,7 @@ jobs: # When ACCOUNT_REJECTED label is added to account management request request-rejected: if: github.event.label.name == 'ACCOUNT_REJECTED' - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 permissions: issues: write steps: From 0d0b1826c9456a6ef787db01613d23f26fa15019 Mon Sep 17 00:00:00 2001 
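Review bot: The revert to `runs-on: ubuntu-20.04` in all four workflows carries no explanation, either in the commit message ("Revert back to Ubuntu 20.04") or in the file, so the next maintainer cannot tell whether `ubuntu-latest` actually broke something or was reverted out of habit. Pinning an image is reasonable for a process workflow, but GitHub retires older Ubuntu runner images over time, and these jobs only run `gh` CLI commands, which do not depend on the image version as far as the visible steps show. Record the reason next to the key, e.g. `runs-on: ubuntu-20.04  # pinned: <reason>; revisit before the 20.04 image is retired`, or restore `ubuntu-latest` if there was no concrete failure.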
From: Iorga Date: Tue, 4 Jun 2024 15:46:15 -0400 Subject: [PATCH 06/36] Fixed validation errors in AWS SSP. --- .gitignore | 2 + ...moderate_profile_resolved_to_catalog.json} | 0 .../ssp/aws_leveraged_authorization_ssp.json | 192 +++++++++ ..._moderate_profile_resolved_to_catalog.xml} | 9 +- .../ssp/aws_leveraged_authorization_ssp.xml | 384 +++++++++--------- .../xml/ssp/blossom_admin_member_ssp.xml | 2 +- 6 files changed, 392 insertions(+), 197 deletions(-) rename oscal-content/json/{profile/blossom_moderate_profile_resolved.json => catalog/blossom_moderate_profile_resolved_to_catalog.json} (100%) rename oscal-content/xml/{profile/blossom_moderate_profile_resolved.xml => catalog/blossom_moderate_profile_resolved_to_catalog.xml} (99%) diff --git a/.gitignore b/.gitignore index 3532e70..579c978 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,5 @@ draft-* .pyenv* .env* oscal-cli.txt +# Ignore validation tool oscal-cli +build/oscal-cli diff --git a/oscal-content/json/profile/blossom_moderate_profile_resolved.json b/oscal-content/json/catalog/blossom_moderate_profile_resolved_to_catalog.json similarity index 100% rename from oscal-content/json/profile/blossom_moderate_profile_resolved.json rename to oscal-content/json/catalog/blossom_moderate_profile_resolved_to_catalog.json diff --git a/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json b/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json index bc38bf9..d06f9f7 100644 --- a/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json +++ b/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json @@ -224,6 +224,7 @@ "information-types" : [ { "uuid" : "27e034c9-2164-47c1-ba0b-8eb56c941842", "title" : "Corrective Action (Policy/Regulation)", + "description" : "TBD", "categorizations" : [ { "system" : "https://doi.org/10.6028/NIST.SP.800-60v2r1", "information-type-ids" : [ "C.2.1.1" ] 
@@ -251,11 +252,13 @@ "state" : "operational" }, "authorization-boundary" : { + "description" : "TBD", "diagrams" : [ { "uuid" : "1d92b6f3-1260-421c-9bda-5c4a7739f0d1" } ] }, "network-architecture" : { + "description" : "TBD", "diagrams" : [ { "uuid" : "2d92b6f3-1260-421c-9bda-5c4a7739f0d2" } ] @@ -384,6 +387,7 @@ "uuid" : "1398d737-8041-4774-bed3-668d90617860", "description" : "TBD:", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f5c1b59c-04ff-4821-980a-e10c18e379a8", "description" : "TBD:" @@ -429,7 +433,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "fdecdd89-e6ce-40d7-97a9-55d3a57abb8c", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9c4a8b31-fe34-4b5f-933d-2a1c448a4ef2", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -447,7 +453,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2cd8b8e6-673a-4470-8534-13b5e2c9a240", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "bbeec595-6c96-4102-ac5d-a7675ed6c529", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
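Review bot: The `"description": "TBD"` placeholders added to `authorization-boundary`, `network-architecture` and the `export` / `by-components` entries make the SSP pass OSCAL schema validation without adding any content, so a validator now reports the authorization boundary as described when it is not. For a System Security Plan the boundary and network-architecture descriptions are exactly what an assessor reads first, and a schema-valid blank is harder to notice than the schema error it replaces. If the fields must be filled to unblock the validator, use a marker that is greppable and obviously a placeholder, for example the `"TBD:"` form the file already uses on neighboring `description` values, and open a tracking issue listing every placeholder so they are not merged as final content. The same applies to the `export` descriptions on the `463e6979-...` component entries in the following hunks, which assert inheritance from the AWS ATO while describing the export itself as TBD.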
@@ -486,7 +494,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "8103b498-0f37-4106-92e0-d88886da6eb3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9678dd9d-6125-45b7-ba22-9fa41f03f72e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -504,7 +514,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "ea52159a-8bc8-4a7e-b552-6cfd49291a6b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6b0ef9b2-6b7d-4178-b8e8-1f9ffc471045", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -522,7 +534,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "8ed49eba-7071-4d05-8a72-7170cd70e073", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9af6d025-089c-4b60-aa2a-f2301a1f4ba1", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -540,7 +554,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "aed2636d-73bc-4484-aa02-744c7d7766e3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "72a3d5fb-6021-4052-8b8d-645f445f1de9", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -558,7 +574,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "eaaf5c14-f217-4f73-9a05-6238ee9e2e00", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "63b1f1a3-ed64-4b3b-91f0-80255ccfdd80", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -576,7 +594,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d4182aa0-508a-4bf4-97d7-7c351b34f8c9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6ba7424b-ec07-494c-a937-315be22012df", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -605,7 +625,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "bd636006-e24a-48a6-826d-e140ce79688b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "13f36d45-615b-41e2-9760-6731a543e3b5", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -633,7 +655,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c938abfb-d25c-4810-acba-7676d2462a88", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c906e5b4-40ce-42e0-af33-6e70e2f93499", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -661,7 +685,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "17a3d2b4-9caa-405c-bfe3-ef4f43b7f7bf", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "dfa89026-ff35-47e6-8c3f-cc4b2b623dd6", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -696,7 +722,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7a32cdf4-0904-4c26-8f1d-9906d35ede53", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "ebfb1122-fd4b-49d2-acc2-349d54db3c51", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -714,7 +742,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "e06595df-f3b7-4ce5-a510-6ca8fe068b72", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6e8f46ce-8f4e-40f1-95a8-71430a769709", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -732,7 +762,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "cc0efa05-1f76-46d3-a974-3d96b3257d64", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "36d198cc-91e3-4f0b-a633-7cc256d29c42", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -750,7 +782,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "0702e1b5-f95a-47b8-8244-a66ab38b0908", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "78df87ae-283c-4626-981a-e14291a0c8dd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -782,7 +816,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "a68e4b6a-b77e-485d-aa8a-e785fc158085", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "4d23c4d8-b0cb-4a8a-9d64-aa24da8ab619", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -800,7 +836,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "42c76696-a674-464a-9229-6c6c3efae55d", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "35ab73e0-937c-48c3-b02f-fc2d10b1a81e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -818,7 +856,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d6522c04-d78d-4672-b4d5-297e035a4a47", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "8b875c18-e130-40ef-9f54-479c9593dbb4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -836,7 +876,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "b2c30e47-7e20-4d8c-a8a5-76e14371f047", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "3486928c-60a9-4549-a090-1b56af560221", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -854,7 +896,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "a0710b8a-49a7-42f9-9c6b-c15345f3fbee", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f075f560-32f2-4ec6-bd12-868d3bdd2310", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -883,7 +927,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c190a70f-74f3-4f4a-bf1b-b7a373816d48", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "d07af2dd-4725-4651-89d8-d732eb20fb22", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -914,7 +960,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "ffe84fd7-6541-4b14-b09e-dbd792d76ef3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "bbf26c5d-bb82-4d70-b4f2-882afe6d9bf4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -932,7 +980,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "747dc783-b19e-49bb-ab71-f095f7b3011f", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "faa72600-62e7-4440-b241-63ec94afd763", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -961,7 +1011,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "f42c46cb-443d-459e-9aae-8bbf3b82edaf", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "1d56cf05-5ccc-4491-b506-8cebae18963a", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -992,7 +1044,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d8cc5638-2afe-459d-a3cb-a01976aeac85", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "441dadf2-bef9-4e06-8f43-dd03b441acdd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1010,7 +1064,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "96892541-9b58-440e-b44e-3998a4a7be84", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "627ba3bb-1a54-4cf5-ad56-7155247f5280", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1028,7 +1084,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "02655970-983a-4b85-a49f-587749ce3d19", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "245d3044-c5f1-4167-9a6e-2c29388bba5e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1060,7 +1118,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "24ee516c-0d3f-4960-90b7-afa66abc28a9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f4a058aa-a41c-4c58-9758-6c79f980fd18", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1078,7 +1138,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7fe0f375-88a4-4fb0-b38c-d4a500e3b1d9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "86b5fad1-4e75-43da-b257-9467fff7acfe", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1114,7 +1176,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "409c1e47-be79-43bf-aa2c-0fed0889c6d0",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "c81f9919-29f5-455b-a40d-3240093a0be5",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1155,7 +1219,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "092bfd62-aa7b-4409-a875-5fff7d2975b5",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "32b76454-93db-4bd1-9222-9604e6c5f7c7",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1173,7 +1239,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "d862d207-64d0-4d00-bcbe-097ea62ba6f5",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "b7367d62-0528-426b-8f97-f68a9530d619",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1209,7 +1277,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "9aaadee4-d49f-4de8-87ae-558fc6352e13",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "52572cd0-59ae-4248-8f07-68757ed538ec",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1247,7 +1317,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "3d05b563-2cb8-4e38-8f56-694f60a2453f",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "af8ae830-df78-443c-bf0f-dc164f0d90b3",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1265,7 +1337,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "bda847e5-11cc-4d9f-857a-45f8819fd230",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "ffc17fe4-0e82-4292-8fd0-493905941d48",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1304,7 +1378,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "2e132311-f565-4aed-9614-ccc6a77158e2",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "a02735f9-5446-4ed4-8c26-5ab744ae1b04",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1322,7 +1398,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "91fa9408-1373-4254-9159-cb2695e615a8",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "70698d4a-e8c2-4b9c-9395-c0582d8b8022",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1361,7 +1439,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "c487bf9a-c8fc-4180-92dc-ee528ece1949",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "6056c6b8-60b1-498b-acf4-3d6c6fe8830a",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1379,7 +1459,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "40d22136-bb9c-4366-889b-6e59f8332069",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "01fa8cff-5d8e-4e04-af66-9384ee9c3606",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1397,7 +1479,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4c84e881-7969-45ce-be75-7b223d4d1be3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "03f61f6e-7c67-4701-a9cd-30563989a670",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1415,7 +1499,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "dee24e7a-a80e-4598-b281-e15f6d247e4d",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "769edda4-b4ed-4671-978d-85b16bfd564e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1444,7 +1530,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "902a1af4-6479-4833-8d22-3efdf7d30edc",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "f7c948c9-b471-4a53-a56a-af75ece5d75e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1482,7 +1570,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7e5a2ff0-9bb8-4e96-b3ea-8ee6c7ae189e",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "80e0c1ad-0366-4d71-a228-e81f553daf70",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1500,7 +1590,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "2f0f0bfa-fa0e-4245-b54a-926b349f5f6b",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "1b8d9da7-1c8e-4b05-af8c-b4887adcfe2a",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1529,7 +1621,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "3c52d224-4181-42e6-a477-96862a7547ea",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "c803d36a-1e21-4f51-9380-29fdaca0c823",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1561,7 +1655,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "5bf37408-0101-487e-82d3-6aef883b259d",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "ad041938-5dff-484d-8ecd-3888b3f30781",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1593,7 +1689,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "f5ac2d2d-abeb-4ad5-be32-83225ff6a8da",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "373974c4-c109-4b09-81f7-bf16ab35794d",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1634,7 +1732,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "e93f9b10-7017-4bbb-beb2-c0c60a11570e",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "c5ca7ce6-d6bd-4b15-bfff-222f9c04b23a",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1662,7 +1762,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4e1cfda5-3463-4dff-ab6f-ee82d4fc12d4",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "01a0d189-d163-42ef-971e-f483eb1a89e3",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1703,7 +1805,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "5f8020ca-afa5-41d3-8b8c-29372db8af1d",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "febe4d8a-4107-4e8f-9bca-c9a0c96d7cb0",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1721,7 +1825,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "5b81c845-e335-4854-9189-bbbdeeb8c220",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "920d4c86-6f4a-4b57-a991-3ec6c62a5cfd",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1757,7 +1863,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "c463ebb0-ec05-4bdf-af2e-b44b0ab9ed7e",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "5643f75d-672b-465b-869e-c6c80962c9be",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1775,7 +1883,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "0a8cdb94-3fbc-4c0e-a4a1-5bbbeb85aca2",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "3301e8bd-5cdc-4cc6-835e-ac8af07d7f5c",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1793,7 +1903,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "8b94c5b1-f4c9-47e4-b2e6-1b3ba3ff0808",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "cfeb89af-a484-49c4-9988-96237c86944e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1811,7 +1923,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "2f9fe10b-ba9e-4291-98b5-13bb6fc0c58c",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e7024325-6340-4e1f-a4b8-c741d1e36bb4",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1871,7 +1985,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "3b3ecf6b-d4a9-499c-a5d1-2887b4987aca",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "542b2329-5497-456f-b117-746e798b9929",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1889,7 +2005,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "ead33ba5-eb15-48e3-900e-8a3e9cf289d9",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "96ff07de-683f-4181-8813-ae4498d66f05",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1907,7 +2025,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "66ece908-ee7b-468b-a5b4-e900aa724ea1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "f4c09934-895b-40e8-b122-aa08ea9b50ba",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1925,7 +2045,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "2db60ecd-c0a9-4be8-a6b5-c4bb45d9ec49",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "81660f14-0393-4219-98ac-9e2c8f7142f6",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1943,7 +2065,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "72dfa4c9-d24a-4ac2-8c66-46e0992e9158",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "0a453bbe-cb88-45c8-b6ae-5033bc09feff",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1961,7 +2085,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "27000dc4-4d7c-4e0c-aa8a-581babfe7745",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e7799c91-b885-4d4e-b198-a7988c76c3ad",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -1979,7 +2105,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "2040d1a5-ddd0-405d-8edd-e58f77a59ad3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "92842d62-9ca0-46f9-a431-abf9e6b4f594",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2012,7 +2140,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "6d925c2b-0462-4a75-aa45-03b73c017307",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "c2ac04dc-acb4-418a-84e5-b58730f01dee",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2047,7 +2177,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "bec2e74d-c33d-4232-a4ac-424abf2637ff",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "cd19a3a6-00e2-4a44-9c63-bf795f9c93d1",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2075,7 +2207,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4a99e9c6-ff33-4a37-abc9-b6b9ca7d4657",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "259c0c8f-3bb9-4e43-877b-c896a20aee7d",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2113,7 +2247,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "6fd8dba3-df21-4c25-9994-95a66c3c74be",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "f5320fa1-6ce9-4ef6-a6a8-422f619a41f9",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2131,7 +2267,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4d196aef-1385-4bf2-8b00-28258e22b677",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "b62d1197-e6c0-4b42-8f77-02b311b8faab",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2149,7 +2287,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "c148993e-862d-40b1-b670-f19db4114e95",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "25356503-3b18-4a0e-b97a-cf243e4e174c",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2178,7 +2318,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "70e9c839-37dc-48c9-ac6a-d34bf6dbaa17",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e9a252ad-ff10-43ca-a790-024d5c8771ae",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2210,7 +2352,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "8727a64e-a367-4b17-86b1-742dada3a0c1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "59b5f4ea-33eb-4000-a636-aaa4004e29b0",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2248,7 +2392,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "83d8d2e9-abb0-442a-a232-b6b3ade4040e",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "9301b521-7676-45eb-9d3c-a7466b652b84",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2266,7 +2412,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "36ab955e-ac9b-4fd5-83a9-2cc35c5fa5b8",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "dc217439-df1e-4d91-ae4c-10b790b961e4",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2295,7 +2443,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "5e212f76-bae7-47ce-b7bc-c093b7133dfc",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "2079e0b4-5fb6-403b-a69a-1f39fd96c0b7",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2323,7 +2473,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "476a42e2-6778-4b2b-8f9b-77aec5a538dd",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "20679a94-74fe-4055-b7d8-3a2014dcc049",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2358,7 +2510,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "d1b09916-2698-4642-bddd-7e3f6b69e1e1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "f556c40b-a2d8-4f2a-bdaa-5a37073548fe",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2376,7 +2530,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7600b228-0413-4e7b-91ae-24537ad02f25",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "291bebf7-594a-401d-a2c0-d24d2aac6bf2",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2394,7 +2550,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "b8c7793c-8209-4280-97ec-8637c6e55fd3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "b37cec5a-2b40-477f-976d-f0e264dd2b8e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2427,7 +2585,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4e691a77-ec56-4ad4-b532-7ed71b9b08aa",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "01f1d712-a58c-40b5-aa5b-ea123f03d7dc",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2455,7 +2615,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7a0ef9ab-66e7-47a6-b25a-3db8378d04f8",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "d6d16f6d-5ac5-4c94-8066-d9bc1c67eb82",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2483,7 +2645,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7153a18a-1c44-43f9-b897-a7c51f024d40",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "956fb932-4841-402b-9b3d-3393ad295dfd",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2511,7 +2675,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "12f7481f-055d-46d3-bb53-86d7e3651e26",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "178d5628-b2fc-40ee-ad44-ba6b95888b99",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2546,7 +2712,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "d68dcfcc-48bd-440d-a7e0-8c0699449ad6",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "9f2515b3-e250-4449-9779-28bcd6faf77d",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2581,7 +2749,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4ede96a6-6cac-4dfb-9769-40f341192bea",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e28bff74-96a4-454d-98d7-c59e122d63fb",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2609,7 +2779,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "47f93be9-2806-4939-b7cb-4dc13784717a", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "d7caf3b3-f81b-42ef-9afc-926cee762d34", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2647,7 +2819,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "bd8d9613-c072-44fe-8674-147d13925382", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "24d459a8-dd81-4881-ae25-6f69a155a174", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2665,7 +2839,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "e126ea00-6678-4b2d-a171-d75a0a0f3d9a", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9ff9038d-e1f7-4d3f-a5b0-ff301848eeaf", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2694,7 +2870,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "20c0da71-a712-46c1-84a2-856fd428f7f3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "a1ef191c-a130-4145-82ca-fa1895af11dd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2722,7 +2900,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "3b39a1d5-d58b-40cc-a800-126c564f7da4", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "ac93fa47-dd7d-445a-a407-cb93947580ca", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2754,7 +2934,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "00c98ea4-1a92-4f46-ad19-49934bbba173", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "7b581e32-56d2-4243-9057-8d57c7ec842e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2786,7 +2968,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "f8d231f5-d9be-42cc-be78-dad690e480c1", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "4bb45439-3b70-4a5c-adcd-e4becd0b14c9", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2821,7 +3005,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "965e16bb-a4b1-4396-b523-baa8e0b9a5bc", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "311bf6f3-8920-44bf-a216-3aad35b27614", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2839,7 +3025,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7091b24c-1aa1-49d7-9ad6-bae60f88d0e3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "7fd2e269-a354-440d-bc52-6a158fb2dbd4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2857,7 +3045,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "4df3485f-407d-42b8-ab8e-8c634216c51b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "81f4d2b6-91de-48eb-a0ad-8afe37eccd2d", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2890,7 +3080,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "15a1aa21-71d2-4728-9b0b-38fbe10f8b86", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "78a2ecba-1b3b-4aac-ad0b-f0ce572aea46", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." diff --git a/oscal-content/xml/profile/blossom_moderate_profile_resolved.xml b/oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml similarity index 99% rename from oscal-content/xml/profile/blossom_moderate_profile_resolved.xml rename to oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml index 145e83d..3f127d0 100644 --- a/oscal-content/xml/profile/blossom_moderate_profile_resolved.xml +++ b/oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml @@ -1,12 +1,13 @@ - - + + NIST BloSS@M Tailored Moderate Baseline - 2024-03-20T21:24:47.769914Z + 2024-05-30T18:28:59.688431Z 0.0.1 1.1.2 - 
diff --git a/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml b/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml index 47ceebe..5aee1fa 100644 --- a/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml +++ b/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml @@ -181,7 +181,7 @@ Corrective Action (Policy/Regulation) - +

TBD

C.2.1.1 @@ -206,11 +206,11 @@ - +

TBD

- +

TBD

@@ -323,7 +323,7 @@

TBD:

- +

TBD

TBD:

@@ -361,9 +361,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -387,9 +387,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -426,9 +426,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -452,9 +452,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -478,9 +478,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -504,9 +504,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -530,9 +530,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -556,9 +556,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -588,9 +588,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -619,9 +619,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -650,9 +650,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -685,9 +685,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -711,9 +711,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -737,9 +737,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -763,9 +763,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -796,9 +796,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -822,9 +822,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -848,9 +848,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -874,9 +874,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -900,9 +900,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -932,9 +932,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -964,9 +964,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -990,9 +990,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1022,9 +1022,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1054,9 +1054,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1080,9 +1080,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1106,9 +1106,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1139,9 +1139,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1165,9 +1165,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1203,9 +1203,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1244,9 +1244,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1270,9 +1270,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1308,9 +1308,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1346,9 +1346,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1372,9 +1372,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1411,9 +1411,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1437,9 +1437,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1476,9 +1476,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1502,9 +1502,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1528,9 +1528,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1554,9 +1554,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1586,9 +1586,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1624,9 +1624,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1650,9 +1650,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1682,9 +1682,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1716,9 +1716,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1750,9 +1750,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1793,9 +1793,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1824,9 +1824,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1865,9 +1865,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1891,9 +1891,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1927,9 +1927,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1953,9 +1953,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1979,9 +1979,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2005,9 +2005,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2065,9 +2065,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2091,9 +2091,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2117,9 +2117,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2143,9 +2143,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2169,9 +2169,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2195,9 +2195,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2221,9 +2221,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2256,9 +2256,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2293,9 +2293,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2324,9 +2324,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2362,9 +2362,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2388,9 +2388,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2414,9 +2414,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2446,9 +2446,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2480,9 +2480,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2518,9 +2518,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2544,9 +2544,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2576,9 +2576,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2607,9 +2607,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2642,9 +2642,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2668,9 +2668,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2694,9 +2694,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2729,9 +2729,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2760,9 +2760,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2791,9 +2791,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2822,9 +2822,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2859,9 +2859,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2896,9 +2896,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2927,9 +2927,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2965,9 +2965,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2991,9 +2991,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3023,9 +3023,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3054,9 +3054,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3088,9 +3088,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3122,9 +3122,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3157,9 +3157,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3183,9 +3183,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3209,9 +3209,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3244,9 +3244,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index 8531014..00bfaa2 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml @@ -581,7 +581,7 @@ -

FedRAMP SSP Template Section 13

+

This is a palceholder for the FedRAMP SSP Template Section 13

This description field is required by OSCAL.

FedRAMP does not require any specific information here.

From 876051a099170afcefdddbc8c734b2bd6b5f49ff Mon Sep 17 00:00:00 2001 From: Iorga Date: Wed, 5 Jun 2024 07:45:54 -0400 Subject: [PATCH 07/36] Update of account_workflow document --- .gitignore | 1 + account_workflow.md | 27 +++++++++++++++++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 579c978..29ffb99 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .DS_Store .vscode/* +.history/* *.pyc __pycache__/ draft-* diff --git a/account_workflow.md b/account_workflow.md index b814f97..f51ead5 100644 --- a/account_workflow.md +++ b/account_workflow.md 
@@ -1,8 +1,23 @@ # Account Management Workflow -Document that explains the workflow of GitHub actions used to automate account management. -The requester creates a new GitHub issue (Account Request Form) to request an account for the Account Holder.\ -The Blossom Management group is automatically notified to review this request through GitHub.\ -A Blossom Management member reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED\ -If ACCOUNT_APPROVED, the Blossom Sysdevs group is automatically notified to implement the account and submit a new issue (Account Management Authorization Form) for the Account Holder.\ -If ACCOUNT_REJECTED, the account request issue is automatically closed. \ No newline at end of file +This document explains the workflow of GitHub actions used to automate Blossom service's accounts management. + +## Account Request and Creation +-[ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form. +-[ ] The Blossom Management group is automatically notified to review the request through GitHub. +-[ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED +-[ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account. +-[ ] Upon completion of creating the account requested, the Blossom Sysdev submits a new GitHub issue using the Account Management Authorization Form for the Account Holder. +-[ ] If ACCOUNT_REJECTED, the account request issue is automatically closed. + +## Account Disable +[TBD] + +## Account Enable +[TBD] + +## Account Change +[TBD] + +## Account Deletion +[TBD] From fc61406cb16c2c5850b4899b778343132de7f883 Mon Sep 17 00:00:00 2001 
From: Iorga Date: Tue, 4 Jun 2024 15:46:15 -0400 Subject: [PATCH 08/36] Fixed validation errors in AWS SSP. --- .gitignore | 2 + ...moderate_profile_resolved_to_catalog.json} | 0 .../ssp/aws_leveraged_authorization_ssp.json | 192 +++++++++ ..._moderate_profile_resolved_to_catalog.xml} | 9 +- .../ssp/aws_leveraged_authorization_ssp.xml | 384 +++++++++--------- .../xml/ssp/blossom_admin_member_ssp.xml | 2 +- 6 files changed, 392 insertions(+), 197 deletions(-) rename oscal-content/json/{profile/blossom_moderate_profile_resolved.json => catalog/blossom_moderate_profile_resolved_to_catalog.json} (100%) rename oscal-content/xml/{profile/blossom_moderate_profile_resolved.xml => catalog/blossom_moderate_profile_resolved_to_catalog.xml} (99%) diff --git a/.gitignore b/.gitignore index 3532e70..579c978 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,5 @@ draft-* .pyenv* .env* oscal-cli.txt +# Ignore validation tool oscal-cli +build/oscal-cli diff --git a/oscal-content/json/profile/blossom_moderate_profile_resolved.json b/oscal-content/json/catalog/blossom_moderate_profile_resolved_to_catalog.json similarity index 100% rename from oscal-content/json/profile/blossom_moderate_profile_resolved.json rename to oscal-content/json/catalog/blossom_moderate_profile_resolved_to_catalog.json diff --git a/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json b/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json index bc38bf9..d06f9f7 100644 --- a/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json +++ b/oscal-content/json/ssp/aws_leveraged_authorization_ssp.json @@ -224,6 +224,7 @@ "information-types" : [ { "uuid" : "27e034c9-2164-47c1-ba0b-8eb56c941842", "title" : "Corrective Action (Policy/Regulation)", + "description" : "TBD", "categorizations" : [ { "system" : "https://doi.org/10.6028/NIST.SP.800-60v2r1", "information-type-ids" : [ "C.2.1.1" ] 
@@ -251,11 +252,13 @@ "state" : "operational" }, "authorization-boundary" : { + "description" : "TBD", "diagrams" : [ { "uuid" : "1d92b6f3-1260-421c-9bda-5c4a7739f0d1" } ] }, "network-architecture" : { + "description" : "TBD", "diagrams" : [ { "uuid" : "2d92b6f3-1260-421c-9bda-5c4a7739f0d2" } ] @@ -384,6 +387,7 @@ "uuid" : "1398d737-8041-4774-bed3-668d90617860", "description" : "TBD:", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f5c1b59c-04ff-4821-980a-e10c18e379a8", "description" : "TBD:" @@ -429,7 +433,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "fdecdd89-e6ce-40d7-97a9-55d3a57abb8c", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9c4a8b31-fe34-4b5f-933d-2a1c448a4ef2", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -447,7 +453,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2cd8b8e6-673a-4470-8534-13b5e2c9a240", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "bbeec595-6c96-4102-ac5d-a7675ed6c529", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
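Review bot: The `authorization-boundary` and `network-architecture` `description` values added in the `@@ -251,11 +252,13 @@` hunk are the literal placeholder `"TBD"`, which satisfies the OSCAL schema but leaves the two fields that define the SSP's assessed scope empty in substance, and once the file validates cleanly nothing marks them as unfinished. Consider a placeholder that is greppable and self-describing, e.g. `"description" : "TBD: authorization boundary narrative for diagram 1d92b6f3-..."`, paired with a CI step that fails or warns while `TBD` remains anywhere under `oscal-content/`, so a green validation run is not mistaken for a complete plan. The same concern applies to the `by-components` and `export` descriptions this patch fills with `"TBD"` throughout the file.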
@@ -486,7 +494,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "8103b498-0f37-4106-92e0-d88886da6eb3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9678dd9d-6125-45b7-ba22-9fa41f03f72e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -504,7 +514,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "ea52159a-8bc8-4a7e-b552-6cfd49291a6b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6b0ef9b2-6b7d-4178-b8e8-1f9ffc471045", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -522,7 +534,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "8ed49eba-7071-4d05-8a72-7170cd70e073", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "9af6d025-089c-4b60-aa2a-f2301a1f4ba1", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -540,7 +554,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "aed2636d-73bc-4484-aa02-744c7d7766e3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "72a3d5fb-6021-4052-8b8d-645f445f1de9", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -558,7 +574,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "eaaf5c14-f217-4f73-9a05-6238ee9e2e00", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "63b1f1a3-ed64-4b3b-91f0-80255ccfdd80", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -576,7 +594,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d4182aa0-508a-4bf4-97d7-7c351b34f8c9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6ba7424b-ec07-494c-a937-315be22012df", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -605,7 +625,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "bd636006-e24a-48a6-826d-e140ce79688b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "13f36d45-615b-41e2-9760-6731a543e3b5", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -633,7 +655,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c938abfb-d25c-4810-acba-7676d2462a88", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c906e5b4-40ce-42e0-af33-6e70e2f93499", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -661,7 +685,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "17a3d2b4-9caa-405c-bfe3-ef4f43b7f7bf", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "dfa89026-ff35-47e6-8c3f-cc4b2b623dd6", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -696,7 +722,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7a32cdf4-0904-4c26-8f1d-9906d35ede53", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "ebfb1122-fd4b-49d2-acc2-349d54db3c51", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -714,7 +742,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "e06595df-f3b7-4ce5-a510-6ca8fe068b72", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6e8f46ce-8f4e-40f1-95a8-71430a769709", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -732,7 +762,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "cc0efa05-1f76-46d3-a974-3d96b3257d64", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "36d198cc-91e3-4f0b-a633-7cc256d29c42", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -750,7 +782,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "0702e1b5-f95a-47b8-8244-a66ab38b0908", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "78df87ae-283c-4626-981a-e14291a0c8dd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -782,7 +816,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "a68e4b6a-b77e-485d-aa8a-e785fc158085", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "4d23c4d8-b0cb-4a8a-9d64-aa24da8ab619", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -800,7 +836,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "42c76696-a674-464a-9229-6c6c3efae55d", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "35ab73e0-937c-48c3-b02f-fc2d10b1a81e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -818,7 +856,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d6522c04-d78d-4672-b4d5-297e035a4a47", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "8b875c18-e130-40ef-9f54-479c9593dbb4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -836,7 +876,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "b2c30e47-7e20-4d8c-a8a5-76e14371f047", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "3486928c-60a9-4549-a090-1b56af560221", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -854,7 +896,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "a0710b8a-49a7-42f9-9c6b-c15345f3fbee", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f075f560-32f2-4ec6-bd12-868d3bdd2310", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -883,7 +927,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c190a70f-74f3-4f4a-bf1b-b7a373816d48", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "d07af2dd-4725-4651-89d8-d732eb20fb22", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -914,7 +960,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "ffe84fd7-6541-4b14-b09e-dbd792d76ef3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "bbf26c5d-bb82-4d70-b4f2-882afe6d9bf4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -932,7 +980,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "747dc783-b19e-49bb-ab71-f095f7b3011f", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "faa72600-62e7-4440-b241-63ec94afd763", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -961,7 +1011,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "f42c46cb-443d-459e-9aae-8bbf3b82edaf", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "1d56cf05-5ccc-4491-b506-8cebae18963a", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -992,7 +1044,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d8cc5638-2afe-459d-a3cb-a01976aeac85", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "441dadf2-bef9-4e06-8f43-dd03b441acdd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1010,7 +1064,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "96892541-9b58-440e-b44e-3998a4a7be84", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "627ba3bb-1a54-4cf5-ad56-7155247f5280", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1028,7 +1084,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "02655970-983a-4b85-a49f-587749ce3d19", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "245d3044-c5f1-4167-9a6e-2c29388bba5e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1060,7 +1118,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "24ee516c-0d3f-4960-90b7-afa66abc28a9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f4a058aa-a41c-4c58-9758-6c79f980fd18", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1078,7 +1138,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7fe0f375-88a4-4fb0-b38c-d4a500e3b1d9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "86b5fad1-4e75-43da-b257-9467fff7acfe", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1114,7 +1176,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "409c1e47-be79-43bf-aa2c-0fed0889c6d0", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c81f9919-29f5-455b-a40d-3240093a0be5", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1155,7 +1219,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "092bfd62-aa7b-4409-a875-5fff7d2975b5", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "32b76454-93db-4bd1-9222-9604e6c5f7c7", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1173,7 +1239,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "d862d207-64d0-4d00-bcbe-097ea62ba6f5", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "b7367d62-0528-426b-8f97-f68a9530d619", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1209,7 +1277,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "9aaadee4-d49f-4de8-87ae-558fc6352e13", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "52572cd0-59ae-4248-8f07-68757ed538ec", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1247,7 +1317,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "3d05b563-2cb8-4e38-8f56-694f60a2453f", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "af8ae830-df78-443c-bf0f-dc164f0d90b3", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1265,7 +1337,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "bda847e5-11cc-4d9f-857a-45f8819fd230", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "ffc17fe4-0e82-4292-8fd0-493905941d48", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1304,7 +1378,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2e132311-f565-4aed-9614-ccc6a77158e2", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "a02735f9-5446-4ed4-8c26-5ab744ae1b04", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1322,7 +1398,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "91fa9408-1373-4254-9159-cb2695e615a8", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "70698d4a-e8c2-4b9c-9395-c0582d8b8022", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1361,7 +1439,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c487bf9a-c8fc-4180-92dc-ee528ece1949", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "6056c6b8-60b1-498b-acf4-3d6c6fe8830a", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1379,7 +1459,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "40d22136-bb9c-4366-889b-6e59f8332069", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "01fa8cff-5d8e-4e04-af66-9384ee9c3606", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1397,7 +1479,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "4c84e881-7969-45ce-be75-7b223d4d1be3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "03f61f6e-7c67-4701-a9cd-30563989a670", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1415,7 +1499,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "dee24e7a-a80e-4598-b281-e15f6d247e4d", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "769edda4-b4ed-4671-978d-85b16bfd564e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1444,7 +1530,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "902a1af4-6479-4833-8d22-3efdf7d30edc", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f7c948c9-b471-4a53-a56a-af75ece5d75e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1482,7 +1570,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "7e5a2ff0-9bb8-4e96-b3ea-8ee6c7ae189e", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "80e0c1ad-0366-4d71-a228-e81f553daf70", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1500,7 +1590,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2f0f0bfa-fa0e-4245-b54a-926b349f5f6b", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "1b8d9da7-1c8e-4b05-af8c-b4887adcfe2a", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1529,7 +1621,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "3c52d224-4181-42e6-a477-96862a7547ea", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c803d36a-1e21-4f51-9380-29fdaca0c823", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1561,7 +1655,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "5bf37408-0101-487e-82d3-6aef883b259d", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "ad041938-5dff-484d-8ecd-3888b3f30781", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1593,7 +1689,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "f5ac2d2d-abeb-4ad5-be32-83225ff6a8da", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "373974c4-c109-4b09-81f7-bf16ab35794d", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1634,7 +1732,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "e93f9b10-7017-4bbb-beb2-c0c60a11570e", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c5ca7ce6-d6bd-4b15-bfff-222f9c04b23a", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1662,7 +1762,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "4e1cfda5-3463-4dff-ab6f-ee82d4fc12d4", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "01a0d189-d163-42ef-971e-f483eb1a89e3", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1703,7 +1805,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "5f8020ca-afa5-41d3-8b8c-29372db8af1d", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "febe4d8a-4107-4e8f-9bca-c9a0c96d7cb0", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1721,7 +1825,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "5b81c845-e335-4854-9189-bbbdeeb8c220", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "920d4c86-6f4a-4b57-a991-3ec6c62a5cfd", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1757,7 +1863,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c463ebb0-ec05-4bdf-af2e-b44b0ab9ed7e", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "5643f75d-672b-465b-869e-c6c80962c9be", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1775,7 +1883,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "0a8cdb94-3fbc-4c0e-a4a1-5bbbeb85aca2", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "3301e8bd-5cdc-4cc6-835e-ac8af07d7f5c", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1793,7 +1903,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "8b94c5b1-f4c9-47e4-b2e6-1b3ba3ff0808", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "cfeb89af-a484-49c4-9988-96237c86944e", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1811,7 +1923,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2f9fe10b-ba9e-4291-98b5-13bb6fc0c58c", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "e7024325-6340-4e1f-a4b8-c741d1e36bb4", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1871,7 +1985,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "3b3ecf6b-d4a9-499c-a5d1-2887b4987aca", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "542b2329-5497-456f-b117-746e798b9929", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1889,7 +2005,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "ead33ba5-eb15-48e3-900e-8a3e9cf289d9", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "96ff07de-683f-4181-8813-ae4498d66f05", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1907,7 +2025,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "66ece908-ee7b-468b-a5b4-e900aa724ea1", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f4c09934-895b-40e8-b122-aa08ea9b50ba", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1925,7 +2045,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2db60ecd-c0a9-4be8-a6b5-c4bb45d9ec49", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "81660f14-0393-4219-98ac-9e2c8f7142f6", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -1943,7 +2065,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "72dfa4c9-d24a-4ac2-8c66-46e0992e9158", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "0a453bbe-cb88-45c8-b6ae-5033bc09feff", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1961,7 +2085,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "27000dc4-4d7c-4e0c-aa8a-581babfe7745", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "e7799c91-b885-4d4e-b198-a7988c76c3ad", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -1979,7 +2105,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "2040d1a5-ddd0-405d-8edd-e58f77a59ad3", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "92842d62-9ca0-46f9-a431-abf9e6b4f594", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2012,7 +2140,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "6d925c2b-0462-4a75-aa45-03b73c017307", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "c2ac04dc-acb4-418a-84e5-b58730f01dee", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2047,7 +2177,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "bec2e74d-c33d-4232-a4ac-424abf2637ff", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "cd19a3a6-00e2-4a44-9c63-bf795f9c93d1", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2075,7 +2207,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "4a99e9c6-ff33-4a37-abc9-b6b9ca7d4657", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "259c0c8f-3bb9-4e43-877b-c896a20aee7d", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2113,7 +2247,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "6fd8dba3-df21-4c25-9994-95a66c3c74be", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "f5320fa1-6ce9-4ef6-a6a8-422f619a41f9", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2131,7 +2267,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "4d196aef-1385-4bf2-8b00-28258e22b677", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "b62d1197-e6c0-4b42-8f77-02b311b8faab", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." @@ -2149,7 +2287,9 @@ "by-components" : [ { "component-uuid" : "463e6979-b660-4e61-b475-90777d228307", "uuid" : "c148993e-862d-40b1-b670-f19db4114e95", + "description" : "TBD", "export" : { + "description" : "TBD", "provided" : [ { "uuid" : "25356503-3b18-4a0e-b97a-cf243e4e174c", "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate." 
@@ -2178,7 +2318,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "70e9c839-37dc-48c9-ac6a-d34bf6dbaa17",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e9a252ad-ff10-43ca-a790-024d5c8771ae",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2210,7 +2352,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "8727a64e-a367-4b17-86b1-742dada3a0c1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "59b5f4ea-33eb-4000-a636-aaa4004e29b0",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2248,7 +2392,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "83d8d2e9-abb0-442a-a232-b6b3ade4040e",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "9301b521-7676-45eb-9d3c-a7466b652b84",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2266,7 +2412,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "36ab955e-ac9b-4fd5-83a9-2cc35c5fa5b8",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "dc217439-df1e-4d91-ae4c-10b790b961e4",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2295,7 +2443,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "5e212f76-bae7-47ce-b7bc-c093b7133dfc",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "2079e0b4-5fb6-403b-a69a-1f39fd96c0b7",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2323,7 +2473,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "476a42e2-6778-4b2b-8f9b-77aec5a538dd",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "20679a94-74fe-4055-b7d8-3a2014dcc049",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2358,7 +2510,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "d1b09916-2698-4642-bddd-7e3f6b69e1e1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "f556c40b-a2d8-4f2a-bdaa-5a37073548fe",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2376,7 +2530,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7600b228-0413-4e7b-91ae-24537ad02f25",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "291bebf7-594a-401d-a2c0-d24d2aac6bf2",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2394,7 +2550,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "b8c7793c-8209-4280-97ec-8637c6e55fd3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "b37cec5a-2b40-477f-976d-f0e264dd2b8e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2427,7 +2585,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4e691a77-ec56-4ad4-b532-7ed71b9b08aa",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "01f1d712-a58c-40b5-aa5b-ea123f03d7dc",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2455,7 +2615,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7a0ef9ab-66e7-47a6-b25a-3db8378d04f8",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "d6d16f6d-5ac5-4c94-8066-d9bc1c67eb82",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2483,7 +2645,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7153a18a-1c44-43f9-b897-a7c51f024d40",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "956fb932-4841-402b-9b3d-3393ad295dfd",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2511,7 +2675,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "12f7481f-055d-46d3-bb53-86d7e3651e26",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "178d5628-b2fc-40ee-ad44-ba6b95888b99",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2546,7 +2712,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "d68dcfcc-48bd-440d-a7e0-8c0699449ad6",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "9f2515b3-e250-4449-9779-28bcd6faf77d",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2581,7 +2749,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4ede96a6-6cac-4dfb-9769-40f341192bea",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "e28bff74-96a4-454d-98d7-c59e122d63fb",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2609,7 +2779,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "47f93be9-2806-4939-b7cb-4dc13784717a",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "d7caf3b3-f81b-42ef-9afc-926cee762d34",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2647,7 +2819,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "bd8d9613-c072-44fe-8674-147d13925382",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "24d459a8-dd81-4881-ae25-6f69a155a174",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2665,7 +2839,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "e126ea00-6678-4b2d-a171-d75a0a0f3d9a",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "9ff9038d-e1f7-4d3f-a5b0-ff301848eeaf",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2694,7 +2870,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "20c0da71-a712-46c1-84a2-856fd428f7f3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "a1ef191c-a130-4145-82ca-fa1895af11dd",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2722,7 +2900,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "3b39a1d5-d58b-40cc-a800-126c564f7da4",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "ac93fa47-dd7d-445a-a407-cb93947580ca",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2754,7 +2934,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "00c98ea4-1a92-4f46-ad19-49934bbba173",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "7b581e32-56d2-4243-9057-8d57c7ec842e",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2786,7 +2968,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "f8d231f5-d9be-42cc-be78-dad690e480c1",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "4bb45439-3b70-4a5c-adcd-e4becd0b14c9",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2821,7 +3005,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "965e16bb-a4b1-4396-b523-baa8e0b9a5bc",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "311bf6f3-8920-44bf-a216-3aad35b27614",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2839,7 +3025,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "7091b24c-1aa1-49d7-9ad6-bae60f88d0e3",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "7fd2e269-a354-440d-bc52-6a158fb2dbd4",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2857,7 +3045,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "4df3485f-407d-42b8-ab8e-8c634216c51b",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "81f4d2b6-91de-48eb-a0ad-8afe37eccd2d",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
@@ -2890,7 +3080,9 @@
 "by-components" : [ {
 "component-uuid" : "463e6979-b660-4e61-b475-90777d228307",
 "uuid" : "15a1aa21-71d2-4728-9b0b-38fbe10f8b86",
+ "description" : "TBD",
 "export" : {
+ "description" : "TBD",
 "provided" : [ {
 "uuid" : "78a2ecba-1b3b-4aac-ad0b-f0ce572aea46",
 "description" : "This control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure. For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate."
diff --git a/oscal-content/xml/profile/blossom_moderate_profile_resolved.xml b/oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml
similarity index 99%
rename from oscal-content/xml/profile/blossom_moderate_profile_resolved.xml
rename to oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml
index 145e83d..3f127d0 100644
--- a/oscal-content/xml/profile/blossom_moderate_profile_resolved.xml
+++ b/oscal-content/xml/catalog/blossom_moderate_profile_resolved_to_catalog.xml
@@ -1,12 +1,13 @@ - - + + NIST BloSS@M Tailored Moderate Baseline - 2024-03-20T21:24:47.769914Z + 2024-05-30T18:28:59.688431Z 0.0.1 1.1.2 -
diff --git a/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml b/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml
index 47ceebe..5aee1fa 100644
--- a/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml
+++ b/oscal-content/xml/ssp/aws_leveraged_authorization_ssp.xml
@@ -181,7 +181,7 @@ Corrective Action (Policy/Regulation) - +

TBD

C.2.1.1 @@ -206,11 +206,11 @@ - +

TBD

- +

TBD

@@ -323,7 +323,7 @@

TBD:

- +

TBD

TBD:

@@ -361,9 +361,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -387,9 +387,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -426,9 +426,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -452,9 +452,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -478,9 +478,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -504,9 +504,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -530,9 +530,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -556,9 +556,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -588,9 +588,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -619,9 +619,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -650,9 +650,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -685,9 +685,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -711,9 +711,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -737,9 +737,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -763,9 +763,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -796,9 +796,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -822,9 +822,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -848,9 +848,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -874,9 +874,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -900,9 +900,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -932,9 +932,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -964,9 +964,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -990,9 +990,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1022,9 +1022,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1054,9 +1054,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1080,9 +1080,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1106,9 +1106,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1139,9 +1139,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1165,9 +1165,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1203,9 +1203,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1244,9 +1244,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1270,9 +1270,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1308,9 +1308,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1346,9 +1346,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1372,9 +1372,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1411,9 +1411,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1437,9 +1437,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1476,9 +1476,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1502,9 +1502,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1528,9 +1528,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1554,9 +1554,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1586,9 +1586,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1624,9 +1624,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1650,9 +1650,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1682,9 +1682,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1716,9 +1716,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1750,9 +1750,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1793,9 +1793,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1824,9 +1824,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1865,9 +1865,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1891,9 +1891,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1927,9 +1927,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1953,9 +1953,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -1979,9 +1979,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2005,9 +2005,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2065,9 +2065,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2091,9 +2091,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2117,9 +2117,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2143,9 +2143,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2169,9 +2169,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2195,9 +2195,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2221,9 +2221,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2256,9 +2256,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2293,9 +2293,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2324,9 +2324,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2362,9 +2362,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2388,9 +2388,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2414,9 +2414,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2446,9 +2446,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2480,9 +2480,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2518,9 +2518,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2544,9 +2544,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2576,9 +2576,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2607,9 +2607,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2642,9 +2642,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2668,9 +2668,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2694,9 +2694,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2729,9 +2729,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2760,9 +2760,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2791,9 +2791,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2822,9 +2822,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2859,9 +2859,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2896,9 +2896,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2927,9 +2927,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2965,9 +2965,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -2991,9 +2991,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3023,9 +3023,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3054,9 +3054,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3088,9 +3088,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3122,9 +3122,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3157,9 +3157,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3183,9 +3183,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3209,9 +3209,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either @@ -3244,9 +3244,9 @@ - +

TBD

- +

TBD

This control associated with hardware components within AWS is generally either
diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml
index 8531014..00bfaa2 100644
--- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml
+++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml
@@ -581,7 +581,7 @@ -

FedRAMP SSP Template Section 13

+

This is a palceholder for the FedRAMP SSP Template Section 13

This description field is required by OSCAL.

FedRAMP does not require any specific information here.
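Review bot: The added description text in the blossom_admin_member_ssp.xml hunk (`@@ -581,7 +581,7 @@`) misspells "placeholder" as `palceholder`; the added line should read `This is a placeholder for the FedRAMP SSP Template Section 13`. The element markup around this text is not visible in this rendering of the hunk, so only the text itself is being pointed at, and the enclosing element appears to begin before the hunk.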

From 7561d636003b759662c0a36fa1ec8e9f25394bca Mon Sep 17 00:00:00 2001 From: Iorga Date: Wed, 5 Jun 2024 07:45:54 -0400 Subject: [PATCH 09/36] Update of account_workflow document --- .gitignore | 1 + account_workflow.md | 27 +++++++++++++++++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 579c978..29ffb99 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .DS_Store .vscode/* +.history/* *.pyc __pycache__/ draft-* diff --git a/account_workflow.md b/account_workflow.md index b814f97..f51ead5 100644 --- a/account_workflow.md +++ b/account_workflow.md 
@@ -1,8 +1,23 @@ # Account Management Workflow -Document that explains the workflow of GitHub actions used to automate account management. -The requester creates a new GitHub issue (Account Request Form) to request an account for the Account Holder.\ -The Blossom Management group is automatically notified to review this request through GitHub.\ -A Blossom Management member reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED\ -If ACCOUNT_APPROVED, the Blossom Sysdevs group is automatically notified to implement the account and submit a new issue (Account Management Authorization Form) for the Account Holder.\ -If ACCOUNT_REJECTED, the account request issue is automatically closed. \ No newline at end of file +This document explains the workflow of GitHub actions used to automate Blossom service's accounts management. + +## Account Request and Creation +-[ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form. +-[ ] The Blossom Management group is automatically notified to review the request through GitHub. +-[ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED +-[ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account. +-[ ] Upon completion of creating the account requested, the Blossom Sysdev submits a new GitHub issue using the Account Management Authorization Form for the Account Holder. +-[ ] If ACCOUNT_REJECTED, the account request issue is automatically closed. + +## Account Disable +[TBD] + +## Account Enable +[TBD] + +## Account Change +[TBD] + +## Account Deletion +[TBD] From f00644d5e7ccf704d0a9d5b7e2eb37498c78d93a Mon Sep 17 00:00:00 2001 
From: selenaxiao-nist
Date: Wed, 12 Jun 2024 13:47:45 -0400
Subject: [PATCH 10/36] Removed authorization form
---
 ...account_management_authorization_form.yaml | 81 -------------------
 .../workflows/account_request_approve.yaml | 10 +--
 .../workflows/account_request_authorize.yaml | 28 -------
 .github/workflows/account_request_open.yaml | 2 +-
 .github/workflows/account_request_reject.yaml | 2 +-
 account_workflow.md | 15 ++--
 6 files changed, 16 insertions(+), 122 deletions(-)
 delete mode 100644 .github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
 delete mode 100644 .github/workflows/account_request_authorize.yaml
diff --git a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
deleted file mode 100644
index 2d26f8e..0000000
--- a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -name: Account Management Authorization Form -description: Submit an account related authorization -labels: ['ACCOUNT_AUTHORIZED_RECORD'] -body: - - type: input - id: account-holder-full-name - attributes: - label: Account holder full name - placeholder: Type here account holder full name as it appears in his/her ID. - validations: - required: true - - type: dropdown - id: account-type - attributes: - label: What role/attribute is requested for the account holder - description: Select the action from the drop-down - options: - - System Owner - - License Owner - - Authorizing Official - - System Sec Assessor - - System Administrator - - Technical Point of Contact - multiple: false - validations: - required: true - - type: dropdown - id: account-privilege - attributes: - label: What account privilege is requested - description: Select the action from the drop-down - options: - - non-privileged (user:read/write) - - privileged (root:read/write/execute) - multiple: false - validations: - required: true - - type: dropdown - id: account-created - attributes: - label: Account creation - description: Select the action from the drop-down - options: - - Created - - Modified - - Disabled - - Enabled - - Deleted - - Not done - multiple: false - validations: - required: true - - type: dropdown - id: account-created-by - attributes: - label: Account creation by - description: Select the action from the drop-down - options: - - System Administrator - - Accounts Manager - multiple: false - validations: - required: true - - type: dropdown - id: account-approved-by - attributes: - label: Account approved by - description: Select the action from the drop-down - options: - - Program Manager (for privileged accounts) - - System Owner (for non-privileged accounts) - multiple: false - validations: - required: true - - type: textarea - id: comments - attributes: - label: Comments - placeholder: (optional) Type in here any additional information related to this 
authorization. - validations: - required: false diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index fd0f4a3..e7fb304 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -14,12 +14,12 @@ jobs: issues: write steps: - name: Notify Blossom Sysdevs about Approved Account - run: gh issue close "$NUMBER" --comment "$COMMENT" --reason "completed" + run: gh issue comment "$NUMBER" --body "$BODY" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} - COMMENT: > - Account management request APPROVED by Blossom Management. Closing request as "completed".\ - @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP.\ - Then submit the [Account Management Authorization Form](https://github.com/usnistgov/blossom-oscal/issues/new?assignees=&labels=ACCOUNT_AUTHORIZED_RECORD&projects=&template=account_management_authorization_form.yaml) \ No newline at end of file + BODY: > + Account management request APPROVED by Blossom Management. + @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. + Link this account request issue to the PR with the implementation. \ No newline at end of file diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml deleted file mode 100644 index 45e0390..0000000 --- a/.github/workflows/account_request_authorize.yaml +++ /dev/null 
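Review bot: The comment now posted on approval asserts the request was "APPROVED by Blossom Management", but nothing in this job checks or records who actually applied the ACCOUNT_APPROVED label — any account with triage rights on the repository triggers it, and the job's `if:` guard sits above this hunk. With the Account Management Authorization Form deleted in the same commit, this comment becomes the only remaining record of the approver, so at minimum put the labeler in the body, e.g. `Account management request APPROVED by Blossom Management (ACCOUNT_APPROVED applied by @${{ github.event.sender.login }}).` — safe here because it is expanded into `env`, not into the `run` script. If the label is meant to be a real approval gate, either keep triage/write on this repository limited to the blossom-management team, or add a step before the comment that verifies `github.event.sender.login` against that team and fails otherwise; note that the default GITHUB_TOKEN cannot read org team membership, so that step needs a token with `read:org`.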
@@ -1,28 +0,0 @@ -name: Account Request Authorize - -on: - issues: - types: - - labeled - -jobs: - # When an issue is created by account management authorization form - # Label of account management request form is ACCOUNT_AUTHORIZED_RECORD - request-authorized: - if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD' - runs-on: ubuntu-20.04 - permissions: - issues: write - steps: - - name: Add comment - run: gh issue comment "$NUMBER" --body "$BODY" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.issue.number }} - BODY: > - @usnistgov/blossom-management An approved account modification has been implemented. - - -# Contact AWS Cognito to show users -# Check is user contained in ACL is in AWS response with grep diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml index 5640336..8071943 100644 --- a/.github/workflows/account_request_open.yaml +++ b/.github/workflows/account_request_open.yaml @@ -21,6 +21,6 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} BODY: > - Account management request CREATED.\ + Account management request CREATED. @usnistgov/blossom-management please review and approve/reject this request by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label to this issue. \ No newline at end of file diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml index a0e7e3b..cd74553 100644 --- a/.github/workflows/account_request_reject.yaml +++ b/.github/workflows/account_request_reject.yaml @@ -20,5 +20,5 @@ jobs: GH_REPO: ${{ github.repository }} NUMBER: ${{ github.event.issue.number }} COMMENT: > - Account management request REJECTED by Blossom Management.\ + Account management request REJECTED by Blossom Management. Closing request as "not planned". diff --git a/account_workflow.md b/account_workflow.md index f51ead5..3df13d4 100644 --- a/account_workflow.md 
+++ b/account_workflow.md 
@@ -3,12 +3,15 @@ This document explains the workflow of GitHub actions used to automate Blossom service's accounts management. ## Account Request and Creation --[ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form. --[ ] The Blossom Management group is automatically notified to review the request through GitHub. --[ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED --[ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account. --[ ] Upon completion of creating the account requested, the Blossom Sysdev submits a new GitHub issue using the Account Management Authorization Form for the Account Holder. --[ ] If ACCOUNT_REJECTED, the account request issue is automatically closed. +- [ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form. +- [ ] The Blossom Management group is automatically notified to review the request through GitHub. +- [ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED +- [ ] If ACCOUNT_REJECTED, the account request issue is automatically closed. +- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account. +- [ ] Upon completion of creating the account requested, the Blossom Sysdev links the Account Request issue to the Pull Request that implements the account. +- [ ] Upon merging the Pull Request that implements the account, the relevant updated controls are re-assessed automatically. The Blossom Assessors group is then notified to monitor the automated assessment. 
+- [ ] TBD: STEPS FOR AUTOMATED ASSESSMENT + ## Account Disable [TBD] From f3b5863516a0d9be2aecc25abe1350d5d7d00fbb Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Mon, 17 Jun 2024 11:17:05 -0400 Subject: [PATCH 11/36] Add actions for implement and assessment --- .../workflows/account_request_approve.yaml | 3 ++- .../workflows/account_request_assessment.yaml | 21 ++++++++++++++++ .../workflows/account_request_implement.yaml | 24 +++++++++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/account_request_assessment.yaml create mode 100644 .github/workflows/account_request_implement.yaml diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index e7fb304..ddbafb4 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -22,4 +22,5 @@ jobs: BODY: > Account management request APPROVED by Blossom Management. @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. - Link this account request issue to the PR with the implementation. \ No newline at end of file + When implemented, add the ACCOUNT_IMPLEMENTED label and + link this account request issue to the PR with the implementation. \ No newline at end of file diff --git a/.github/workflows/account_request_assessment.yaml b/.github/workflows/account_request_assessment.yaml new file mode 100644 index 0000000..de52e40 --- /dev/null +++ b/.github/workflows/account_request_assessment.yaml 
@@ -0,0 +1,21 @@ +name: Account Request Assessment + +on: + pull_request: + types: + - closed + paths: + - 'blossom_admin_member_ssp.xml' + +# If a Pull Request updating the SSP is merged +jobs: + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-20.04 + permissions: + issues: write + steps: + - name: Run automated assessment + run: echo "assessment" + # 1. dump empty file to s3 bucket, to initiate connection + # 2. query chaincode, code to execute on chaincode for list of supported roles, API command diff --git a/.github/workflows/account_request_implement.yaml b/.github/workflows/account_request_implement.yaml new file mode 100644 index 0000000..5f300a2 --- /dev/null +++ b/.github/workflows/account_request_implement.yaml @@ -0,0 +1,24 @@ +name: Account Request Implement + +on: + issues: + types: + - labeled + +jobs: + # When ACCOUNT_IMPLEMENTED label is added to account management request + request-implemented: + if: github.event.label.name == 'ACCOUNT_IMPLEMENTED' + runs-on: ubuntu-20.04 + permissions: + issues: write + steps: + - name: Notify Blossom Assessors about Implemented Account + run: gh issue comment "$NUMBER" --body "$BODY" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + BODY: > + @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. + Please monitor the automated assessment. \ No newline at end of file From 5eaa3619fa425f2096e828eddf9021d304e74bcc Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Mon, 24 Jun 2024 23:32:37 -0400 Subject: [PATCH 12/36] Add a simulation directory --- .sims/acl.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .sims/acl.xml diff --git a/.sims/acl.xml b/.sims/acl.xml new file mode 100644 index 0000000..c6e0889 --- /dev/null +++ b/.sims/acl.xml 
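Review bot: The `paths` filter `'blossom_admin_member_ssp.xml'` only matches a file at the repository root, while later patches in this series edit the SSP at `oscal-content/xml/ssp/blossom_admin_member_ssp.xml` (that path already exists when patch 18 touches it), so `if_merged` would never fire for real SSP changes unless a root-level copy exists; use the full path or `'**/blossom_admin_member_ssp.xml'`. The only step is a placeholder `echo`, so `issues: write` is unused for now; when the S3 write and chaincode query sketched in the trailing comments are implemented, obtain AWS credentials via OIDC (`permissions: id-token: write` and an IAM role trusted for this repository) rather than long-lived keys in repository secrets. Secrets are also unavailable to `pull_request` runs that originate from forks, and `github.event.pull_request.merged == true` does not cover a direct push to the SSP — a `push` trigger on the default branch with the same `paths` filter covers both cases if branch protection does not already force PRs.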
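Review bot: The `request-implemented` job fires on any issue that receives the ACCOUNT_IMPLEMENTED label, without checking that the issue is an account request Blossom Management actually approved, so the approval step can be skipped and the assessors still get notified. Tighten the guard to require the approval label to be present: `if: github.event.label.name == 'ACCOUNT_IMPLEMENTED' && contains(github.event.issue.labels.*.name, 'ACCOUNT_APPROVED')`. The body tells assessors an ACL/SSP edit "has been implemented" but the PR carrying that edit is only linked by convention (the approve-workflow comment asks for it); adding `${{ github.event.sender.login }}` to the body records the implementer for the AC-2 trail without relying on that link.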
@@ -0,0 +1,56 @@ + + + + Owner-canonical-user-ID + System Owner (SO) + + + + + Owner-canonical-user-ID + System Owner (SO) + + FULL_CONTROL + + + + user1-canonical-user-ID + System Administrator (SA) + + WRITE + + + + user1-canonical-user-ID + System Administrator (SA) + + WRITE + + + + user1-canonical-user-ID + Authorizing Official (AO) + + READ + + + + user1-canonical-user-ID + System Security Assessor (SSA) + + READ + + + + http://acs.amazonaws.com/groups/global/AllUsers + + READ + + + + http://acs.amazonaws.com/groups/s3/LogDelivery + + WRITE + + + \ No newline at end of file From 6e16e7d54ac11e2fb18e5170718614dae3f0ee21 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 2 Jul 2024 15:59:11 -0400 Subject: [PATCH 13/36] Created ATO support directories. --- .sims/{acl.xml => acl-ato.xml} | 0 ato/oscal-artifacts/README.md | 3 +++ ato/secops/README.md | 2 ++ 3 files changed, 5 insertions(+) rename .sims/{acl.xml => acl-ato.xml} (100%) create mode 100644 ato/oscal-artifacts/README.md create mode 100644 ato/secops/README.md diff --git a/.sims/acl.xml b/.sims/acl-ato.xml similarity index 100% rename from .sims/acl.xml rename to .sims/acl-ato.xml diff --git a/ato/oscal-artifacts/README.md b/ato/oscal-artifacts/README.md new file mode 100644 index 0000000..1058ac2 --- /dev/null +++ b/ato/oscal-artifacts/README.md @@ -0,0 +1,3 @@ +# blossom-oscal +This directory contains OSCAL artifacts created during automatic assessment process. + diff --git a/ato/secops/README.md b/ato/secops/README.md new file mode 100644 index 0000000..041f7a7 --- /dev/null +++ b/ato/secops/README.md @@ -0,0 +1,2 @@ +# Blossom Security Operations +This directory contains operational artifacts created to automate the system security assessment and authorization (A&A) processes and ATO issuance. From e8f2075e62dd4a6a4f1ea691f725a0e638d8c9dd Mon Sep 17 00:00:00 2001 
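Review bot: The simulated ACL grants `http://acs.amazonaws.com/groups/global/AllUsers` READ, which makes the bucket contents world-readable, yet no anonymous or public principal appears in the SSP account lists this ACL is meant to be assessed against; unless public read is intended, drop that grant, and if it is intended say so in a comment so the automated assessment can treat it as expected. The same placeholder grantee `user1-canonical-user-ID` is used for System Administrator (WRITE, listed twice), Authorizing Official (READ) and System Security Assessor (READ), so one canonical user holds a privileged and two non-privileged roles — the opposite of the separation the SSP describes; give each role its own placeholder ID and remove the duplicate SA grant. The extraction here drops the XML tags, so the exact `Grantee`/`Permission` nesting is inferred from the visible values.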
From: Michaela Iorga Date: Tue, 2 Jul 2024 16:04:33 -0400 Subject: [PATCH 14/36] Updated readme file in the oscal-artifact directory. --- ato/oscal-artifacts/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ato/oscal-artifacts/README.md b/ato/oscal-artifacts/README.md index 1058ac2..afe6d21 100644 --- a/ato/oscal-artifacts/README.md +++ b/ato/oscal-artifacts/README.md @@ -1,3 +1,3 @@ -# blossom-oscal +# Blossom ATO Artifacts in OSCAL This directory contains OSCAL artifacts created during automatic assessment process. From 128541cb6906db3c3148d0b2dc2985e077d0069e Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Mon, 24 Jun 2024 23:32:37 -0400 Subject: [PATCH 15/36] Add a simulation directory --- .sims/acl.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .sims/acl.xml diff --git a/.sims/acl.xml b/.sims/acl.xml new file mode 100644 index 0000000..c6e0889 --- /dev/null +++ b/.sims/acl.xml @@ -0,0 +1,56 @@ + + + + Owner-canonical-user-ID + System Owner (SO) + + + + + Owner-canonical-user-ID + System Owner (SO) + + FULL_CONTROL + + + + user1-canonical-user-ID + System Administrator (SA) + + WRITE + + + + user1-canonical-user-ID + System Administrator (SA) + + WRITE + + + + user1-canonical-user-ID + Authorizing Official (AO) + + READ + + + + user1-canonical-user-ID + System Security Assessor (SSA) + + READ + + + + http://acs.amazonaws.com/groups/global/AllUsers + + READ + + + + http://acs.amazonaws.com/groups/s3/LogDelivery + + WRITE + + + \ No newline at end of file From fee26b10a3cb83a04e8603ce3056b40f1b65fbce Mon Sep 17 00:00:00 2001 
From: Michaela Iorga Date: Tue, 2 Jul 2024 15:59:11 -0400 Subject: [PATCH 16/36] Created ATO support directories. --- .sims/{acl.xml => acl-ato.xml} | 0 ato/oscal-artifacts/README.md | 3 +++ ato/secops/README.md | 2 ++ 3 files changed, 5 insertions(+) rename .sims/{acl.xml => acl-ato.xml} (100%) create mode 100644 ato/oscal-artifacts/README.md create mode 100644 ato/secops/README.md diff --git a/.sims/acl.xml b/.sims/acl-ato.xml similarity index 100% rename from .sims/acl.xml rename to .sims/acl-ato.xml diff --git a/ato/oscal-artifacts/README.md b/ato/oscal-artifacts/README.md new file mode 100644 index 0000000..1058ac2 --- /dev/null +++ b/ato/oscal-artifacts/README.md @@ -0,0 +1,3 @@ +# blossom-oscal +This directory contains OSCAL artifacts created during automatic assessment process. + diff --git a/ato/secops/README.md b/ato/secops/README.md new file mode 100644 index 0000000..041f7a7 --- /dev/null +++ b/ato/secops/README.md @@ -0,0 +1,2 @@ +# Blossom Security Operations +This directory contains operational artifacts created to automate the system security assessment and authorization (A&A) processes and ATO issuance. From b1c51ba2e5a597bba309cf88a3699fb261eb6d9f Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 2 Jul 2024 16:04:33 -0400 Subject: [PATCH 17/36] Updated readme file in the oscal-artifact directory. --- ato/oscal-artifacts/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ato/oscal-artifacts/README.md b/ato/oscal-artifacts/README.md index 1058ac2..afe6d21 100644 --- a/ato/oscal-artifacts/README.md +++ b/ato/oscal-artifacts/README.md @@ -1,3 +1,3 @@ -# blossom-oscal +# Blossom ATO Artifacts in OSCAL This directory contains OSCAL artifacts created during automatic assessment process. From fa8386602d7959d360986b52e67990f0f6ba7170 Mon Sep 17 00:00:00 2001 
From: Michaela Iorga Date: Wed, 3 Jul 2024 22:22:40 -0400 Subject: [PATCH 18/36] More progress made witht the SSP and ACL artifacts --- .sims/acl.xml | 117 +++++ .../xml/ssp/blossom_admin_member_ssp.xml | 409 +++++++++++++----- 2 files changed, 407 insertions(+), 119 deletions(-) create mode 100644 .sims/acl.xml diff --git a/.sims/acl.xml b/.sims/acl.xml new file mode 100644 index 0000000..6370f3c --- /dev/null +++ b/.sims/acl.xml @@ -0,0 +1,117 @@ + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + READ + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + READ_ACP + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + WRITE + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + READ + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + READ_ACP + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + WRITE + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + READ + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + WRITE + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + READ_ACP + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + WRITE_ACP + + + + 132953a9-640c-46f7-9de9-3fa15ec99361 + System Security Assessor + + READ + + + + 132953a9-640c-46f7-9de9-3fa15ec99361 + System Security Assessor + + READ_ACP + + + + user1-canonical-user-ID + System Security Assessor + + READ + + + + user1-canonical-user-ID + System Security Assessor + + READ_ACP + + + + http://acs.amazonaws.com/groups/global/AllUsers + + READ + + + \ No newline at end of file diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index 00bfaa2..a1762b7 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml 
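Review bot: The `AllUsers` READ grant survives this rewrite and the stale `user1-canonical-user-ID` placeholder still sits next to the UUID grantees, so the ACL does not match the party list in the SSP it is meant to be assessed against; both need removing (or explicitly documenting) before the "is every grantee in the SSP" check sketched in the assessment workflow can pass. The System Administrator grantee `4fded5fd-…` holds WRITE_ACP, i.e. the account manager can rewrite the ACL including its own grants; that is consistent with the SSP text that the SA maintains the ACL, but it makes the post-merge assessment the only independent control, so have it diff every grantee ID against the SSP party uuids and fail on any unmapped ID. Two `System Owner` IDs (`09ad840f-…` and `551b9706-…`) appear before the grants; an S3 ACL has exactly one `Owner`, so if both are inside `<Owner>` the document is invalid — tags are stripped in this view, so confirm in the file.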
@@ -10,39 +10,58 @@ System Owner (SO) -

The individual within the organization who is ultimately accountable for everything related to the deployment, assessemnt, authorization and operations of the Blossom Member which provides the software assets leasing service (here in known as "this system").

-
-
- - License Owner (LO) - -

The individual within the service provider organization who is accountable for managing the pool of software resources made available for leasing to USG agencies.

-

The License Owner role exists only within the service provider agency.

+

The individual within the organization who is ultimately accountable for + everything related to the deployment, assessemnt, authorization and operations + of the Blossom Member which provides the software assets leasing service (here + in known as "this system").

Authorizing Official -

The individual or individuals who are ultimatly accountable for reviewing the assessemnt package, discuss with the SO the findings and grant an authorization to operate (ATO) to "this system".

-

The Authorizing Official is the only entity responsible for the security posture of the system that gets access to the ATO channel (chainecode). The AO signs the MOU on behalf of the agency.

+

The individual or individuals who are ultimatly accountable for reviewing the + assessemnt package, discuss with the SO the findings and grant an authorization + to operate (ATO) to "this system".

+

The Authorizing Official is the only entity responsible for the security posture + of the system that gets access to the ATO channel (chainecode). The AO signs the + MOU on behalf of the agency.

System Security Assessor (SSA) -

The individual accountable for assessing the security posture of the system on behalf of the system owner.

+

The individual accountable for assessing the security posture of the system on + behalf of the system owner.

Technical Point of Contact (TPOC) -

The individual accountable for managing leased licenses (checkout, install, uninstall, return).

+

The individual accountable for managing leased licenses (checkout, install, + uninstall, return).

System Administrator (SA) -

The individual accountable for the deployment, configuration, testing and operations of the system on behalf of the System Owner.

+

The individual accountable for the deployment, configuration, testing and + operations of the system on behalf of the System Owner.

+
+
+ + License Owner (LO) + +

The individual within the service provider organization who is accountable for + managing the pool of software resources made available for leasing to USG + agencies.

+

The License Owner role exists only within the service provider agency.

+
+
+ + Acquisition Officer + +

The individual within the Agency which is responsible for approving and + processing the payment of the leased pool of software licenses.

@@ -86,18 +105,22 @@ Stan Owens + + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Licenta Owens - + + ManoGiana Bloom + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Aurelian Officman - + + Simmon Admino + + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba @@ -105,59 +128,99 @@ Steve S. Asesoro + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Tom Poc - + + + Aurelian Officeman + + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Simon Admino - + + Licenta Owens + + + blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - ManoGiana Bloom - + + Acquia Officiale + + + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + Tom Pock + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b 551b9706-d6a4-4d25-8207-f2ccec541016 - - 51588d7c-aa79-43aa-9f22-25182c2cd22d - 551b9706-d6a4-4d25-8207-f2ccec541016 - - - 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

This party has development, deployment, configuration and operations + responsibilities for "this system" supporting the system owner.

+
+ 132953a9-640c-46f7-9de9-3fa15ec99361 -

The party responsible to assess the security controls on behalf of the system owner.

+

The party responsible to assess the security controls on behalf of the system + owner.

+ + + + 51588d7c-aa79-43aa-9f22-25182c2cd22d + + c46e27d1-7a65-47ea-bd76-df574fded5fd -

Manages leased liceses for the agency and is responsible to checkout, install, uninstall and return licenses to the pool for each order the agency places.

+

Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

- - 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + + c46e27d1-7a65-47ea-bd76-df574fded5fd -

This party has development, deployment, configuration and operations responsibilities for "this system" supporting the system owner.

+

Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

+ + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 +

This SSP was created using a simplified version of OSCAL-based FedRAMP SSP Template for the FedRAMP Low, Moderate, and High baselines.
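Review bot: Two responsible-party entries near the end of this hunk point at the same party uuid `c46e27d1-7a65-47ea-bd76-df574fded5fd` with an identical description ("Interfaces with the other agencies and need only read access to the ledger"), while the roles hunk earlier in this patch defines distinct Technical Point of Contact and Acquisition Officer roles and the person list adds both `Tom Pock` and `Acquia Officiale`. The XML tags are dropped in this view so the role-ids are not visible, but if these two blocks are the TPOC and Acquisition Officer assignments each needs its own party uuid and a description matching that role; otherwise one of them is a copy-paste leftover and should go. Every person party also carries the shared address `blossom@nist.gov`; for a sample that is fine, but the 1-business-day AC-2 notification parameters set later in this patch then route to a shared mailbox, which is worth stating in the description.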

@@ -508,7 +571,8 @@

A diagram-specific explanation.

- + Data Flow Diagram
@@ -516,7 +580,7 @@ AWS Managed Blockchain (AMB) - + e63e870d-bf43-40dc-98a0-37d5e39b2dd1 2024-01-01 @@ -534,18 +598,45 @@ System Administrator - + system-administrator Full administrative access rights - add and remove users and hardware + add and remove users, software-name and hardware install and configure deployments system updates, patches and hotfixes perform backups + + System Owner + + + + system-owner + + Privileged access rights + add and remove users, software-name and hardware + install and configure deployments + system updates, patches and hotfixes + perform backups + + + + System Security Assessor + + + + sys-sec-assessor + + Non-privileged access rights (read only) + review system documentation and security configurations + review if system updates, patches and hotfixes are documented and successfully completed + review disaster recovery procedures and system backups existance + + This System @@ -562,7 +653,9 @@ - + @@ -586,7 +679,8 @@
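Review bot: The new `System Owner` user entry is marked "Privileged access rights" and copies the System Administrator's function list word for word (add/remove users, install and configure, patches, backups), although the AC-2 text added later in this patch has the SA acting as account manager "per decisions made by the System Owner" and the simulated ACL gives the SO READ/READ_ACP/WRITE but not WRITE_ACP. For least privilege the SO's authorized functions should describe what the SO actually does — approve account requests, own the ATO artifacts, review the assessment — and the ACL grants should match; if the SO genuinely holds operator rights, the ACL (or the assessment rules) has to reflect that instead. `add and remove users, software-name and hardware` reads like a leftover placeholder and should name the real asset class. The extraction drops the XML tags, so the `authorized-privilege`/`function-performed` nesting is inferred from the visible text.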

FedRAMP does not require any specific information here.

- - + + -

AMB provides access control to the infrastracter for the entities identified below. The Consumer's responsibility is to update the ACL ith the identities authorized to access the resource.

+

Per the documentation available in the Blossom Wiki, the AWS Managed + Blockchain (AMB) provides access control to the infrastracture for the + entities identified below which require access to IaaS to maintain and + deploy system components. The blockchain's chaincode is implementing Next + Generation Access Control (NGAC) standard to manage the access to resources + for the roles docuemnted in the Blossom specification. Access control policy + machines are implemented for the two private channels of the AMB: the ATO or + "Authorization" channel and the "Businness" channel.

- - + --> + + + + business need + + + business need + + + System Owner (SO) + + + Types of User Accounts for Blossom + + + System Owner (SO) + + + 1 business day + + + 1 business day + + + 1 business day + + + System Owner (SO) + + + every 6 months + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 09ad840f-aa79-43aa-9f22-25182c2ab11b - - + + -

The NGAC implementation in the two chaincodes manages the access control for the Blossom business layer users and the BC Member's ATO-related accounts.

+

For the IAM entities that have a business need, and which have accounts created in Cognito, the Policy machines which implement NGAC in the two chaincodes are managing the access control for the Blossom business layer users and the BC Member's Authorizing Official that is uploading the ATO Attestation to the Authorization channel.

- - business need - - - business need - - - System Owner (SO) - - - Types of User Accounts for Blossom - - - System Owner (SO) - - - 1 business day - - - 1 business day - - - 1 business day - - - System Owner (SO) - - - every 6 months - + + +

The Blossom system System Owner and System Administrator are repsonsible for approving, creating and managing access by maintainit accurate information in Cognito and updating the access control policies in the chaincode for each channel.

+
+
+
+ + +

AWS provide access to the system to approved entities, for deployment, maintenance, and operations.

+
+ + +

Keep the ACL list current at all times.

+
+
@@ -764,18 +888,21 @@

These accounts are managed by the NGAC implementation in the chaincodes for the ATO and for the assets management (business) processes.

The following accounts are supported for the business operations (assets management):

    -
  • Privileged accounts: -
      License Owner (LO)
    +
  • Privileged accounts: +
      License Owner
  • -
  • Non-Privileged accounts: -
      Acquisition Officer (ACQ)
    -
      Technical Point of Contact (TPOC)
    +
  • Non-Privileged accounts: +
      Acquisition Officer
    +
      Technical Point of Contact
-

The following account is supported for the ATO process (ATO attestation submission and review of other Blossom members):

+

The Authorizing Official is responsible for reviewing the ATO package prepared by the System Owner and signing/authorizing the system to operate.

+

The System Owner remains the custodian of all system ATO related artifacts.

+

Upon approval, teh AO is responsible for generating automatically the ATO attestation and upload it to the ATO channel.

+

The following account is supported for the ATO processes. :

    -
  • Non-Privileged accounts: -
      Authorizing Official (AO)
    +
  • Privileged accounts: +
      Authorizing Official
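Review bot: The Authorizing Official moves from the Non-Privileged to the Privileged list for the ATO process, but no AO `user` entry with authorized privileges and functions is added alongside the SO/SA/SSA entries earlier in this patch, the AO is dropped from the IaaS account list in the next hunk, and the simulated ACL has no AO grantee — so nothing states what the AO's privilege actually consists of or where it is enforced. Add an AO user entry whose only function is the ATO-channel (chaincode) action the text describes — generating and uploading the ATO attestation — so the privileged claim is bounded and assessable against the chaincode policy rather than the S3 ACL. Typos in the new text: `teh AO` → `the AO`, and "responsible for generating automatically the ATO attestation" reads better as `responsible for automatically generating the ATO attestation`.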
@@ -784,15 +911,20 @@ -

The accounts of the Blossom Member managed by the Leveraged AWS IaaS are:

+

The following accounts of the Blossom System of NIST Member managed by the Leveraged AWS IaaS are:

    -
  • Privileged accounts: -
      System Owner (SO)
    -
      System Administrator (SA)
    +
  • Privileged accounts: +
      System Owner
    +
      System Administrator
  • -
  • Non-Privileged accounts: -
      System Security Assessor (SSA)
    -
      Authorizing Official (AO)
    +
  • Non-Privileged accounts: +
      System Security Assessor
    +
@@ -800,13 +932,21 @@ provided-uuid="11111111-0000-4000-9009-002001002001">

TBD: provided-uuid needs to match the one in the AWS' SSP.

-

All privileged and non-privileged accounts that are granted access to the AWS infrastructure and are responsible for the Blossom member (this sysstem), are managed by the AWS IaaS (leveraged ATO system) which uses an Access Control List (ACL) for the NIST employees assigned Blossom roles.

+

All privileged and non-privileged accounts that are granted access to + the AWS infrastructure and are responsible for the Blossom System deployment and maintenance + (this system), are managed by the AWS IaaS (leveraged ATO system) + which uses an Access Control List (ACL) for the NIST employees + assigned Blossom roles.

-

For all responsible parties with roles managed by the AWS IaaS system, accounts creation/deletion are requested, approved/revoked by the System Owner or the Blossom PM and are added to or delete from the ACL list.

+

The Access Control List (ACL) updates are Blossom system's responsibility (as customers of AWS) + For all roles listed above which are managed by the AWS IaaS + system, account creation/revokation/deletion requests are approved + by the Blossom system's System Owner or the Blossom PM and are added to or delete + from the ACL list by the System Administrator.
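Review bot: The rewritten statement says account creation/revocation/deletion requests are "approved by the Blossom system's System Owner or the Blossom PM", but the AC-2 parameter values set earlier in this patch name only `System Owner (SO)` as the approving role, the authorization form deleted in patch 10 split approval by privilege level (Program Manager for privileged, System Owner for non-privileged), and the GitHub workflow gates on the blossom-management team; pick one approver model and state it identically in the parameter, this statement and the workflow, e.g. `requests for privileged accounts are approved by the Blossom PM and for non-privileged accounts by the System Owner`. Saying the ACL is updated "by the System Administrator" while the SA also holds WRITE_ACP in the simulated ACL means approval and implementation are separated only by process, which is worth stating explicitly here. Spelling: `revokation` → `revocation`, `added to or delete from` → `added to or deleted from`.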

@@ -815,7 +955,9 @@ -

Assign account managers

+

For this system, the entity with the System Administratore role + acts as the Accounts Manager and is responsible for creating, + revoking, delete accounts per decissions made by the System Owner.

@@ -823,7 +965,9 @@ -

Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;

+

Require [Assignment: + organization-defined prerequisites and criteria] for group and role + membership;

@@ -856,7 +1000,8 @@ uuid="37e94c9b-acb8-458f-8a95-c1d110ead856">

Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;

+ id-ref="ac-2_prm_2" />[Assignment: organization-defined attributes + (as required)] for each account;

@@ -864,7 +1009,9 @@ -

Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;

+

Require approvals by [Assignment: + organization-defined personnel or roles] for requests to create + accounts;

@@ -873,7 +1020,8 @@ uuid="02d4c648-5a86-4155-bd73-02c3439262b4">

Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];

+ type="param" id-ref="ac-2_prm_4" />[Assignment: organization-defined + policy, procedures, prerequisites, and criteria];

@@ -889,7 +1037,8 @@ -

Notify account managers and [Assignment: organization-defined personnel or roles] within:

+

Notify account managers and [Assignment: + organization-defined personnel or roles] within:

@@ -897,7 +1046,9 @@ -

Notify account managers and [Assignment: system owner] within:[Assignment: 1 business day] when accounts are no longer required;

+

Notify account managers and [Assignment: + system owner] within:[Assignment: + 1 business day] when accounts are no longer required;

@@ -905,7 +1056,9 @@ -

[Assignment: organization-defined time period] when users are terminated or transferred;

+

[Assignment: + organization-defined time period] when users are terminated or + transferred;

@@ -913,7 +1066,9 @@ -

[Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;

+

[Assignment: + organization-defined time period] when system usage or need-to-know + changes for an individual;

@@ -945,7 +1100,8 @@ -

[Assignment: organization-defined attributes (as required)];

+

[Assignment: + organization-defined attributes (as required)];

@@ -954,7 +1110,8 @@ uuid="b7932e43-9aa3-4bba-86a8-439a74e1e79a">

Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];

+ type="param" id-ref="ac-2_prm_10" />[Assignment: + organization-defined frequency];

@@ -962,7 +1119,9 @@ -

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+

Establish and implement a process for changing shared or group account + authenticators (if deployed) when individuals are removed from the + group;

@@ -970,13 +1129,25 @@ -

Align account management processes with personnel termination and transfer processes.

+

Align account management processes with personnel termination and + transfer processes.

+ + +

Blossom Wiki

+
+ + +

Project's Wiki which provides descriptions for the ATO and business processes.

+
+

National Institute of Standards and Technology's Logo

From 6e2b6b7dbd4973096a418800f845465cfe7ab68d Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Wed, 3 Jul 2024 22:22:40 -0400 Subject: [PATCH 19/36] More progress made witht the SSP and ACL artifacts --- .sims/acl.xml | 117 +++++ .../xml/ssp/blossom_admin_member_ssp.xml | 409 +++++++++++++----- 2 files changed, 407 insertions(+), 119 deletions(-) create mode 100644 .sims/acl.xml diff --git a/.sims/acl.xml b/.sims/acl.xml new file mode 100644 index 0000000..6370f3c --- /dev/null +++ b/.sims/acl.xml @@ -0,0 +1,117 @@ + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + READ + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + READ_ACP + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + System Owner + + WRITE + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + READ + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + READ_ACP + + + + 551b9706-d6a4-4d25-8207-f2ccec541016 + System Owner + + WRITE + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + READ + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + WRITE + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + READ_ACP + + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + System Administrator + + WRITE_ACP + + + + 132953a9-640c-46f7-9de9-3fa15ec99361 + System Security Assessor + + READ + + + + 132953a9-640c-46f7-9de9-3fa15ec99361 + System Security Assessor + + READ_ACP + + + + user1-canonical-user-ID + System Security Assessor + + READ + + + + user1-canonical-user-ID + System Security Assessor + + READ_ACP + + + + http://acs.amazonaws.com/groups/global/AllUsers + + READ + + + \ No newline at end of file diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index 00bfaa2..a1762b7 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml 
+++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml @@ -10,39 +10,58 @@ System Owner (SO) -

The individual within the organization who is ultimately accountable for everything related to the deployment, assessemnt, authorization and operations of the Blossom Member which provides the software assets leasing service (here in known as "this system").

-
-
- - License Owner (LO) - -

The individual within the service provider organization who is accountable for managing the pool of software resources made available for leasing to USG agencies.

-

The License Owner role exists only within the service provider agency.

+

The individual within the organization who is ultimately accountable for + everything related to the deployment, assessemnt, authorization and operations + of the Blossom Member which provides the software assets leasing service (here + in known as "this system").

Authorizing Official -

The individual or individuals who are ultimatly accountable for reviewing the assessemnt package, discuss with the SO the findings and grant an authorization to operate (ATO) to "this system".

-

The Authorizing Official is the only entity responsible for the security posture of the system that gets access to the ATO channel (chainecode). The AO signs the MOU on behalf of the agency.

+

The individual or individuals who are ultimatly accountable for reviewing the + assessemnt package, discuss with the SO the findings and grant an authorization + to operate (ATO) to "this system".

+

The Authorizing Official is the only entity responsible for the security posture + of the system that gets access to the ATO channel (chainecode). The AO signs the + MOU on behalf of the agency.

System Security Assessor (SSA) -

The individual accountable for assessing the security posture of the system on behalf of the system owner.

+

The individual accountable for assessing the security posture of the system on + behalf of the system owner.

Technical Point of Contact (TPOC) -

The individual accountable for managing leased licenses (checkout, install, uninstall, return).

+

The individual accountable for managing leased licenses (checkout, install, + uninstall, return).

System Administrator (SA) -

The individual accountable for the deployment, configuration, testing and operations of the system on behalf of the System Owner.

+

The individual accountable for the deployment, configuration, testing and + operations of the system on behalf of the System Owner.

+
+
+ + License Owner (LO) + +

The individual within the service provider organization who is accountable for + managing the pool of software resources made available for leasing to USG + agencies.

+

The License Owner role exists only within the service provider agency.

+
+
+ + Acquisition Officer + +

The individual within the Agency which is responsible for approving and + processing the payment of the leased pool of software licenses.

@@ -86,18 +105,22 @@ Stan Owens + + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Licenta Owens - + + ManoGiana Bloom + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Aurelian Officman - + + Simmon Admino + + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba @@ -105,59 +128,99 @@ Steve S. Asesoro + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Tom Poc - + + + Aurelian Officeman + + + blossom@nist.gov 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - Simon Admino - + + Licenta Owens + + + blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - ManoGiana Bloom - + + Acquia Officiale + + + blossom@nist.gov 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + Tom Pock + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b 551b9706-d6a4-4d25-8207-f2ccec541016 - - 51588d7c-aa79-43aa-9f22-25182c2cd22d - 551b9706-d6a4-4d25-8207-f2ccec541016 - - - 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

This party has development, deployment, configuration and operations + responsibilities for "this system" supporting the system owner.

+
+ 132953a9-640c-46f7-9de9-3fa15ec99361 -

The party responsible to assess the security controls on behalf of the system owner.

+

The party responsible to assess the security controls on behalf of the system + owner.

+ + + + 51588d7c-aa79-43aa-9f22-25182c2cd22d + + c46e27d1-7a65-47ea-bd76-df574fded5fd -

Manages leased liceses for the agency and is responsible to checkout, install, uninstall and return licenses to the pool for each order the agency places.

+

Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

- - 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + + c46e27d1-7a65-47ea-bd76-df574fded5fd -

This party has development, deployment, configuration and operations responsibilities for "this system" supporting the system owner.

+

Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

+ + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 +

This SSP was created using a simplified version of OSCAL-based FedRAMP SSP Template for the FedRAMP Low, Moderate, and High baselines.
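Review bot: Every `person` party added in this hunk carries the same contact address, `blossom@nist.gov`, so account notifications and approvals recorded against these parties cannot be attributed to an individual, which is at odds with the AC-2 narrative elsewhere in this file that ties approvals to named role holders; presumably this is sample data, but if so a comment saying `<!-- sample contact data; replace with individual addresses before assessment -->` would make that explicit. The same party UUID `c46e27d1-7a65-47ea-bd76-df574fded5fd` appears under two different responsible-party entries with an identical description (`Interfaces with the other agencies and need only read access to the ledger ...`), which looks like a copy-paste leftover; one of the two presumably needs its own party reference and text.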

@@ -508,7 +571,8 @@

A diagram-specific explanation.

- + Data Flow Diagram @@ -516,7 +580,7 @@ AWS Managed Blockchain (AMB) - + e63e870d-bf43-40dc-98a0-37d5e39b2dd1 2024-01-01 @@ -534,18 +598,45 @@ System Administrator - + system-administrator Full administrative access rights - add and remove users and hardware + add and remove users, software-name and hardware install and configure deployments system updates, patches and hotfixes perform backups + + System Owner + + + + system-owner + + Privileged access rights + add and remove users, software-name and hardware + install and configure deployments + system updates, patches and hotfixes + perform backups + + + + System Security Assessor + + + + sys-sec-assessor + + Non-privileged access rights (read only) + review system documentation and security configurations + review if system updates, patches and hotfixes are documented and successfully completed + review disaster recovery procedures and system backups existance + + This System @@ -562,7 +653,9 @@ - + @@ -586,7 +679,8 @@

FedRAMP does not require any specific information here.

- - + + -

AMB provides access control to the infrastracter for the entities identified below. The Consumer's responsibility is to update the ACL ith the identities authorized to access the resource.

+

Per the documentation available in the Blossom Wiki, the AWS Managed + Blockchain (AMB) provides access control to the infrastracture for the + entities identified below which require access to IaaS to maintain and + deploy system components. The blockchain's chaincode is implementing Next + Generation Access Control (NGAC) standard to manage the access to resources + for the roles docuemnted in the Blossom specification. Access control policy + machines are implemented for the two private channels of the AMB: the ATO or + "Authorization" channel and the "Businness" channel.

- - + --> + + + + business need + + + business need + + + System Owner (SO) + + + Types of User Accounts for Blossom + + + System Owner (SO) + + + 1 business day + + + 1 business day + + + 1 business day + + + System Owner (SO) + + + every 6 months + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 09ad840f-aa79-43aa-9f22-25182c2ab11b - - + + -

The NGAC implementation in the two chaincodes manages the access control for the Blossom business layer users and the BC Member's ATO-related accounts.

+

For the IAM entities that have a business need, and which have accounts created in Cognito, the Policy machines which implement NGAC in the two chaincodes are managing the access control for the Blossom business layer users and the BC Member's Authorizing Official that is uploading the ATO Attestation to the Authorization channel.

- - business need - - - business need - - - System Owner (SO) - - - Types of User Accounts for Blossom - - - System Owner (SO) - - - 1 business day - - - 1 business day - - - 1 business day - - - System Owner (SO) - - - every 6 months - + + +

The Blossom system System Owner and System Administrator are repsonsible for approving, creating and managing access by maintainit accurate information in Cognito and updating the access control policies in the chaincode for each channel.

+
+
+
+ + +

AWS provide access to the system to approved entities, for deployment, maintenance, and operations.

+
+ + +

Keep the ACL list current at all times.

+
+
@@ -764,18 +888,21 @@

These accounts are managed by the NGAC implementation in the chaincodes for the ATO and for the assets management (business) processes.

The following accounts are supported for the business operations (assets management):

    -
  • Privileged accounts: -
      License Owner (LO)
    +
  • Privileged accounts: +
      License Owner
  • -
  • Non-Privileged accounts: -
      Acquisition Officer (ACQ)
    -
      Technical Point of Contact (TPOC)
    +
  • Non-Privileged accounts: +
      Acquisition Officer
    +
      Technical Point of Contact
-

The following account is supported for the ATO process (ATO attestation submission and review of other Blossom members):

+

The Authorizing Official is responsible for reviewing the ATO package prepared by the System Owner and signing/authorizing the system to operate.

+

The System Owner remains the custodian of all system ATO related artifacts.

+

Upon approval, teh AO is responsible for generating automatically the ATO attestation and upload it to the ATO channel.

+

The following account is supported for the ATO processes. :

    -
  • Non-Privileged accounts: -
      Authorizing Official (AO)
    +
  • Privileged accounts: +
      Authorizing Official
@@ -784,15 +911,20 @@ -

The accounts of the Blossom Member managed by the Leveraged AWS IaaS are:

+

The following accounts of the Blossom System of NIST Member managed by the Leveraged AWS IaaS are:

    -
  • Privileged accounts: -
      System Owner (SO)
    -
      System Administrator (SA)
    +
  • Privileged accounts: +
      System Owner
    +
      System Administrator
  • -
  • Non-Privileged accounts: -
      System Security Assessor (SSA)
    -
      Authorizing Official (AO)
    +
  • Non-Privileged accounts: +
      System Security Assessor
    +
@@ -800,13 +932,21 @@ provided-uuid="11111111-0000-4000-9009-002001002001">

TBD: provided-uuid needs to match the one in the AWS' SSP.

-

All privileged and non-privileged accounts that are granted access to the AWS infrastructure and are responsible for the Blossom member (this sysstem), are managed by the AWS IaaS (leveraged ATO system) which uses an Access Control List (ACL) for the NIST employees assigned Blossom roles.

+

All privileged and non-privileged accounts that are granted access to + the AWS infrastructure and are responsible for the Blossom System deployment and maintenance + (this system), are managed by the AWS IaaS (leveraged ATO system) + which uses an Access Control List (ACL) for the NIST employees + assigned Blossom roles.

-

For all responsible parties with roles managed by the AWS IaaS system, accounts creation/deletion are requested, approved/revoked by the System Owner or the Blossom PM and are added to or delete from the ACL list.

+

The Access Control List (ACL) updates are Blossom system's responsibility (as customers of AWS) + For all roles listed above which are managed by the AWS IaaS + system, account creation/revokation/deletion requests are approved + by the Blossom system's System Owner or the Blossom PM and are added to or delete + from the ACL list by the System Administrator.
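Review bot: The rewritten AC-2 narrative makes account creation/revocation/deletion requests approvable by `the Blossom system's System Owner or the Blossom PM`, but the role list rewritten earlier in this same file (System Owner, Authorizing Official, System Security Assessor, Technical Point of Contact, System Administrator, License Owner, Acquisition Officer) defines no PM role, so one of the two named approvers has no `role` or `responsible-party` an assessor can check against the ACL entries. Either add the PM as a defined role with a responsible party, or restrict approval to the System Owner so the narrative matches the parties that actually appear in the ACL. The paragraph also has `revokation` and `are added to or delete from`, which should read `revocation` and `are added to or deleted from`.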

@@ -815,7 +955,9 @@ -

Assign account managers

+

For this system, the entity with the System Administratore role + acts as the Accounts Manager and is responsible for creating, + revoking, delete accounts per decissions made by the System Owner.

@@ -823,7 +965,9 @@ -

Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;

+

Require [Assignment: + organization-defined prerequisites and criteria] for group and role + membership;

@@ -856,7 +1000,8 @@ uuid="37e94c9b-acb8-458f-8a95-c1d110ead856">

Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;

+ id-ref="ac-2_prm_2" />[Assignment: organization-defined attributes + (as required)] for each account;

@@ -864,7 +1009,9 @@ -

Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;

+

Require approvals by [Assignment: + organization-defined personnel or roles] for requests to create + accounts;

@@ -873,7 +1020,8 @@ uuid="02d4c648-5a86-4155-bd73-02c3439262b4">

Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];

+ type="param" id-ref="ac-2_prm_4" />[Assignment: organization-defined + policy, procedures, prerequisites, and criteria];

@@ -889,7 +1037,8 @@ -

Notify account managers and [Assignment: organization-defined personnel or roles] within:

+

Notify account managers and [Assignment: + organization-defined personnel or roles] within:

@@ -897,7 +1046,9 @@ -

Notify account managers and [Assignment: system owner] within:[Assignment: 1 business day] when accounts are no longer required;

+

Notify account managers and [Assignment: + system owner] within:[Assignment: + 1 business day] when accounts are no longer required;

@@ -905,7 +1056,9 @@ -

[Assignment: organization-defined time period] when users are terminated or transferred;

+

[Assignment: + organization-defined time period] when users are terminated or + transferred;

@@ -913,7 +1066,9 @@ -

[Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;

+

[Assignment: + organization-defined time period] when system usage or need-to-know + changes for an individual;

@@ -945,7 +1100,8 @@ -

[Assignment: organization-defined attributes (as required)];

+

[Assignment: + organization-defined attributes (as required)];

@@ -954,7 +1110,8 @@ uuid="b7932e43-9aa3-4bba-86a8-439a74e1e79a">

Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];

+ type="param" id-ref="ac-2_prm_10" />[Assignment: + organization-defined frequency];

@@ -962,7 +1119,9 @@ -

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+

Establish and implement a process for changing shared or group account + authenticators (if deployed) when individuals are removed from the + group;

@@ -970,13 +1129,25 @@ -

Align account management processes with personnel termination and transfer processes.

+

Align account management processes with personnel termination and + transfer processes.

+ + +

Blossom Wiki

+
+ + +

Project's Wiki which provides descriptions for the ATO and business processes.

+
+

National Institute of Standards and Technology's Logo

From e5ea1a3eba40322b0dd9c316b92d460cd8208f73 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 2 Jul 2024 17:37:01 -0400 Subject: [PATCH 20/36] Add handshake to S3 bucket --- .github/workflows/account_request_implement.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/account_request_implement.yaml b/.github/workflows/account_request_implement.yaml index 5f300a2..5d52eff 100644 --- a/.github/workflows/account_request_implement.yaml +++ b/.github/workflows/account_request_implement.yaml @@ -21,4 +21,16 @@ jobs: NUMBER: ${{ github.event.issue.number }} BODY: > @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. - Please monitor the automated assessment. \ No newline at end of file + Please monitor the automated assessment. + + - name: Checkout repo to access handshake file + uses: actions/checkout@v3 + + - name: Initiate handshake to S3 bucket + uses: shallwefootball/s3-upload-action@v1.3.3 + with: + aws_key_id: ${{ secrets.AWS_ACCESS_KEY }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_KEY }} + aws_bucket: ${{ secrets.AWS_BUCKET }} + source_dir: '.sims/handshake' + destination_dir: '' \ No newline at end of file From 6ca1e2d93553f9407da5227d655cd432d17e8c1c Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Fri, 5 Jul 2024 15:25:12 -0400 Subject: [PATCH 21/36] Add handshake empty file --- .sims/handshake | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .sims/handshake diff --git a/.sims/handshake b/.sims/handshake new file mode 100644 index 0000000..e69de29 From 5c9047eb9e25ff6eb8c1486b3ba81f3cf6f81aa3 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Mon, 8 Jul 2024 10:04:01 -0400 Subject: [PATCH 22/36] Create handshake directory to upload to S3 --- .sims/{handshake => handshake/handshake_empty} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .sims/{handshake => handshake/handshake_empty} (100%) 
diff --git a/.sims/handshake b/.sims/handshake/handshake_empty similarity index 100% rename from .sims/handshake rename to .sims/handshake/handshake_empty From 04cb0ab5cb24ee2178b0d12b2c51422660b7d835 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 9 Jul 2024 12:42:24 -0400 Subject: [PATCH 23/36] Handshake using AWS cli --- .../workflows/account_request_implement.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/account_request_implement.yaml b/.github/workflows/account_request_implement.yaml index 5d52eff..241473e 100644 --- a/.github/workflows/account_request_implement.yaml +++ b/.github/workflows/account_request_implement.yaml @@ -26,11 +26,15 @@ jobs: - name: Checkout repo to access handshake file uses: actions/checkout@v3 - - name: Initiate handshake to S3 bucket - uses: shallwefootball/s3-upload-action@v1.3.3 + - name: Configure AWS CLI + uses: aws-actions/configure-aws-credentials@v4 with: - aws_key_id: ${{ secrets.AWS_ACCESS_KEY }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_KEY }} - aws_bucket: ${{ secrets.AWS_BUCKET }} - source_dir: '.sims/handshake' - destination_dir: '' \ No newline at end of file + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + + - name: Copy handshake to bucket + run: | + aws s3 cp .sims/handshake/handshake_empty s3://"$AWS_BUCKET" + env: + AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file From 34b3e36a43ef05801336b8d74a74ddd867c98514 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 9 Jul 2024 15:32:54 -0400 Subject: [PATCH 24/36] More progress made on AC-2 in the SSP and ACL --- .sims/acl-ato.xml | 56 ----------- .sims/acl.xml | 20 +--- .../xml/ssp/blossom_admin_member_ssp.xml | 96 ++++++++++++------- 3 files changed, 64 insertions(+), 108 deletions(-) delete mode 100644 .sims/acl-ato.xml 
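Review bot: The new `Configure AWS CLI` step still authenticates with long-lived static keys (`secrets.AWS_ACCESS_KEY`, `secrets.AWS_SECRET_KEY`) that any future exposure of the repository secrets makes usable indefinitely; `aws-actions/configure-aws-credentials@v4` supports OIDC, so replace the two key inputs with `role-to-assume: ${{ secrets.AWS_ROLE_ARN }}` (placeholder secret name) and add `id-token: write` to the job's `permissions:` block, which lies outside this hunk and presumably grants only `issues: write` today. The `@v4` and `@v3` references are mutable tags; pin both to full commit SHAs with the tag in a trailing comment. `aws-region` is not sensitive and is clearer as a repository variable than a secret, since secret masking would otherwise redact the region from the `aws s3 cp` logs.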
diff --git a/.sims/acl-ato.xml b/.sims/acl-ato.xml deleted file mode 100644 index c6e0889..0000000 --- a/.sims/acl-ato.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - Owner-canonical-user-ID - System Owner (SO) - - - - - Owner-canonical-user-ID - System Owner (SO) - - FULL_CONTROL - - - - user1-canonical-user-ID - System Administrator (SA) - - WRITE - - - - user1-canonical-user-ID - System Administrator (SA) - - WRITE - - - - user1-canonical-user-ID - Authorizing Official (AO) - - READ - - - - user1-canonical-user-ID - System Security Assessor (SSA) - - READ - - - - http://acs.amazonaws.com/groups/global/AllUsers - - READ - - - - http://acs.amazonaws.com/groups/s3/LogDelivery - - WRITE - - - \ No newline at end of file diff --git a/.sims/acl.xml b/.sims/acl.xml index 6370f3c..50523c2 100644 --- a/.sims/acl.xml +++ b/.sims/acl.xml @@ -21,21 +21,21 @@ 09ad840f-aa79-43aa-9f22-25182c2ab11b System Owner - READ_ACP + WRITE 09ad840f-aa79-43aa-9f22-25182c2ab11b System Owner - WRITE + READ_ACP 551b9706-d6a4-4d25-8207-f2ccec541016 System Owner - READ + WRITE_ACP @@ -93,20 +93,6 @@ READ_ACP - - - user1-canonical-user-ID - System Security Assessor - - READ - - - - user1-canonical-user-ID - System Security Assessor - - READ_ACP - http://acs.amazonaws.com/groups/global/AllUsers diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index a1762b7..fb848c2 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml @@ -7,6 +7,9 @@ 2024-03-27T00:00:00Z 0.1 1.1.2 + System Owner (SO) @@ -16,15 +19,11 @@ in known as "this system").

- - Authorizing Official + + System Administrator (SA) -

The individual or individuals who are ultimatly accountable for reviewing the - assessemnt package, discuss with the SO the findings and grant an authorization - to operate (ATO) to "this system".

-

The Authorizing Official is the only entity responsible for the security posture - of the system that gets access to the ATO channel (chainecode). The AO signs the - MOU on behalf of the agency.

+

The individual accountable for the deployment, configuration, testing and + operations of the system on behalf of the System Owner.

@@ -34,6 +33,20 @@ behalf of the system owner.

+ + Authorizing Official + +

The individual or individuals who are ultimatly accountable for reviewing the + assessemnt package, discuss with the SO the findings and grant an authorization + to operate (ATO) to Blosom, a.ka "this system".

+

The Authorizing Official is the only entity responsible for the security posture + of the system and has access to the ATO channel (chaincode) to upload the ATO Attestation Memo (AAM). + The AO signs the AAM on behalf of the agency.

+
+
+ Technical Point of Contact (TPOC) @@ -41,13 +54,6 @@ uninstall, return).

- - System Administrator (SA) - -

The individual accountable for the deployment, configuration, testing and - operations of the system on behalf of the System Owner.

-
-
License Owner (LO) @@ -134,9 +140,11 @@ 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - + Any update in Cognito will have to trigger an update of the SSP + ### --> Aurelian Officeman @@ -173,8 +181,10 @@ - + ### --> + 09ad840f-aa79-43aa-9f22-25182c2ab11b 551b9706-d6a4-4d25-8207-f2ccec541016 @@ -186,7 +196,9 @@ responsibilities for "this system" supporting the system owner.

- + 132953a9-640c-46f7-9de9-3fa15ec99361 @@ -197,15 +209,23 @@ - + 51588d7c-aa79-43aa-9f22-25182c2cd22d + +

The license owner is responsible for managing the licenses a Blossom Member leases, and is also responsible for uploading to the asset chaincode the MOA signed by the TPOC and Acquisition Officer.

+
- + c46e27d1-7a65-47ea-bd76-df574fded5fd

Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

+

The TPOC is also responsible for reviewing and signing the initial Memorandum of Aggrement (MOA) stating the rules on engagemnet whith Blossom service around ATO automation and assets leasing.

@@ -571,8 +591,9 @@

A diagram-specific explanation.

- + Data Flow Diagram @@ -823,7 +844,7 @@ --> - business need + have an organization-sponsored email address to demonstrate employment and have been approved by the System Owner based on the business need of the individual business need @@ -847,7 +868,7 @@ 1 business day - System Owner (SO) + System Owner every 6 months @@ -865,13 +886,13 @@
-

The Blossom system System Owner and System Administrator are repsonsible for approving, creating and managing access by maintainit accurate information in Cognito and updating the access control policies in the chaincode for each channel.

+

The Blossom system's System Owner and System Administrator are repsonsible for approving, creating and managing accounts and grant or denie access to the system by maintaining accurate information in Cognito and updating the access control policies access control lists (ACLs).

-

AWS provide access to the system to approved entities, for deployment, maintenance, and operations.

+

AWS manages the access to approved entities to the system's infrastructure, for deployment, maintenance, and operations.

@@ -919,12 +940,12 @@
  • Non-Privileged accounts:
      System Security Assessor
    - + ##### -->
  • @@ -955,7 +976,7 @@ -

    For this system, the entity with the System Administratore role +

    For this system, the entity with the System Administrator role acts as the Accounts Manager and is responsible for creating, revoking, delete accounts per decissions made by the System Owner.

    @@ -965,9 +986,11 @@ -

    Require [Assignment: - organization-defined prerequisites and criteria] for group and role - membership;

    + +

    For each identified role, access to the system for each role will be individually + analyzed and granted if the requesters proves they + for the respective group and role membership.

    @@ -975,7 +998,10 @@ -

    Specify:

    +

    1. All authorized users are listed and accuratelly maintained in this SSP in the "metadata", as "party" elements of type="person".

    +

    2. All roles supported by the Blossom system are documented in this SSP in the "metadata", as "role" elements with "id" identifying the role. + This system does not support groups.

    +

    3. All access authorizations are docuemnted in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    From 39bc59278f938a806f683821a0c992d7d9683084 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 9 Jul 2024 15:32:54 -0400 Subject: [PATCH 25/36] More progress made on AC-2 in the SSP and ACL --- .sims/acl-ato.xml | 56 ----------- .sims/acl.xml | 20 +--- .../xml/ssp/blossom_admin_member_ssp.xml | 96 ++++++++++++------- 3 files changed, 64 insertions(+), 108 deletions(-) delete mode 100644 .sims/acl-ato.xml diff --git a/.sims/acl-ato.xml b/.sims/acl-ato.xml deleted file mode 100644 index c6e0889..0000000 --- a/.sims/acl-ato.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - Owner-canonical-user-ID - System Owner (SO) - - - - - Owner-canonical-user-ID - System Owner (SO) - - FULL_CONTROL - - - - user1-canonical-user-ID - System Administrator (SA) - - WRITE - - - - user1-canonical-user-ID - System Administrator (SA) - - WRITE - - - - user1-canonical-user-ID - Authorizing Official (AO) - - READ - - - - user1-canonical-user-ID - System Security Assessor (SSA) - - READ - - - - http://acs.amazonaws.com/groups/global/AllUsers - - READ - - - - http://acs.amazonaws.com/groups/s3/LogDelivery - - WRITE - - - \ No newline at end of file diff --git a/.sims/acl.xml b/.sims/acl.xml index 6370f3c..50523c2 100644 --- a/.sims/acl.xml +++ b/.sims/acl.xml @@ -21,21 +21,21 @@ 09ad840f-aa79-43aa-9f22-25182c2ab11b System Owner - READ_ACP + WRITE 09ad840f-aa79-43aa-9f22-25182c2ab11b System Owner - WRITE + READ_ACP 551b9706-d6a4-4d25-8207-f2ccec541016 System Owner - READ + WRITE_ACP @@ -93,20 +93,6 @@ READ_ACP - - - user1-canonical-user-ID - System Security Assessor - - READ - - - - user1-canonical-user-ID - System Security Assessor - - READ_ACP - http://acs.amazonaws.com/groups/global/AllUsers diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index a1762b7..fb848c2 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml 
@@ -7,6 +7,9 @@ 2024-03-27T00:00:00Z 0.1 1.1.2 + System Owner (SO) @@ -16,15 +19,11 @@ in known as "this system").

    - - Authorizing Official + + System Administrator (SA) -

    The individual or individuals who are ultimatly accountable for reviewing the - assessemnt package, discuss with the SO the findings and grant an authorization - to operate (ATO) to "this system".

    -

    The Authorizing Official is the only entity responsible for the security posture - of the system that gets access to the ATO channel (chainecode). The AO signs the - MOU on behalf of the agency.

    +

    The individual accountable for the deployment, configuration, testing and + operations of the system on behalf of the System Owner.

    @@ -34,6 +33,20 @@ behalf of the system owner.

    + + Authorizing Official + +

    The individual or individuals who are ultimatly accountable for reviewing the + assessemnt package, discuss with the SO the findings and grant an authorization + to operate (ATO) to Blosom, a.ka "this system".

    +

    The Authorizing Official is the only entity responsible for the security posture + of the system and has access to the ATO channel (chaincode) to upload the ATO Attestation Memo (AAM). + The AO signs the AAM on behalf of the agency.

    +
    +
    + Technical Point of Contact (TPOC) @@ -41,13 +54,6 @@ uninstall, return).

    - - System Administrator (SA) - -

    The individual accountable for the deployment, configuration, testing and - operations of the system on behalf of the System Owner.

    -
    -
    License Owner (LO) @@ -134,9 +140,11 @@ 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 8aed7ffd-5158-445d-8d7c-eec5cf240cba - + Any update in Cognito will have to trigger an update of the SSP + ### --> Aurelian Officeman @@ -173,8 +181,10 @@ - + ### --> + 09ad840f-aa79-43aa-9f22-25182c2ab11b 551b9706-d6a4-4d25-8207-f2ccec541016 @@ -186,7 +196,9 @@ responsibilities for "this system" supporting the system owner.

    - + 132953a9-640c-46f7-9de9-3fa15ec99361 @@ -197,15 +209,23 @@ - + 51588d7c-aa79-43aa-9f22-25182c2cd22d + +

    The license owner is responsible for managing the licenses a Blossom Member leases, and is also responsible for uploading to the asset chaincode the MOA signed by the TPOC and Acquisition Officer.

    +
    - + c46e27d1-7a65-47ea-bd76-df574fded5fd

    Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

    +

    The TPOC is also responsible for reviewing and signing the initial Memorandum of Aggrement (MOA) stating the rules on engagemnet whith Blossom service around ATO automation and assets leasing.

    @@ -571,8 +591,9 @@

    A diagram-specific explanation.

    - + Data Flow Diagram @@ -823,7 +844,7 @@ --> - business need + have an organization-sponsored email address to demonstrate employment and have been approved by the System Owner based on the business need of the individual business need @@ -847,7 +868,7 @@ 1 business day - System Owner (SO) + System Owner every 6 months @@ -865,13 +886,13 @@ -

    The Blossom system System Owner and System Administrator are repsonsible for approving, creating and managing access by maintainit accurate information in Cognito and updating the access control policies in the chaincode for each channel.

    +

    The Blossom system's System Owner and System Administrator are repsonsible for approving, creating and managing accounts and grant or denie access to the system by maintaining accurate information in Cognito and updating the access control policies access control lists (ACLs).

    -

    AWS provide access to the system to approved entities, for deployment, maintenance, and operations.

    +

    AWS manages the access to approved entities to the system's infrastructure, for deployment, maintenance, and operations.

    @@ -919,12 +940,12 @@
  • Non-Privileged accounts:
      System Security Assessor
    - + ##### -->
  • @@ -955,7 +976,7 @@ -

    For this system, the entity with the System Administratore role +

    For this system, the entity with the System Administrator role acts as the Accounts Manager and is responsible for creating, revoking, delete accounts per decissions made by the System Owner.

    @@ -965,9 +986,11 @@ -

    Require [Assignment: - organization-defined prerequisites and criteria] for group and role - membership;

    + +

    For each identified role, access to the system for each role will be individually + analyzed and granted if the requesters proves they + for the respective group and role membership.

    @@ -975,7 +998,10 @@ -

    Specify:

    +

    1. All authorized users are listed and accuratelly maintained in this SSP in the "metadata", as "party" elements of type="person".

    +

    2. All roles supported by the Blossom system are documented in this SSP in the "metadata", as "role" elements with "id" identifying the role. + This system does not support groups.

    +

    3. All access authorizations are docuemnted in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    From 0bfa2c26b39488455b1a58fce59e4d051165d8b5 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Wed, 10 Jul 2024 18:55:02 -0400 Subject: [PATCH 26/36] More progress with the controls in the SSP. --- .../xml/ssp/blossom_admin_member_ssp.xml | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index fb848c2..c75a4c5 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml @@ -843,34 +843,34 @@
    --> - + have an organization-sponsored email address to demonstrate employment and have been approved by the System Owner based on the business need of the individual - + business need - + System Owner (SO) - + Types of User Accounts for Blossom - + System Owner (SO) - + 1 business day - + 1 business day - + 1 business day - + System Owner - + every 6 months @@ -986,10 +986,10 @@ -

    For each identified role, access to the system for each role will be individually - analyzed and granted if the requesters proves they + analyzed and granted if the requesters proves they for the respective group and role membership.

    @@ -1001,7 +1001,7 @@

    1. All authorized users are listed and accuratelly maintained in this SSP in the "metadata", as "party" elements of type="person".

    2. All roles supported by the Blossom system are documented in this SSP in the "metadata", as "role" elements with "id" identifying the role. This system does not support groups.

    -

    3. All access authorizations are docuemnted in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    +

    3. All access authorizations are documented in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    @@ -1026,7 +1026,7 @@ uuid="37e94c9b-acb8-458f-8a95-c1d110ead856">

    Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes + id-ref="ac-02_odp.0_2" />[Assignment: organization-defined attributes (as required)] for each account;

    @@ -1035,7 +1035,7 @@ -

    Require approvals by [Assignment: +

    Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;

    @@ -1046,7 +1046,7 @@ uuid="02d4c648-5a86-4155-bd73-02c3439262b4">

    Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined + type="param" id-ref="ac-02_odp.04" />[Assignment: organization-defined policy, procedures, prerequisites, and criteria];

    @@ -1063,7 +1063,7 @@ -

    Notify account managers and [Assignment: +

    Notify account managers and [Assignment: organization-defined personnel or roles] within:

    @@ -1072,8 +1072,8 @@ -

    Notify account managers and [Assignment: - system owner] within:[Assignment: +

    Notify account managers and [Assignment: + system owner] within:[Assignment: 1 business day] when accounts are no longer required;

    @@ -1082,7 +1082,7 @@ -

    [Assignment: +

    [Assignment: organization-defined time period] when users are terminated or transferred;

    @@ -1092,7 +1092,7 @@ -

    [Assignment: +

    [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;

    @@ -1126,7 +1126,7 @@ -

    [Assignment: +

    [Assignment: organization-defined attributes (as required)];

    @@ -1136,7 +1136,7 @@ uuid="b7932e43-9aa3-4bba-86a8-439a74e1e79a">

    Review accounts for compliance with account management requirements [Assignment: + type="param" id-ref="ac-02_odp.10" />[Assignment: organization-defined frequency];

    From 7ba77716a7e3d93f206539380570e43b99501844 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Thu, 18 Jul 2024 14:25:42 -0400
Subject: [PATCH 27/36] Python script to create yaml file with user info
---
ato/secops/create_user.py | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 ato/secops/create_user.py
diff --git a/ato/secops/create_user.py b/ato/secops/create_user.py
new file mode 100644
index 0000000..7428e95
--- /dev/null
+++ b/ato/secops/create_user.py
@@ -0,0 +1,33 @@
+import click
+import yaml
+from datetime import datetime
+
+@click.command()
+@click.option('--user-name', required=True, help='Name of user to create')
+@click.option('--user-email', required=True, help='Email of user to create')
+@click.option('--user-role', required=True, help='Role of user to create')
+@click.option('--location-uuid', default='00000000-0000-0000-0000-000000000000', help='UUID of physical location of user')
+@click.option('--org-member', default='00000000-0000-0000-0000-000000000000', help='UUID of organization that user is member of')
+def create_user(user_name, user_email, user_role, location_uuid, org_member):
+ # Structure of yaml file
+ cmd = {
+ "command" : "create-acl-user|create-cognito-user",
+ "user" : {
+ "name" : f"{user_name}",
+ "email-address":f"{user_email}",
+ "role":f"{user_role}",
+ "location-uuid":f"{location_uuid}",
+ "member-of-organization":f"{org_member}",
+ },
+ }
+
+ # Include timestamp in filename
+ timestamp = datetime.now().strftime("%Y%m%d-%H%M%S")
+ filename = "ato/oscal-artifacts/created_users/created_user_" + timestamp + ".yaml"
+
+ # Write to yaml file
+ with open(filename, 'w') as f:
+ print(f"\n\n{yaml.safe_dump(cmd, default_flow_style=False)}", file=f)
+
+if __name__ == '__main__':
+ create_user()
\ No newline at end of file
From 11c842ba178fff3b0ec83b2941c66434bf24d949 Mon Sep 17 00:00:00 2001
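Review bot: `--user-role` is accepted as free text and written straight into the `role` field of a provisioning command (`create-acl-user|create-cognito-user`), so a typo or an unexpected value reaches account creation unchecked; constrain it with `type=click.Choice([...])` listing the roles the SSP defines, and give `--user-email` at least a minimal shape check before it is written out. The `f"{user_name}"` wrappers on every field are redundant, since click already hands the values over as strings, and should be plain `"name": user_name`. The file name is derived only from a second-resolution timestamp, so two invocations within the same second silently overwrite each other; adding a `uuid4()` suffix avoids that. The output path is relative to the current working directory and the directory is not created here, so `open(filename, 'w')` fails unless the caller prepares it.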
From: selenaxiao-nist Date: Thu, 18 Jul 2024 14:37:34 -0400 Subject: [PATCH 28/36] Add user email input to account request form --- .../account_management_request_form.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml index 2c4ebfd..096e662 100644 --- a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml +++ b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml @@ -3,19 +3,26 @@ description: Submit an account related request labels: ['ACCOUNT_REQUEST_RECORD'] body: - type: input - id: first-name + id: user-first-name attributes: label: Account Holder First Name placeholder: Type here user's first name as it appears in his/her ID. validations: required: true - type: input - id: last-name + id: user-last-name attributes: label: Account Holder Last Name placeholder: Type here user's last name as it appears in his/her ID. validations: required: true + - type: input + id: user-email + attributes: + label: Account Holder Email + placeholder: Type here user's email + validations: + required: true - type: input id: requester-name attributes: From 204d9f90c88c000dd655c47fddce6a0199c1a057 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Fri, 19 Jul 2024 16:44:01 -0400 Subject: [PATCH 29/36] Implement action to send yaml to S3 --- .../workflows/account_request_implement.yaml | 50 +++++++++++++------ ato/secops/create_user.py | 4 +- 2 files changed, 36 insertions(+), 18 deletions(-) diff --git a/.github/workflows/account_request_implement.yaml b/.github/workflows/account_request_implement.yaml index 241473e..acd9449 100644 --- a/.github/workflows/account_request_implement.yaml +++ b/.github/workflows/account_request_implement.yaml 
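Review bot: The new `user-email` input is only marked `required: true`; issue forms cannot enforce a format, so whatever text a requester types becomes the `--user-email` argument of the provisioning script in the follow-up workflow, and the consuming side should validate it before an account is created. The SSP parameter changed earlier in this series states that accounts require an organization-sponsored email address to demonstrate employment, so the script or workflow that consumes this field is the natural place to enforce that domain check. Renaming `first-name`/`last-name` to `user-first-name`/`user-last-name` changes the keys the issue parser emits (`issueparser_user-first-name`), so any workflow still reading the old ids receives empty values; the later `account_request_implement.yaml` hunk uses the new names, but other consumers are outside this view.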
@@ -10,21 +10,29 @@ jobs: request-implemented: if: github.event.label.name == 'ACCOUNT_IMPLEMENTED' runs-on: ubuntu-20.04 - permissions: - issues: write + # permissions: + # issues: write steps: - - name: Notify Blossom Assessors about Implemented Account - run: gh issue comment "$NUMBER" --body "$BODY" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.issue.number }} - BODY: > - @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. - Please monitor the automated assessment. - - name: Checkout repo to access handshake file - uses: actions/checkout@v3 + uses: actions/checkout@v4 + + - name: Parse issue body + uses: stefanbuck/github-issue-parser@v3.2.1 + id: issue-parser + with: + template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml" + + - name: Ensure directory exists for created users + run: | + mkdir -p ato/oscal-artifacts/created_users/ + + - name: Create yaml file for automated user creation + env: + USER_NAME: "${{ steps.issue-parser.outputs.issueparser_user-first-name }} ${{ steps.issue-parser.outputs.issueparser_user-last-name }}" + USER_EMAIL: ${{ steps.issue-parser.outputs.issueparser_user-email }} + USER_ROLE: ${{ steps.issue-parser.outputs.issueparser_account-type }} + run: | + python ato/secops/create_user.py --user-name "$USER_NAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" - name: Configure AWS CLI uses: aws-actions/configure-aws-credentials@v4 
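Review bot: `stefanbuck/github-issue-parser@v3.2.1` is a third-party action pinned to a mutable tag; since its output feeds account provisioning, pin it to a full commit SHA (`uses: stefanbuck/github-issue-parser@<commit-sha>  # v3.2.1`) so a retagged release cannot change what is parsed. The parsed `issueparser_user-email` and `issueparser_account-type` values are passed through environment variables into `create_user.py` without any validation in the workflow, so the only gate between an issue body and a provisioning command is the `ACCOUNT_IMPLEMENTED` label on the existing `if:` line; worth recording that with `# Only the implementing team should be able to apply ACCOUNT_IMPLEMENTED; the parsed fields are not validated here.` Commenting out `permissions: issues: write` leaves the job with the repository's default token permissions rather than an explicit minimal set; declare `permissions: contents: read` for the checkout. No step installs `click`/`PyYAML` before `python ato/secops/create_user.py` runs, so presumably the runner image is relied on to provide them — confirm or add an install step.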
@@ -33,8 +41,18 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} - - name: Copy handshake to bucket + - name: Copy user yaml to bucket run: | - aws s3 cp .sims/handshake/handshake_empty s3://"$AWS_BUCKET" + aws s3 cp --recursive ato/oscal-artifacts/created_users/ s3://"$AWS_BUCKET" env: - AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file + AWS_BUCKET: ${{ secrets.AWS_BUCKET }} + + # - name: Notify Blossom Assessors about Implemented Account + # run: gh issue comment "$NUMBER" --body "$BODY" + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # GH_REPO: ${{ github.repository }} + # NUMBER: ${{ github.event.issue.number }} + # BODY: > + # @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. + # Please monitor the automated assessment. \ No newline at end of file diff --git a/ato/secops/create_user.py b/ato/secops/create_user.py index 7428e95..8eb237c 100644 --- a/ato/secops/create_user.py +++ b/ato/secops/create_user.py @@ -6,8 +6,8 @@ @click.option('--user-name', required=True, help='Name of user to create') @click.option('--user-email', required=True, help='Email of user to create') @click.option('--user-role', required=True, help='Role of user to create') -@click.option('--location-uuid', default='00000000-0000-0000-0000-000000000000', help='UUID of physical location of user') -@click.option('--org-member', default='00000000-0000-0000-0000-000000000000', help='UUID of organization that user is member of') +@click.option('--location-uuid', help='UUID of physical location of user') +@click.option('--org-member', help='UUID of organization that user is member of') def create_user(user_name, user_email, user_role, location_uuid, org_member): # Structure of yaml file cmd = { From 610398a6d6817ee4dade10a29a4b57547d589ca7 Mon Sep 17 00:00:00 2001 
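Review bot: `aws s3 cp --recursive ato/oscal-artifacts/created_users/ s3://"$AWS_BUCKET"` uploads everything in that directory, not just the file this run generated, so if the directory is ever tracked or a workspace is reused, earlier provisioning files are re-sent and whatever consumes the bucket may re-process them; have the create step emit the path it wrote and copy that one file (`aws s3 cp "$USER_FILE" s3://"$AWS_BUCKET"/created_users/`). The long-lived `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` secrets on the context lines above are retained; if the account allows it, `role-to-assume` with OIDC in `configure-aws-credentials@v4` removes the static key from the repository. The commented-out notification block is dead YAML; deleting it rather than keeping it behind `#` keeps the workflow readable, and the file still ends without a trailing newline.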
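Review bot: Dropping the `default=` on `--location-uuid` and `--org-member` makes them `None` when omitted, but the body of `create_user` (outside this hunk) still formats them with `f"{location_uuid}"` and `f"{org_member}"`, so the generated YAML now carries the literal string `None` in `location-uuid` and `member-of-organization` instead of a null or an absent key; the workflow in this commit never passes those options, so every generated file will have that value. Write the raw values (`"location-uuid": location_uuid,`) so `yaml.safe_dump` emits `null`, or omit the keys when the option is not given.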
From: Michaela Iorga Date: Mon, 22 Jul 2024 23:34:25 -0400 Subject: [PATCH 30/36] Updates provided by Ned --- .../xml/ssp/blossom_admin_member_ssp.xml | 2481 ++++++++--------- 1 file changed, 1235 insertions(+), 1246 deletions(-) diff --git a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml index c75a4c5..d0a25ca 100644 --- a/oscal-content/xml/ssp/blossom_admin_member_ssp.xml +++ b/oscal-content/xml/ssp/blossom_admin_member_ssp.xml @@ -1,1247 +1,1236 @@ - - - - BloSS@M System Security Plan - 2022-04-05T00:00:00Z - 2024-03-27T00:00:00Z - 0.1 - 1.1.2 - - - System Owner (SO) - -

    The individual within the organization who is ultimately accountable for - everything related to the deployment, assessemnt, authorization and operations - of the Blossom Member which provides the software assets leasing service (here - in known as "this system").

    -
    -
    - - System Administrator (SA) - -

    The individual accountable for the deployment, configuration, testing and - operations of the system on behalf of the System Owner.

    -
    -
    - - System Security Assessor (SSA) - -

    The individual accountable for assessing the security posture of the system on - behalf of the system owner.

    -
    -
    - - Authorizing Official - -

    The individual or individuals who are ultimatly accountable for reviewing the - assessemnt package, discuss with the SO the findings and grant an authorization - to operate (ATO) to Blosom, a.ka "this system".

    -

    The Authorizing Official is the only entity responsible for the security posture - of the system and has access to the ATO channel (chaincode) to upload the ATO Attestation Memo (AAM). - The AO signs the AAM on behalf of the agency.

    -
    -
    - - - Technical Point of Contact (TPOC) - -

    The individual accountable for managing leased licenses (checkout, install, - uninstall, return).

    -
    -
    - - License Owner (LO) - -

    The individual within the service provider organization who is accountable for - managing the pool of software resources made available for leasing to USG - agencies.

    -

    The License Owner role exists only within the service provider agency.

    -
    -
    - - Acquisition Officer - -

    The individual within the Agency which is responsible for approving and - processing the payment of the leased pool of software licenses.

    -
    -
    - - National Institute of Standards and Technology -
    - 100 Bureau Drive - Gaithersburg - MD - 20899 -
    - -

    NIST ITL Computer Security Division's Secure Systems and Applications Group is - the primary CSP for this project.

    -
    -
    - - AWS US East/West -
    - 13200 Woodland Park Rd - Herndon - VA - 20171 -
    - - -

    This title must be kept as-is to match FedRAMP Marketplace listing. This is a a - FedRAMP requirement. This official mailing address of Amazon's AWS commercial - offering for the us-east-1 is provided, as Amazon not disclose the address of - data-centers either on a region or availability zone basis.

    -
    -
    - - National Institute of Standards and Technology IT Lab Computer Security Division Secure Systems and Applications Group - NIST - - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 - -

    Blossom network provider.

    -
    -
    - - Stan Owens - - - - blossom@nist.gov - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - ManoGiana Bloom - - blossom@nist.gov - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - Simmon Admino - - - - blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - Steve S. Asesoro - - - - blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - - Aurelian Officeman - - - - blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - Licenta Owens - - - - blossom@nist.gov - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - Acquia Officiale - - - - blossom@nist.gov - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - Tom Pock - - - - blossom@nist.gov - 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 - 8aed7ffd-5158-445d-8d7c-eec5cf240cba - - - - - 09ad840f-aa79-43aa-9f22-25182c2ab11b - 551b9706-d6a4-4d25-8207-f2ccec541016 - - - 4fded5fd-7a65-47ea-bd76-df57c46e27d1 - -

    This party has development, deployment, configuration and operations - responsibilities for "this system" supporting the system owner.

    -
    -
    - - - 132953a9-640c-46f7-9de9-3fa15ec99361 - -

    The party responsible to assess the security controls on behalf of the system - owner.

    -
    -
    - - - - 51588d7c-aa79-43aa-9f22-25182c2cd22d - -

    The license owner is responsible for managing the licenses a Blossom Member leases, and is also responsible for uploading to the asset chaincode the MOA signed by the TPOC and Acquisition Officer.

    -
    -
    - - - c46e27d1-7a65-47ea-bd76-df574fded5fd - -

    Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

    -

    The TPOC is also responsible for reviewing and signing the initial Memorandum of Aggrement (MOA) stating the rules on engagemnet whith Blossom service around ATO automation and assets leasing.

    -
    -
    - - c46e27d1-7a65-47ea-bd76-df574fded5fd - -

    Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

    -
    -
    - - - - 3360e343-9860-4bda-9dfc-ff427c3dfab6 - - -

    This SSP was created using a simplified version of OSCAL-based FedRAMP SSP Template - for the FedRAMP Low, Moderate, and High baselines.

    -
    -
    - - -

    This example points to the tailored FedRAMP Moderate 800-53 rev 5 baseline, adjusted - accordingly for BloSS@M.

    -
    -
    - - 8101e04d-8305-4e73-bb95-6b59f645b143 - Blockchain-based Secure Software Assets Management - Blossom - -

    TBD: Describe the purpose and functions of this system here.

    -
    - - - - - - fips-199-moderate - - - - - - - - Blockchain-based Software Assets Management - -

    BloSS@M stores the minimally required identity and authorization metadata to - authenitcate and authorize federal users of the system.

    -
    - - C.2.8.12 - - - fips-199-low - fips-199-moderate - - - fips-199-low - fips-199-moderate - -

    The NIST Privacy Office and Office of Information Systems Management - categorizes personal identity and authentication information with as - FIPS-199 Low impact for integrity concerns. - This categorization is limited to federal employees when this data is - for identification of these federal employees only.

    -
    -
    - - fips-199-low - fips-199-low - -
    - - Inventory control information - -

    TBD

    -
    - - C.3.4.2 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - -
    - - Logistics management information - -

    TBD

    -
    - - C.3.4.3 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - -
    - - Services acquisition information - -

    TBD

    -
    - - C.3.4.4 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - -
    - - Lifecycle and change management information - -

    TBD

    -
    - - C.3.5.2 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-moderate - - - fips-199-moderate - fips-199-low - -
    - - Information security information - -

    TBD

    -
    - - C.3.5.5 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-moderate - - - fips-199-moderate - fips-199-low - -
    - - Record retention information - -

    TBD

    -
    - - C.3.5.6 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - -
    - - Information management information - -

    TBD:

    -
    - - C.3.5.7 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-moderate - - - fips-199-moderate - fips-199-low - -
    - - Information sharing information - -

    TBD

    -
    - - C.3.5.9 - - - fips-199-moderate - fips-199-moderate - -

    This information has no base recommendation in SP 800-60 Volume 2 - Revision 1 guidance. - The Office of Information Systems Management's consulted the BloSS@M - Team and the NIST system owner, who categorized this information sharing - at FIPS-199 Moderate impact.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    This information has no base recommendation in SP 800-60 Volume 2 - Revision 1 guidance. - The Office of Information Systems Management's consulted the BloSS@M - Team and the NIST system owner, who categorized this information sharing - at FIPS-199 Moderate impact.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    This information has no base recommendation in SP 800-60 Volume 2 - Revision 1 guidance. - The Office of Information Systems Management's consulted the BloSS@M - Team and the NIST system owner, who categorized this information sharing - at FIPS-199 Moderate impact.

    -
    -
    -
    - - Scientific and technological research and innovation information - -

    TBD

    -
    - - D.19.1 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-moderate - - - fips-199-moderate - fips-199-low - -
    - - Research and development information - -

    TBD

    -
    - - D.20.1 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-moderate - - - fips-199-moderate - fips-199-moderate - -
    - - Research and development information - -

    TBD

    -
    - - D.20.4 - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - - - fips-199-moderate - fips-199-low - -
    -
    - - fips-199-moderate - fips-199-moderate - fips-199-low - - - - -

    TBD: A holistic, top-level explanation of the system's authorization boundary.

    -
    - - -

    A diagram-specific explanation.

    -
    - - Authorization Boundary Diagram -
    -
    - - -

    A holistic, top-level explanation of the network architecture.

    -
    - - -

    A diagram-specific explanation.

    -
    - - Network Diagram -
    -
    - - -

    A holistic, top-level explanation of the system's data flows.

    -
    - - -

    A diagram-specific explanation.

    -
    - - Data Flow Diagram -
    -
    -
    - - - AWS Managed Blockchain (AMB) - - - e63e870d-bf43-40dc-98a0-37d5e39b2dd1 - 2024-01-01 - -

    TBD: ssp-uuid: 73a7ca56-ac02-43b9-8664-62bcb05a7e91 will need to be added for - oscal 1.2.0.

    -

    The leveraged authorization assembly is supposed to have a required uuid flag - instead of an optional id flag. This will be fixed in the syntax shortly.

    -

    Use one leveraged-authorization assembly for each underlying system. (In the - legacy world, these may be general support systems.

    -

    The link fields are optional, but preferred where known. Often, a leveraging - system's SSP author will not have access to the leveraged system's SSP, but - should have access to the leveraged system's CRM.

    -
    -
    - - System Administrator - - - - system-administrator - - Full administrative access rights - add and remove users, software-name and hardware - install and configure deployments - system updates, patches and hotfixes - perform backups - - - - System Owner - - - - system-owner - - Privileged access rights - add and remove users, software-name and hardware - install and configure deployments - system updates, patches and hotfixes - perform backups - - - - System Security Assessor - - - - sys-sec-assessor - - Non-privileged access rights (read only) - review system documentation and security configurations - review if system updates, patches and hotfixes are documented and successfully completed - review disaster recovery procedures and system backups existance - - - - This System - -

    The entire Blossom system as depicted in the system authorization boundary

    -
    - -
    - - AWS Managed Blockchain (AMB) - Leveraged System - -

    TBD: If the leveraged system owner provides a UUID for their system (such as in - an OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    -
    - - - - - -
    - - -

    TBD: Description of Blossom inventory items 1

    -
    - - - - - - - -
    -
    - - -

    This is a palceholder for the FedRAMP SSP Template Section 13

    -

    This description field is required by OSCAL.

    -

    FedRAMP does not require any specific information here.

    -
    - - - - - - - - -

    Per the documentation available in the Blossom Wiki, the AWS Managed - Blockchain (AMB) provides access control to the infrastracture for the - entities identified below which require access to IaaS to maintain and - deploy system components. The blockchain's chaincode is implementing Next - Generation Access Control (NGAC) standard to manage the access to resources - for the roles docuemnted in the Blossom specification. Access control policy - machines are implemented for the two private channels of the AMB: the ATO or - "Authorization" channel and the "Businness" channel.

    -
    -
    - - -

    The policy machines are controling the access to the two chaincodes - (Authorization and Business) used by the system.

    -
    -
    - - - - - have an organization-sponsored email address to demonstrate employment and have been approved by the System Owner based on the business need of the individual - - - business need - - - System Owner (SO) - - - Types of User Accounts for Blossom - - - System Owner (SO) - - - 1 business day - - - 1 business day - - - 1 business day - - - System Owner - - - every 6 months - - - 4fded5fd-7a65-47ea-bd76-df57c46e27d1 - - - 09ad840f-aa79-43aa-9f22-25182c2ab11b - - - - -

    For the IAM entities that have a business need, and which have accounts created in Cognito, the Policy machines which implement NGAC in the two chaincodes are managing the access control for the Blossom business layer users and the BC Member's Authorizing Official that is uploading the ATO Attestation to the Authorization channel.

    -
    - - -

    The Blossom system's System Owner and System Administrator are repsonsible for approving, creating and managing accounts and grant or denie access to the system by maintaining accurate information in Cognito and updating the access control policies access control lists (ACLs).

    -
    -
    -
    - - -

    AWS manages the access to approved entities to the system's infrastructure, for deployment, maintenance, and operations.

    -
    - - -

    Keep the ACL list current at all times.

    -
    -
    -
    -
    - - - -

    The system has privileged and non-privileged accounts associated with the business layer and the ATO processes.

    -

    These accounts are managed by the NGAC implementation in the chaincodes for the ATO and for the assets management (business) processes.

    -

    The following accounts are supported for the business operations (assets management):

    -
      -
    • Privileged accounts: -
        License Owner
      -
    • -
    • Non-Privileged accounts: -
        Acquisition Officer
      -
        Technical Point of Contact
      -
    • -
    -

    The Authorizing Official is responsible for reviewing the ATO package prepared by the System Owner and signing/authorizing the system to operate.

    -

    The System Owner remains the custodian of all system ATO related artifacts.

    -

    Upon approval, teh AO is responsible for generating automatically the ATO attestation and upload it to the ATO channel.

    -

    The following account is supported for the ATO processes. :

    -
      -
    • Privileged accounts: -
        Authorizing Official
      -
    • -
    -
    - -
    - - -

    The following accounts of the Blossom System of NIST Member managed by the Leveraged AWS IaaS are:

    -
      -
    • Privileged accounts: -
        System Owner
      -
        System Administrator
      -
    • -
    • Non-Privileged accounts: -
        System Security Assessor
      - -
    • -
    -
    - - -

    TBD: provided-uuid needs to match the one in the AWS' SSP.

    -

    All privileged and non-privileged accounts that are granted access to - the AWS infrastructure and are responsible for the Blossom System deployment and maintenance - (this system), are managed by the AWS IaaS (leveraged ATO system) - which uses an Access Control List (ACL) for the NIST employees - assigned Blossom roles.

    -
    -
    - - -

    The Access Control List (ACL) updates are Blossom system's responsibility (as customers of AWS) - For all roles listed above which are managed by the AWS IaaS - system, account creation/revokation/deletion requests are approved - by the Blossom system's System Owner or the Blossom PM and are added to or delete - from the ACL list by the System Administrator.

    -
    -
    -
    -
    - - - -

    For this system, the entity with the System Administrator role - acts as the Accounts Manager and is responsible for creating, - revoking, delete accounts per decissions made by the System Owner.

    -
    -
    -
    - - - - -

    For each identified role, access to the system for each role will be individually - analyzed and granted if the requesters proves they - for the respective group and role membership.

    -
    -
    -
    - - - -

    1. All authorized users are listed and accuratelly maintained in this SSP in the "metadata", as "party" elements of type="person".

    -

    2. All roles supported by the Blossom system are documented in this SSP in the "metadata", as "role" elements with "id" identifying the role. - This system does not support groups.

    -

    3. All access authorizations are documented in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    -
    -
    -
    - - - -

    Authorized users of the system

    -
    -
    -
    - - - -

    Group and role membership

    -
    -
    -
    - - - -

    Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes - (as required)] for each account;

    -
    -
    -
    - - - -

    Require approvals by [Assignment: - organization-defined personnel or roles] for requests to create - accounts;

    -
    -
    -
    - - - -

    Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined - policy, procedures, prerequisites, and criteria];

    -
    -
    -
    - - - -

    Monitor the use of accounts;

    -
    -
    -
    - - - -

    Notify account managers and [Assignment: - organization-defined personnel or roles] within:

    -
    -
    -
    - - - -

    Notify account managers and [Assignment: - system owner] within:[Assignment: - 1 business day] when accounts are no longer required;

    -
    -
    -
    - - - -

    [Assignment: - organization-defined time period] when users are terminated or - transferred;

    -
    -
    -
    - - - -

    [Assignment: - organization-defined time period] when system usage or need-to-know - changes for an individual;

    -
    -
    -
    - - - -

    Authorize access to the system based on:

    -
    -
    -
    - - - -

    A valid access authorization;

    -
    -
    -
    - - - -

    Intended system usage;

    -
    -
    -
    - - - -

    [Assignment: - organization-defined attributes (as required)];

    -
    -
    -
    - - - -

    Review accounts for compliance with account management requirements [Assignment: - organization-defined frequency];

    -
    -
    -
    - - - -

    Establish and implement a process for changing shared or group account - authenticators (if deployed) when individuals are removed from the - group;

    -
    -
    -
    - - - -

    Align account management processes with personnel termination and - transfer processes.

    -
    -
    -
    -
    -
    - - - -

    Blossom Wiki

    -
    - - -

    Project's Wiki which provides descriptions for the ATO and business processes.

    -
    -
    - - -

    National Institute of Standards and Technology's Logo

    -
    - - 00000000 - -

    May use rlink with a relative path, or embedded as base64 - .

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a - browser via HTML5.

    -
    -
    - - -

    The primary authorization boundary diagram.

    -
    - - 00000000 - -

    Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/authorization-boundary/diagram/link/@href flag using a - value of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

    -

    May use rlink with a relative path, or embedded as base64 - .

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a - browser via HTML5.

    -
    -
    - - -

    The primary network diagram.

    -
    - - 00000000 - -

    Section 9.4, Figure 9-2 Network Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/network-architecture/diagram/link/@href flag using a - value of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

    -

    May use rlink with a relative path, or embedded as base64 - .

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a - browser via HTML5.

    -
    -
    - - Privacy Impact Assessment - - - - - - 00000000 - -

    Table 15-1 Attachments: Privacy Impact Assessment

    -

    May use rlink with a relative path, or embedded as base64 - .

    -
    -
    -
    + + + + BloSS@M System Security Plan + 2022-04-05T00:00:00Z + 2024-03-27T00:00:00Z + 0.1 + 1.1.2 + + + System Owner (SO) + +

    The individual within the organization who is ultimately accountable for + everything related to the deployment, assessemnt, authorization and operations + of the Blossom Member which provides the software assets leasing service (here + in known as "this system").

    +
    +
    + + System Administrator (SA) + +

    The individual accountable for the deployment, configuration, testing and + operations of the system on behalf of the System Owner.

    +
    +
    + + System Security Assessor (SSA) + +

    The individual accountable for assessing the security posture of the system on + behalf of the system owner.

    +
    +
    + + Authorizing Official + +

    The individual or individuals who are ultimatly accountable for reviewing the + assessemnt package, discuss with the SO the findings and grant an authorization + to operate (ATO) to Blosom, a.ka "this system".

    +

    The Authorizing Official is the only entity responsible for the security posture + of the system and has access to the ATO channel (chaincode) to upload the ATO Attestation Memo (AAM). + The AO signs the AAM on behalf of the agency.

    +
    +
    + + + Technical Point of Contact (TPOC) + +

    The individual accountable for managing leased licenses (checkout, install, + uninstall, return).

    +
    +
    + + License Owner (LO) + +

    The individual within the service provider organization who is accountable for + managing the pool of software resources made available for leasing to USG + agencies.

    +

    The License Owner role exists only within the service provider agency.

    +
    +
    + + Acquisition Officer + +

    The individual within the Agency which is responsible for approving and + processing the payment of the leased pool of software licenses.

    +
    +
    + + National Institute of Standards and Technology +
    + 100 Bureau Drive + Gaithersburg + MD + 20899 +
    + +

    NIST ITL Computer Security Division's Secure Systems and Applications Group is + the primary CSP for this project.

    +
    +
    + + AWS US East/West +
    + 13200 Woodland Park Rd + Herndon + VA + 20171 +
    + + +

    This title must be kept as-is to match FedRAMP Marketplace listing. This is a a + FedRAMP requirement. This official mailing address of Amazon's AWS commercial + offering for the us-east-1 is provided, as Amazon not disclose the address of + data-centers either on a region or availability zone basis.

    +
    +
    + + National Institute of Standards and Technology IT Lab Computer Security Division Secure Systems and Applications Group + NIST + + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + +

    Blossom network provider.

    +
    +
    + + Stan Owens + + + + blossom@nist.gov + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + ManoGiana Bloom + + blossom@nist.gov + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + Simmon Admino + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + Steve S. Asesoro + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + + Aurelian Officeman + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + Licenta Owens + + + + blossom@nist.gov + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + Acquia Officiale + + + + blossom@nist.gov + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + Tom Pock + + + + blossom@nist.gov + 1ef39fd9-d184-44c4-8ef4-36d2dbad70a2 + 8aed7ffd-5158-445d-8d7c-eec5cf240cba + + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + 551b9706-d6a4-4d25-8207-f2ccec541016 + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

    This party has development, deployment, configuration and operations + responsibilities for "this system" supporting the system owner.

    +
    +
    + + + 132953a9-640c-46f7-9de9-3fa15ec99361 + +

    The party responsible to assess the security controls on behalf of the system + owner.

    +
    +
    + + + + 51588d7c-aa79-43aa-9f22-25182c2cd22d + +

    The license owner is responsible for managing the licenses a Blossom Member leases, and is also responsible for uploading to the asset chaincode the MOA signed by the TPOC and Acquisition Officer.

    +
    +
    + + + c46e27d1-7a65-47ea-bd76-df574fded5fd + +

    Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

    +

    The TPOC is also responsible for reviewing and signing the initial Memorandum of Aggrement (MOA) stating the rules on engagemnet whith Blossom service around ATO automation and assets leasing.

    +
    +
    + + c46e27d1-7a65-47ea-bd76-df574fded5fd + +

    Interfaces with the other agencies and need only read access to the ledger to review the assets (licenses) processed.

    +
    +
    + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + +

    This SSP was created using a simplified version of OSCAL-based FedRAMP SSP Template + for the FedRAMP Low, Moderate, and High baselines.

    +
    +
    + + +

    This example points to the tailored FedRAMP Moderate 800-53 rev 5 baseline, adjusted + accordingly for BloSS@M.

    +
    +
    + + 8101e04d-8305-4e73-bb95-6b59f645b143 + Blockchain-based Secure Software Assets Management + Blossom + +

    TBD: Describe the purpose and functions of this system here.

    +
    + + + + + + fips-199-moderate + + + + + + + + Blockchain-based Software Assets Management + +

    BloSS@M stores the minimally required identity and authorization metadata to + authenitcate and authorize federal users of the system.

    +
    + + C.2.8.12 + + + fips-199-low + fips-199-moderate + + + fips-199-low + fips-199-moderate + +

    The NIST Privacy Office and Office of Information Systems Management + categorizes personal identity and authentication information with as + FIPS-199 Low impact for integrity concerns. + This categorization is limited to federal employees when this data is + for identification of these federal employees only.

    +
    +
    + + fips-199-low + fips-199-low + +
    + + Inventory control information + +

    TBD

    +
    + + C.3.4.2 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + +
    + + Logistics management information + +

    TBD

    +
    + + C.3.4.3 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + +
    + + Services acquisition information + +

    TBD

    +
    + + C.3.4.4 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + +
    + + Lifecycle and change management information + +

    TBD

    +
    + + C.3.5.2 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-moderate + + + fips-199-moderate + fips-199-low + +
    + + Information security information + +

    TBD

    +
    + + C.3.5.5 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-moderate + + + fips-199-moderate + fips-199-low + +
    + + Record retention information + +

    TBD

    +
    + + C.3.5.6 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + +
    + + Information management information + +

    TBD:

    +
    + + C.3.5.7 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-moderate + + + fips-199-moderate + fips-199-low + +
    + + Information sharing information + +

    TBD

    +
    + + C.3.5.9 + + + fips-199-moderate + fips-199-moderate + +

    This information has no base recommendation in SP 800-60 Volume 2 + Revision 1 guidance. + The Office of Information Systems Management's consulted the BloSS@M + Team and the NIST system owner, who categorized this information sharing + at FIPS-199 Moderate impact.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    This information has no base recommendation in SP 800-60 Volume 2 + Revision 1 guidance. + The Office of Information Systems Management's consulted the BloSS@M + Team and the NIST system owner, who categorized this information sharing + at FIPS-199 Moderate impact.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    This information has no base recommendation in SP 800-60 Volume 2 + Revision 1 guidance. + The Office of Information Systems Management's consulted the BloSS@M + Team and the NIST system owner, who categorized this information sharing + at FIPS-199 Moderate impact.

    +
    +
    +
    + + Scientific and technological research and innovation information + +

    TBD

    +
    + + D.19.1 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-moderate + + + fips-199-moderate + fips-199-low + +
    + + Research and development information + +

    TBD

    +
    + + D.20.1 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-moderate + + + fips-199-moderate + fips-199-moderate + +
    + + Research and development information + +

    TBD

    +
    + + D.20.4 + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + + + fips-199-moderate + fips-199-low + +
    +
    + + fips-199-moderate + fips-199-moderate + fips-199-low + + + + +

    TBD: A holistic, top-level explanation of the system's authorization boundary.

    +
    + + +

    A diagram-specific explanation.

    +
    + + Authorization Boundary Diagram +
    +
    + + +

    A holistic, top-level explanation of the network architecture.

    +
    + + +

    A diagram-specific explanation.

    +
    + + Network Diagram +
    +
    + + +

    A holistic, top-level explanation of the system's data flows.

    +
    + + +

    A diagram-specific explanation.

    +
    + + Data Flow Diagram +
    +
    +
    + + + AWS Managed Blockchain (AMB) + + + e63e870d-bf43-40dc-98a0-37d5e39b2dd1 + 2024-01-01 + +

    TBD: ssp-uuid: 73a7ca56-ac02-43b9-8664-62bcb05a7e91 will need to be added for + oscal 1.2.0.

    +

    The leveraged authorization assembly is supposed to have a required uuid flag + instead of an optional id flag. This will be fixed in the syntax shortly.

    +

    Use one leveraged-authorization assembly for each underlying system. (In the + legacy world, these may be general support systems.

    +

    The link fields are optional, but preferred where known. Often, a leveraging + system's SSP author will not have access to the leveraged system's SSP, but + should have access to the leveraged system's CRM.

    +
    +
    + + System Administrator + + + + system-administrator + + Full administrative access rights + add and remove users, software-name and hardware + install and configure deployments + system updates, patches and hotfixes + perform backups + + + + System Owner + + + + system-owner + + Privileged access rights + add and remove users, software-name and hardware + install and configure deployments + system updates, patches and hotfixes + perform backups + + + + System Security Assessor + + + + sys-sec-assessor + + Non-privileged access rights (read only) + review system documentation and security configurations + review if system updates, patches and hotfixes are documented and successfully completed + review disaster recovery procedures and system backups existance + + + + This System + +

    The entire Blossom system as depicted in the system authorization boundary

    +
    + +
    + + AWS Managed Blockchain (AMB) - Leveraged System + +

    TBD: If the leveraged system owner provides a UUID for their system (such as in + an OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

    +
    + + + + + +
    + + +

    TBD: Description of Blossom inventory items 1

    +
    + + + + + + + +
    +
    + + +

    This is a palceholder for the FedRAMP SSP Template Section 13

    +

    This description field is required by OSCAL.

    +

    FedRAMP does not require any specific information here.

    +
    + + + + + + + + +

    Per the documentation available in the Blossom Wiki, the AWS Managed + Blockchain (AMB) provides access control to the infrastracture for the + entities identified below which require access to IaaS to maintain and + deploy system components. The blockchain's chaincode is implementing Next + Generation Access Control (NGAC) standard to manage the access to resources + for the roles docuemnted in the Blossom specification. Access control policy + machines are implemented for the two private channels of the AMB: the ATO or + "Authorization" channel and the "Businness" channel.

    +
    +
    + + +

    The policy machines are controling the access to the two chaincodes + (Authorization and Business) used by the system.

    +
    +
    + + + + + have an organization-sponsored email address to demonstrate employment,complete training, and have been approved by the System Owner based on the business need of the individual + + + Access tagging + + + Accounts Manager(s): System Owner and Program Manager. + + + Organizational access control policies, standards and procedures, as documented in the AC-02.a statement implementation (statement-id="ac-2_smt.a", uuid="24a85abb-25ad-4686-850c-5c0e8ab69a0c"). + + + + System Administrator + + + 1 business day + + + within one hour + + + within openxmlformats-officedocument hours + + + + need to know + + + every 6 months or when a change takes place + + + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + + +

    For the IAM entities that have a business need, and which have accounts created in Cognito, the Policy machines which implement NGAC in the two chaincodes are managing the access control for the Blossom business layer users and the BC Member's Authorizing Official that is uploading the ATO Attestation to the Authorization channel.

    +
    + + +

    The Blossom system's System Owner and System Administrator are repsonsible for approving, creating and managing accounts and grant or denie access to the system by maintaining accurate information in Cognito and updating the access control policies access control lists (ACLs).

    +
    +
    +
    + + +

    AWS manages the access to approved entities to the system's infrastructure, for deployment, maintenance, and operations.

    +
    + + +

    Keep the ACL list current at all times.

    +
    +
    +
    +
    + + + +

    The system has privileged and non-privileged accounts associated with the business layer and the ATO processes.

    +

    These accounts are managed by the NGAC implementation in the chaincodes for the ATO and for the assets management (business) processes.

    +

    The following accounts are supported for the business operations (assets management):

    +
      +
    • Privileged accounts: +
        License Owner
      +
    • +
    • Non-Privileged accounts: +
        Acquisition Officer
      +
        Technical Point of Contact
      +
    • +
    +

    The Authorizing Official is responsible for reviewing the ATO package prepared by the System Owner and signing/authorizing the system to operate.

    +

    The System Owner remains the custodian of all system ATO related artifacts.

    +

    Upon approval, the Authorizing official is responsible for automatically generating the ATO attestation and uploading it to the ATO channel.

    +

    The following account is supported for the ATO processes.

    +
      +
    • Privileged accounts: +
        Authorizing Official
      +
    • +
    +
    + +
    + + +

    The following accounts of the NIST Member of the Blossom System are managed by the Leveraged AWS IaaS:

    +
      +
    • Privileged accounts: +
        System Owner
      +
        System Administrator
      +
    • +
    • Non-Privileged accounts: +
        System Security Assessor
      + +
    • +
    +
    + + +

    TBD: provided-uuid needs to match the one in the AWS' SSP.

    +

    All privileged and non-privileged accounts that are granted access to + the AWS infrastructure and are responsible for the Blossom System deployment and maintenance + (this system), are managed by the AWS IaaS (leveraged ATO system) + which uses an Access Control List (ACL) for the NIST employees + assigned Blossom roles.

    +
    +
    + + +

    The Access Control List (ACL) updates are Blossom system's responsibility (as customers of AWS) + For all roles listed above which are managed by the AWS IaaS + system, account creation/revokation/deletion requests are approved + by the Blossom system's System Owner or the Program Manager and are added to or delete + from the ACL list by the System Administrator.

    +
    +
    +
    +
    + + + +

    For this system, the entity with the System Administrator role + acts as the Accounts Manager and is responsible for creating, + revoking, deleting accounts per decisions made by the System Owner and the Program Manager.

    +
    +
    +
    + + + + +

    For each identified role, access to the system for each role will be individually + analyzed and granted if the requesters proves they + for the respective group and role membership.

    +
    +
    +
    + + + +

    1. All authorized users are listed and accuratelly maintained in this SSP in the "metadata", as "party" elements of type="person".

    +

    2. All roles supported by the Blossom system are documented in this SSP in the "metadata", as "role" elements with "id" identifying the role. + This system does not support groups.

    +

    3. All access authorizations are documented in this SSP in the "metadata" as "responsible-party" with "role-id" mathing the respective roles or attributes.

    +
    +
    +
    + + + +

    Authorized Blossom users are documented in the Blossom SSP.

    +
    +
    +
    + + + +

    Group and role membership

    +
    +
    +
    + + + +

    Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes + (as required)] for each account;

    +
    +
    +
    + + + +

    Request to create accounts are approved by the System Owner and the Program Manager;

    +
    +
    +
    + + + +

    Blossom user accounts are created, enabled, modified, disabled, and removed according to the types of Blossom accounts (privileged or non-privileged);

    +
    +
    +
    + + + +

    Monitor the use of accounts;

    +
    +
    +
    + + + +

    Account managers, System Owner, and Program Manager are notified within:

    +
    +
    +
    + + + +

    Account managers, System Owner, and Program Manager are notified within1 business day when accounts are no longer required;

    +
    +
    +
    + + + +

    within 1 business day when users are terminated or + transferred;

    +
    +
    +
    + + + +

    within 1 business day when system usage or need-to-know + changes for an individual;

    +
    +
    +
    + + + +

    System access authorization is based on:

    +
    +
    +
    + + + +

    A valid access authorization;

    +
    +
    +
    + + + +

    Intended system usage;

    +
    +
    +
    + + + +

    Business need of the individual;

    +
    +
    +
    + + + +

    Accounts are reviewed for compliance with account management requirements every 6 months.;

    +
    +
    +
    + + + +

    There are no group or shared accounts created for accessing Blossom;

    +
    +
    +
    + + + +

    All Blossom user accounts are updated by the system administrator when they are terminated or are transferred where their Blossom account is not required.

    +
    +
    +
    +
    +
    + + + +

    Blossom Wiki

    +
    + + +

    Project's Wiki which provides descriptions for the ATO and business processes.

    +
    +
    + + +

    National Institute of Standards and Technology's Logo

    +
    + + 00000000 + +

    May use rlink with a relative path, or embedded as base64 + .

    +

    FedRAMP prefers base64 for images and diagrams.

    +

    Images must be in sufficient resolution to read all detail when rendered in a + browser via HTML5.

    +
    +
    + + +

    The primary authorization boundary diagram.

    +
    + + 00000000 + +

    Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

    +

    This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a + value of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

    +

    May use rlink with a relative path, or embedded as base64 + .

    +

    FedRAMP prefers base64 for images and diagrams.

    +

    Images must be in sufficient resolution to read all detail when rendered in a + browser via HTML5.

    +
    +
    + + +

    The primary network diagram.

    +
    + + 00000000 + +

    Section 9.4, Figure 9-2 Network Diagram (graphic)

    +

    This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a + value of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

    +

    May use rlink with a relative path, or embedded as base64 + .

    +

    FedRAMP prefers base64 for images and diagrams.

    +

    Images must be in sufficient resolution to read all detail when rendered in a + browser via HTML5.

    +
    +
    + + Privacy Impact Assessment + + + + + + 00000000 + +

    Table 15-1 Attachments: Privacy Impact Assessment

    +

    May use rlink with a relative path, or embedded as base64 + .

    +
    +
    +
    \ No newline at end of file From f45b836b434f9e7c2114e8f244b24dcdaa6e2138 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Fri, 26 Jul 2024 17:21:44 -0400 Subject: [PATCH 31/36] Implement reference user yaml in S3 --- .../workflows/account_request_approve.yaml | 57 ++++++++++++++++++- .../workflows/account_request_implement.yaml | 54 ++++-------------- ato/secops/create_user.py | 31 +++++++++- 3 files changed, 94 insertions(+), 48 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index ddbafb4..93948af 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml 
@@ -23,4 +23,59 @@ jobs: Account management request APPROVED by Blossom Management. @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. When implemented, add the ACCOUNT_IMPLEMENTED label and - link this account request issue to the PR with the implementation. \ No newline at end of file + link this account request issue to the PR with the implementation. + create-user: + needs: request-approved + runs-on: ubuntu-20.04 + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Parse issue body + uses: stefanbuck/github-issue-parser@v3.2.1 + id: issue-parser + with: + template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml" + + - name: Ensure directory exists for created users + run: | + mkdir -p ato/oscal-artifacts/created_users/ + + - name: Ensure directory exists for created users references + run: | + mkdir -p ato/oscal-artifacts/reference_created_users/ + + - name: Create yaml file for automated user creation + env: + USER_NAME: "${{ steps.issue-parser.outputs.issueparser_user-first-name }} ${{ steps.issue-parser.outputs.issueparser_user-last-name }}" + USER_EMAIL: ${{ steps.issue-parser.outputs.issueparser_user-email }} + USER_ROLE: ${{ steps.issue-parser.outputs.issueparser_account-type }} + ISSUE_NUMBER: ${{ github.event.issue.number }} + run: | + python ato/secops/create_user.py --user-name "$USER_NAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER" + + - name: Store user yaml in repo + run: | + git config --global user.name "create-user-action[bot]" + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + git checkout -b "$BRANCH_NAME" + git add "ato/oscal-artifacts/created_users/*" + git add "ato/oscal-artifacts/reference_created_users/*" + git commit -m "Create user request #$ISSUE_NUMBER" + git push origin "$BRANCH_NAME" + env: + ISSUE_NUMBER: ${{ github.event.issue.number }} + BRANCH_NAME: "account-request-${{ 
github.event.issue.number }}" + + - name: Configure AWS CLI + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + + - name: Copy reference yaml to bucket + run: | + aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" + env: + AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file diff --git a/.github/workflows/account_request_implement.yaml b/.github/workflows/account_request_implement.yaml index acd9449..5f300a2 100644 --- a/.github/workflows/account_request_implement.yaml +++ b/.github/workflows/account_request_implement.yaml 
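Review bot: The new `create-user` job pushes a branch with `git push origin "$BRANCH_NAME"` and uploads to S3, yet declares no `permissions:` block, so it runs with whatever the workflow default grants the `GITHUB_TOKEN`; the push requires `contents: write` and that scope should be stated explicitly on the job (the rest of the approve workflow, including any `permissions:` on `request-approved`, is outside the hunk). The `Configure AWS CLI` step consumes long-lived `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` secrets; `aws-actions/configure-aws-credentials@v4` supports `role-to-assume` over OIDC, which needs `id-token: write` on the same job and removes the static key pair from repository secrets. `stefanbuck/github-issue-parser@v3.2.1` is referenced by a mutable tag while the fields it extracts from the issue body are exactly what gets committed and copied to the bucket; pinning it to a full commit SHA (`uses: stefanbuck/github-issue-parser@<full-commit-sha> # v3.2.1`) keeps that input path from changing under a tag move. Passing the parsed fields through `env:` instead of inlining `${{ }}` into `run:` is the right choice and should be kept.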
@@ -10,49 +10,15 @@ jobs: request-implemented: if: github.event.label.name == 'ACCOUNT_IMPLEMENTED' runs-on: ubuntu-20.04 - # permissions: - # issues: write + permissions: + issues: write steps: - - name: Checkout repo to access handshake file - uses: actions/checkout@v4 - - - name: Parse issue body - uses: stefanbuck/github-issue-parser@v3.2.1 - id: issue-parser - with: - template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml" - - - name: Ensure directory exists for created users - run: | - mkdir -p ato/oscal-artifacts/created_users/ - - - name: Create yaml file for automated user creation - env: - USER_NAME: "${{ steps.issue-parser.outputs.issueparser_user-first-name }} ${{ steps.issue-parser.outputs.issueparser_user-last-name }}" - USER_EMAIL: ${{ steps.issue-parser.outputs.issueparser_user-email }} - USER_ROLE: ${{ steps.issue-parser.outputs.issueparser_account-type }} - run: | - python ato/secops/create_user.py --user-name "$USER_NAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" - - - name: Configure AWS CLI - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} - - - name: Copy user yaml to bucket - run: | - aws s3 cp --recursive ato/oscal-artifacts/created_users/ s3://"$AWS_BUCKET" + - name: Notify Blossom Assessors about Implemented Account + run: gh issue comment "$NUMBER" --body "$BODY" env: - AWS_BUCKET: ${{ secrets.AWS_BUCKET }} - - # - name: Notify Blossom Assessors about Implemented Account - # run: gh issue comment "$NUMBER" --body "$BODY" - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # GH_REPO: ${{ github.repository }} - # NUMBER: ${{ github.event.issue.number }} - # BODY: > - # @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. - # Please monitor the automated assessment. 
\ No newline at end of file + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + BODY: > + @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented. + Please monitor the automated assessment. \ No newline at end of file diff --git a/ato/secops/create_user.py b/ato/secops/create_user.py index 8eb237c..1daaab6 100644 --- a/ato/secops/create_user.py +++ b/ato/secops/create_user.py @@ -8,7 +8,20 @@ @click.option('--user-role', required=True, help='Role of user to create') @click.option('--location-uuid', help='UUID of physical location of user') @click.option('--org-member', help='UUID of organization that user is member of') -def create_user(user_name, user_email, user_role, location_uuid, org_member): +@click.option('--issue-number', help='Issue number of user account request') +def create_user(user_name, user_email, user_role, location_uuid, org_member, issue_number): + """ + Creates a yaml file containing information about a new user + + Args: + user_name (string): String containing name of new user + user_email (string): String containing email of new user + user_role (string): String containing role of new user + location_uuid (string): String containing UUID of physical location of user + org_member (string): String containing UUID of organization that user is member of + issue_number (string): String containing issue number of user account request + """ + # Structure of yaml file cmd = { "command" : "create-acl-user|create-cognito-user", 
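Review bot: `--issue-number` is optional (no `required=True`), yet the second hunk of this file builds `branch_name` and the reference file from it, so omitting it silently writes the literal string `None`; change the option to `@click.option('--issue-number', required=True, help='Issue number of user account request')`, or validate it before use. The workflow in this patch always passes it, so the stricter option is safe for the visible caller. `create_user` continues past the end of the hunk.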
@@ -23,11 +36,23 @@ def create_user(user_name, user_email, user_role, location_uuid, org_member): # Include timestamp in filename timestamp = datetime.now().strftime("%Y%m%d-%H%M%S") + + # Write to user yaml file (stored in repo) filename = "ato/oscal-artifacts/created_users/created_user_" + timestamp + ".yaml" - - # Write to yaml file with open(filename, 'w') as f: print(f"\n\n{yaml.safe_dump(cmd, default_flow_style=False)}", file=f) + + # Structure of yaml file referencing user yaml file + reference = { + "file": f"(unknown)", + "issue_number": f"{issue_number}", + "branch_name": f"account-request-{issue_number}" + } + + # Write to user reference yaml file (sent to S3) + filename_reference = "ato/oscal-artifacts/reference_created_users/reference_created_user_" + timestamp + ".yaml" + with open(filename_reference, 'w') as f: + print(f"\n\n{yaml.safe_dump(reference, default_flow_style=False)}", file=f) if __name__ == '__main__': create_user() \ No newline at end of file From 28f818a0916825b58ccc07f32c2c065ab2bc7ed7 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Tue, 30 Jul 2024 17:12:17 -0400 Subject: [PATCH 32/36] Improve conditionals --- .../workflows/account_request_approve.yaml | 27 ++++++++++++++++--- .../workflows/account_workflow.md | 0 2 files changed, 23 insertions(+), 4 deletions(-) rename account_workflow.md => .github/workflows/account_workflow.md (100%) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index 93948af..f58dfa2 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml 
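Review bot: The `file` entry of `reference` is an f-string with no placeholder (it reads as the literal `(unknown)` here), so the reference yaml sent to S3 does not identify the created-user file it is meant to point at; presumably `filename` was intended, i.e. `"file": filename,`. `f"{issue_number}"` renders as `None` when the option is omitted, which the option's missing `required=True` in the previous hunk allows. Both files are named by a second-resolution `timestamp` and opened with `'w'`, so two requests processed in the same second overwrite each other; including `issue_number` in the filenames would make them unique per request. The `print(f"\n\n...")` prefix writes two blank lines at the top of each yaml file, which `safe_load` tolerates but which deserves a comment if it is intentional.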
@@ -24,12 +24,23 @@ jobs: @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. When implemented, add the ACCOUNT_IMPLEMENTED label and link this account request issue to the PR with the implementation. - create-user: + + parse-issue: needs: request-approved runs-on: ubuntu-20.04 + outputs: + account-modification: ${{ steps.issue-parser.outputs.issueparser_account-modification }} + user-first-name: ${{ steps.issue-parser.outputs.issueparser_user-first-name }} + user-last-name: ${{ steps.issue-parser.outputs.issueparser_user-last-name }} + user-email: ${{ steps.issue-parser.outputs.issueparser_user-email }} + account-type: ${{ steps.issue-parser.outputs.issueparser_account-type }} steps: - name: Checkout repo uses: actions/checkout@v4 + with: + sparse-checkout: | + .github/ISSUE_TEMPLATE/account_management_request_form.yaml + sparse-checkout-cone-mode: false - name: Parse issue body uses: stefanbuck/github-issue-parser@v3.2.1 @@ -37,6 +48,14 @@ jobs: with: template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml" + create-user: + needs: parse-issue + if: ${{ needs.parse-issue.outputs.account-modification == 'Create' }} + runs-on: ubuntu-20.04 + steps: + - name: Checkout repo + uses: actions/checkout@v4 + - name: Ensure directory exists for created users run: | mkdir -p ato/oscal-artifacts/created_users/ 
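Review bot: `parse-issue` declares no `permissions:`; it only needs to read one template file, so pin it to `permissions:` / `contents: read` rather than inheriting the repository default token scope. Its `outputs` carry free text typed into the issue form by whoever opened the issue; the later job keeps them in `env:` (good), and a comment above `outputs:` such as `# Free-text values from the issue form: consume via env:, never inline in run:` would keep the next maintainer from interpolating them into a shell line. The `sparse-checkout` of just the template is a welcome reduction of what the runner checks out.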
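Review bot: The `if:` on `create-user` is written as `${{ needs.parse-issue.outputs.account-modification == 'Create' }}` while `account_request_implement.yaml` in this series uses the bare form `if: github.event.label.name == 'ACCOUNT_IMPLEMENTED'`; both work, but pick one form across the workflows. When the modification is anything other than `Create`, no job in this workflow runs after `parse-issue` and the request is apparently left for manual handling, which I infer rather than see; a comment on the job such as `# Only 'Create' requests are automated; other modification types need a manual step` would make that explicit.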
@@ -47,9 +66,9 @@ jobs: - name: Create yaml file for automated user creation env: - USER_NAME: "${{ steps.issue-parser.outputs.issueparser_user-first-name }} ${{ steps.issue-parser.outputs.issueparser_user-last-name }}" - USER_EMAIL: ${{ steps.issue-parser.outputs.issueparser_user-email }} - USER_ROLE: ${{ steps.issue-parser.outputs.issueparser_account-type }} + USER_NAME: "${{ needs.parse-issue.outputs.user-first-name }} ${{ needs.parse-issue.outputs.user-last-name }}" + USER_EMAIL: ${{ needs.parse-issue.outputs.user-email }} + USER_ROLE: ${{ needs.parse-issue.outputs.account-type }} ISSUE_NUMBER: ${{ github.event.issue.number }} run: | python ato/secops/create_user.py --user-name "$USER_NAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER" diff --git a/account_workflow.md b/.github/workflows/account_workflow.md similarity index 100% rename from account_workflow.md rename to .github/workflows/account_workflow.md From d18d56376f182116682c57048707fa8b93466ba2 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Wed, 31 Jul 2024 11:41:06 -0400 Subject: [PATCH 33/36] Add username --- .../account_management_request_form.yaml | 7 +++++ .../workflows/account_request_approve.yaml | 26 ++++++++++--------- ato/secops/create_user.py | 5 +++- 3 files changed, 25 insertions(+), 13 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml index 096e662..bae6ce9 100644 --- a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml +++ b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml @@ -23,6 +23,13 @@ body: placeholder: Type here user's email validations: required: true + - type: input + id: user-username + attributes: + label: Account Holder Username + placeholder: Type here user's username + validations: + required: true - type: input id: requester-name attributes: 
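Review bot: The new `user-username` field is only checked for presence (`required: true`) — issue forms cannot constrain format — yet in this patch its value is passed to `create_user.py` and recorded as the `username` for account creation. Add a `description:` under `attributes:` stating the expected username format, and validate the value in `create_user.py` before it is written out, since the form guarantees nothing beyond non-empty.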
diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index f58dfa2..63a2f8b 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -32,6 +32,7 @@ jobs: account-modification: ${{ steps.issue-parser.outputs.issueparser_account-modification }} user-first-name: ${{ steps.issue-parser.outputs.issueparser_user-first-name }} user-last-name: ${{ steps.issue-parser.outputs.issueparser_user-last-name }} + user-username: ${{ steps.issue-parser.outputs.issueparser_user-username }} user-email: ${{ steps.issue-parser.outputs.issueparser_user-email }} account-type: ${{ steps.issue-parser.outputs.issueparser_account-type }} steps: @@ -67,11 +68,12 @@ jobs: - name: Create yaml file for automated user creation env: USER_NAME: "${{ needs.parse-issue.outputs.user-first-name }} ${{ needs.parse-issue.outputs.user-last-name }}" + USER_USERNAME: ${{ needs.parse-issue.outputs.user-username }} USER_EMAIL: ${{ needs.parse-issue.outputs.user-email }} USER_ROLE: ${{ needs.parse-issue.outputs.account-type }} ISSUE_NUMBER: ${{ github.event.issue.number }} run: | - python ato/secops/create_user.py --user-name "$USER_NAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER" + python ato/secops/create_user.py --user-name "$USER_NAME" --user-username "$USER_USERNAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER" - name: Store user yaml in repo run: | 
@@ -86,15 +88,15 @@ jobs: ISSUE_NUMBER: ${{ github.event.issue.number }} BRANCH_NAME: "account-request-${{ github.event.issue.number }}" - - name: Configure AWS CLI - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + # - name: Configure AWS CLI + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # aws-region: ${{ secrets.AWS_REGION }} + # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + # aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} - - name: Copy reference yaml to bucket - run: | - aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" - env: - AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file + # - name: Copy reference yaml to bucket + # run: | + # aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" + # env: + # AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file diff --git a/ato/secops/create_user.py b/ato/secops/create_user.py index 1daaab6..32891df 100644 --- a/ato/secops/create_user.py +++ b/ato/secops/create_user.py 
@@ -4,17 +4,19 @@ @click.command() @click.option('--user-name', required=True, help='Name of user to create') +@click.option('--user-username', required=True, help='Name of user to create') @click.option('--user-email', required=True, help='Email of user to create') @click.option('--user-role', required=True, help='Role of user to create') @click.option('--location-uuid', help='UUID of physical location of user') @click.option('--org-member', help='UUID of organization that user is member of') @click.option('--issue-number', help='Issue number of user account request') -def create_user(user_name, user_email, user_role, location_uuid, org_member, issue_number): +def create_user(user_name, user_username, user_email, user_role, location_uuid, org_member, issue_number): """ Creates a yaml file containing information about a new user Args: user_name (string): String containing name of new user + user_username (string): String containing username of new user user_email (string): String containing email of new user user_role (string): String containing role of new user location_uuid (string): String containing UUID of physical location of user @@ -27,6 +29,7 @@ def create_user(user_name, user_email, user_role, location_uuid, org_member, iss "command" : "create-acl-user|create-cognito-user", "user" : { "name" : f"{user_name}", + "username" : f"{user_username}", "email-address":f"{user_email}", "role":f"{user_role}", "location-uuid":f"{location_uuid}", From 8a1ff9c6a4515e05e21264f5fac7a427bcfbae08 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Wed, 31 Jul 2024 12:19:17 -0400 Subject: [PATCH 34/36] Clean up --- .../workflows/account_request_approve.yaml | 22 +++++++++---------- .../workflows/account_request_assessment.yaml | 7 +++--- .github/workflows/account_workflow.md | 7 ++++-- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index 63a2f8b..7b54927 100644 
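Review bot: The help text for the new `--user-username` option is copied from `--user-name` (`help='Name of user to create'`), so `--help` shows two options with the same description; change it to `help='Username of user to create'`. Because the option is `required=True`, any caller not updated in this patch breaks; the approve workflow is updated here, but other invocations would be outside my view.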
--- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -88,15 +88,15 @@ jobs: ISSUE_NUMBER: ${{ github.event.issue.number }} BRANCH_NAME: "account-request-${{ github.event.issue.number }}" - # - name: Configure AWS CLI - # uses: aws-actions/configure-aws-credentials@v4 - # with: - # aws-region: ${{ secrets.AWS_REGION }} - # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} - # aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + - name: Configure AWS CLI + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} - # - name: Copy reference yaml to bucket - # run: | - # aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" - # env: - # AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file + - name: Copy reference yaml to bucket + run: | + aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" + env: + AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file diff --git a/.github/workflows/account_request_assessment.yaml b/.github/workflows/account_request_assessment.yaml index de52e40..2384b60 100644 --- a/.github/workflows/account_request_assessment.yaml +++ b/.github/workflows/account_request_assessment.yaml @@ -12,10 +12,9 @@ jobs: if_merged: if: github.event.pull_request.merged == true runs-on: ubuntu-20.04 - permissions: - issues: write +# permissions: +# issues: write steps: - name: Run automated assessment run: echo "assessment" - # 1. dump empty file to s3 bucket, to initiate connection - # 2. query chaincode, code to execute on chaincode for list of supported roles, API command + # query chaincode, code to execute on chaincode for list of supported roles, API command 
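Review bot: `aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET"` uploads every file in that directory, not just the reference file this run created; if earlier reference files have been merged into the default branch (the accompanying `account_workflow.md` says an S3 upload triggers user creation in EC2), each approval would re-upload and possibly re-trigger all previous requests. Copy only the file produced by this run — for example have the "Create yaml file" step record the path it wrote via `$GITHUB_OUTPUT` and copy that single object here. This step was first added in the earlier `create-user` hunk of this series, where the same concern applies.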
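Review bot: Commenting out `permissions:` / `issues: write` does not remove the token from the job; `if_merged` now runs with the repository's default `GITHUB_TOKEN` permissions, which may be broader than the one scope that was declared. If the assessment step does not use the token, set `permissions: {}` explicitly; if it will need one later, keep the narrowest scope rather than dead commented YAML. The remaining step is a placeholder `echo`, so this is about the default the job inherits rather than current behaviour.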
diff --git a/.github/workflows/account_workflow.md b/.github/workflows/account_workflow.md index df4dfa6..ac07e57 100644 --- a/.github/workflows/account_workflow.md +++ b/.github/workflows/account_workflow.md @@ -7,8 +7,11 @@ This document explains the workflow of GitHub actions used to automate Blossom s - [ ] The Blossom Management group is automatically notified to review the request through GitHub. - [ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED - [ ] If ACCOUNT_REJECTED, the account request issue is automatically closed. -- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account. -- [ ] Upon completion of creating the account requested, the Blossom Sysdev links the Account Request issue to the Pull Request that implements the account. +- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified about implementation. +- [ ] A YAML file is automatically created from information submitted through the Account Request Form, which is pushed to the GitHub repo as a new branch and a condensed version is sent to S3 bucket. +- [ ] S3 bucket receives the file about the new user to create and sends a trigger to EC2, which implements the new user in Cognito, SSM, ACL, AMB as necessary. +- [ ] The new user is inserted into the SSP, which is pushed into the GitHub repo to the new branch. +- [ ] Upon completion of creating the account requested, a Pull Request is automatically created, to link the branch with the Account Request issue. - [ ] Upon merging the Pull Request that implements the account, the relevant updated controls are re-assessed automatically. The Blossom Assessors group is then notified to monitor the automated assessment. - [ ] TBD: STEPS FOR AUTOMATED ASSESSMENT 
From 0034903036f670c443e97ab2d9472730cd9918b3 Mon Sep 17 00:00:00 2001 From: selenaxiao-nist Date: Fri, 9 Aug 2024 12:07:42 -0400 Subject: [PATCH 35/36] Clarify requirements to run workflows --- .github/workflows/account_request_approve.yaml | 2 +- .github/workflows/account_workflow.md | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index 7b54927..0e1a953 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -21,7 +21,7 @@ jobs: NUMBER: ${{ github.event.issue.number }} BODY: > Account management request APPROVED by Blossom Management. - @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP. + @usnistgov/blossom-sysdevs please review the automated update to the ACL and/or SSP and user modification in AWS. When implemented, add the ACCOUNT_IMPLEMENTED label and link this account request issue to the PR with the implementation. diff --git a/.github/workflows/account_workflow.md b/.github/workflows/account_workflow.md index ac07e57..a664e6d 100644 --- a/.github/workflows/account_workflow.md +++ b/.github/workflows/account_workflow.md @@ -2,6 +2,10 @@ This document explains the workflow of GitHub actions used to automate Blossom service's accounts management. +## Requirements to run Actions +- [ ] Repository secrets: AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION, AWS_BUCKET +- [ ] Issue labels: ACCOUNT_REQUEST_RECORD, ACCOUNT_APPROVED, ACCOUNT_REJECTED, ACCOUNT_IMPLEMENTED + ## Account Request and Creation - [ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form. - [ ] The Blossom Management group is automatically notified to review the request through GitHub. From 2f5d5c9ebc86f54ff041e76935a96c6af4b325df Mon Sep 17 00:00:00 2001 
From: selenaxiao-nist Date: Fri, 9 Aug 2024 12:55:53 -0400 Subject: [PATCH 36/36] Update account_request_approve.yaml --- .github/workflows/account_request_approve.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml index 0e1a953..5714bb0 100644 --- a/.github/workflows/account_request_approve.yaml +++ b/.github/workflows/account_request_approve.yaml @@ -21,7 +21,7 @@ jobs: NUMBER: ${{ github.event.issue.number }} BODY: > Account management request APPROVED by Blossom Management. - @usnistgov/blossom-sysdevs please review the automated update to the ACL and/or SSP and user modification in AWS. + @usnistgov/blossom-sysdevs please ensure the ACL and/or Cognito are updated and the SSP is in sync with the update. When implemented, add the ACCOUNT_IMPLEMENTED label and link this account request issue to the PR with the implementation. @@ -99,4 +99,4 @@ jobs: run: | aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET" env: - AWS_BUCKET: ${{ secrets.AWS_BUCKET }} \ No newline at end of file + AWS_BUCKET: ${{ secrets.AWS_BUCKET }}