Update control statements for sc7

doc/compliance/oscal/control-statements/sc/sc-7.md

@@ -20,6 +20,10 @@ x-trestle-comp-def-rules:
       description: Production spaces should disable ssh access
     - name: ssh-access-disabled
       description: Production spaces should disable ssh access
+  cg-egress-proxy:
+    - name: prod-space-restricted
+      description: The production space where the system app is running must not have
+        the public-networks-egress ASG applied to it
 x-trestle-rules-params:
   DevTools Cloud.gov:
     - name: gov.cloud.space-names
@@ -191,4 +195,20 @@ Application owners are responsible for ensuring their application does not excha
 
 #### Implementation Status: partial
 
+### cg-egress-proxy
+
+eg-egress-proxy provides a control point for allowing network traffic to specific hostnames or IP addresses. Outbound connections are compared to the following list in order:
+
+1. A `deny_file` list of hostnames and/or IP addresses to deny connections to.
+1. An `allow_file` list of hostnames and/or IP addresses to allow connections to.
+1. A `deny all` rule to deny all connections that did not match one of the first two rules.
+
+The connection is allowed or denied based on the first matching rule.
+
+#### Rules:
+
+  - prod-space-restricted
+
+#### Implementation Status: implemented
+
 ______________________________________________________________________

doc/compliance/oscal/system-security-plans/continuous_monitoring/system-security-plan.json

@@ -1086,6 +1086,14 @@
                   "implementation-status": {
                     "state": "implemented"
                   }
+                },
+                {
+                  "component-uuid": "1acb8ab7-4191-46c6-b79f-659a2f195b5a",
+                  "uuid": "be70b12c-2fe6-4723-9b2f-16d957c5cf8a",
+                  "description": "eg-egress-proxy provides a control point for allowing network traffic to specific hostnames or IP addresses. Outbound connections are compared to the following list in order:\n\n1. A `deny_file` list of hostnames and/or IP addresses to deny connections to.\n1. An `allow_file` list of hostnames and/or IP addresses to allow connections to.\n1. A `deny all` rule to deny all connections that did not match one of the first two rules.\n\nThe connection is allowed or denied based on the first matching rule.",
+                  "implementation-status": {
+                    "state": "implemented"
+                  }
                 }
               ]
             }

doc/compliance/oscal/system-security-plans/continuous_monitoring/system-security-plan/metadata.json

@@ -1,7 +1,7 @@
 {
   "metadata": {
     "title": "Continuous Monitoring Proof of Concept SSPP",
-    "last-modified": "2024-09-26T14:56:30.202245+00:00",
+    "last-modified": "2024-10-03T17:04:19.631173+00:00",
     "version": "0.0.1",
     "oscal-version": "1.1.2",
     "roles": [

doc/compliance/oscal/system-security-plans/continuous_monitoring/system-security-plan/system-implementation.json

@@ -285,6 +285,27 @@
           "state": "operational"
         }
       },
+      {
+        "uuid": "1acb8ab7-4191-46c6-b79f-659a2f195b5a",
+        "type": "software",
+        "title": "cg-egress-proxy",
+        "description": "The cg-egress-proxy caddy server with forward_proxy configured",
+        "props": [
+          {
+            "name": "Rule_Id",
+            "value": "prod-space-restricted",
+            "remarks": "rule_prod_space_restricted"
+          },
+          {
+            "name": "Rule_Description",
+            "value": "The production space where the system app is running must not have the public-networks-egress ASG applied to it",
+            "remarks": "rule_prod_space_restricted"
+          }
+        ],
+        "status": {
+          "state": "operational"
+        }
+      },
       {
         "uuid": "3dd05e37-06f1-4f8b-a4b7-7a80f2a0101b",
         "type": "this-system",