diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 2a94a8c82..7b863e096 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -9,6 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | +| fedramp-ssp-example.oscal.xml | # | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | diff --git a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml index a8272221a..732bbc089 100644 --- a/src/validations/constraints/content/fedramp-ssp-example.oscal.xml +++ b/src/validations/constraints/content/fedramp-ssp-example.oscal.xml @@ -1,7 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -13,8 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -23,15 +21,14 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

- + @@ -287,7 +284,8 @@

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party.

+ via responsible-party. +

@@ -563,8 +561,7 @@
- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

@@ -574,7 +571,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -608,10 +605,10 @@ - + - + fips-199-moderate @@ -777,16 +774,16 @@ AwesomeCloud Commercial(IaaS) - - + + +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value.

- +

For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records @@ -807,9 +804,17 @@ + + + + + system-poc-technical - - none + Admin + +

admin user

+ + administration

The user assembly is being reviewed for continued applicability @@ -820,31 +825,57 @@ - + + + + + + system-poc-technical Add/Remove Admins This can add and remove admins. - + + + + + system-poc-technical - - add/remove non-privliged admins + Admin + +

admin user

+ + administration - + + + + + system-poc-technical - - Manage services and components within the virtual cloud environment. + Admin + +

admin user

+
+ administration
- + + + + + system-owner - - Add and remove users from the virtual cloud environment. + Admin + +

admin user

+
+ administration
@@ -883,16 +914,16 @@ - - + +

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

- - + + @@ -905,8 +936,8 @@
- - + +

This is a leveraged system within which this system operates. @@ -942,7 +973,7 @@

Links to the vendor website describing the system are encouraged, but not required.

- +

Services

A service within the scope of the leveraged system's authorization boundary is considered an "authorized service". Any other service offered by the @@ -961,12 +992,13 @@ a "poam-item" link that references a corrisponding entry in this system's POA&M. - +

Both authorized and non-authorized leveraged services include:

  • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001")
  • + (Example: "#11111111-2222-4000-8000-009000100001") +
  • the name of the service in the title (for authorized services this should be exactly as it appears in the FedRAMP Marketplace
  • an "implementation-point" core property with a value of "external"
  • @@ -978,7 +1010,7 @@
  • a status with a state value of "operational"
  • At least one responsible-role (other than "provider") that indicates any authorized users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
  • + a user assembly entry.

Although SSP Table 7.1 also requires data categoriation and hosting @@ -996,13 +1028,13 @@ - - + + - - + +

This is a service offered by a leveraged system and used by this system. @@ -1017,7 +1049,8 @@ leveraged-authorization entry

  • an "implementation-point" property with a value of "external"; and
  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +

    Where relevant, this component should also have:

    @@ -1055,23 +1088,27 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method.

    If 'no', explain why no authentication is used.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - + + + + + - + + + + 33333333-2222-4000-8000-004000000001

    This is a service offered by a leveraged system and used by this system. @@ -1092,7 +1129,8 @@ POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) in an OSCAL-based POA&M.

  • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") +
  • @@ -1101,7 +1139,7 @@ tools are able to distinguish between authorized and non-authorized services from the same leveraged provider.

    - +

    Where relevant, this component should also have:

    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly @@ -1118,7 +1156,7 @@
    • Package ID, Authorization Type, Impact Level

    - +

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).

    Link(s) to the vendor's web site describing the service are encouraged, but not @@ -1138,20 +1176,20 @@ - + Other Cloud SaaS

    An external system to which this system shares an interconnection.

    - + - + 33333333-2222-4000-8000-004000000001 - + 11111111-2222-4000-8000-004000000008 @@ -1183,7 +1221,7 @@ remote listening ports, one or more "protocol" assemblies must be provided. - +

    While not required, each "system" component should have:

    • an "inherited-uuid" property if the value was provided by the system owner
    • @@ -1192,7 +1230,7 @@
    • an "system-owner" responsible-role
    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    • -
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1202,50 +1240,50 @@ - + [EXAMPLE]Authorized Connection Information System Name

    Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    - - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - - - - - + + + + + +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    - - - - + + + + - + - - + + + - - + 44444444-2222-4000-8000-004000000001 @@ -1293,7 +1331,7 @@
  • a "compliance" property/extension if appropriate
  • an "system-poc-management" responsible-role
  • an "system-poc-technical" responsible-role
  • - +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions for these roles, instead favor the core OSCAL responsible-roles constructs, and the NIST-standard roles of @@ -1309,13 +1347,13 @@

    - - + + - + - + 11111111-2222-4000-8000-004000000010 @@ -1337,8 +1375,8 @@ here.

    For an external system, the "implementation-point" property must always be present with a value of "external".

    - - + +

    Each interconnection must be defined with both an "system" component and an "interconnection" component.

    Must include all leveraged services and features from the leveraged authorization @@ -1354,17 +1392,18 @@

    Describe the service and what it is used for.

    - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - - + +

    This can only be known if provided by the leveraged system. @@ -1374,20 +1413,21 @@ - - - 11111111-2222-4000-8000-c0040000000a - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + + 33333333-2222-4000-8000-004000000001 + + - + - +

    This is a service provided by an external system other than the leveraged system.

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1404,7 +1444,8 @@

    - An "implementation-point" property with a value of "external".

    - A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001"

    +

    - Example: "#11111111-2222-4000-8000-009000100001" +

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, this property is blocked from proper use.

    - a status with a state value of "operational"

    @@ -1435,50 +1476,58 @@ Service C +

    A service provided by an external system other than the leveraged system.

    Describe the service and what it is used for.

    + - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    - +

    Either describe a risk associated with this service, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    - +
    + + + 11111111-2222-4000-8000-004000000018 + + Remote API Service +

    This is a service provided by an external system other than the leveraged system.

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - +

    As a result, the "leveraged-authorization-uuid" property is not applicable and must @@ -1490,10 +1539,10 @@

    If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

    - - - - + + + +
    @@ -1505,32 +1554,33 @@ - - + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    - - - + + + +

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    If there is no risk, please explain your basis for that conclusion.

    - +

    If there are one or more identified risks, describe any resulting impact.

    - +

    If there are one or more identified risks, describe any mitigating factors.

    -
    +

    @@ -1538,6 +1588,9 @@ + + 11111111-2222-4000-8000-004000000018 + @@ -1570,16 +1623,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1591,16 +1642,14 @@ compliance (e.g., Module in Process).

    - - - + + + - + @@ -1618,7 +1667,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1639,7 +1688,7 @@

    FUNCTION: Describe typical component function.

    - + @@ -1661,8 +1710,8 @@

    FUNCTION: Describe typical component function.

    - - + + @@ -1683,18 +1732,18 @@

    None

    - + - + Database Sample

    None

    - + @@ -1710,9 +1759,8 @@

    None

    - - + + @@ -2126,8 +2174,8 @@ - - + +

    If no, explain why. If yes, omit remarks field.

    @@ -2187,7 +2235,7 @@

    If no, explain why. If yes, omit remark.

    - + 11111111-2222-4000-8000-004000000010 @@ -2213,9 +2261,8 @@ - - + + @@ -2228,9 +2275,8 @@ - - + + @@ -2243,9 +2289,8 @@ - - + + @@ -2262,8 +2307,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2276,9 +2320,8 @@ - - + + @@ -2295,8 +2338,7 @@

    Asset wasn't running at time of scan.

    - + @@ -2309,9 +2351,8 @@ - - + + @@ -2327,7 +2368,7 @@

    FedRAMP does not require any specific information here.

    - + @@ -2342,8 +2383,7 @@ - +

    Describe how Part a is satisfied within the system.

    Legacy approach. If no policy component is defined, describe here how the @@ -2361,8 +2401,7 @@ component is associated with the component representing the system.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Identity @@ -2374,26 +2413,22 @@ - +

    There

    - +

    Describe the plan to complete the implementation.

    - +

    Describe how this policy currently satisfies part a.

    - +

    Describe the plan for addressing the missing policy elements.

    @@ -2406,8 +2441,7 @@
    - +

    Describe how Part b-1 is satisfied.

    @@ -2415,8 +2449,7 @@
    - +

    Describe how Part b-2 is satisfied.

    @@ -2425,16 +2458,15 @@
    - - + +

    Describe the plan to complete the implementation.

    - - + +

    Describe any customer-configured requirements for satisfying this control.

    @@ -2446,8 +2478,7 @@ 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2466,8 +2497,7 @@
    - +

    Describe how AC-2, part a is satisfied within this system.

    This points to the "This System" component, and is used any time a more @@ -2480,8 +2510,7 @@ leveraging systems to satisfy AC-2, part a.

    - +

    Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

    @@ -2494,8 +2523,7 @@
    - +

    For the portion of the control satisfied by the application component of this system, describe how the control is met.

    @@ -2512,8 +2540,7 @@ 11111111-2222-4000-8000-004000000005 - +

    Leveraging system's responsibilities with respect to inheriting this capability from this application.

    @@ -2532,17 +2559,15 @@

    This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    + statement, it will typically be present.

    - +

    For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

    - +

    Optional description.

    Consumer-appropriate description of what may be inherited as provided by the @@ -2554,8 +2579,7 @@ CRM (Inheritance and Responsibility Model).

    - +

    Description of how the responsibility was satisfied.

    The responsibility-uuid links this to the same statement in the @@ -2563,8 +2587,8 @@

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

    Tool developers should be mindful that

    @@ -2572,21 +2596,20 @@ - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2602,14 +2625,12 @@
    - +

    Describe how Part a is satisfied.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2617,8 +2638,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2628,16 +2648,14 @@
    - +

    Describe how Part b-1 is satisfied.

    - +

    Describe how Part b-2 is satisfied.

    @@ -2645,21 +2663,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2675,16 +2692,14 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2692,8 +2707,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2703,42 +2717,39 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2754,15 +2765,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2770,8 +2779,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2781,40 +2789,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2830,15 +2835,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2846,8 +2849,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2857,38 +2859,35 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2904,15 +2903,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2920,8 +2917,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -2931,40 +2927,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -2980,15 +2973,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -2996,8 +2987,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3007,40 +2997,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3056,15 +3043,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3072,8 +3057,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3083,40 +3067,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3132,15 +3113,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3148,8 +3127,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3159,40 +3137,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3208,15 +3183,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3224,8 +3197,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3235,40 +3207,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3284,15 +3253,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3300,8 +3267,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3311,40 +3277,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3360,15 +3323,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3376,8 +3337,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3387,40 +3347,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3436,15 +3393,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3452,8 +3407,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3463,40 +3417,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3512,15 +3463,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3528,8 +3477,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3539,40 +3487,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3588,15 +3533,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3604,8 +3547,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3615,40 +3557,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3664,15 +3603,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3680,8 +3617,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3691,40 +3627,37 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3740,15 +3673,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3756,8 +3687,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3767,35 +3697,32 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - - + + 11111111-2222-4000-8000-004000000018 - +

    Describe how the control is satisfied within the system.

    DMARC is employed.

    @@ -3815,21 +3742,20 @@
    - - + +

    Describe the plan to complete the implementation.

    - + 11111111-2222-4000-8000-004000000011 - +

    Describe how the control is satisfied within the system.

    @@ -3845,15 +3771,13 @@
    - +

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    + how the control is met.

    - +

    Describe how this policy component satisfies part a.

    Component approach. This links to a component representing the Policy.

    @@ -3861,8 +3785,7 @@ here too.

    - +

    Describe how this procedure component satisfies part a.

    Component approach. This links to a component representing the procedure.

    @@ -3902,8 +3825,7 @@ FedRAMP Applicable Laws and Regulations - +

    Must be present in a FedRAMP SSP.

    @@ -3925,7 +3847,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +
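Review bot: the removed and added text in this hunk are identical ("base64."), so this is a whitespace-only re-wrap, and the same re-wrap is repeated verbatim across every attachment resource down to the Continuous Monitoring Plan and Procedure Attachment hunks. Nothing is wrong with it, but confirm it was produced by a formatter rather than by hand so a later regeneration of the example does not flip it back, and consider keeping this re-indentation in its own commit so the substantive change at the end of the file (the new back-matter resources) stays easy to review.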

    @@ -3942,7 +3865,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3959,7 +3883,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3976,7 +3901,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -3993,7 +3919,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4011,7 +3938,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4028,7 +3956,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4045,7 +3974,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4062,7 +3992,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4079,7 +4010,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4096,7 +4028,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4113,7 +4046,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4130,7 +4064,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4147,7 +4082,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4164,7 +4100,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4181,7 +4118,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4198,7 +4136,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4215,7 +4154,8 @@

    Table 12-1 Attachments: Policy Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4233,7 +4173,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4250,7 +4191,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4267,7 +4209,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4284,7 +4227,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4301,7 +4245,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4318,7 +4263,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4335,7 +4281,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4352,7 +4299,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4369,7 +4317,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4386,7 +4335,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4403,7 +4353,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4420,7 +4371,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4437,7 +4389,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4454,7 +4407,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4471,7 +4425,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4488,7 +4443,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4505,7 +4461,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4522,7 +4479,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4539,7 +4497,8 @@

    Table 12-1 Attachments: User's Guide Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4559,7 +4518,8 @@

    Table 12-1 Attachments: Rules of Behavior (ROB)

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4577,7 +4537,8 @@

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4595,7 +4556,8 @@

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4613,7 +4575,8 @@

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4652,7 +4615,8 @@

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4682,7 +4646,8 @@

    Table 12-1 Attachments: Procedure Attachment

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    @@ -4703,7 +4668,7 @@

    FedRAMP Logo

    - + 00000000 @@ -4720,7 +4685,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4735,7 +4701,8 @@ 00000000

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4756,7 +4723,8 @@ system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4777,7 +4745,8 @@ system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4796,7 +4765,8 @@

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

    May use rlink with a relative path, or embedded as - base64.

    + base64. +

    FedRAMP prefers base64 for images and diagrams.

    Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

    @@ -4813,7 +4783,8 @@ 41 CFR 201 - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. @@ -4830,5 +4801,32 @@ and the value is "citation".

    + + CSP Reference + + + +

    CSP-specific reference. Note the "type" property's class is "reference" + and the value is "citation".

    +
    +
    + + Separation of Duties Matrix + +

    Separation of Duties Matrix

    +
    + + + + + 00000000 + +

    May use rlink with a relative path, or embedded as base64. +

    +
    +
    + + +
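Review bot: the new Separation of Duties Matrix resource describes itself with its own title ("Separation of Duties Matrix"), whereas the sibling attachment resources carry a "Table 12-1 Attachments: ..." description that names the SSP table the attachment serves; use the same form here so readers and tooling can classify it consistently. Two smaller points in the same hunk: the 00000000 value in that resource reads as a sample value and should be called out as such in its remarks, like the other placeholders in this example, and the file is now left without a trailing newline (the "\ No newline at end of file" marker), which a formatter pass would fix.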
    \ No newline at end of file diff --git a/src/validations/constraints/content/fedramp-ssp-example.xml b/src/validations/constraints/content/fedramp-ssp-example.xml deleted file mode 100644 index 732bbc089..000000000 --- a/src/validations/constraints/content/fedramp-ssp-example.xml +++ /dev/null @@ -1,4832 +0,0 @@ - - - - - FedRAMP [Baseline Name] System Security Plan (SSP) - 2024-12-31T23:59:59Z - 2024-11-05T02:24:00Z - fedramp3.0.0-oscal1.1.4 - 1.1.2 - - - 2023-06-30T00:00:00Z - 1.0 - 1.0.4 - - -

    Initial publication.

    -
    -
    - - 2023-07-06T00:00:00Z - 1.1 - 1.0.4 - - -

    Minor prop updates.

    -
    -
    -
    - - - - - - FedRAMP Program Management Office - -

    The FedRAMP PMO resides within GSA and supports agencies and cloud service providers - through the FedRAMP authorization process and maintains a secure repository of - FedRAMP authorizations to enable reuse of security packages.

    -
    -
    - - Prepared By - -

    The organization that prepared this SSP. If developed in-house, this is the CSP - itself.

    -
    -
    - - Prepared For - -

    The organization for which this SSP was prepared. Typically the CSP.

    -
    -
    - - System Security Plan Approval - -

    The individual or individuals accountable for the accuracy of this SSP.

    -
    -
    - - Cloud Service Provider - CSP - - - - Information System Owner - -

    The individual within the CSP who is ultimately accountable for everything related to - this system.

    -
    -
    - - Authorizing Official - -

    The individual or individuals who must grant this system an authorization to - operate.

    -
    -
    - - Authorizing Official's Point of Contact - -

    The individual representing the authorizing official.

    -
    -
    - - Information System Management Point of Contact (POC) - -

    The highest level manager who responsible for system operation on behalf of the - System Owner.

    -
    -
    - - Information System Technical Point of Contact - -

    The individual or individuals leading the technical operation of the system.

    -
    -
    - - General Point of Contact (POC) - -

    A general point of contact for the system, designated by the system owner.

    -
    -
    - - - System Information System Security Officer (or Equivalent) - -

    The individual accountable for the security posture of the system on behalf of the - system owner.

    -
    -
    - - Privacy Official's Point of Contact - -

    The individual responsible for the privacy threshold analysis and if necessary the - privacy impact assessment.

    -
    -
    - - Owner of an inventory item within the system. - - - Administrative responsibility an inventory item within the system. - - - ICA POC (Local) - -

    The point of contact for an interconnection on behalf of this system.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA POC (Remote) - -

    The point of contact for an interconnection on behalf of this external system to - which this system connects.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA Signatory (Local) - -

    Responsible for signing an interconnection security agreement on behalf of this - system.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - ICA Signatory (Remote) - -

    Responsible for signing an interconnection security agreement on behalf of the - external system to which this system connects.

    -
    - -

    Remove this role if there are no ICAs.

    -
    -
    - - Consultant - -

    Any consultants involved with developing or maintaining this content.

    -
    -
    - - Customer - -

    Represents any customers of this system as may be necessary for assigning customer - responsibility.

    -
    -
    - - Provider - -

    The provider of a leveraged system, external service, API, CLI.

    -
    -
    - - [SAMPLE]Unix Administrator - -

    This is a sample role.

    -
    -
    - - [SAMPLE]Client Administrator - -

    This is a sample role.

    -
    -
    - - Leveraged Authorization Users - -

    Any internal users of a leveraged authorization.

    -
    -
    - - External System Owner - -

    The owner of an external system.

    -
    -
    - - External System Management Point of Contact (POC) - -

    The highest level manager who responsible for an external system's operation on - behalf of the System Owner.

    -
    -
    - - External System Technical Point of Contact - -

    The individual or individuals leading the technical operation of an external - system.

    -
    -
    - - Approver - -

    An internal approving authority.

    -
    -
    - - CSP HQ -
    - Suite 0000 - 1234 Some Street - Haven - ME - 00000 -
    - -

    There must be one location identifying the CSP's primary business address, such as - the CSP's HQ, or the address of the system owner's primary business location.

    -
    -
    - - Primary Data Center -
    - 2222 Main Street - Anywhere - -- - 00000-0000 - US -
    - - -

    There must be one location for each data center.

    -

    There must be at least two data center locations.

    -

    For a data center, briefly summarize the components at this location.

    -

    All data centers must have a "type" property with a value of "data-center".

    -

    The type property must also have a class of "primary" or "alternate".

    -
    -
    - - Secondary Data Center -
    - 3333 Small Road - Anywhere - -- - 00000-0000 - US -
    - - -

    There must be one location for each data center.

    -

    There must be at least two data center locations.

    -

    For a data center, briefly summarize the components at this location.

    -

    All data centers must have a "type" property with a value of "data-center".

    -

    The type property must also have a class of "primary" or "alternate".

    -
    -
    - - - Cloud Service Provider (CSP) Name - CSP Acronym/Short Name - - 11111111-2222-4000-8000-003000000001 - -

    Replace sample CSP information.

    -

    CSP information must be present and associated with the "cloud-service-provider" role - via responsible-party. -

    -
    -
    - - Federal Risk and Authorization Management Program: Program Management Office - FedRAMP PMO - - - - info@fedramp.gov -
    - 1800 F St. NW - Washington - DC - 20006 - US -
    - -

    This party entry must be present in a FedRAMP SSP.

    -

    The uuid may be different; however, the uuid must be associated with the - "fedramp-pmo" role in the responsible-party assemblies.

    -
    -
    - - Federal Risk and Authorization Management Program: Joint Authorization Board - FedRAMP JAB - - -

    This party entry must be present in a FedRAMP SSP.

    -

    The uuid may be different; however, the uuid must be associated with the - "fedramp-jab" role in the responsible-party assemblies.

    -
    -
    - - - External Organization - External - -

    Generic placeholder for any external organization.

    -
    -
    - - Agency Name - A.N. - -

    Generic placeholder for an authorizing agency.

    -
    -
    - - Name of Consulting Org - NOCO - - - poc@example.com -
    - 3333 Corporate Way - Washington - DC - 00000 - US -
    -
    - - [SAMPLE]Remote System Org Name - - - [SAMPLE]ICA POC's Name - - person@ica.example.org - 2025551212 - 11111111-2222-4000-8000-004000000007 - - - [SAMPLE]Example IaaS Provider - E.I.P. - -

    Underlying service provider. Leveraged Authorization.

    -
    -
    - - [SAMPLE]Person Name 1 - - - name@example.com - 2020000001 - 11111111-2222-4000-8000-003000000001 - 11111111-2222-4000-8000-004000000001 - - - [SAMPLE]Person Name 2 - - name@example.com - 2020000002 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 3 - - name@example.com - 2020000003 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 4 - - name@example.com - 2020000004 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 5 - - name@example.com - 2020000005 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE]Person Name 6 - - name@example.com - 2020000006 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000004 -
    - - [SAMPLE]Person Name 7 - - name@example.com - 2020000007 -
    - Address Line - City - ST - 00000 - US -
    - 11111111-2222-4000-8000-004000000001 -
    - - [SAMPLE] IT Department - - - [SAMPLE]Security Team - - - Leveraged Authorization User - - - - - - Name of Leveraged System A Provider - - - Name of Leveraged System B Provider - - - Name of Leveraged System C Provider - - - Name of Service Provider - - - Name of Telco Provider - - - 11111111-2222-4000-8000-004000000018 - - - 11111111-2222-4000-8000-004000000001 - 22222222-2222-4000-8000-004000000001 - -

    Zero or more

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - -

    Exactly one

    -
    -
    - - - 11111111-2222-4000-8000-004000000001 - - - - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - -

    One or more

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000003 - 11111111-2222-4000-8000-004000000015 - -

    One or more

    -
    -
    - - 11111111-2222-4000-8000-004000000012 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000013 - -

    Exactly one

    -
    -
    - - - 11111111-2222-4000-8000-004000000014 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000015 - -

    Exactly one

    -
    -
    - - 11111111-2222-4000-8000-004000000016 - -

    Exactly one

    -
    -
    - - -
    - - -

    This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official - FedRAMP 3.0.0 release.

    -

    Must adjust accordingly for applicable baseline and revision.

    -
    -
    - - - - F00000000 - System's Full Name - System's Short Name or Acronym - - -

    [Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] - offering using a multi-tenant [insert based on the Deployment Model above] cloud - computing environment. It is available to [Insert scope of customers in accordance with - instructions above (for example, the public, federal, state, local, and tribal - governments, as well as research institutions, federal contractors, government - contractors etc.)].

    -

    NOTE: Additional description, including the purpose and functions of this system may be - added here. This includes any narrative text usually included in section 9.1 of the - SSP.

    -

    NOTE: The description is expected to be at least 32 words in length.

    -
    - - - -

    Remarks are required if service model is "other". Optional otherwise.

    -
    -
    - - - -

    Remarks are required if deployment model is "hybrid-cloud" or "other". Optional - otherwise.

    -
    -
    - - - - - - - - - - - fips-199-moderate - - - - - Information Type Name - -

    A description of the information.

    -
    - - C.2.4.1 - - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-low - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - Information Type Name - -

    A description of the information.

    -
    - - C.3.5.1 - - - fips-199-moderate - fips-199-low - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-high - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - Information Type Name - -

    A description of the information.

    -
    - - C.3.5.8 - - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    - - fips-199-moderate - fips-199-moderate - -

    Required if the base and selected values do not match.

    -
    -
    -
    - - -
    - - - fips-199-moderate - fips-199-moderate - fips-199-moderate - - - - - -

    Remarks are optional if status/state is "operational".

    -

    Remarks are required otherwise.

    -
    -
    - - - - - -

    A holistic, top-level explanation of the FedRAMP authorization boundary.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Authorization Boundary Diagram -
    -
    - - - -

    A holistic, top-level explanation of the network architecture.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Network Diagram -
    -
    - - - -

    A holistic, top-level explanation of the system's data flows.

    -
    - - - -

    A diagram-specific explanation.

    -
    - - Data Flow Diagram -
    -
    -
    - - - - - - - - AwesomeCloud Commercial(IaaS) - - - - -

    For now, this is a required field. In the future we intend - to pull this information directly from FedRAMP's records - based on the "leveraged-system-identifier" property's value.

    -
    -
    - - -

    For now, this is a required field. In the future we intend - to pull this information directly from FedRAMP's records - based on the "leveraged-system-identifier" property's value.

    -
    -
    - - 11111111-2222-4000-8000-c0040000000a - 2015-01-01 - -

    Use one leveraged-authorization assembly for each underlying authorized - cloud system or general support system (GSS).

    -

    For each leveraged authorization there must also be a "system" component. - The corrisponding "system" component must include a - "leveraged-authorization-uuid" property - that links it to this leveraged authorization.

    -
    -
    - - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    - -

    The user assembly is being reviewed for continued applicability - under FedRAMP's adoption of Rev 5.

    -

    Currently, FedRAMP will only process user content if it includes the - FedRAMP "separation-of-duties-matrix" property/extension. All other user - entries will be ignored by validation rules, but may be displayed by tools.

    -
    -
    - - - - - - - system-poc-technical - - Add/Remove Admins - This can add and remove admins. - - - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - system-poc-technical - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - system-owner - - Admin - -

    admin user

    -
    - administration -
    -
    - - - - - - This System - -

    This component represents the entire authorization boundary, - as depicted in the system authorization boundary diagram.

    -

    FedRAMP requires exactly one "this-system" component, which is used - in control implementation responses and interconnections.

    -
    - - -

    A FedRAMP SSP must always have exactly one "this-system" component - that represents the whole system.

    -

    It does not need system details, as those exist elsewhere in this SSP.

    -
    -
    - - - - - - - - - - - Awesome Cloud IaaS (Leveraged Authorized System) - -

    Briefly describe the leveraged system.

    -
    - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - 11111111-2222-4000-8000-c0040000000a - -

    The "provider" role is required for the component representing - a leveraged system. It must reference exactly one party - (via party-uuid), which points to a party of type "organization" - representing the organization that owns the leveraged system.

    -
    -
    - - - - - -

    This is a leveraged system within which this system operates. - It is explicitly listed on the FedRAMP marketplace with a status of - "FedRAMP Authorized".

    -

    Requirements

    -

    Each leveraged system must be expressed as a "system" component, and must have:

    -
      -
    • the name of the system in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • a "leveraged authorization-uuid" core property that links this component to the - leveraged-authorization entry
    • -
    • an "implementation-point" core property with a value of "external"
    • -
    • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is - "other", use the proeprty's remarks to descibe the agreement.
    • -
    • an "authentication-method" property/extension with a value of "yes", "no" or - "not-applicable" with commentary in the remarks.
    • -
    • One or more "information-type" property/extensions, where the a - llowed values are the 800-63 - information type identifiers.
    • -
    • A "provider" responsible-role with exactly one party-uuid entry - that indicates which organization is the provider of this leveraged system.
    • -
    • a status with a state value of "operational"
    • -
    • At least one responsible-role (other than "provider") that indicates any authorized - users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
    • -
    -

    -

    Where relevant, this component should also have:

    -
      -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    -

    Links to the vendor website describing the system are encouraged, but not required.

    - -

    Services

    -

    A service within the scope of the leveraged system's authorization boundary - is considered an "authorized service". Any other service offered by the - leveraged system is considered a "non-authorized service"

    -

    Represent each authorized or non-authorized leveraged services using a - "service" component. Both authorized and non-authorized service components - are represented the same in OSCAL with the following exceptions:

    -
      -
    • The component for an authorized servcie includes a - "leveraged-authorization-uuid" property. This - property must be excluded from the component of a - non-authorized leveraged service.
    • -
    • The component for a non-authorized service must include - a "still-supported" property/extension.
    • -
    • The component for a non-authorized service must have - a "poam-item" link that references a corrisponding entry in this system's - POA&M.
    • -
    - -

    Both authorized and non-authorized leveraged services include:

    -
      -
    • a "provided-by" link with a URI fragment that points - to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    • the name of the service in the title (for authorized services this should be - exactly as it appears in the FedRAMP Marketplace
    • -
    • an "implementation-point" core property with a value of "external"
    • -
    • an "authentication-method" property/extension with a value of "yes", "no" or - "not-applicable" with commentary in the remarks.
    • -
    • One or more "information-type" property/extensions, where the a - llowed values are the 800-63 - information type identifiers.
    • -
    • a status with a state value of "operational"
    • -
    • At least one responsible-role (other than "provider") that indicates any authorized - users. This must have one or more "privilege-uuid" property/extensions. Each references - a user assembly entry.
    • -
    - -

    Although SSP Table 7.1 also requires data categoriation and hosting - environment information about non-authorized leveraged services, - these datails are derived from other content in this SSP.

    -
    -
    - - - - Service A - -

    An authorized service provided by the Awesome Cloud leveraged authorization.

    -

    Describe the service and what it is used for.

    -
    - - - - - - - - - - - -

    This is a service offered by a leveraged system and used by this system. - It is explicitly listed on the FedRAMP marketplace as being included in the - scope of this leveraged system's ATO, thus is considered an "Authorized Service.

    -

    -

    Each leveraged service must be expressed as a "service" component, and must have:

    -
      -
    • the name of the service in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • a "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry
    • -
    • an "implementation-point" property with a value of "external"; and
    • -
    • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    -

    -

    Where relevant, this component should also have:

    -
      -
    • One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.
    • -
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.
    • -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -
      -
    • Package ID, Authorization Type, Impact Level
    • -
    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component representing the leveraged system as a whole:

    -

    - Nature of Agreement, CSP Name

    -
    -
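Review bot: the Service A remarks name the key property inconsistently: the "must have" list writes "leveraged authorization-uuid" with a space, while every other remark in the file uses "leveraged-authorization-uuid"; since tooling keys on that exact property name to separate authorized from non-authorized services, the guidance should spell it the way the constraint does. In the same component the "should also have" list asks for "exactly one or more party-uuid entries", which is self-contradictory; state the cardinality once ("one or more party-uuid entries") and fix "userswith", "systeme", "categoriation" and "datails".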
    - - - - - - - Service B - -

    An non-authorized service provided by the Awesome Cloud leveraged authorization.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - - - - - 33333333-2222-4000-8000-004000000001 - - -

    This is a service offered by a leveraged system and used by this system. - It is NOT explicitly listed on the FedRAMP marketplace as being included - in the scope of the leveraged system's ATO, thus is treated as a - non-authorized, leveraged service.

    -

    -

    Each non-authorized leveraged service must be expressed as a "service" component, and must have:

    -
      -
    • the name of the service in the title - exactly as it appears in the FedRAMP - Marketplace
    • -
    • an "implementation-point" property with a value of "external"; and
    • -
    • one or two "direction" prperty/extensions
    • -
    • One or more "information-type" property/extensions, where the allowed values are the 800-63 - information type identifiers, and the cited types are included full list of system information types.
    • -
    • exactly one "poam-item" link, with an href value that references the - POA&M and a resource-fragment that represents the - POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) - in an OSCAL-based POA&M.
    • -
    • a "provided-by" link with a URI fragment that points to the - "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
    • -
    • -
    • - -
    -

    The "leveraged-authorization-uuid" property must NOT be present, as this is how - tools are able to distinguish between authorized and non-authorized services - from the same leveraged provider.

    -

    - -

    Where relevant, this component should also have:

    -
      -
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.
    • -
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).
    • -
    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -
      -
    • Package ID, Authorization Type, Impact Level
    • -
    -

    - -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -

    - Package ID, Authorization Type, Impact Level

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

    -

    - Nature of Agreement, CSP Name

    -

    -

    An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

    -
    -
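Review bot: the Service B remarks are duplicated: the "Where relevant, this component should also have" block through "Nature of Agreement, CSP Name" appears twice, first as a bullet list and then again as bare paragraphs (the second copy starts with a stray "An "inherited-uuid" property" item and says the fields live in the "system" component assembly rather than in the component representing the leveraged system as a whole), and the closing sentence that a non-authorized service must NOT carry "leveraged-authorization-uuid" restates the earlier "must NOT be present" paragraph. Keep one copy. Because the presence or absence of that single property is what signals authorization status, the matching constraint needs to check both directions (authorized services carry it, non-authorized ones do not), otherwise an omitted property silently reclassifies a service; the "poam-item" bullet also has "POAM&M ID" and "a Excel workbook".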
    - - - - - Other Cloud SaaS - -

    An external system to which this system shares an interconnection.

    -
    - - - - - - - - 33333333-2222-4000-8000-004000000001 - - - 11111111-2222-4000-8000-004000000008 - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - 11111111-2222-4000-8000-004000000012 - - - services - - - -

    Each interconnection to one or more remote systems must have:

    -
      -
    • a "system" component (this component)
    • -
    • an "interconnection" component
    • -
    -

    Each "system" component must have:

    -
      -
    • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
    • -
    • an "implementation-point" property with a value of "external"
    • -
    • a "status" field with a state value of "operational"
    • -
    • if an interconnection exists with this system and there are - remote listening ports, one or more "protocol" assemblies must - be provided.
    • -
    - -

    While not required, each "system" component should have:

    -
      -
    • an "inherited-uuid" property if the value was provided by the system owner
    • -
    • a "compliance" property/extension if appropriate
    • -
    • an "authorizing-official" responsible-role
    • -
    • an "system-owner" responsible-role
    • -
    • an "system-poc-management" responsible-role
    • -
    • an "system-poc-technical" responsible-role
    • -
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP - properties/extensions for these roles, instead favor the core OSCAL - responsible-roles constructs, and the NIST-standard roles of - "authorizing-official", "system-owner", "system-poc-management - and "system-poc-technical"

    -
    -
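Review bot: in the "should have" list for the "system" component the role items read "an "system-owner"", "an "system-poc-management"" and "an "system-poc-technical"" (should be "a"), and the closing paragraph listing the NIST-standard roles is missing the closing quote after "system-poc-management". The "must have" list's condition that "protocol" assemblies are required when remote listening ports exist depends on what the paired "interconnection" component declares, so point readers at that component's "protocol" fields instead of restating the rule here.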
    - - - - - [EXAMPLE]Authorized Connection Information System Name - -

    Describe the purpose of the external system/service; specifically, provide reasons - for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    -
    - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    -
    -
    - - - - - - - - - - - - - - - - - - - 44444444-2222-4000-8000-004000000001 - - - 11111111-2222-4000-8000-004000000008 - - - 11111111-2222-4000-8000-004000000008 - - - - Incoming FTP Service - - - -

    Each interconnection to one or more remote systems must have:

    -
      -
    • one "system" component for each remote system sharing the connection
    • -
    • an "interconnection" component (this component)
    • -
    -

    Each "interconnection" component must have:

    -
      -
    • an "implementation-point" property with a value of "external"
    • -
    • a "status" field with a state value of "operational"
    • -
    • one or two "direction" properties
    • -
    • a "nature-of-agreement" property/extension
    • -
    • one or more "authentication-method" properties/extensions.
    • -
    • a "hosting-environment" proptery/extension
    • -
    • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
    • -
    • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
    • -
    • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
    • -
    • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
    • -
    • exactly one "used-by" link with an href value that refers to the "this-system" component.
    • -
    • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
    • -
    • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
    • -
    -

    Authentication methods must address both system-authentication as well as - user authentication mechanisms.

    -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    -

    If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

    -

    -

    While not required, each "interconnection" component should have:

    -
      -
    • an "inherited-uuid" property if the value was provided by the system owner
    • -
    • a "compliance" property/extension if appropriate
    • -
    • an "system-poc-management" responsible-role
    • -
    • an "system-poc-technical" responsible-role
    • -
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP - properties/extensions for these roles, instead favor the core OSCAL - responsible-roles constructs, and the NIST-standard roles of - "system-poc-management" and "system-poc-technical". With an interconnection, - the system POC roles reference parties that represent the connection provider.

    -
    -
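Review bot: the "must have" list for the "interconnection" component uses two different mechanisms to mark which side is which: the ipv4/ipv6/URI bullets say the class is set to "local" or "remote", while the "protocol" bullet says the name is set to "local" or "remote"; pick one (class or a property) and say so, because a validator cannot check the listening side if the indicator moves between name and class. The two "used-by" bullets also assign different cardinalities to the same link rel (exactly one pointing at "this-system", one or more pointing at remote "system" components), so a constraint cannot tell them apart by rel alone; either use a distinct rel for the this-system link or state that the check must resolve each href target. Typos in the list: "proptery", "vlue", "agreemnet", "the organization the provides".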
    - - - - - Other Cloud SaaS - -

    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - 11111111-2222-4000-8000-004000000012 - - -

    For each external system with which this system connects:

    -

    Must have a "system" component (this component).

    -

    Must have an "interconnection" component that connects this component with the - "this-system" component.

    -

    If the leveraged system owner provides a UUID for their system (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    -

    For an external system, the "implementation-point" property must always be present - with a value of "external".

    - - -

    Each interconnection must be defined with both an "system" component and an - "interconnection" component.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    - -
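Review bot: the remarks on this second "Other Cloud SaaS" "system" component were copied from the leveraged-system component: "If the leveraged system owner provides a UUID for their system ..." and "Must include all leveraged services and features from the leveraged authorization here" (the latter appears twice) do not apply to an external system that merely shares an interconnection, which is how the component's own description defines it. Keep the interconnection-specific statements (must have a "system" component, must have an "interconnection" component connecting it to "this-system", "implementation-point" must be "external") and drop the leveraged-authorization text, or explain why it applies here.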
    - - - - Service C - -

    A service provided by an external system other than the leveraged system.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - -

    This can only be known if provided by the leveraged system. - such as via an OSCAL-based CRM, component definition, - or as a result to the leveraged system's OSCAL-based SSP.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - 11111111-2222-4000-8000-004000000012 - - - 33333333-2222-4000-8000-004000000001 - - - - - - - - -

    This is a service provided by an external system other than the leveraged system.

    -

    As a result, the "leveraged-authorization-uuid" property is not applicable and must - NOT be used.

    -

    -

    Each external service used from a leveraged authorization must have:

    -

    - a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

    -

    - a "service" component (this component).

    -

    -

    This component must always have:

    -

    - The name of the service in the title - preferably exactly as it appears on the - vendor's web site

    -

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    -

    - An "implementation-point" property with a value of "external".

    -

    - A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

    -

    - Example: "#11111111-2222-4000-8000-009000100001" -

    -

    - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, - this property is blocked from proper use.

    -

    - a status with a state value of "operational"

    -

    -

    Where relevant, this component should also have:

    -

    - One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

    -

    - A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

    -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    -

    Link(s) to the vendor's web site describing the service are encouraged, but not - required.

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorization assembly:

    -

    - Package ID, Authorization Type, Impact Level

    -

    -

    The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

    -

    - Nature of Agreement, CSP Name

    -

    -

    An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

    -
    -
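Review bot: the Service C remarks contradict themselves about what the service is and what it must carry. The description says it is "provided by an external system other than the leveraged system", yet the requirements block opens with "Each external service used from a leveraged authorization must have", the "should also have" list refers to "leveraged-authorization-users" and the leveraged system's owner, and the closing paragraph is the Service B sentence about "An unauthorized service from an underlying leveraged authorization". The "provided-by" link is listed as required and then marked "blocked from proper use" by a core OSCAL constraint error (versions <=1.1.2), with the companion "system" component "CURRENTLY DEFERRED"; state one rule (required now, or deferred until the constraint fix lands) so validators and authors agree, and reference the tracking issue instead of leaving the deferral in prose only.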
    - - - - Service C - - -

    A service provided by an external system other than the leveraged system.

    -

    Describe the service and what it is used for.

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - -

    Either describe a risk associated with this service, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    - - - - - - 11111111-2222-4000-8000-004000000018 - - - - Remote API Service - - - - -

    This is a service provided by an external system other than the leveraged system.

    - - - -

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - - - -

    As a result, the "leveraged-authorization-uuid" property is not applicable and must - NOT be used.

    -

    All services require the "implementation-point" property. In this case, the property - value is set to "external.

    -

    All external services would normally require a "provided-by" link; however, a known - bug in core OSCAL syntax prevents the use of this property at this time.

    -

    If the leveraged system owner provides a UUID for their service (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    - - - - -
    -
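Review bot: this second "Service C" component repeats the first one with risk, impact and mitigating-factor remarks added, so the example now carries two sample components with the same title; if both patterns are intentional, give them distinct titles so readers and tooling can tell which one is recommended. Its closing remarks also disagree with the earlier copy about the "provided-by" link: here "a known bug in core OSCAL syntax prevents the use of this property", earlier it was a constraints error in versions <=1.1.2, and "provided-by" is a link, not a property. The sentence ending "the property value is set to "external." is missing its closing quote.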
    - - - - Management CLI - -

    None

    -
    - - - - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - -

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    - - -

    - - - - - - 11111111-2222-4000-8000-004000000018 - - - - - - - - - - Service D - -

    A service that exists within the authorization boundary.

    -

    Describe the service and what it is used for.

    - - - -
    - - - - - - - - [SAMPLE]Cryptographic Module Name - -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, - file, record-level, etc.)

    -

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS - compliance (e.g., Module in Process).

    -
    - - - - - - - - - - -
    - - - [SAMPLE]Cryptographic Module Name - -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS - compliance (e.g., Module in Process).

    -
    - - - - - - - - - - -
    - - - - - - - - - - - [SAMPLE]Product Name - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - - [SAMPLE]Product Name - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - - 11111111-2222-4000-8000-004000000010 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - - - [SAMPLE]Product - -

    FUNCTION: Describe typical component function.

    -
    - - - - - - - - - 11111111-2222-4000-8000-004000000017 - - - 11111111-2222-4000-8000-004000000011 - - -

    COMMENTS: Provide other comments as needed.

    -
    -
    - - OS Sample - -

    None

    -
    - - - - - -
    - - Database Sample - -

    None

    -
    - - - - - - - - - - -
    - - Appliance Sample - -

    None

    -
    - - - - - - -

    Vendor appliance. No admin-level access.

    -
    -
    - -
    - - - - AC Policy - -

    The Access Control Policy governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Policy governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability governs how access is managed and approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Policy governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Policy governs how access is managed and approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Policy governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Policy governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Policy governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Policy governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Policy governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Policy governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Policy governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Policy governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Policy governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Policy governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Policy governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Policy governs how access is managed and - approved.

    -
    - - -
    - - S3 Policy - -

    The System and Communication Protection Policy governs how access is managed and - approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Policy governs how access is managed and - approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Policy governs how access is managed and - approved.

    -
    - - -
    - - - - AC Policy - -

    The Access Control Procedure governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Procedure governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability Procedure governs how access is managed and - approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Procedure governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Procedure governs how access is managed and - approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Procedure governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Procedure governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Procedure governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Procedure governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Procedure governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Procedure governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Procedure governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Procedure governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Procedure governs how access is managed and - approved.

    -
    - - -
    - - S3 Policy - -

    The System and Communication Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Procedure governs how access is managed and - approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Procedure governs how access is managed and - approved.

    -
    - - -
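Review bot: every policy and procedure component reuses the AC wording "governs how access is managed and approved", which is wrong for the other families (Contingency Planning, Media Protection, Supply Chain Risk Management and so on); give each family its own one-line description or use a neutral placeholder. The System and Communication Protection policy and procedure are both titled "S3 Policy" (the NIST family abbreviation is SC), all procedure components are titled "... Policy" although their descriptions say "Procedure", and "Identificaiton" and "Enviornmental" are misspelled in both lists.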
    - - - - - IPv4 Production Subnet - -

    IPv4 Production Subnet.

    -
    - - - - -
    - - IPv4 Management Subnet - -

    IPv4 Management Subnet.

    -
    - - - - - -
    - - Email Service - -

    Email Service

    -
    - - - - - - - - -
    - - - - -

    Legacy Example (No implemented-component).

    -
    - - - - - - - - - - - - - - - - - - - - - - - -

    If no, explain why. If yes, omit remarks field.

    -
    -
    - - - - -

    If no, explain why. If yes, omit remarks field.

    -
    -
    - - -

    Optional, longer, formatted description.

    -
    -
    - - - 11111111-2222-4000-8000-004000000016 - - - 11111111-2222-4000-8000-004000000017 - - - -

    This links to a FIPS 140-2 validated software component that is used by this - inventory item. This type of linkage to a validation through the component is - preferable to the link[rel='validation'] example above.

    -
    -
    - -

    COMMENTS: Additional information about this item.

    -
    -
    - - -

    Component Inventory Example

    -
    - - - - - - - - - - - - - - - - - -

    If no, explain why. If yes, omit remark.

    -
    -
    - - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000017 - - - - - -

    COMMENTS: If needed, provide additional information about this inventory item.

    -
    -
    - - -

    None.

    -
    - - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - -

    Asset wasn't running at time of scan.

    -
    -
    - -
    - - -

    None.

    -
    - - - - - - - - - -
    - - -

    None.

    -
    - - - - - - - - -

    Asset wasn't running at time of scan.

    -
    -
    - -
    - - -

    Email-Service

    -
    - - - - - - - - - -
    -
    - - - - -

    Appendix A - FedRAMP SSP Rev5 Template

    -

    This description field is required by OSCAL.

    -

    FedRAMP does not require any specific information here.

    -
    - - - - - - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - - - - - -

    Describe how Part a is satisfied within the system.

    -

    Legacy approach. If no policy component is defined, describe here how the - policy satisfies part a.

    -

    In this case, a link must be provided to the policy.

    -

    FedRAMP prefers all policies and procedures be attached as a resource in the - back-matter. The link points to a resource.

    -
    - - - - -

    The specified component is the system itself.

    -

    Any control implementation response that can not be associated with another - component is associated with the component representing the system.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Identity - Management and Access Control Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    - -
    -
    - - - -

    There

    -
    - - - -

    Describe the plan to complete the implementation.

    -
    -
    -
    - - -

    Describe how this policy currently satisfies part a.

    -
    - - -

    Describe the plan for addressing the missing policy elements.

    -
    -
    - - -

    Identify what is currently missing from this policy.

    -
    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    - -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - -

    Describe any customer-configured requirements for satisfying this control.

    -
    -
    - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - [SAMPLE]privileged, non-privileged - - - [SAMPLE]all - - - [SAMPLE]The Access Control Procedure - - - at least annually - -
    -
    - - - -

    Describe how AC-2, part a is satisfied within this system.

    -

    This points to the "This System" component, and is used any time a more - specific component reference is not available.

    -
    - - - -

    Leveraged system's statement of capabilities which may be inherited by a - leveraging systems to satisfy AC-2, part a.

    -
    -
    - - -

    Leveraged system's statement of a leveraging system's responsibilities in - satisfaction of AC-2, part a.

    -

    Not associated with inheritance, thus associated this with the - by-component for "this system".

    -
    - - 11111111-2222-4000-8000-004000000001 - -
    -
    -
    - - -

    For the portion of the control satisfied by the application component of this - system, describe how the control is met.

    -
    - - - -

    Consumer-appropriate description of what may be inherited from this - application component by a leveraging system.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    - - -

    Leveraging system's responsibilities with respect to inheriting this - capability from this application.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    -
    - -

    The component-uuid above points to the "this system" component.

    -

    Any control response content that does not cleanly fit another system component - is placed here. This includes customer responsibility content.

    -

    This can also be used to provide a summary, such as a holistic overview of how - multiple components work together.

    -

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    -
    -
    - - -

    For the portion inherited from an underlying FedRAMP-authorized provider, - describe what is inherited.

    -
    - - -

    Optional description.

    -

    Consumer-appropriate description of what may be inherited as provided by the - leveraged system.

    -

    In the context of this component in satisfaction of AC-2, part a.

    -

    The provided-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -
    -
    - - -

    Description of how the responsibility was satisfied.

    -

    The responsibility-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    -

    Tool developers should be mindful that

    -
    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    Describe how Part a is satisfied.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - - - - 11111111-2222-4000-8000-004000000018 - - - - -

    Describe how the control is satisfied within the system.

    -

    DMARC is employed.

    -

    SPF is employed.

    -

    DKIM is employed.

    -
    - - organization-defined personnel or roles - - - [specify frequency] - - - [specify frequency] - -
    -
    -
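Review bot: two of the three parameter values in this block are left as the literal placeholder "[specify frequency]", while every other -1 block above carries the concrete FedRAMP values "at least every 3 years" and "at least annually". Since this file is offered as a sample that should pass validation, confirm that a bracketed placeholder is acceptable as a parameter value; if it is not, fill the values in, and if it is, add a remark saying the placeholders are intentionally left for the CSP to complete.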
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - to include chief privacy and ISSO and/or similar role or designees - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    -
    -
    - - - - - Signed System Security Plan - -

    SSP Signature

    -
    - - - - 00000000 - -

    The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in - OSCAL, and welcome feedback on solutions.

    -

    For now, the PMO recommends one of the following:

    -
      -
    • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
    • -
    • Render the OSCAL SSP content as a printed page that is physically signed, - scanned, and attached.
    • -
    -

    If your organization prefers another approach, please seek prior approval from the - FedRAMP PMO.

    -
    -
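Review bot: neither recommended option (render the OSCAL SSP to a PDF that is digitally signed, or print, physically sign and scan it) binds the signature to the OSCAL XML that tooling actually validates, so nobody reading the signed artifact can tell which revision of this file was signed. At minimum, attach the signed rendering through an rlink that carries a hash of the signed file and state in the remark which document version and last-modified value the signature covers, so a later edit to the XML is detectable. Also, "The FedRAMP PMO is formulating guidelines ... and welcome feedback" should read "welcomes feedback".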
    - - - FedRAMP Applicable Laws and Regulations - - - -

    Must be present in a FedRAMP SSP.

    -
    -
    - - - - Access Control Policy Title - -

    AC Policy document

    -
    - - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Awareness and Training Policy Title - -

    AT Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Audit and Accountability Policy Title - -

    AU Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Security Assessment and Authorization Policy Title - -

    CA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Configuration Management Policy Title - -

    CM Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Contingency Planning Policy Title - -

    CP Policy document

    -
    - - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Identification and Authentication Policy Title - -

    IA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Incident Response Policy Title - -

    IR Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Maintenance Policy Title - -

    MA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Media Protection Policy Title - -

    MP Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Physical and Environmental Protection Policy Title - -

    PE Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Planning Policy Title - -

    PL Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Personnel Security Policy Title - -

    PS Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Risk Adjustment Policy Title - -

    RA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Service Acquisition Policy Title - -

    SA Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Communications Protection Policy Title - -

    SC Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Information Integrity Policy Title - -

    SI Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Supply Chain Risk Policy Title - -

    SR Policy document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Access Control Procedure Title - -

    AC Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Awareness and Training Procedure Title - -

    AT Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Audit and Accountability Procedure Title - -

    AU Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Security Assessment and Authorization Procedure Title - -

    CA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Configuration Management Procedure Title - -

    CM Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Contingency Planning Procedure Title - -

    CP Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Identification and Authentication Procedure Title - -

    IA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Incident Response Procedure Title - -

    IR Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Maintenance Procedure Title - -

    MA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Media Protection Procedure Title - -

    MP Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Physical and Environmental Protection Procedure Title - -

    PE Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Planning Procedure Title - -

    PL Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Personnel Security Procedure Title - -

    PS Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Risk Adjustment Procedure Title - -

    RA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Service Acquisition Procedure Title - -

    SA Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Communications Protection Procedure Title - -

    SC Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - System and Information Integrity Procedure Title - -

    SI Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - Supply Chain Risk Procedure Title - -

    SR Procedure document

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
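Review bot: the RA entries are titled "Risk Adjustment Policy Title" / "RA Policy document" and "Risk Adjustment Procedure Title" / "RA Procedure document", but the RA family in NIST SP 800-53 is Risk Assessment. Every other policy and procedure entry uses the 800-53 family name (Access Control, Contingency Planning, Supply Chain Risk, and so on), so rename both RA titles to "Risk Assessment ..." to match.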
    - - - User's Guide - -

    User's Guide

    -
    - - - - - - -

    Table 12-1 Attachments: User's Guide Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - Document Title - -

    Rules of Behavior

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Rules of Behavior (ROB)

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Contingency Plan (CP)

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Configuration Management (CM) Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Document Title - -

    Incident Response (IR) Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - - - CSP-specific Law Citation - - - - Identification Number - - 00000000 - -

    A CSP-specific law citation

    -

    The "type" property must be present and contain the value "law".

    -
    - -
    - - - - - Document Title - -

    Continuous Monitoring Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - Plan of Actions and Milestones (POAM) - - - - - - - 00000000 - - - - - Supply Chain Risk Management Plan - -

    Supply Chain Risk Management Plan

    -
    - - - - - - 00000000 - -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    -
    -
    - - - - - [SAMPLE]Interconnection Security Agreement Title - - - - - - - 00000000 - - - FedRAMP Logo - -

    FedRAMP Logo

    -
    - - - - 00000000 - -

    Must be present in a FedRAMP SSP.

    -
    -
    - - CSP Logo - -

    CSP Logo

    -
    - - 00000000 - -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - 3PAO Logo - -

    3PAO Logo

    -
    - - 00000000 - -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - - Boundary Diagram - -

    The primary authorization boundary diagram.

    -
    - - - 00000000 - -

    Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/authorization-boundary/diagram/link/@href flag using a value - of "#11111111-2222-4000-8000-001000000054"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Network Diagram - -

    The primary network diagram.

    -
    - - - - 00000000 - -

    Section 8.1, Figure 8-2 Network Diagram (graphic)

    -

    This should be referenced in the - system-characteristics/network-architecture/diagram/link/@href flag using a value of - "#11111111-2222-4000-8000-001000000055"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Data Flow Diagram - -

    The primary data flow diagram.

    -
    - - - 00000000 - -

    Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

    -

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href - flag using a value of "#11111111-2222-4000-8000-001000000056"

    -

    May use rlink with a relative path, or embedded as - base64. -

    -

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser - via HTML5.

    -
    -
    - - Interconneciton Security Agreement (ISA) - - - - - - - 41 CFR 201 - - - - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. - - - -

    CSP-specific citation. Note the "type" property's class is "law" - and the value is "citation".

    -
    -
    - - CSP Acronyms - - - -

    CSP-specific citation. Note the "type" property's class is "acronyms" - and the value is "citation".

    -
    -
    - - CSP Reference - - - -

    CSP-specific reference. Note the "type" property's class is "reference" - and the value is "citation".

    -
    -
    - - Separation of Duties Matrix - -

    Separation of Duties Matrix

    -
    - - - - - 00000000 - -

    May use rlink with a relative path, or embedded as base64. -

    -
    -
    - - - -
    -
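Review bot: the two law-citation resources in this hunk document contradictory marking conventions. The "CSP-specific Law Citation" resource's remark says `The "type" property must be present and contain the value "law".`, while the "41 CFR 201" / Federal Acquisition Supply Chain Security Act resource's remark says `Note the "type" property's class is "law" and the value is "citation".` Only one of these can match what the FedRAMP constraints actually check; align the remark (and the prop on that resource) with the enforced convention so the example does not teach two encodings of the same thing. Smaller points in the same hunk: the ISA resource title reads "Interconneciton Security Agreement (ISA)" and should be "Interconnection", as it is spelled in the "[SAMPLE]Interconnection Security Agreement Title" resource above it; the POAM resource title "Plan of Actions and Milestones (POAM)" should use FedRAMP's wording "Plan of Action and Milestones (POA&M)"; the Supply Chain Risk Management Plan resource's remark still says "Table 12-1 Attachments: Procedure Attachment", which looks like a copy/paste leftover from a different attachment; and the hunk ends with "\ No newline at end of file", so add a trailing newline to the example file so later diffs stay clean.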
    \ No newline at end of file diff --git a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml index cd6831c3e..271327849 100644 --- a/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml +++ b/src/validations/constraints/unit-tests/missing-response-components-PASS.yaml @@ -3,7 +3,7 @@ test-case: description: >- This test case validates the behavior of constraint missing-response-components - content: ../content/fedramp-ssp-example.xml + content: ../content/fedramp-ssp-example.oscal.xml expectations: - constraint-id: missing-response-components result: pass
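Review bot: the content path change to `../content/fedramp-ssp-example.oscal.xml` in missing-response-components-PASS.yaml has to be applied to every other unit-test YAML under src/validations/constraints/unit-tests that still references `../content/fedramp-ssp-example.xml`; this diff updates only the one file, and any sibling test left pointing at the old name will fail to load its content once the example is renamed. Before merging, `grep -rl 'fedramp-ssp-example.xml' src/validations/constraints/unit-tests` should return nothing.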