From a5ae41360b1ebab7f7f6b7eb0bca55312133994a Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 14:41:13 -0500 Subject: [PATCH 01/52] example-ssp WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 3567 +++++++++++++++++ 1 file changed, 3567 insertions(+) create mode 100644 src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml new file mode 100644 index 000000000..ea6450d2c --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -0,0 +1,3567 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer responsibility.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 00000000-0000-4000-8001-c00400000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 00000000-0000-4000-8001-c00400000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00400000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + 00000000-0000-4000-8001-c00400000001 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000001 + + + + 00000000-0000-4000-8001-c00400000010 + 00000000-0000-4000-8001-c00400000011 + +

One or more

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000003 + 00000000-0000-4000-8001-c00400000015 + +

One or more

+
+
+ + 00000000-0000-4000-8001-c00400000012 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000013 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000014 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000015 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000016 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000002 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000003 + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.

+
+
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering using a multi-tenant [insert based on the Deployment Model above] cloud computing environment. It is available to [Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be added here. This includes any narrative text usually included in section 9.1 of the SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + + + + GovCloud + + + + + + + + + + 00000000-0000-4000-8001-c00400000009 + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.

+

The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.

+
+
+ + + + [SAMPLE]Unix System Administrator + + + + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + + + + + + admin-client + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + + + + + + information-system-security-officer + isa-poc-local + isa-authorizing-official-local + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + [SAMPLE]ISA POC + + + + + + isa-poc-remote + isa-authorizing-official-remote + + External System Access Provider + Authorizes access to external interconnected system. + + + + + + This System + +

The entire system as depicted in the system authorization boundary

+

Email is employed

+
+ +
+ + + + + + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + + + + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + + + + + + + + + + + + + + + + + + + +
+ + Service Provided by Leveraged System + +

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + + +
+ + + + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + +

Optional notes about this interconnection

+
+
+ + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 00000000-0000-4000-8001-c00400000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 00000000-0000-4000-8001-c00400000017 + + + 00000000-0000-4000-8001-c00400000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + +
+ + Database Sample + +

None

+
+ + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + [EXAMPLE]Policies + +

[EXAMPLE]component representing a collection of policies in appendix A.

+
+ + + + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

+
+
+ + + [EXAMPLE]Procedures + +

[EXAMPLE]component representing a collection of procedures in appendix A.

+
+ + + + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

+
+
+ + + + [SAMPLE]Service Name + +

Describe the service

+
+ Describe the reason the service is needed. + + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

+ SERVICES ARE NOW COMPONENTS WITH type='service' +

+
+
+ + [EXAMPLE]Authorized Connection Information System Name + +

Briefly describe the interconnection.

+
+ + + + + + + + + + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + +

Optional notes about this interconnection

+
+
+ + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + +
+ + Email Service + +

Email Service

+
+ + + + +
+ + + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 00000000-0000-4000-8001-c00400000016 + + + 00000000-0000-4000-8001-c00400000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + + + 00000000-0000-4000-8001-c00400000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

+
+ + + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + 00000000-0000-4000-8001-c00400000010 + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the by-component for "this system".

+
+ + 00000000-0000-4000-8001-c00400000001 + +
+
+
+ + +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 00000000-0000-4000-8001-c00400000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 00000000-0000-4000-8001-c00400000005 + +
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not explicitly required within every statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

Describe how Part a is satisfied.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + + + + 00000000-0000-4000-8001-c00400000018 + + + + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+
+
+ + + + + Resolution Resource + + + + + +

This "resolution resource" is used by FedRAMP as a local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for.

+
+
+ + + +

SSP Signature

+
+ + + + 00000000 + +

FedRAMP is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions.

+

For now, FedRAMP recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + + 00000000 + +

Must be present in a FedRAMP SAP.

+
+
+ + + + FedRAMP Master Acronym and Glossary + + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + + + [SAMPLE] Laws and Regulations + + + + Identification Number + + 00000000 + + + + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + [SAMPLE]Plan of Actions and Milestones (POAM) + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000054"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000055"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000056"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + + Separation of Duties Matrix + +

Separation of Duties Matrix

+
+ + + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+
+
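Review bot: the two back-matter resources titled "Risk Adjustment Policy Title" / "RA Policy document" and "Risk Adjustment Procedure Title" / "RA Procedure document" use the wrong family name; in NIST SP 800-53 the RA family is Risk Assessment, so these should read "Risk Assessment Policy Title" and "Risk Assessment Procedure Title" to match the other families. Two remarks are also copied from the wrong template: the "FedRAMP Applicable Laws and Regulations" resource says "Must be present in a FedRAMP SAP." where every sibling says "Must be present in a FedRAMP SSP.", and the "Supply Chain Risk Management Plan" resource says "Table 12-1 Attachments: Procedure Attachment" although it is a plan, not a procedure. Smaller items: the e-mail protection block (DMARC/SPF/DKIM) still carries `[specify frequency]` for both frequency parameters while every other block sets concrete values such as "at least annually", so either fill them in or say in a remark that they are intentionally left open; "[SAMPLE]Plan of Actions and Milestones (POAM)" and "[SAMPLE]Interconnection Security Agreement Title" lack the space after "[SAMPLE]" that "[SAMPLE] Laws and Regulations" has, and the standard term is "Plan of Action and Milestones"; and "FedRAMP is formulating guidelines ... and welcome feedback" should read "welcomes".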
From 31e979eef500e1f34213491f0770529c6c258fb3 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 15:54:27 -0500 Subject: [PATCH 02/52] Example UUID Legend Creation --- .../examples/UUIDs_for_Examples_Legend.md | 139 ++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 src/content/rev5/examples/UUIDs_for_Examples_Legend.md diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md new file mode 100644 index 000000000..000404912 --- /dev/null +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md 
@@ -0,0 +1,139 @@ +# UUIDs for Examples + +Example content with UUIDs can be difficult to follow due to the long, intentionally-random naure of UUIDs. It is possible to craft UUID values that are treated as valid by OSCAL validation tools, yet are easier to follow for developers. + +# Example UUID Format + +OSCAL allows v4 or v5 UUIDs as defined in [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122). +Please note that UUID values are hexidecimal. Any digit may contain the numbers 0 - 9 and the lower-case letters a - f. + +The format used for examples is v4 compliant as follows: + +``` +00000000-0000-4000-80SS-MFFF0TT00### + ^ ^ +``` + +The first group of eight characters and the second group of four characters is always set to zeros (`00000000-0000-`) + +**^**: indicates a UUID v4 required digit. +- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. +- the first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. + + +`SS`: indicates whether the UUID is for the primary system represented in the example or another, external system. 
+ `01` = this system + `02` - `ff` = other systems + +`M`: The model being represented in the example (useful for when a POA&M or SAR points to content in an SSP) + `a` = catalog + `b` = profile + `c` = ssp + `d` = poam + `e` = sap + `f` = sar + `0` = component defintions + +`FFF`: Indicates the OSCAL field name associated with the UUID + +**Metadata and Back Matter ** +`000`=root +`001`=resource +`002`=prop +`003`=location +`004`=party +`005`=action + +**SSP** +`006`=information-type +`007`=diagram +`008`=user +`009`=component +`010`=protocol +`011`=inventory-item +`012`=implemented-requirement +`013`=statement +`014`=by-component +`015`=provided +`016`=responsibility +`017`=inherited +`018`=satisfied +`019`=leveraged-authorization + +_Fields for other models to be added as we work with those models._ + + +`TT`: Used to further distinguish a field that can have multiple types. + +**Component Types** (`TT`) +`0`=This System +`1`=System +`2`=Interconnection +`3`=Software +`4`=Hardware +`5`=Service +`6`=Policy +`7`=Physical +`8`=Process/Procedure +`9`=Plan +`10`=Guidance +`11`=Standard +`12`=Validation +`13`=Network + +**Enumeration** +`###`: A simple sequence number. (`001`, `002`, through `fff`) +- Start a new sequence for each system/model/field. + + +# Examples: + +In all example UUIDs, the first 18 digits are always: `00000000-0000-4000-80` + +### Resource UUIDs + +All parties in example SSP content use: +`00000000-0000-4000-8001-c00100000###`, where the first resource is `00000000-0000-4000-8001-c00100000001`, the second party is `00000000-0000-4000-8001-c00100000002`, etc. + + +Backmatter resources in an SSP will always appear as: +`00000000-0000-4000-8001-c00100000###` + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`001` indicates it is for a resource. 
+The final three digits are assigned in sequence to each resource. + +### Parties + +All parties in example SSP content use: +`00000000-0000-4000-8001-c00400000###`, where the first party is `00000000-0000-4000-8001-c00400000001`, the second party is `00000000-0000-4000-8001-c00400000002`, etc. + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`004` indicates it is for a party. +The final three digits are assigned in sequence to each party. + +### Components + +All components in example SSP content use: +`00000000-0000-4000-8001-c00900120###`, where the first resource is `00000000-0000-4000-8001-c00900080001`, the second party is `00000000-0000-4000-8001-c00900120002`, etc. + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`009` indicates it is for a component. +The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. + +`012` indicates the UUID is for a `validation` component +`008` indicates the UUID is for a `process-procedure` component + + From dfb251cbd1cc509a123a4930d29e31329232d7b9 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 19:12:29 -0500 Subject: [PATCH 03/52] WIP --- .../rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index ea6450d2c..c9d83b72e 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml 
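Review bot: in UUIDs_for_Examples_Legend.md the worked examples do not follow the layout the file declares, `00000000-0000-4000-80SS-MFFF0TT00###`. The component example `00000000-0000-4000-8001-c00900120###` puts the type code `12` at digits 7-8 of the last group rather than in the `TT` slot after the `0` separator (the declared layout gives `c00901200###` for a validation component), and the same sentence says the first component is `...c00900080001` while the second is `...c00900120002`; pick one layout and use it consistently. The "Resource UUIDs" subsection is copied from the party text: it opens "All parties in example SSP content use" and says "Only the final 14 digits (`01-c00400000###`) are relevant", which should cite `01-c00100000###` since `001` is the resource code. The component-type table lists `0` through `13` as one- and two-digit values although `TT` is fixed at two hexadecimal digits, so `0`..`9` need zero-padding (`00`..`09`) and `10`..`13` must either be written in hex (`0a`..`0d`) or the table must say the codes are decimal. Typos: "naure", "hexidecimal", "forth group", "rquired", "bimary", "defintions".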
@@ -228,7 +228,7 @@ Cloud Service Provider (CSP) Name CSP Acronym/Short Name - 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00300000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.
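Review bot: switching the CSP party's referenced UUID from `...c00400000001` to `...c00300000001` is consistent with the legend added in PATCH 02 (`003` = location, `004` = party), but this hunk and the one at -314 only change the references; neither shows a location with uuid `00000000-0000-4000-8001-c00300000001` being declared under metadata. A location-uuid has to resolve to a defined location for the cross-reference constraint to pass, so add or confirm that definition in the same commit, otherwise oscal-cli will report a dangling reference. The commit message "WIP" gives no hint of intent; one line saying these were party references wrongly used as location references would make the change reviewable.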

@@ -314,7 +314,7 @@ name@example.com 2020000001 - 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00300000001 00000000-0000-4000-8001-c00400000001 From 0a3a6e10f34d01be253614a8c1e293b081c43705 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sat, 9 Nov 2024 16:40:33 -0500 Subject: [PATCH 04/52] oscal-cli validation cleanup --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 48 +++++++------------ 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index c9d83b72e..bc25de1c3 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -483,18 +483,13 @@

Exactly one

- - 00000000-0000-4000-8001-c00400000003 - -

Exactly one

-
-
+

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.

- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

Must adjust accordingly for applicable baseline and revision.

@@ -776,7 +771,7 @@ - + Name of Leveraged System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

@@ -799,7 +794,7 @@ - + @@ -811,7 +806,7 @@

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + @@ -1131,7 +1126,7 @@

Legacy Example (No implemented-component).

- + @@ -1189,7 +1184,7 @@

Component Inventory Example

- + @@ -1227,7 +1222,7 @@

None.

- + @@ -1242,7 +1237,7 @@

None.

- + @@ -1256,7 +1251,7 @@

None.

- + @@ -1270,7 +1265,7 @@

None.

- + @@ -1287,7 +1282,7 @@

None.

- + @@ -1301,7 +1296,7 @@

None.

- + @@ -1318,7 +1313,7 @@

Email-Service

- + @@ -1477,7 +1472,7 @@

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

@@ -1502,7 +1497,7 @@ 00000000-0000-4000-8001-c00400000005 - +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

@@ -2667,17 +2662,6 @@ - - - Resolution Resource - - - - - -

This "resolution resource" is used by FedRAMP as a local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for.

-
-
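Review bot: this hunk deletes the "Resolution Resource" back-matter entry whose own remark calls it FedRAMP's "local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for". Removing it to quiet oscal-cli drops that marker unless another metadata property carries the revision; either confirm that property exists and mention it in the commit message, or fix whatever attribute oscal-cli objected to on the resource instead of deleting it. In either case the commit message should name the reported constraint rather than "validation cleanup".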
From bc4b2cd53adf508164906106d17f7da8953eeda7 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sun, 10 Nov 2024 23:49:15 -0500 Subject: [PATCH 05/52] Leveraged Authorization revisions --- .../examples/UUIDs_for_Examples_Legend.md | 162 +- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1306 +++++++++-------- 2 files changed, 755 insertions(+), 713 deletions(-) diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index 000404912..09280bc23 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md 
@@ -10,130 +10,126 @@ Please note that UUID values are hexidecimal. Any digit may contain the numbers The format used for examples is v4 compliant as follows: ``` -00000000-0000-4000-80SS-MFFF0TT00### - ^ ^ +00000000-0000-4000-8000-FFF0TTT00### + FILE MODEL ^ ^ FIELD SEQUENCE ``` -The first group of eight characters and the second group of four characters is always set to zeros (`00000000-0000-`) +**FILE**: The first grouping represents the OSCAL file. All digits are the same. +- If an example involves the SSP of two systems, the first system's SSP will use UUID values that starts with all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the second system will use UUID values that start with all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`) +- If an example involves a catalog and a profile, the catalog will use all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the prifle will use all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`). -**^**: indicates a UUID v4 required digit. -- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. -- the first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. + +**MODEL**: The second group of characters represents the model as follows: +- The values are as follows: + - `0000`: Catalog + - `1111`: Profile + - `2222`: SSP + - `3333`: Component Definition + - `4444`: SAP + - `5555`: SAR + - `6666`: POA&M +- - If an example involves the SSP of two systems, both SSPs will use UUID values that have all 2's in the second grouping (`11111111-2222-4000-8000-xxxxxxxxxxxx` and `22222222-2222-4000-8000-xxxxxxxxxxxx`) -`SS`: indicates whether the UUID is for the primary system represented in the example or another, external system. - `01` = this system - `02` - `ff` = other systems +**^**: indicates a UUID v4 required digit. +- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. 
+- The first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. +- We will always use `4000` for the third grouping. +- We will always use `8000` for the forth grouping. -`M`: The model being represented in the example (useful for when a POA&M or SAR points to content in an SSP) - `a` = catalog - `b` = profile - `c` = ssp - `d` = poam - `e` = sap - `f` = sar - `0` = component defintions -`FFF`: Indicates the OSCAL field name associated with the UUID +**FIELD**: `FFF`: Indicates the OSCAL field name associated with the UUID -**Metadata and Back Matter ** -`000`=root -`001`=resource -`002`=prop -`003`=location -`004`=party -`005`=action +**Metadata and Back Matter** +- `-0000`=root +- `-0010`=resource +- `-0020`=prop +- `-0030`=location +- `-0040`=party +- `-0050`=action **SSP** -`006`=information-type -`007`=diagram -`008`=user -`009`=component -`010`=protocol -`011`=inventory-item -`012`=implemented-requirement -`013`=statement -`014`=by-component -`015`=provided -`016`=responsibility -`017`=inherited -`018`=satisfied -`019`=leveraged-authorization +- `-0060`=information-type +- `-0070`=diagram +- `-0080`=user +- `-0090`=component +- `-0100`=protocol +- `-0110`=inventory-item +- `-0120`=implemented-requirement +- `-0130`=statement +- `-0140`=by-component +- `-0150`=provided +- `-0160`=responsibility +- `-0170`=inherited +- `-0180`=satisfied +- `-0190`=leveraged-authorization _Fields for other models to be added as we work with those models._ -`TT`: Used to further distinguish a field that can have multiple types. +- `TT`: Used to further distinguish a field that can have multiple types. It is optional and may be difficult to manage. Only use when this clarity is helpful or necessary. 
**Component Types** (`TT`) -`0`=This System -`1`=System -`2`=Interconnection -`3`=Software -`4`=Hardware -`5`=Service -`6`=Policy -`7`=Physical -`8`=Process/Procedure -`9`=Plan -`10`=Guidance -`11`=Standard -`12`=Validation -`13`=Network +- `0000`=This System +- `0010`=System +- `0020`=Interconnection +- `0030`=Software +- `0040`=Hardware +- `0050`=Service +- `0060`=Policy +- `0070`=Physical +- `0080`=Process/Procedure +- `0090`=Plan +- `0100`=Guidance +- `0110`=Standard +- `0120`=Validation +- `0130`=Network **Enumeration** -`###`: A simple sequence number. (`001`, `002`, through `fff`) +- `0###`: A simple sequence number. (`001`, `002`, through `fff`) - Start a new sequence for each system/model/field. # Examples: -In all example UUIDs, the first 18 digits are always: `00000000-0000-4000-80` ### Resource UUIDs All parties in example SSP content use: -`00000000-0000-4000-8001-c00100000###`, where the first resource is `00000000-0000-4000-8001-c00100000001`, the second party is `00000000-0000-4000-8001-c00100000002`, etc. +- `11111111-2222-4000-8001-001000000###`, where the first resource is `11111111-2222-4000-8001-001000000001`, the second party is `11111111-2222-4000-8001-001000000002`, etc. Backmatter resources in an SSP will always appear as: -`00000000-0000-4000-8001-c00100000###` +- `11111111-2222-4000-8001-001000000###` -Only the final 14 digits (`01-c00400000###`) are relevant. - -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`001` indicates it is for a resource. -The final three digits are assigned in sequence to each resource. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-0010` indicates it is for a resource. +- The final three digits are assigned in sequence to each resource. 
### Parties All parties in example SSP content use: -`00000000-0000-4000-8001-c00400000###`, where the first party is `00000000-0000-4000-8001-c00400000001`, the second party is `00000000-0000-4000-8001-c00400000002`, etc. - -Only the final 14 digits (`01-c00400000###`) are relevant. +- `11111111-2222-4000-8001-004000000###`, where the first party is `11111111-2222-4000-8001-004000000001`, the second party is `-004000000002`, etc. -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`004` indicates it is for a party. -The final three digits are assigned in sequence to each party. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `0040` indicates it is for a party. +- The final three digits are assigned in sequence to each party. ### Components All components in example SSP content use: -`00000000-0000-4000-8001-c00900120###`, where the first resource is `00000000-0000-4000-8001-c00900080001`, the second party is `00000000-0000-4000-8001-c00900120002`, etc. - -Only the final 14 digits (`01-c00400000###`) are relevant. +- `11111111-2222-4000-8001-0090TTT00###`, where the first resource is `11111111-2222-4000-8001-009000800001`, the second resource is `11111111-2222-4000-8001-009001200002`, etc. -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`009` indicates it is for a component. -The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-00900120` indicates it is for a component of type `validation`. 
+- `-00900080` indicates it is for a component of type `process-procedure` +- The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. -`012` indicates the UUID is for a `validation` component -`008` indicates the UUID is for a `process-procedure` component diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index bc25de1c3..06a516636 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,6 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -21,7 +21,7 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -174,7 +174,7 @@

This is a sample role.

- + CSP HQ
Suite 0000 @@ -187,7 +187,7 @@

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

- + Primary Data Center
2222 Main Street @@ -205,7 +205,7 @@

The type property must also have a class of "primary" or "alternate".

- + Secondary Data Center
3333 Small Road @@ -223,23 +223,23 @@

The type property must also have a class of "primary" or "alternate".

- + Cloud Service Provider (CSP) Name CSP Acronym/Short Name - - 00000000-0000-4000-8001-c00300000001 + + 11111111-2222-4000-8000-c00300000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

- + Federal Risk and Authorization Management Program: Program Management Office FedRAMP PMO - - - + + + info@fedramp.gov
1800 F St. NW @@ -253,35 +253,35 @@

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

- + Federal Risk and Authorization Management Program: Joint Authorization Board FedRAMP JAB - +

This party entry must be present in a FedRAMP SSP.

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

- + External Organization External

Generic placeholder for any external organization.

- + Agency Name A.N.

Generic placeholder for an authorizing agency.

- + Name of Consulting Org NOCO - + poc@example.com
3333 Corporate Way @@ -291,33 +291,33 @@ US
- + [SAMPLE]Remote System Org Name - + [SAMPLE]ICA POC's Name person@ica.example.org 2025551212 - 00000000-0000-4000-8001-c00400000007 + 11111111-2222-4000-8000-c00400000007 - + [SAMPLE]Example IaaS Provider E.I.P.

Underlying service provider. Leveraged Authorization.

- + [SAMPLE]Person Name 1 name@example.com 2020000001 - 00000000-0000-4000-8001-c00300000001 - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00300000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 2 name@example.com @@ -329,9 +329,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001
- + [SAMPLE]Person Name 3 name@example.com @@ -343,9 +343,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 4 name@example.com @@ -357,9 +357,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 5 name@example.com @@ -371,9 +371,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 6 name@example.com @@ -385,9 +385,9 @@ 00000 US - 00000000-0000-4000-8001-c00400000004 + 11111111-2222-4000-8000-c00400000004 - + [SAMPLE]Person Name 7 name@example.com @@ -399,86 +399,86 @@ 00000 US - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE] IT Department - + [SAMPLE]Security Team - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001

Exactly one

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

Exactly one

- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - 00000000-0000-4000-8001-c00400000010 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-c00400000011

One or more

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

Exactly one

- 00000000-0000-4000-8001-c00400000003 - 00000000-0000-4000-8001-c00400000015 + 11111111-2222-4000-8000-c00400000003 + 11111111-2222-4000-8000-c00400000015

One or more

- 00000000-0000-4000-8001-c00400000012 + 11111111-2222-4000-8000-c00400000012

Exactly one

- 00000000-0000-4000-8001-c00400000013 + 11111111-2222-4000-8000-c00400000013

Exactly one

- 00000000-0000-4000-8001-c00400000014 + 11111111-2222-4000-8000-c00400000014

Exactly one

- 00000000-0000-4000-8001-c00400000015 + 11111111-2222-4000-8000-c00400000015

Exactly one

- 00000000-0000-4000-8001-c00400000016 + 11111111-2222-4000-8000-c00400000016

Exactly one

- 00000000-0000-4000-8001-c00400000002 + 11111111-2222-4000-8000-c00400000002

Exactly one

@@ -498,7 +498,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -524,16 +524,16 @@ - + - + fips-199-moderate - + Information Type Name

A description of the information.

@@ -586,11 +586,11 @@

A holistic, top-level explanation of the FedRAMP authorization boundary.

- +

A diagram-specific explanation.

- + Authorization Boundary Diagram
@@ -600,11 +600,11 @@

A holistic, top-level explanation of the network architecture.

- +

A diagram-specific explanation.

- + Network Diagram
@@ -614,34 +614,52 @@

A holistic, top-level explanation of the system's data flows.

- +

A diagram-specific explanation.

- + Data Flow Diagram
- - - - + + + + - + GovCloud - - - - + + - - - + + + +

Describe the features used from Service A.

+

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

+
+
+ + +

Describe the features used from Service B.

+

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

+
+
+ + + + +

If 'yes', describe the user authentication method.

+

If 'no', explain why no user authentication is used.

+

If 'not-applicable', attest that no users access the leveraged system.

+
+
+ - 00000000-0000-4000-8001-c00400000009 + 22222222-2222-4000-8000-c0040000000a 2015-01-01

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.

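Review bot: the new `party-uuid` value `22222222-2222-4000-8000-c0040000000a` looks like a dangling reference. A leveraged-authorization's party-uuid must resolve to a party declared in this SSP's own metadata, and under the legend revised in this same patch a leading `22222222` marks the second system's file, whereas every other party reference this patch rewrites (the member-of-organization and responsible-party values in the metadata hunks above) moves to the `11111111-2222-4000-8000-c004...` prefix. The old value `00000000-0000-4000-8001-c00400000009` was this SSP's own party (the one whose remark reads "Underlying service provider. Leveraged Authorization."); unless that party's uuid attribute was changed to the `22222222...` value (note the sequence also moves from `09` to `0a`), the reference will not resolve. Suggest `11111111-2222-4000-8000-c00400000009`, or whatever uuid the IaaS provider party now carries. A smaller point in the same hunk: the three remarks "If 'yes', describe the user authentication method.", "If 'no', explain why no user authentication is used." and "If 'not-applicable', attest that no users access the leveraged system." are mutually exclusive guidance; keep only the one matching the sample value so the example file shows a single valid state, and put the full yes/no/not-applicable guidance in the legend or documentation.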
@@ -650,12 +668,12 @@
- + [SAMPLE]Unix System Administrator - + - + admin-unix @@ -666,12 +684,12 @@ perform backups - + [SAMPLE]Client Administrator - + - + admin-client @@ -680,12 +698,12 @@ Create, modify and delete client applications - + [SAMPLE]Program Director - + - + information-system-security-officer isa-poc-local @@ -699,12 +717,12 @@ Approves access requests for administrative accounts. - + [SAMPLE]ISA POC - + - + isa-poc-remote isa-authorizing-official-remote @@ -715,7 +733,7 @@ - + This System

The entire system as depicted in the system authorization boundary

@@ -730,7 +748,7 @@ - + [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

@@ -738,9 +756,9 @@

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

- - - + + + @@ -749,16 +767,16 @@
- + [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

- - - + + + @@ -767,89 +785,117 @@
+ - + Name of Leveraged System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + + + + + + + + + + + + + + + + +
+ + + + + + + + Name of Interconnected System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ - + - + - - + - + + - - -
- + + Service Provided by Leveraged System

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + - +
- + [EXAMPLE]Authorized Connection Information System Name

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

- + - + - + - + - + - + - + - + - + - - + + - + - + @@ -860,26 +906,26 @@ - - - + + +

If "other", remarks are required. Optional otherwise.

- + - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008

Optional notes about this interconnection

@@ -891,78 +937,78 @@ - + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

- + - + - 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

COMMENTS: Provide other comments as needed.

- + [SAMPLE]Product

FUNCTION: Describe typical component function.

- - + + - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011

COMMENTS: Provide other comments as needed.

- + OS Sample

None

- +
- + Database Sample

None

- +
- + Appliance Sample

None

- - + + @@ -973,56 +1019,56 @@
- + [EXAMPLE]Policies

[EXAMPLE]component representing a collection of policies in appendix A.

- - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

- + [EXAMPLE]Procedures

[EXAMPLE]component representing a collection of procedures in appendix A.

- - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

@@ -1030,19 +1076,19 @@
- + [SAMPLE]Service Name

Describe the service

Describe the reason the service is needed. - - + + - + - + @@ -1052,44 +1098,44 @@

- + [EXAMPLE]Authorized Connection Information System Name

Briefly describe the interconnection.

- + - - - + + +

If "other", remarks are required. Optional otherwise.

- + - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008

Optional notes about this interconnection

- + IPv4 Production Subnet

IPv4 Production Subnet.

@@ -1099,7 +1145,7 @@
- + IPv4 Management Subnet

IPv4 Management Subnet.

@@ -1110,19 +1156,19 @@
- + Email Service

Email Service

- +
- +

Legacy Example (No implemented-component).

@@ -1145,8 +1191,8 @@ - - + +

If no, explain why. If yes, omit remarks field.

@@ -1164,14 +1210,14 @@

Optional, longer, formatted description.

- + - 00000000-0000-4000-8001-c00400000016 + 11111111-2222-4000-8000-c00400000016 - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

@@ -1180,7 +1226,7 @@

COMMENTS: Additional information about this item.

- +

Component Inventory Example

@@ -1204,21 +1250,21 @@

If no, explain why. If yes, omit remark.

- + - 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010 - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - +

COMMENTS: If needed, provide additional information about this inventory item.

- +

None.

@@ -1230,10 +1276,10 @@ - - + +
- +

None.

@@ -1244,10 +1290,10 @@ - - + +
- +

None.

@@ -1258,10 +1304,10 @@ - - + +
- +

None.

@@ -1276,9 +1322,9 @@

Asset wasn't running at time of scan.

- + - +

None.

@@ -1289,10 +1335,10 @@ - - + +
- +

None.

@@ -1307,9 +1353,9 @@

Asset wasn't running at time of scan.

- + - +

Email-Service

@@ -1320,8 +1366,8 @@ - - + +
@@ -1336,10 +1382,10 @@

This description field is required by OSCAL.

FedRAMP does not require any specific information here.

- - - - + + + + organization-defined personnel or roles @@ -1351,23 +1397,23 @@ at least annually - - + +

Describe how Part a is satisfied within the system.

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

In this case, a link must be provided to the policy.

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

- - + +

The specified component is the system itself.

Any control implementation response that can not be associated with another component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Identity Management and Access Control Policy.

@@ -1376,23 +1422,23 @@
- - + +

There

- +

Describe the plan to complete the implementation.

- +

Describe how this policy currently satisfies part a.

- +

Describe the plan for addressing the missing policy elements.

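Review bot: the remark near the top of this hunk consists of the single word "There". It is a pre-existing context line, but since the by-component entries around it are being re-keyed here, finish or remove that sentence so the example does not ship with an unfinished remark.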
@@ -1404,16 +1450,16 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

@@ -1421,28 +1467,28 @@
- - - + + +

Describe the plan to complete the implementation.

- - + +

Describe any customer-configured requirements for satisfying this control.

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1460,50 +1506,50 @@
- - + +

Describe how AC-2, part a is satisfied within this system.

This points to the "This System" component, and is used any time a more specific component reference is not available.

- +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001
- +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

- +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

In the context of the application component in satisfaction of AC-2, part a.

- 00000000-0000-4000-8001-c00400000005 + 11111111-2222-4000-8000-c00400000005
- +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

- 00000000-0000-4000-8001-c00400000005 + 11111111-2222-4000-8000-c00400000005
@@ -1514,11 +1560,11 @@

While the "this system" component is not explicitly required within every statement, it will typically be present.

- +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

- +

Optional description.

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

@@ -1527,7 +1573,7 @@

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

@@ -1539,21 +1585,21 @@
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1568,20 +1614,20 @@
- - + +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1589,36 +1635,36 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1633,21 +1679,21 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1655,38 +1701,38 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1701,20 +1747,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1722,36 +1768,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1766,20 +1812,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1787,34 +1833,34 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1829,20 +1875,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1850,36 +1896,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1894,20 +1940,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1915,36 +1961,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1959,20 +2005,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1980,36 +2026,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2024,20 +2070,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2045,36 +2091,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2089,20 +2135,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2110,36 +2156,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2154,20 +2200,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2175,36 +2221,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- + - + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2219,20 +2265,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2240,36 +2286,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2284,20 +2330,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2305,36 +2351,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2349,20 +2395,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2370,36 +2416,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2414,20 +2460,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2435,36 +2481,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2479,20 +2525,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2500,36 +2546,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2544,20 +2590,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2565,31 +2611,31 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + - - + + - 00000000-0000-4000-8001-c00400000018 + 11111111-2222-4000-8000-c00400000018 - - + +

Describe how the control is satisfied within the system.

DMARC is employed.

@@ -2608,21 +2654,21 @@
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2637,20 +2683,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2663,11 +2709,11 @@ - +

SSP Signature

- + 00000000 @@ -2682,9 +2728,9 @@
- + FedRAMP Applicable Laws and Regulations - + 00000000 @@ -2694,9 +2740,9 @@ - + FedRAMP Master Acronym and Glossary - + 00000000 @@ -2705,7 +2751,7 @@ - + Access Control Policy Title

AC Policy document

@@ -2722,7 +2768,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Policy Title

AT Policy document

@@ -2738,7 +2784,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Policy Title

AU Policy document

@@ -2754,7 +2800,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Policy Title

CA Policy document

@@ -2770,7 +2816,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Policy Title

CM Policy document

@@ -2786,7 +2832,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Policy Title

CP Policy document

@@ -2803,7 +2849,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Policy Title

IA Policy document

@@ -2819,7 +2865,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Policy Title

IR Policy document

@@ -2835,7 +2881,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Policy Title

MA Policy document

@@ -2851,7 +2897,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Policy Title

MP Policy document

@@ -2867,7 +2913,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Policy Title

PE Policy document

@@ -2883,7 +2929,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Policy Title

PL Policy document

@@ -2899,7 +2945,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Policy Title

PS Policy document

@@ -2915,7 +2961,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Policy Title

RA Policy document
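Review bot: "Risk Adjustment Policy Title" on the changed line of this hunk mislabels the RA control family; in NIST SP 800-53 RA is Risk Assessment, and the remark beneath it already reads "RA Policy document". Suggest "Risk Assessment Policy Title".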

@@ -2931,7 +2977,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Policy Title

SA Policy document

@@ -2947,7 +2993,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Policy Title

SC Policy document

@@ -2963,7 +3009,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Policy Title

SI Policy document

@@ -2979,7 +3025,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Policy Title

SR Policy document

@@ -2996,7 +3042,7 @@
- + Access Control Procedure Title

AC Procedure document

@@ -3012,7 +3058,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Procedure Title

AT Procedure document

@@ -3028,7 +3074,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Procedure Title

AU Procedure document

@@ -3044,7 +3090,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Procedure Title

CA Procedure document

@@ -3060,7 +3106,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Procedure Title

CM Procedure document

@@ -3076,7 +3122,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Procedure Title

CP Procedure document

@@ -3092,7 +3138,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Procedure Title

IA Procedure document

@@ -3108,7 +3154,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Procedure Title

IR Procedure document

@@ -3124,7 +3170,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Procedure Title

MA Procedure document

@@ -3140,7 +3186,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Procedure Title

MP Procedure document

@@ -3156,7 +3202,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Procedure Title

PE Procedure document

@@ -3172,7 +3218,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Procedure Title

PL Procedure document

@@ -3188,7 +3234,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Procedure Title

PS Procedure document

@@ -3204,7 +3250,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Procedure Title

RA Procedure document
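Review bot: same mislabel as the policy entry above: "Risk Adjustment Procedure Title" should read "Risk Assessment Procedure Title" to match the RA family name and the "RA Procedure document" remark below it.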

@@ -3220,7 +3266,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Procedure Title

SA Procedure document

@@ -3236,7 +3282,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Procedure Title

SC Procedure document

@@ -3252,7 +3298,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Procedure Title

SI Procedure document

@@ -3268,7 +3314,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Procedure Title

SR Procedure document

@@ -3285,7 +3331,7 @@
- + User's Guide

User's Guide

@@ -3303,7 +3349,7 @@ - + Document Title

Rules of Behavior

@@ -3320,7 +3366,7 @@
- + Document Title

Contingency Plan (CP)

@@ -3337,7 +3383,7 @@
- + Document Title

Configuration Management (CM) Plan

@@ -3354,7 +3400,7 @@
- + Document Title

Incident Response (IR) Plan

@@ -3375,7 +3421,7 @@ - + [SAMPLE] Laws and Regulations @@ -3388,7 +3434,7 @@ - + Document Title

Continuous Monitoring Plan

@@ -3405,7 +3451,7 @@
- + [SAMPLE]Plan of Actions and Milestones (POAM) @@ -3416,7 +3462,7 @@ - + Supply Chain Risk Management Plan

Supply Chain Risk Management Plan

@@ -3435,7 +3481,7 @@ - + [SAMPLE]Interconnection Security Agreement Title @@ -3445,12 +3491,12 @@ 00000000 - + FedRAMP Logo

FedRAMP Logo

- + 00000000 @@ -3458,7 +3504,7 @@

Must be present in a FedRAMP SSP.

- + CSP Logo

CSP Logo

@@ -3471,7 +3517,7 @@

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + 3PAO Logo

3PAO Logo

@@ -3485,7 +3531,7 @@
- + Boundary Diagram

The primary authorization boundary diagram.

@@ -3494,13 +3540,13 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000054"

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000054"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Network Diagram

The primary network diagram.
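Review bot: the remark in this hunk changes the expected link target from "#00000000-0000-4000-8001-c00100000054" to "#11111111-2222-4000-8000-c00100000054", but that remark is only documentation; the actual system-characteristics/authorization-boundary/diagram/link/@href needs to be updated to the same value in this commit, otherwise the reference dangles. The same check applies to the network diagram (…c00100000055) and data flow diagram (…c00100000056) entries in the two hunks that follow.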

@@ -3510,13 +3556,13 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000055"

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000055"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Data Flow Diagram

The primary data flow diagram.

@@ -3525,19 +3571,19 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000056"

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000056"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Separation of Duties Matrix

Separation of Duties Matrix

- + From 24a7caf48f7ee1d08cbfc5d0dfc867037544fae4 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 14 Nov 2024 00:39:08 -0500 Subject: [PATCH 06/52] WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid --- .../awesome-cloud/xml/AwesomeCloudSSP2.xml | 44 +- .../examples/UUIDs_for_Examples_Legend.md | 4 + .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1669 ++++++++++------- 3 files changed, 1007 insertions(+), 710 deletions(-) diff --git a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml index 9da0b5937..6f3b24487 100644 --- a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml +++ b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml @@ -146,25 +146,37 @@ - + +

+
- + +

+
- + +

+
- + +

+
- + +

+
- + +

+
@@ -272,7 +284,9 @@ The AwesomeCloud Software as a Service (SaaS) Solution - + +

+
@@ -659,7 +673,9 @@
- + +

+
@@ -737,19 +753,25 @@ Authorization Boundary Diagram - + +

+
Network Architecture Diagram - + +

+
Data Flow Diagram - + +

+
diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index 09280bc23..db71de47b 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md @@ -92,6 +92,10 @@ _Fields for other models to be added as we work with those models._ # Examples: +### "This System" + +Always `11111111-2222-4000-8000-009000000000` in its SSP. + ### Resource UUIDs diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 06a516636..6cd41764b 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,6 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -21,7 +21,7 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -162,6 +162,12 @@

Represents any customers of this system as may be necessary for assigning customer responsibility.

+ + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
[SAMPLE]Unix Administrator @@ -174,7 +180,19 @@

This is a sample role.

- + + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ CSP HQ
Suite 0000 @@ -187,7 +205,7 @@

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

- + Primary Data Center
2222 Main Street @@ -205,7 +223,7 @@

The type property must also have a class of "primary" or "alternate".

- + Secondary Data Center
3333 Small Road @@ -223,23 +241,23 @@

The type property must also have a class of "primary" or "alternate".

- + Cloud Service Provider (CSP) Name CSP Acronym/Short Name - - 11111111-2222-4000-8000-c00300000001 + + 11111111-2222-4000-8000-003000000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

- + Federal Risk and Authorization Management Program: Program Management Office FedRAMP PMO - - + + info@fedramp.gov
1800 F St. NW @@ -253,35 +271,35 @@

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

- + Federal Risk and Authorization Management Program: Joint Authorization Board FedRAMP JAB - +

This party entry must be present in a FedRAMP SSP.

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

- + External Organization External

Generic placeholder for any external organization.

- + Agency Name A.N.

Generic placeholder for an authorizing agency.

- + Name of Consulting Org NOCO - + poc@example.com
3333 Corporate Way @@ -291,15 +309,15 @@ US
- + [SAMPLE]Remote System Org Name - + [SAMPLE]ICA POC's Name person@ica.example.org 2025551212 - 11111111-2222-4000-8000-c00400000007 + 11111111-2222-4000-8000-004000000007 [SAMPLE]Example IaaS Provider @@ -308,16 +326,16 @@

Underlying service provider. Leveraged Authorization.

- + [SAMPLE]Person Name 1 name@example.com 2020000001 - 11111111-2222-4000-8000-c00300000001 - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 2 name@example.com @@ -329,9 +347,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001
- + [SAMPLE]Person Name 3 name@example.com @@ -343,9 +361,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 4 name@example.com @@ -357,9 +375,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 5 name@example.com @@ -371,9 +389,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 6 name@example.com @@ -385,9 +403,9 @@ 00000 US - 11111111-2222-4000-8000-c00400000004 + 11111111-2222-4000-8000-004000000004 - + [SAMPLE]Person Name 7 name@example.com @@ -399,95 +417,105 @@ 00000 US - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE] IT Department - + [SAMPLE]Security Team + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 -

Exactly one

+

Zero or more

- 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

Exactly one

- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - 11111111-2222-4000-8000-c00400000010 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011

One or more

- 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

Exactly one

- 11111111-2222-4000-8000-c00400000003 - 11111111-2222-4000-8000-c00400000015 + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015

One or more

- 11111111-2222-4000-8000-c00400000012 + 11111111-2222-4000-8000-004000000012

Exactly one

- 11111111-2222-4000-8000-c00400000013 + 11111111-2222-4000-8000-004000000013

Exactly one

- 11111111-2222-4000-8000-c00400000014 + 11111111-2222-4000-8000-004000000014

Exactly one

- 11111111-2222-4000-8000-c00400000015 + 11111111-2222-4000-8000-004000000015

Exactly one

- 11111111-2222-4000-8000-c00400000016 - -

Exactly one

-
-
- - 11111111-2222-4000-8000-c00400000002 + 11111111-2222-4000-8000-004000000016

Exactly one

- -

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

-

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.

-
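Review bot: at the end of this hunk the responsible-party entry for "11111111-2222-4000-8000-c00400000002" is removed together with its "Exactly one" remark and the two template-applicability remarks ("can be used for the FedRAMP Low, Moderate, and High baselines" and the LI-SaaS guidance note). If the removal is only a side effect of moving party UUIDs from the "c004…" to the "004…" scheme, the entry should come back as "11111111-2222-4000-8000-004000000002"; if it is intentional, the commit message should say why a role documented as "Exactly one" no longer has a party.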
+ @@ -533,7 +561,7 @@ - + Information Type Name

A description of the information.

@@ -586,11 +614,11 @@

A holistic, top-level explanation of the FedRAMP authorization boundary.

- +

A diagram-specific explanation.

- + Authorization Boundary Diagram
@@ -600,11 +628,11 @@

A holistic, top-level explanation of the network architecture.

- +

A diagram-specific explanation.

- + Network Diagram
@@ -614,42 +642,26 @@

A holistic, top-level explanation of the system's data flows.

- +

A diagram-specific explanation.

- + Data Flow Diagram
- - - - - - - - GovCloud - + + + + + + + AwesomeCloud Commercial(IaaS) + - - - - -

Describe the features used from Service A.

-

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

-
-
- - -

Describe the features used from Service B.

-

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

-
-
- - +

If 'yes', describe the user authentication method.
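Review bot: "AwesomeCloud Commercial(IaaS)" on the added line is missing the space before "(IaaS)". Also, the removed "Describe the features used from Service A/B" and "This service must be explicitly listed for this CSO on the FedRAMP Marketplace" remarks are not replaced here; the marketplace-listing guidance only reappears in the service component remarks later in this patch, so confirm nothing that described the leveraged features themselves was lost.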

@@ -657,169 +669,154 @@

If 'not-applicable', attest that no users access the leveraged system.

- - - 22222222-2222-4000-8000-c0040000000a + 11111111-2222-4000-8000-c0040000000a 2015-01-01 -

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.

-

The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.

+

Use one leveraged-authorization assembly for each underlying authorized cloud system or general support system (GSS).

+ - - [SAMPLE]Unix System Administrator - - - - + + General Users - admin-unix - - Full administrative access (root) - Add/remove users and hardware - install and configure software - OS updates, patches and hotfixes - perform backups - - - - [SAMPLE]Client Administrator - - - - - - admin-client - - Portal administration - Add/remove client users - Create, modify and delete client applications - - - - [SAMPLE]Program Director - - - - - - information-system-security-officer - isa-poc-local - isa-authorizing-official-local - - Administrative Access Approver - Approves access requests for administrative accounts. - - - Access Approver - Approves access requests for administrative accounts. - - - - [SAMPLE]ISA POC - - - - - - isa-poc-remote - isa-authorizing-official-remote - - External System Access Provider - Authorizes access to external interconnected system. - + +

The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5.

+
+ - - + + + This System

The entire system as depicted in the system authorization boundary

-

Email is employed

+

FedRAMP requires exactly one "this-system" component.

+

This is used in SSP control responses.

+ +

When applicable, components must specify services, ports, and protocols.

+

All components that use or implement encryption must reference a "validation" component.

+
- - - - - - - [SAMPLE]Cryptographic Module Name + + + + + Awesome Cloud PaaS -

Provide a description and any pertinent note regarding the use of this CM.

-

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

-

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - - - + + + + + +

For a leveraged authoriation, describe the information being transferred.

+
+
+ + + + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged authorization, this property must always be present to link this component to the leveraged authorization.

+
+
+ + +

For a leveraged system, this property must always be present with a value of "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 +
- - - [SAMPLE]Cryptographic Module Name + + + + + + Authorized Service Provided by Leveraged System -

Provide a description and any pertinent note regarding the use of this CM.

-

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

- - - - - - - - - + + + + +

This is a service provided by the leveraged system.

+

It is explicitly listed on the FedRAMP marketplace as being an authorized service.

+

As a result, this service includes both the "provided-by" link and the "leveraged-authorization-uuid" property.

+
- - + + - - - Name of Leveraged System + + Non-Authorized Service Provided by Leveraged System -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - - - - - - - - + + +

This is a service provided by the leveraged system.

+

It is NOT explicitly listed on the FedRAMP marketplace as being an authorized service.

+

As a result, this service still includes the "provided-by" link, but omits the "leveraged-authorization-uuid" property.

+
- + + + + + Service Provided by Leveraged System + +

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + +
+ + - - + Name of Interconnected System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.
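Review bot: the leveraged-authorization party-uuid at the top of this hunk is changed to "11111111-2222-4000-8000-c0040000000a", keeping the "c004" segment, while every other party UUID in this commit moves from "c004…" to "004…" (e.g. "11111111-2222-4000-8000-004000000010"); unless a party with exactly that "c0040000000a" UUID still exists in metadata, the reference will dangle. Also, "For a leveraged authoriation, describe the information being transferred." has a typo ("authorization"), and the "Non-Authorized Service Provided by Leveraged System" component carries both the "for their system" and "for their service" inherited-uuid remarks, which looks like a copy-paste leftover from the system component above it.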

@@ -846,23 +843,22 @@
- + Service Provided by Leveraged System

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + - - +
- + [EXAMPLE]Authorized Connection Information System Name @@ -913,31 +909,95 @@

If "other", remarks are required. Optional otherwise.

- + - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008

Optional notes about this interconnection

+ + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + - + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product Name

FUNCTION: Describe typical component function.
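Review bot: the added "[SAMPLE]Product Name" component in this hunk has the same title, the same "FUNCTION: Describe typical component function." description, the same responsible party "11111111-2222-4000-8000-004000000010" and the same COMMENTS remark as the existing "[SAMPLE]Product Name" component that immediately follows it. If it is meant to illustrate a different component type, give it a distinct title and say what differs; as written it reads as an accidental duplicate.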

@@ -948,16 +1008,18 @@ - + - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

COMMENTS: Provide other comments as needed.

- + + + [SAMPLE]Product

FUNCTION: Describe typical component function.

@@ -970,16 +1032,16 @@ - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011

COMMENTS: Provide other comments as needed.

- + OS Sample

None

@@ -990,7 +1052,7 @@
- + Database Sample

None

@@ -1001,7 +1063,7 @@
- + Appliance Sample

None

@@ -1019,123 +1081,332 @@
- - [EXAMPLE]Policies - -

[EXAMPLE]component representing a collection of policies in appendix A.

-
- - - - - - - - - - - - - - - - - + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ - -

Links to the components, attached as a resource in back-matter.

-
- - - [EXAMPLE]Procedures - -

[EXAMPLE]component representing a collection of procedures in appendix A.

-
- - - - - - - - - - - - - - - - - + + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ - -

Links to the components, attached as a resource in back-matter.

-
-
+
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and approved.

+
+ + +
- - - [SAMPLE]Service Name + + + AC Policy -

Describe the service

+

The Access Control Procedure governs how access is managed and approved.

- Describe the reason the service is needed. - - + - - - - - - - -

Section 10.2, Table 10-1. Ports, Protocols and Services

-

- SERVICES ARE NOW COMPONENTS WITH type='service' -

-
- - [EXAMPLE]Authorized Connection Information System Name + + AT Policy -

Briefly describe the interconnection.

+

The Awareness and Training Procedure governs how access is managed and approved.

- - - - - - - - - - - -

If "other", remarks are required. Optional otherwise.

-
-
- + + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and approved.

+
+ - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - -

Optional notes about this interconnection

-
- + + + + IPv4 Production Subnet

IPv4 Production Subnet.

@@ -1145,7 +1416,7 @@
- + IPv4 Management Subnet

IPv4 Management Subnet.

@@ -1156,19 +1427,19 @@
- + Email Service

Email Service

- +
- +

Legacy Example (No implemented-component).

@@ -1210,14 +1481,14 @@

Optional, longer, formatted description.

- + - 11111111-2222-4000-8000-c00400000016 + 11111111-2222-4000-8000-004000000016 - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

@@ -1226,7 +1497,7 @@

COMMENTS: Additional information about this item.

- +

Component Inventory Example

@@ -1252,19 +1523,19 @@ - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - +

COMMENTS: If needed, provide additional information about this inventory item.

- +

None.

@@ -1277,9 +1548,9 @@ - +
- +

None.

@@ -1291,9 +1562,9 @@ - +
- +

None.

@@ -1305,9 +1576,9 @@ - +
- +

None.

@@ -1322,9 +1593,9 @@

Asset wasn't running at time of scan.

- +
- +

None.

@@ -1336,9 +1607,9 @@ - +
- +

None.

@@ -1353,9 +1624,9 @@

Asset wasn't running at time of scan.

- +
- +

Email-Service

@@ -1367,7 +1638,7 @@ - +
@@ -1382,10 +1653,10 @@

This description field is required by OSCAL.

FedRAMP does not require any specific information here.

- + - - + + organization-defined personnel or roles @@ -1397,23 +1668,23 @@ at least annually - - + +

Describe how Part a is satisfied within the system.

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

In this case, a link must be provided to the policy.

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

- - + +

The specified component is the system itself.

Any control implementation response that can not be associated with another component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Identity Management and Access Control Policy.

@@ -1422,8 +1693,8 @@
- - + +

There

@@ -1434,7 +1705,7 @@
- +

Describe how this policy currently satisfies part a.

@@ -1450,16 +1721,16 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

@@ -1467,7 +1738,7 @@
- + @@ -1482,13 +1753,13 @@ - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1506,50 +1777,50 @@
- - + +

Describe how AC-2, part a is satisfied within this system.

This points to the "This System" component, and is used any time a more specific component reference is not available.

- +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001
- +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

- +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

In the context of the application component in satisfaction of AC-2, part a.

- 11111111-2222-4000-8000-c00400000005 + 11111111-2222-4000-8000-004000000005
- +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

- 11111111-2222-4000-8000-c00400000005 + 11111111-2222-4000-8000-004000000005
@@ -1560,11 +1831,11 @@

While the "this system" component is not explicitly required within every statement, it will typically be present.

- +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

- +

Optional description.

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

@@ -1573,7 +1844,7 @@

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

@@ -1585,7 +1856,7 @@
- + @@ -1593,13 +1864,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1614,20 +1885,20 @@
- - + +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1635,22 +1906,22 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

- + @@ -1658,13 +1929,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1679,21 +1950,21 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1701,24 +1972,24 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- + @@ -1726,13 +1997,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1747,20 +2018,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1768,22 +2039,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1791,13 +2062,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1812,20 +2083,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1833,22 +2104,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1857,10 +2128,10 @@ - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1875,20 +2146,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1896,22 +2167,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1919,13 +2190,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1940,20 +2211,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1961,22 +2232,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1984,13 +2255,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2005,20 +2276,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2026,22 +2297,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2049,13 +2320,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2070,20 +2341,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2091,22 +2362,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2114,13 +2385,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2135,20 +2406,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2156,22 +2427,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2179,13 +2450,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2200,20 +2471,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2221,22 +2492,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2245,12 +2516,12 @@ - + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2265,20 +2536,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2286,22 +2557,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2309,13 +2580,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2330,20 +2601,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2351,22 +2622,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2374,13 +2645,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2395,20 +2666,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2416,22 +2687,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2439,13 +2710,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2460,20 +2731,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2481,22 +2752,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2504,13 +2775,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2525,20 +2796,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2546,22 +2817,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2569,13 +2840,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2590,20 +2861,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2611,31 +2882,31 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + - 11111111-2222-4000-8000-c00400000018 + 11111111-2222-4000-8000-004000000018 - - + +

Describe how the control is satisfied within the system.

DMARC is employed.

@@ -2654,7 +2925,7 @@
- + @@ -2662,13 +2933,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2683,20 +2954,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2709,7 +2980,7 @@ - +

SSP Signature

@@ -2728,7 +2999,7 @@
- + FedRAMP Applicable Laws and Regulations @@ -2740,7 +3011,7 @@ - + FedRAMP Master Acronym and Glossary @@ -2751,7 +3022,7 @@ - + Access Control Policy Title

AC Policy document

@@ -2768,7 +3039,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Policy Title

AT Policy document

@@ -2784,7 +3055,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Policy Title

AU Policy document

@@ -2800,7 +3071,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Policy Title

CA Policy document
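Review bot: the CA back-matter resource in this hunk is titled `Security Assessment and Authorization Policy Title`, which is the Rev 4 family name, while the CA component added earlier in this patch describes itself as `The Assessment, Authorization, and Monitoring Policy ...`; align the resource title with the Rev 5 name used by the component it is linked from, and apply the same rename to the CA procedure resource later in the patch.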

@@ -2816,7 +3087,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Policy Title

CM Policy document

@@ -2832,7 +3103,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Policy Title

CP Policy document

@@ -2849,7 +3120,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Policy Title

IA Policy document

@@ -2865,7 +3136,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Policy Title

IR Policy document

@@ -2881,7 +3152,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Policy Title

MA Policy document

@@ -2897,7 +3168,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Policy Title

MP Policy document

@@ -2913,7 +3184,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Policy Title

PE Policy document

@@ -2929,7 +3200,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Policy Title

PL Policy document

@@ -2945,7 +3216,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Policy Title

PS Policy document

@@ -2961,7 +3232,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Policy Title

RA Policy document
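Review bot: the RA resource in this hunk is titled `Risk Adjustment Policy Title`, but RA is the Risk Assessment family, and the matching component earlier in this patch reads `The Risk Assessment Policy governs ...`; change the title to `Risk Assessment Policy Title` so the component and its linked resource agree (the `Risk Adjustment Procedure Title` resource later in the patch needs the same fix).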

@@ -2977,7 +3248,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Policy Title

SA Policy document

@@ -2993,7 +3264,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Policy Title

SC Policy document

@@ -3009,7 +3280,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Policy Title

SI Policy document

@@ -3025,7 +3296,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Policy Title

SR Policy document

@@ -3042,7 +3313,7 @@
- + Access Control Procedure Title

AC Procedure document

@@ -3058,7 +3329,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Procedure Title

AT Procedure document

@@ -3074,7 +3345,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Procedure Title

AU Procedure document

@@ -3090,7 +3361,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Procedure Title

CA Procedure document

@@ -3106,7 +3377,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Procedure Title

CM Procedure document

@@ -3122,7 +3393,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Procedure Title

CP Procedure document

@@ -3138,7 +3409,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Procedure Title

IA Procedure document

@@ -3154,7 +3425,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Procedure Title

IR Procedure document

@@ -3170,7 +3441,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Procedure Title

MA Procedure document

@@ -3186,7 +3457,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Procedure Title

MP Procedure document

@@ -3202,7 +3473,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Procedure Title

PE Procedure document

@@ -3218,7 +3489,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Procedure Title

PL Procedure document

@@ -3234,7 +3505,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Procedure Title

PS Procedure document

@@ -3250,7 +3521,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Procedure Title

RA Procedure document

@@ -3266,7 +3537,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Procedure Title

SA Procedure document

@@ -3282,7 +3553,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Procedure Title

SC Procedure document

@@ -3298,7 +3569,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Procedure Title

SI Procedure document

@@ -3314,7 +3585,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Procedure Title

SR Procedure document

@@ -3331,7 +3602,7 @@
- + User's Guide

User's Guide

@@ -3349,7 +3620,7 @@ - + Document Title

Rules of Behavior

@@ -3366,7 +3637,7 @@
- + Document Title

Contingency Plan (CP)

@@ -3383,7 +3654,7 @@
- + Document Title

Configuration Management (CM) Plan

@@ -3400,7 +3671,7 @@
- + Document Title

Incident Response (IR) Plan

@@ -3421,7 +3692,7 @@ - + [SAMPLE] Laws and Regulations @@ -3434,7 +3705,7 @@ - + Document Title

Continuous Monitoring Plan

@@ -3451,7 +3722,7 @@
- + [SAMPLE]Plan of Actions and Milestones (POAM) @@ -3462,7 +3733,7 @@ - + Supply Chain Risk Management Plan

Supply Chain Risk Management Plan

@@ -3481,7 +3752,7 @@ - + [SAMPLE]Interconnection Security Agreement Title @@ -3491,7 +3762,7 @@ 00000000 - + FedRAMP Logo

FedRAMP Logo

@@ -3504,7 +3775,7 @@

Must be present in a FedRAMP SSP.

- + CSP Logo

CSP Logo

@@ -3517,7 +3788,7 @@

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + 3PAO Logo

3PAO Logo

@@ -3531,7 +3802,7 @@
- + Boundary Diagram

The primary authorization boundary diagram.

@@ -3540,13 +3811,13 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000054"

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Network Diagram

The primary network diagram.

@@ -3556,13 +3827,13 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000055"

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Data Flow Diagram

The primary data flow diagram.

@@ -3571,14 +3842,14 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000056"

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Separation of Duties Matrix

Separation of Duties Matrix

From 7bdcf523336b64a6897e80bba482ffd4b2be9432 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 14 Nov 2024 19:33:22 -0500 Subject: [PATCH 07/52] Component WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 114 +++++++++--------- 1 file changed, 59 insertions(+), 55 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 6cd41764b..3cffdb406 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -686,8 +686,7 @@ - - + This System @@ -703,26 +702,28 @@ + + + - - - Awesome Cloud PaaS + Awesome Cloud IaaS (Leveraged Authorized System)

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- - + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+
+
-

For a leveraged authoriation, describe the information being transferred.

+

Describe the information being transferred in the @value field.

- -

System development information
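Review bot: the new title "Awesome Cloud IaaS (Leveraged Authorized System)" appends a qualifier that will not match the listing name on the FedRAMP Marketplace, which the component remarks added later in this series require ("exactly as it appears in the FedRAMP Marketplace"); keep the title to the Marketplace name and put "(Leveraged Authorized System)" in the description or remarks. Also, the retained remark "Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc" is missing its closing parenthesis.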

@@ -756,66 +757,72 @@ 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + +

Must have a "system" component for each FedRAMP Authorized System leveraged by this system as an underlying service provider.

+
- - - Authorized Service Provided by Leveraged System + Service A -

+

An authorized service provided by Awesome Cloud

+

Describe the service and what it is used for.

- +

This is a service provided by the leveraged system.

-

It is explicitly listed on the FedRAMP marketplace as being an authorized service.

-

As a result, this service includes both the "provided-by" link and the "leveraged-authorization-uuid" property.

+

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.

+

As a result, this service includes the "leveraged-authorization-uuid" property.

+

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

- - - - Non-Authorized Service Provided by Leveraged System + Service B -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

A non-authorized service provided by an authorized, leveraged system.

+

Describe the service and what it is used for.

- +

This is a service provided by the leveraged system.

-

It is NOT explicitly listed on the FedRAMP marketplace as being an authorized service.

-

As a result, this service still includes the "provided-by" link, but omits the "leveraged-authorization-uuid" property.

+

It is NOT explicitly listed on the FedRAMP marketplace as being within the scope of leveraged system's ATO.

+

As a result, the "leveraged-authorization-uuid" property must NOT be used.

+

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

- - - - Service Provided by Leveraged System + Service C -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

- - + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

+

All services require the "implementation-point" property. In this case, the property value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+
- - Name of Interconnected System @@ -823,41 +830,22 @@

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - -
- - - Service Provided by Leveraged System - -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

-
- -
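Review bot: with the leveraged-service block under "Name of Interconnected System" deleted by this hunk, the surviving context remark "Must include all leveraged services and features from the leveraged authorization here." is now attached to an interconnected system rather than a leveraged authorization and no longer makes sense there; remove it or replace it with the interconnection guidance (a "system" component paired with an "interconnection" component).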
- - [EXAMPLE]Authorized Connection Information System Name @@ -928,6 +916,22 @@ + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+
+ + +
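Review bot: Service D is introduced as "A service that exists within the authorization boundary." but the hunk carries no remark about its implementation-point, while the sibling services' remarks state that "All services require the "implementation-point" property"; say explicitly that an in-boundary service carries implementation-point "internal" and an operational status, and replace the "Describe the service and what it is used for." placeholder with a real description, since this file is meant to be the worked example.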
+ + + From 7c9384374aba2341c78f8bc92d60a0d5cf731a67 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 00:19:00 -0500 Subject: [PATCH 08/52] Ch 7 External WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 3cffdb406..7a55f0a63 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -186,6 +186,24 @@

Any internal users of a leveraged authorization.

+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external system.

+
+
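Review bot: the new role description "The highest level manager who responsible for an external system's operation on behalf of the System Owner." is missing "is" ("who is responsible"), and it copies the wording of the existing Information System Management POC role, which has the same error; fix both. The remarks should also say whether the three new external-system roles (owner, management POC, technical POC) are required for every external system component or only where an interconnection agreement exists, in the way the ICA roles already carry "Remove this role if there are no ICAs." guidance.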
Approver @@ -425,6 +443,12 @@ [SAMPLE]Security Team + + Leveraged Authorization User + + + + Name of Leveraged System A Provider @@ -752,6 +776,9 @@
+ + 11111111-2222-4000-8000-c0040000000a + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 @@ -773,6 +800,9 @@ + + 11111111-2222-4000-8000-c0040000000a +

This is a service provided by the leveraged system.

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.
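Review bot: the same value 11111111-2222-4000-8000-c0040000000a is inserted into both the leveraged system component and Service A in the two small hunks above, and the context remark states that Service A "includes the "leveraged-authorization-uuid" property" because it is in ATO scope. Since presence of this property is what asserts ATO coverage for a service, pair the example with a validation check that every leveraged-authorization-uuid value matches a leveraged-authorization/@uuid in the SSP and that the property is absent from services the remarks describe as non-authorized (Service B), so that a copy-paste of the property fails validation instead of silently claiming coverage.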

@@ -822,6 +852,62 @@
+ + + Other Cloud SaaS + +

+
+ + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+
+
+ + +

Describe the information being transferred in the @value field.

+
+
+ + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged system, this property must always be present with a value of "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+
+
+ + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

Each interconnection must be defined with both an "system" component and an "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+
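Review bot: the remarks attached to the new "Other Cloud SaaS" system component are copied from the leveraged-authorization component and are wrong for a non-leveraged external system: "For a leveraged system, this property must always be present with a value of "external".", "direct access to the leveraged system's SSP" and "Must include all leveraged services and features from the leveraged authorization here." all refer to a leveraged authorization this component does not have. Reword them for an external system (implementation-point "external", inherited-uuid only if the external system's owner supplies one, its services modelled as "service" components), and change "both an "system" component" to "a".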
+ + Name of Interconnected System @@ -916,6 +1002,23 @@ + + Management CLI + +

None

+
+ + + + + +

+
+
+ +
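Review bot: the "Management CLI" component ships with the description "None", which is a placeholder in a file meant to be the worked example; describe what the CLI is, who uses it and how it is reached, since an administrative interface is exactly where the existing "this-system" guidance applies ("When applicable, components must specify services, ports, and protocols." and "All components that use or implement encryption must reference a "validation" component.").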
+ + From d5f45947390d4ae124b1bb3d99c7f9eb3de86462 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 13:13:15 -0500 Subject: [PATCH 09/52] External system/service WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1687 ++++++++++++----- 1 file changed, 1162 insertions(+), 525 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 7a55f0a63..3aeae9b15 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,18 +1,20 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) - 2024-12-31T23:59:59Z - 2024-11-05T02:24:00Z - fedramp3.0.0-oscal1.1.4 - 1.1.2 + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.
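Review bot: the metadata lines reflowed in this hunk still carry a version string of "fedramp3.0.0-oscal1.1.4" next to an oscal-version of "1.1.2"; these disagree, and the component remarks added later in this same patch describe a provided-by link bug in "core OSCAL (versions <=1.1.2)", so the example should declare the single OSCAL version it is validated against and keep both fields consistent. Likewise, if the first timestamp is published and the second last-modified, a published date of 2024-12-31T23:59:59Z that is later than a last-modified of 2024-11-05T02:24:00Z should be corrected before this leaves WIP.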

@@ -21,7 +23,8 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -33,13 +36,16 @@ FedRAMP Program Management Office -

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

+

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

Prepared By -

The organization that prepared this SSP. If developed in-house, this is the CSP itself.

+

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

@@ -62,13 +68,15 @@ Information System Owner -

The individual within the CSP who is ultimately accountable for everything related to this system.

+

The individual within the CSP who is ultimately accountable for everything related to + this system.

Authorizing Official -

The individual or individuals who must grant this system an authorization to operate.

+

The individual or individuals who must grant this system an authorization to + operate.

@@ -80,7 +88,8 @@ Information System Management Point of Contact (POC) -

The highest level manager who responsible for system operation on behalf of the System Owner.

+

The highest level manager who responsible for system operation on behalf of the + System Owner.

@@ -99,13 +108,15 @@ System Information System Security Officer (or Equivalent) -

The individual accountable for the security posture of the system on behalf of the system owner.

+

The individual accountable for the security posture of the system on behalf of the + system owner.

Privacy Official's Point of Contact -

The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment.

+

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

@@ -126,7 +137,8 @@ ICA POC (Remote) -

The point of contact for an interconnection on behalf of this external system to which this system connects.

+

The point of contact for an interconnection on behalf of this external system to + which this system connects.

Remove this role if there are no ICAs.

@@ -135,7 +147,8 @@ ICA Signatory (Local) -

Responsible for signing an interconnection security agreement on behalf of this system.

+

Responsible for signing an interconnection security agreement on behalf of this + system.

Remove this role if there are no ICAs.

@@ -144,7 +157,8 @@ ICA Signatory (Remote) -

Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects.

+

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

Remove this role if there are no ICAs.

@@ -159,7 +173,8 @@ Customer -

Represents any customers of this system as may be necessary for assigning customer responsibility.

+

Represents any customers of this system as may be necessary for assigning customer + responsibility.

@@ -195,13 +210,15 @@ External System Management Point of Contact (POC) -

The highest level manager who responsible for an external system's operation on behalf of the System Owner.

+

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

External System Technical Point of Contact -

The individual or individuals leading the technical operation of an external system.

+

The individual or individuals leading the technical operation of an external + system.

@@ -220,7 +237,8 @@ 00000 -

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

@@ -267,7 +285,8 @@ 11111111-2222-4000-8000-003000000001

Replace sample CSP information.

-

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

@@ -286,7 +305,8 @@

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

@@ -295,7 +315,8 @@

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

@@ -446,9 +467,9 @@ Leveraged Authorization User - - - + + + Name of Leveraged System A Provider @@ -541,9 +562,11 @@ - + -

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

+

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

Must adjust accordingly for applicable baseline and revision.

@@ -555,8 +578,15 @@ System's Short Name or Acronym -

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering using a multi-tenant [insert based on the Deployment Model above] cloud computing environment. It is available to [Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)].

-

NOTE: Additional description, including the purpose and functions of this system may be added here. This includes any narrative text usually included in section 9.1 of the SSP.

+

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

NOTE: The description is expected to be at least 32 words in length.

@@ -568,7 +598,8 @@ -

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

+

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

@@ -576,7 +607,8 @@ - + @@ -676,14 +708,15 @@ - + - + AwesomeCloud Commercial(IaaS) - + @@ -696,33 +729,39 @@ 11111111-2222-4000-8000-c0040000000a 2015-01-01 -

Use one leveraged-authorization assembly for each underlying authorized cloud system or general support system (GSS).

+

Use one leveraged-authorization assembly for each underlying authorized cloud system + or general support system (GSS).

- + General Users -

The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5.

+

The user content is currently being investigated as it may no longer be necessary + under FedRAMP's adoption of Rev 5.

- - - + + + + + This System

The entire system as depicted in the system authorization boundary

FedRAMP requires exactly one "this-system" component.

-

This is used in SSP control responses.

+

This is used in SSP control responses and may be used in interconnection + linkages.

When applicable, components must specify services, ports, and protocols.

-

All components that use or implement encryption must reference a "validation" component.

+

All components that use or implement encryption must reference a "validation" + component.

@@ -730,50 +769,20 @@ - + + + Awesome Cloud IaaS (Leveraged Authorized System) -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

Briefly describe the leveraged system.

- - - -

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

-
-
- - -

Describe the information being transferred in the @value field.

-
-
- - -

System development information

-
-
- - -

System and network monitoring information

-
-
- - - -

For a leveraged authorization, this property must always be present to link this component to the leveraged authorization.

-
-
- - -

For a leveraged system, this property must always be present with a value of "external".

-
-
- - -

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

-
-
+ + + + + + @@ -785,86 +794,177 @@ 11111111-2222-4000-8000-004000000012 -

Must have a "system" component for each FedRAMP Authorized System leveraged by this system as an underlying service provider.

+

Each leveraged authorization must have:

+

a "leveraged-authorization" entry.

+

a "system" component (this component).

+

+

This component must always have:

+

- The name of the leveraged system in the title - exactly as it appears in the + FedRAMP Marketplace

+

- A "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry.

+

- An "implementation-point" property with a value of "external".

+

- A responsible-role with a role-id of "provider" and exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.

+

- A "nature-of-agreement" property with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- C.3.5.1 is System development information

+

- C.3.5.8 is System and network monitoring information

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

+

Create a separate "service" component for each service used from the leveraged + system.

+

- If the service is included in the ATO scope and listed on the FedRAMP marketplace, + use the "leveraged-authorization-uuid" property in the "service" component to link it + directly to the leveraged authorization.

+

- If the service is not included in the ATO scope or not listed on the FedRAMP + marketplace, the "leveraged-authorization-uuid" property must be omitted from the + "service" component.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorizationo assembly:

+

- Package ID, Authorization Type, Impact Level

- + Service A -

An authorized service provided by Awesome Cloud

+

An authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- + + + - - 11111111-2222-4000-8000-c0040000000a - -

This is a service provided by the leveraged system.

-

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.

-

As a result, this service includes the "leveraged-authorization-uuid" property.

-

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

This service is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO.

+

+

Each service used from a leveraged authorization must have:

+

- a "leveraged-authorization" entry.

+

- a "system" component linked to the leveraged-authorization entry.

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - exactly as it appears in the FedRAMP + Marketplace

+

- A "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry.

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

- + + + Service B -

A non-authorized service provided by an authorized, leveraged system.

+

An non-authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- + + + -

This is a service provided by the leveraged system.

-

It is NOT explicitly listed on the FedRAMP marketplace as being within the scope of leveraged system's ATO.

-

As a result, the "leveraged-authorization-uuid" property must NOT be used.

-

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

This service is provided by the leveraged system; however, it is NOT explicitly + listed on the FedRAMP marketplace as being included in the scope of this leveraged + system's ATO.

+

As a result, the "leveraged-authorization-uuid" property must NOT be present.

+

+

Each NON-authorized service used from a leveraged authorization must have:

+

- a "leveraged-authorization" entry.

+

- a "system" component linked to the leveraged-authorization entry.

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

- - - Service C - -

A service provided by an external system other than the leveraged system.

-

Describe the service and what it is used for.

-
- - - - -

This is a service provided by an external system other than the leveraged system.

-

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

-

All services require the "implementation-point" property. In this case, the property value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-
-
- - + + Other Cloud SaaS -

+

-

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, + etc

- +

Describe the information being transferred in the @value field.
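Review bot: the new component remarks in this hunk attribute the information type identifiers to the wrong publication: "the allowed values are the 800-63 information type identifiers" with "C.3.5.1 is System development information" and "C.3.5.8 is System and network monitoring information" are NIST SP 800-60 Volume II identifiers (800-63 is the digital identity guideline), and the error is repeated in the Service A and Service B remarks. Other points in the same remarks: the property is named "leveraged-authorization-uuid" but the text writes "leveraged authorization-uuid"; "exactly one or more party-uuid entries" is contradictory (say "one or more"); the rule "The name of the leveraged system in the title - exactly as it appears in the FedRAMP Marketplace" is violated by the example's own title "Awesome Cloud IaaS (Leveraged Authorized System)"; and there are typos in "proeprty's remarks to descibe", "leveraged-authorizationo assembly", "leveraged systeme" and "An non-authorized service". For the "IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link." lines, cite the upstream issue and state whether the provided-by link is actually present in this example, because a shipped example that fails the validator is a merge blocker. Finally, the Service B remark "The presence or absence of this property is how the authorization status of a service is indicated." makes a stray copy of leveraged-authorization-uuid silently assert ATO coverage; back it with a validation rule that the property value matches a leveraged-authorization/@uuid and that the service title matches the Marketplace listing.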

@@ -882,16 +982,18 @@ -

For a leveraged system, this property must always be present with a value of "external".

+

For a leveraged system, this property must always be present with a value of + "external".

-

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+

Include this property if available, such as through an OSCAL-based CRM, component + definition, or direct access to the leveraged system's SSP.

- + 11111111-2222-4000-8000-004000000010 @@ -902,18 +1004,35 @@ 11111111-2222-4000-8000-004000000012 -

Each interconnection must be defined with both an "system" component and an "interconnection" component.

-

Must include all leveraged services and features from the leveraged authorization here.

+

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

- - + Name of Interconnected System -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

@@ -922,7 +1041,8 @@ - + @@ -930,13 +1050,14 @@
- - + [EXAMPLE]Authorized Connection Information System Name -

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

+

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, + etc.).

@@ -947,23 +1068,30 @@ - + - + - + - + - - + + - + @@ -976,7 +1104,8 @@ - + @@ -1002,28 +1131,212 @@
- + + + + Other Cloud SaaS + +

+ + + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, + etc

+ +
+ + +

Describe the information being transferred in the @value field.

+
+
+ + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged system, this property must always be present with a value of + "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component + definition, or direct access to the leveraged system's SSP.

+
+
+ + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+
+ + + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+

- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+ + +

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+ + +

Link(s) to the vendor's web site describing the service are encouraged, but not + required..

+ + +
+
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+
+
+ + + Management CLI

None

- + -

+

- + - + Service D

A service that exists within the authorization boundary.
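Review bot: the rule "The presence or absence of this property is how the authorization status of a service is indicated" (for "leveraged-authorization-uuid") cannot hold as written, because the Service C guidance in the same hunk also omits that property for a service from a non-leveraged external system ("the "leveraged-authorization-uuid" property is not applicable and must NOT be used"), and the "provided-by" link that would otherwise tie a service to its system is explicitly deferred ("CURRENTLY DEFERRED DUE TO A KNOWN ISSUE"). With provided-by unavailable, a tool reading this SSP cannot distinguish an unauthorized service of the leveraged authorization from an ordinary external service, so authorization status cannot be derived from absence of the property; either name the interim discriminator or drop that sentence until provided-by is usable. Smaller points in the same hunk: the provided-by problem is described once as an error in "core OSCAL (versions <=1.1.2) constraints" and once as "a known bug in core OSCAL syntax", so pick one wording and reference the tracking issue; the illustrative fragment "#11111111-2222-4000-8000-009000100001" does not match the "11111111-2222-4000-8000-c0040000000a" link actually used a few lines above it; "Service C" is added twice with identical title and description, so if the second copy is meant as the minimal variant give it a distinct title; "exactly one or more party-uuid entries" is self-contradictory ("one or more"), "leveraged systeme" is a typo, the sentence ending "App License Agreement, Contract, etc" is truncated, and "set to "external." is missing its closing quote.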

@@ -1032,7 +1345,7 @@
- + @@ -1042,18 +1355,22 @@ [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

-

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

-

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).
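Review bot: the data-at-rest guidance asks for the encryption type and for "supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process)", but it never says where the validation itself is recorded; the inventory hunk later in this patch relies on a link[rel='validation'] reached through the component, so this description should state that the validation link belongs on the cryptographic module component rather than only in free-text notes, otherwise assessors have to take the FIPS claim on trust.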

- + - + @@ -1061,20 +1378,23 @@ [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

-

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

- + - + - + @@ -1083,7 +1403,7 @@ - + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

@@ -1103,8 +1423,8 @@

COMMENTS: Provide other comments as needed.

- - + + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

@@ -1148,7 +1468,7 @@

COMMENTS: Provide other comments as needed.

- + OS Sample

None

@@ -1159,7 +1479,7 @@
- + Database Sample

None

@@ -1170,14 +1490,15 @@
- + Appliance Sample

None

- + @@ -1203,7 +1524,7 @@ -
+
AU Policy @@ -1211,15 +1532,16 @@ - +
CA Policy -

The Assessment, Authorization, and Monitoring Policy governs how access is managed and approved.

+

The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

-
+
CM Policy @@ -1227,7 +1549,7 @@ - +
CP Policy @@ -1235,15 +1557,16 @@ - +
IA Policy -

The Identificaiton and Authentication Policy governs how access is managed and approved.

+

The Identificaiton and Authentication Policy governs how access is managed and + approved.

-
+ IR Policy @@ -1251,7 +1574,7 @@ - + MA Policy @@ -1259,7 +1582,7 @@ - + MP Policy @@ -1267,15 +1590,16 @@ - + PE Policy -

The Physical and Enviornmental Protection Policy governs how access is managed and approved.

+

The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

-
+ PL Policy @@ -1283,7 +1607,7 @@ - + PM Policy @@ -1291,7 +1615,7 @@ - + PS Policy @@ -1299,15 +1623,16 @@ - + PT Policy -

The PII Processing and Transparency Policy governs how access is managed and approved.

+

The PII Processing and Transparency Policy governs how access is managed and + approved.

-
+ RA Policy @@ -1315,39 +1640,43 @@ - + SA Policy -

The System and Services Acquisition Policy governs how access is managed and approved.

+

The System and Services Acquisition Policy governs how access is managed and + approved.

-
+ S3 Policy -

The System and Communication Protection Policy governs how access is managed and approved.

+

The System and Communication Protection Policy governs how access is managed and + approved.

-
+ SI Policy -

The System and Information Integrity Policy governs how access is managed and approved.

+

The System and Information Integrity Policy governs how access is managed and + approved.

-
+ SR Policy -

The Supply Chain Risk Management Policy governs how access is managed and approved.

+

The Supply Chain Risk Management Policy governs how access is managed and + approved.

-
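Review bot: the title "S3 Policy" (unchanged context in this hunk) is paired with "The System and Communication Protection Policy", so it should read "SC Policy" to match the family abbreviations used by the neighbouring SA, SI and SR components; since the description on the same component is being rewrapped here, fix the title in the same change. Every policy description in these hunks also reuses "governs how access is managed and approved", which only describes the access control policy; the SA, SC, SI and SR placeholders need family-appropriate wording.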
+ @@ -1365,31 +1694,34 @@ - + AU Policy -

The Audit and Accountability Procedure governs how access is managed and approved.

+

The Audit and Accountability Procedure governs how access is managed and + approved.

-
+ CA Policy -

The Assessment, Authorization, and Monitoring Procedure governs how access is managed and approved.

+

The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

-
+ CM Policy -

The Configuration Management Procedure governs how access is managed and approved.

+

The Configuration Management Procedure governs how access is managed and + approved.

-
+ CP Policy @@ -1397,15 +1729,16 @@ - + IA Policy -

The Identificaiton and Authentication Procedure governs how access is managed and approved.

+

The Identificaiton and Authentication Procedure governs how access is managed and + approved.

-
+ IR Policy @@ -1413,7 +1746,7 @@ - + MA Policy @@ -1421,7 +1754,7 @@ - + MP Policy @@ -1429,15 +1762,16 @@ - + PE Policy -

The Physical and Enviornmental Protection Procedure governs how access is managed and approved.

+

The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

-
+ PL Policy @@ -1445,7 +1779,7 @@ - + PM Policy @@ -1453,7 +1787,7 @@ - + PS Policy @@ -1461,15 +1795,16 @@ - + PT Policy -

The PII Processing and Transparency Procedure governs how access is managed and approved.

+

The PII Processing and Transparency Procedure governs how access is managed and + approved.

-
+ RA Policy @@ -1477,35 +1812,39 @@ - + SA Policy -

The System and Services Acquisition Procedure governs how access is managed and approved.

+

The System and Services Acquisition Procedure governs how access is managed and + approved.

-
+ S3 Policy -

The System and Communication Protection Procedure governs how access is managed and approved.

+

The System and Communication Protection Procedure governs how access is managed and + approved.

-
+ SI Policy -

The System and Information Integrity Procedure governs how access is managed and approved.

+

The System and Information Integrity Procedure governs how access is managed and + approved.

-
+ SR Policy -

The Supply Chain Risk Management Procedure governs how access is managed and approved.

+

The Supply Chain Risk Management Procedure governs how access is managed and + approved.

@@ -1534,7 +1873,7 @@
- + Email Service

Email Service

@@ -1597,7 +1936,9 @@ -

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

+

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

@@ -1655,7 +1996,8 @@ - + @@ -1669,7 +2011,8 @@ - + @@ -1683,7 +2026,8 @@ - + @@ -1700,7 +2044,8 @@

Asset wasn't running at time of scan.

- + @@ -1714,7 +2059,8 @@ - + @@ -1731,7 +2077,8 @@

Asset wasn't running at time of scan.

- + @@ -1745,7 +2092,8 @@ - + @@ -1776,47 +2124,58 @@ - +

Describe how Part a is satisfied within the system.

-

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

In this case, a link must be provided to the policy.

-

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

- +

The specified component is the system itself.

-

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

-

Component approach. This links to a component representing the Identity Management and Access Control Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +
- +

There

- +

Describe the plan to complete the implementation.

- +

Describe how this policy currently satisfies part a.

- +

Describe the plan for addressing the missing policy elements.
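Review bot: the by-component description that reads only "There" (context line in this hunk) is an unfinished sentence in the AC-1 sample; complete it or use the same "Describe how ..." placeholder style as the surrounding entries. In the rewrapped line "Any control implementation response that can not be associated with another + component", "can not" should be "cannot". The legacy-approach note says "a link must be provided to the policy" and that FedRAMP prefers the policy as a back-matter resource, but not which rel value that link must carry; say so, since tools checking AC-1 part a will key on it.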

@@ -1829,19 +2188,21 @@
- +

Describe how Part b-1 is satisfied.

- +
- +

Describe how Part b-2 is satisfied.

- +
@@ -1854,7 +2215,8 @@
- +

Describe any customer-configured requirements for satisfying this control.

@@ -1866,7 +2228,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -1885,21 +2248,27 @@
- +

Describe how AC-2, part a is satisfied within this system.

-

This points to the "This System" component, and is used any time a more specific component reference is not available.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

-

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

+

Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

- + -

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

-

Not associated with inheritance, thus associated this with the by-component for "this system".

+

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".
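Review bot: two rewrapped lines carry grammar errors worth fixing while they are being touched: "which may be inherited by a + leveraging systems" should be "by a leveraging system", and "Not associated with inheritance, thus associated this with the + by-component" should read "thus this is associated with the by-component".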

11111111-2222-4000-8000-004000000001 @@ -1907,24 +2276,31 @@
- + -

For the portion of the control satisfied by the application component of this system, describe how the control is met.

+

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

-

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

-

In the context of the application component in satisfaction of AC-2, part a.

+

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

11111111-2222-4000-8000-004000000005
- + -

Leveraging system's responsibilities with respect to inheriting this capability from this application.

-

In the context of the application component in satisfaction of AC-2, part a.

+

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

11111111-2222-4000-8000-004000000005 @@ -1933,30 +2309,44 @@

The component-uuid above points to the "this system" component.

-

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

-

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

-

While the "this system" component is not explicitly required within every statement, it will typically be present.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

- + -

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

+

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

- +

Optional description.

-

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

In the context of this component in satisfaction of AC-2, part a.

-

The provided-uuid links this to the same statement in the leveraged system's SSP.

-

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

-

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

-

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

-

Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

Tool developers should be mindful that
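Review bot: the context line "Tool developers should be mindful that" ends mid-sentence, so whatever caveat was meant to follow the new guidance "Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP" is missing; complete it. The same passage says the responsibility-uuid "may be linked directly, but is more commonly provided via an OSCAL-based CRM" without saying how a tool resolves that UUID when only the CRM is available; state the lookup order (CRM, then the leveraged SSP) so the responsibility-to-satisfied check is actually implementable.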

@@ -1977,7 +2367,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -1993,35 +2384,42 @@
- +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- +

Describe how Part b-1 is satisfied.

- +

Describe how Part b-2 is satisfied.

@@ -2042,7 +2440,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2058,39 +2457,49 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2110,7 +2519,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2126,37 +2536,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2175,7 +2595,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2191,37 +2612,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2238,7 +2669,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2254,37 +2686,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2303,7 +2745,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2319,37 +2762,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2368,7 +2821,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2384,37 +2838,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2433,7 +2897,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2449,37 +2914,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2498,7 +2973,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2514,37 +2990,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2563,7 +3049,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2579,37 +3066,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2628,7 +3125,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2644,37 +3142,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2693,7 +3201,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2709,37 +3218,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2758,7 +3277,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2774,37 +3294,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2823,7 +3353,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2839,37 +3370,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2888,7 +3429,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2904,37 +3446,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2953,7 +3505,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2969,37 +3522,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -3013,7 +3576,8 @@ 11111111-2222-4000-8000-004000000018 - +

Describe how the control is satisfied within the system.

DMARC is employed.

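Review bot: "DMARC is employed." is too thin an answer to "Describe how the control is satisfied within the system." to be assessable. State the enforcement policy in the published DMARC record (none, quarantine or reject), whether SPF and DKIM are configured and aligned for every sending domain, where aggregate and failure reports are delivered, and who reviews them; without those details an assessor cannot test the statement.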
@@ -3046,7 +3610,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -3062,23 +3627,29 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

@@ -3096,22 +3667,27 @@ 00000000 -

FedRAMP is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions.

+

FedRAMP is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

For now, FedRAMP recommends one of the following:

  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • -
  • Render the OSCAL SSP content as a printed page that is physically signed, scanned, and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
-

If your organization prefers another approach, please seek prior approval from the FedRAMP PMO.

+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

FedRAMP Applicable Laws and Regulations - + - 00000000 + 00000000

Must be present in a FedRAMP SAP.

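Review bot: the "FedRAMP Applicable Laws and Regulations" resource carries the remark "Must be present in a FedRAMP SAP." while this document is an SSP and the next resource ("FedRAMP Master Acronym and Glossary") says "Must be present in a FedRAMP SSP."; this looks like a carry-over from the SAP template and should read SSP. Two smaller points in the same hunk: "FedRAMP is formulating guidelines ... and welcome feedback" should be "welcomes", and for both signature options (signed PDF, or printed, signed and scanned page) it is worth stating that the signed rendering should record a hash of the OSCAL file it was rendered from, otherwise the signature cannot be tied to the specific OSCAL content it approves.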
@@ -3121,9 +3697,11 @@ FedRAMP Master Acronym and Glossary - + - 00000000 + 00000000

Must be present in a FedRAMP SSP.

@@ -3143,7 +3721,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

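Review bot: "May use rlink with a relative path, or embedded as base64." appears on every attachment resource but says nothing about integrity for the rlink case; with a relative path the attachment lives outside the reviewed document, so recommend including the rlink's hash element (with its algorithm) so the SSP binds to a specific version of the policy file and a silently replaced attachment is detectable. The same note applies to all the Policy and Procedure Attachment hunks that follow.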
@@ -3159,7 +3738,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3175,7 +3755,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3191,7 +3772,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3207,7 +3789,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3224,7 +3807,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3240,7 +3824,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3256,7 +3841,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3272,7 +3858,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3288,7 +3875,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3304,7 +3892,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3320,7 +3909,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3336,7 +3926,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3352,7 +3943,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3368,7 +3960,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3384,7 +3977,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3400,7 +3994,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3416,7 +4011,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3433,7 +4029,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3449,7 +4046,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3465,7 +4063,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3481,7 +4080,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3497,7 +4097,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3513,7 +4114,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3529,7 +4131,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3545,7 +4148,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3561,7 +4165,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3577,7 +4182,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3593,7 +4199,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3609,7 +4216,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3625,7 +4233,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3641,7 +4250,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3657,7 +4267,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3673,7 +4284,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3689,7 +4301,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3705,7 +4318,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3721,7 +4335,8 @@

Table 12-1 Attachments: User's Guide Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3740,7 +4355,8 @@ 00000000

Table 12-1 Attachments: Rules of Behavior (ROB)

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3757,7 +4373,8 @@ 00000000

Table 12-1 Attachments: Contingency Plan (CP) Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3774,7 +4391,8 @@ 00000000

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3791,7 +4409,8 @@ 00000000

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3825,7 +4444,8 @@ 00000000

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3853,7 +4473,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3890,9 +4511,11 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3903,9 +4526,11 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3918,10 +4543,14 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3934,10 +4563,14 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3949,10 +4582,13 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3968,7 +4604,8 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

From a13306df8d4ddccbf557ffef677ad2b189621876 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 17:00:00 -0500 Subject: [PATCH 10/52] Table 7.1 WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 235 +++++++++++------- 1 file changed, 142 insertions(+), 93 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 3aeae9b15..5016d98de 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -734,14 +734,9 @@ - - - General Users - -

The user content is currently being investigated as it may no longer be necessary - under FedRAMP's adoption of Rev 5.

+

The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.

@@ -769,6 +764,7 @@ + @@ -891,6 +887,7 @@ + @@ -901,8 +898,25 @@

Describe the service and what it is used for.

+ + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
@@ -920,6 +934,7 @@

- The name of the service in the title - preferably exactly as it appears on the vendor's web site

- An "implementation-point" property with a value of "external".

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

- A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

- Example: "#11111111-2222-4000-8000-009000100001"

@@ -979,7 +994,22 @@

System and network monitoring information

- + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+

For a leveraged system, this property must always be present with a value of @@ -994,6 +1024,9 @@ + + 33333333-2222-4000-8000-004000000001 + 11111111-2222-4000-8000-004000000010 @@ -1016,104 +1049,70 @@

For an external system, the "implementation-point" property must always be present with a value of "external".

-

Each interconnection must be defined with both an "system" component and an "interconnection" component.

Must include all leveraged services and features from the leveraged authorization here.

+ +

The risk associated with an external system must be quantified within the context of an interconnection, service, or cli, thus risk, impact, and mitigation properties are applied to those component types.

- Name of Interconnected System - -

If the leveraged system owner provides a UUID for their system (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

-

Must include all leveraged services and features from the leveraged authorization - here.

-
- - - - - - - - - - - - - - -
- - [EXAMPLE]Authorized Connection Information System Name

Describe the purpose of the external system/service; specifically, provide reasons - for connectivity (e.g., system monitoring, system alerting, download updates, - etc.).

+ for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

- - + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - +

If "other", remarks are required. Optional otherwise.

+ + + +

Either describe a risk associated with this interconnection, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + 44444444-2222-4000-8000-004000000001 + 11111111-2222-4000-8000-004000000008 @@ -1126,6 +1125,9 @@ 11111111-2222-4000-8000-004000000008 + + +

Optional notes about this interconnection

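Review bot: the new remark "The risk associated with an external system must be quantified within the context of an interconnection, service, or cli, thus risk, impact, and mitigation properties are applied to those component types." says "quantified", but the risk, impact and mitigation remarks added in this change only ask for a narrative description and a basis for a no-risk conclusion; either say "described" or spell out what a quantified value would look like, and capitalize "cli" as "CLI" since it names a component type. The same hunk drops "Each interconnection must be defined with both an "system" component and an "interconnection" component." without a replacement; if that pairing is still required, keep the sentence (as "a "system" component"). Also, the new example title "[EXAMPLE]Authorized Connection Information System Name" is missing a space after the bracket.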
@@ -1214,9 +1216,27 @@

Describe the service and what it is used for.

+ + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ @@ -1243,6 +1263,7 @@

This component must always have:

- The name of the service in the title - preferably exactly as it appears on the vendor's web site

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

- An "implementation-point" property with a value of "external".

- A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

@@ -1271,21 +1292,6 @@

- Nature of Agreement, CSP Name

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

- - -

All services require the "implementation-point" property. In this case, the property - value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known - bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

- - -

Link(s) to the vendor's web site describing the service are encouraged, but not - required..

- -
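Review bot: this hunk removes "All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time." while the guidance earlier in the same change lists "A "provided-by" link with a URI fragment that points to the UUID of the above "system" component." as something the component must always have. If the bug is fixed in the OSCAL version this example targets, say so in the commit message; if it is not, the "must always have" guidance describes an example that will not validate. The removed sentence "Link(s) to the vendor's web site describing the service are encouraged, but not required.." also had a doubled period; fix that wherever it is kept.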
@@ -1297,10 +1303,34 @@

Describe the service and what it is used for.

+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+

This is a service provided by an external system other than the leveraged system.

+ + + +

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+ + +

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

All services require the "implementation-point" property. In this case, the property @@ -1310,6 +1340,10 @@

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+ + + +
@@ -1321,8 +1355,23 @@ - + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+

From a53d3b7574e110a72e559f2278946e438068e254 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 19 Nov 2024 09:10:30 -0500 Subject: [PATCH 11/52] Table 7.1 examples WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 66 ++++++++++--------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 5016d98de..a1ee72d2e 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -843,7 +843,7 @@ - +

This service is explicitly listed on the FedRAMP marketplace as being included in the @@ -897,10 +897,11 @@

An non-authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- - - - + + + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -917,8 +918,8 @@

If there are one or more identified risks, describe any mitigating factors.

- - + +

This service is provided by the leveraged system; however, it is NOT explicitly listed on the FedRAMP marketplace as being included in the scope of this leveraged @@ -969,21 +970,10 @@ Other Cloud SaaS -

+

An external system to which this system shares an interconnection.

- - - -

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, - etc

-
-
- - -

Describe the information being transferred in the @value field.

-
-
+ +

System development information

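Review bot: the second hunk here removes the "Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc" and "Describe the information being transferred in the @value field." remarks from the external "system" component without saying where that information now lives; if it has moved to the interconnection component, say so in the surviving remark "An external system to which this system shares an interconnection." so assessors do not look for it on the system, and change "shares an interconnection" to "has an interconnection". In the preceding hunk, "An non-authorized service provided by the Awesome Cloud leveraged authorization." should read "A non-authorized service".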
@@ -1024,7 +1014,7 @@
- + 33333333-2222-4000-8000-004000000001 @@ -1068,13 +1058,13 @@ - - - + + + @@ -1083,7 +1073,7 @@ - +

If "other", remarks are required. Optional otherwise.

@@ -1107,7 +1097,8 @@
- + + @@ -1125,8 +1116,9 @@ 11111111-2222-4000-8000-004000000008 - - + + services +

Optional notes about this interconnection

@@ -1216,7 +1208,7 @@

Describe the service and what it is used for.

- + @@ -1238,7 +1230,7 @@ - + @@ -1302,7 +1294,8 @@

A service provided by an external system other than the leveraged system.

Describe the service and what it is used for.

- + +

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -1321,7 +1314,12 @@
+ + + Remote API Service + +

This is a service provided by an external system other than the leveraged system.

@@ -1354,6 +1352,9 @@

None

+ + + @@ -1377,6 +1378,7 @@

+ From d7743f09b6172df2afc174aa6fd95e15d6b603d4 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 08:02:03 -0500 Subject: [PATCH 12/52] Tables 6.1 and 7.1 WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 345 ++++++++++++------ 1 file changed, 240 insertions(+), 105 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index a1ee72d2e..2237334bf 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -717,15 +717,21 @@ AwesomeCloud Commercial(IaaS) - - - + -

If 'yes', describe the user authentication method.

-

If 'no', explain why no user authentication is used.

-

If 'not-applicable', attest that no users access the leveraged system.

+

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ 11111111-2222-4000-8000-c0040000000a 2015-01-01 @@ -739,7 +745,31 @@

The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.

- + + + + Add/Remove Admins + This can add and remove admins. + + + + + + add/remove non-privliged admins + + + + + + Manage services and components within the virtual cloud environment. + + + + + + Add and remove users from the virtual cloud environment. + + @@ -754,9 +784,8 @@ -

When applicable, components must specify services, ports, and protocols.

-

All components that use or implement encryption must reference a "validation" - component.

+

A FedRAMP SSP must always have exactly one component that represents the whole system. + It should be the only component with the "this-system" component type.

@@ -776,59 +805,102 @@ + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
- + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
- - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - 11111111-2222-4000-8000-004000000012 + + + -

Each leveraged authorization must have:

-

a "leveraged-authorization" entry.

-

a "system" component (this component).

-

-

This component must always have:

-

- The name of the leveraged system in the title - exactly as it appears in the - FedRAMP Marketplace

-

- A "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry.

-

- An "implementation-point" property with a value of "external".

-

- A responsible-role with a role-id of "provider" and exactly one party-uuid entry - that indicates which organization is the provider of this leveraged system.

-

- A "nature-of-agreement" property with an appropriate allowed value. If the value is - "other", use the proeprty's remarks to descibe the agreement.

-

- a status with a state value of "operational"

+

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment, which points to the "system" + component that represents the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • a "user-authentication" property/extension
  • +
  • A responsible-role with a role-id of "provider" and exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • A "nature-of-agreement" property with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • a status with a state value of "operational"
  • +

Where relevant, this component should also have:

-

- One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

-

- C.3.5.1 is System development information

-

- C.3.5.8 is System and network monitoring information

-

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

-

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

-

-

Create a separate "service" component for each service used from the leveraged - system.

-

- If the service is included in the ATO scope and listed on the FedRAMP marketplace, - use the "leveraged-authorization-uuid" property in the "service" component to link it - directly to the leveraged authorization.

-

- If the service is not included in the ATO scope or not listed on the FedRAMP - marketplace, the "leveraged-authorization-uuid" property must be omitted from the - "service" component.

+
    +
  • +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
      +
    • C.3.5.1 is System development information
    • +
    • C.3.5.8 is System and network monitoring information
    • +
  • +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +

-

The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorizationo assembly:

-

- Package ID, Authorization Type, Impact Level

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized services using a "service" component. + Both authorized and non-authorized service components are represented the same + in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property, while this + property must be excluded from the component of a + non-authorized service.
  • +
  • The component for a non-authorized service must include + properties/extensions to indicate if the service is still + suported, to cite other compliance programs the service may + have satisifed, and to identify any relevant + risks/impacts/mitigations.
  • +
  • Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other SSP content.
  • +
+

The components for both authorized and non-authorized services + must include a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")
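Review bot: in the @@ -776,59 +805,102 @@ hunk the requirements list for the "system" component that represents the leveraged system contains "a "provided-by" link with a URI fragment, which points to the "system" component that represents the leveraged system", which would make that component point at itself; the provided-by link belongs only in the "service" component lists later in this patch, so drop it here. In the same list, "; and" sits on the third of eight items, the "Where relevant" list repeats the bullet "One or more "information-type" properties, where the allowed values are the 800-63 information type identifiers." twice, and "exactly one or more party-uuid entries" is contradictory ("one or more" is what the text means). The added text also carries typos that will be copied into every SSP built from this example: "proeprty's remarks to descibe", "authorized userswith", "leveraged systeme", "servcie", "suported", "satisifed", "categoriation", "datails", a missing full stop after 'is considered a "non-authorized service"', "attest explain why authentication is not applicable" (keep either "attest" or "explain"), and the broken sentence "This can only be known if provided by the leveraged system. such as via an OSCAL-based CRM, component definition, or as a result to the leveraged system's OSCAL-based SSP." (remove the stray period and write "from the leveraged system's OSCAL-based SSP"). The last two wordings recur in later hunks of this patch.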

@@ -845,44 +917,46 @@ + + + + -

This service is explicitly listed on the FedRAMP marketplace as being included in the - scope of this leveraged system's ATO.

-

-

Each service used from a leveraged authorization must have:

-

- a "leveraged-authorization" entry.

-

- a "system" component linked to the leveraged-authorization entry.

-

- a "service" component (this component).

+

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

-

This component must always have:

-

- The name of the service in the title - exactly as it appears in the FedRAMP - Marketplace

-

- A "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry.

-

- An "implementation-point" property with a value of "external".

-

- A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

-

- Example: "#11111111-2222-4000-8000-009000100001"

-

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

-

- a status with a state value of "operational"

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +

Where relevant, this component should also have:

-

- One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

-

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly +

    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

    -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +

Link(s) to the vendor's web site describing the service are encouraged, but not required.

-

The following fields from the Leveraged Authorization Table are handled in the leveraged-authorization assembly:

-

- Package ID, Authorization Type, Impact Level

+
    +
  • Package ID, Authorization Type, Impact Level
  • +

The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

+ "system" component representing the leveraged system as a whole:

- Nature of Agreement, CSP Name
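Review bot: the @@ -845,44 +917,46 @@ hunk deletes "IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link." while keeping the "provided-by" link requirement it warned about; unless the validation error no longer occurs with the OSCAL version this example targets, keep the warning so that tool users do not mistake the false error for a defect in their SSP (the @@ -921,27 +1002,33 @@ hunk removes the same warning). The new description also ends in 'thus is considered an "Authorized Service.' with no closing quotation mark, and "authorized userswith a role-id of "leveraged-authorization-users" and exactly one or more party-uuid entries" needs a space after "users" and "one or more" without "exactly".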

@@ -900,6 +974,13 @@ + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
@@ -921,27 +1002,33 @@ -

This service is provided by the leveraged system; however, it is NOT explicitly - listed on the FedRAMP marketplace as being included in the scope of this leveraged - system's ATO.

-

As a result, the "leveraged-authorization-uuid" property must NOT be present.

+

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of this leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

-

Each NON-authorized service used from a leveraged authorization must have:

-

- a "leveraged-authorization" entry.

-

- a "system" component linked to the leveraged-authorization entry.

-

- a "service" component (this component).

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • One or more "risk" property/extension for each identified risk; or, + one "risk" property/extension that asserts there is no identified risk, + and provides a basis for that assertion.
  • +
  • +
  • +
  • +
  • +
  • +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

This component must always have:

-

- The name of the service in the title - preferably exactly as it appears on the - vendor's web site

-

- An "implementation-point" property with a value of "external".

-

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

-

- A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

-

- Example: "#11111111-2222-4000-8000-009000100001"

-

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

-

- a status with a state value of "operational"

-

+

Where relevant, this component should also have:

- One or more "information-type" properties, where the allowed values are the 800-63 information type identifiers.

@@ -1008,15 +1095,30 @@
-

Include this property if available, such as through an OSCAL-based CRM, component - definition, or direct access to the leveraged system's SSP.

+

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

- + 33333333-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-002000000010 + + + + + + 11111111-2222-4000-8000-002000000010 + + + + 11111111-2222-4000-8000-004000000010 @@ -1060,6 +1162,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
@@ -1164,8 +1273,9 @@ -

Include this property if available, such as through an OSCAL-based CRM, component - definition, or direct access to the leveraged system's SSP.

+

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

@@ -1210,6 +1320,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
@@ -1227,9 +1344,14 @@

If there are one or more identified risks, describe any mitigating factors.

-
- - + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
@@ -1296,6 +1418,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -1354,7 +1483,13 @@ - + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
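Review bot: in the @@ -717,15 +717,21 @@ hunk the remark "For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value." is added twice word for word for two different properties; each copy should name the field it applies to, so an SSP author reading the remark in isolation knows which value is still mandatory and which FedRAMP record is expected to replace it.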
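Review bot: in the @@ -739,7 +745,31 @@ hunk the added privilege "add/remove non-privliged admins" misspells "non-privileged" and is self-contradictory, since an administrator is by definition a privileged user; write the function actually granted (for example "Add and remove non-privileged users") and give "Add/Remove Admins" a description more specific than "This can add and remove admins." (which admin tier, on which interface), because these authorized-privilege entries are what an assessor uses to judge least privilege for the sample roles. The capitalisation of "Add/Remove Admins" versus "add/remove ..." is also inconsistent.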
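Review bot: the @@ -754,9 +784,8 @@ hunk removes the remark "All components that use or implement encryption must reference a "validation" component." in favour of the new "this-system" uniqueness rule; the two statements are unrelated, and the removed one is what ties encryption-using components to the "[SAMPLE]Cryptographic Module Name" validation components and their FIPS status notes elsewhere in this file, so keep both remarks or state in the commit message where the encryption requirement now lives.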
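Review bot: the @@ -921,27 +1002,33 @@ hunk leaves a run of empty bullet items after the "risk" bullet in the non-authorized service requirements list and keeps the heading "This component must always have:" after every item beneath it has been removed; delete the empty items and the orphaned heading, or, if the empty items were placeholders, fill them with the properties the leveraged-system remarks in this same patch promise for non-authorized services (whether the service is still supported, other compliance programs satisfied, and risks/impacts/mitigations) so that the two descriptions agree.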
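Review bot: the @@ -1008,15 +1095,30 @@ hunk (and likewise @@ -1164,8 +1273,9 @@ and @@ -1227,9 +1344,14 @@) replaces "Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP." with "This can only be known if provided by the leveraged system. such as via an OSCAL-based CRM, component definition, or as a result to the leveraged system's OSCAL-based SSP.", which is grammatically broken; if the point is that only the leveraged system's owner can supply the inherited value, put that sentence in front of the original wording rather than replacing it.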
From 8522fbe0320f14e61ff756aefb5dc3bfb1b51d35 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 12:07:39 -0500 Subject: [PATCH 13/52] Table 6.1 and 7.1 WIP --- .../rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 2237334bf..9101913a8 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -753,18 +753,21 @@ + add/remove non-privliged admins + Manage services and components within the virtual cloud environment. + Add and remove users from the virtual cloud environment. From 0f59992b97b8e0c1bb2d8f060a0f573356da30b3 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 14:41:13 -0500 Subject: [PATCH 14/52] example-ssp WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 3567 +++++++++++++++++ 1 file changed, 3567 insertions(+) create mode 100644 src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml new file mode 100644 index 000000000..ea6450d2c --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -0,0 +1,3567 @@ + + + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer responsibility.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 00000000-0000-4000-8001-c00400000001 + +

Replace sample CSP information.

+

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 00000000-0000-4000-8001-c00400000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00400000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 00000000-0000-4000-8001-c00400000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + 00000000-0000-4000-8001-c00400000001 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000001 + + + + 00000000-0000-4000-8001-c00400000010 + 00000000-0000-4000-8001-c00400000011 + +

One or more

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000003 + 00000000-0000-4000-8001-c00400000015 + +

One or more

+
+
+ + 00000000-0000-4000-8001-c00400000012 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000013 + +

Exactly one

+
+
+ + + 00000000-0000-4000-8001-c00400000014 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000015 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000016 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000002 + +

Exactly one

+
+
+ + 00000000-0000-4000-8001-c00400000003 + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.

+
+
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering using a multi-tenant [insert based on the Deployment Model above] cloud computing environment. It is available to [Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be added here. This includes any narrative text usually included in section 9.1 of the SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + + + + GovCloud + + + + + + + + + + 00000000-0000-4000-8001-c00400000009 + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.

+

The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.

+
+
+ + + + [SAMPLE]Unix System Administrator + + + + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + + + + + + admin-client + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + + + + + + information-system-security-officer + isa-poc-local + isa-authorizing-official-local + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + [SAMPLE]ISA POC + + + + + + isa-poc-remote + isa-authorizing-official-remote + + External System Access Provider + Authorizes access to external interconnected system. + + + + + + This System + +

The entire system as depicted in the system authorization boundary

+

Email is employed

+
+ +
+ + + + + + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + + + + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + + + + + + + + + + + + + + + + + + + +
+ + Service Provided by Leveraged System + +

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + + +
+ + + + + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + +

Optional notes about this interconnection

+
+
+ + + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 00000000-0000-4000-8001-c00400000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 00000000-0000-4000-8001-c00400000017 + + + 00000000-0000-4000-8001-c00400000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + +
+ + Database Sample + +

None

+
+ + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + [EXAMPLE]Policies + +

[EXAMPLE]component representing a collection of policies in appendix A.

+
+ + + + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

+
+
+ + + [EXAMPLE]Procedures + +

[EXAMPLE]component representing a collection of procedures in appendix A.

+
+ + + + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

+
+
+ + + + [SAMPLE]Service Name + +

Describe the service

+
+ Describe the reason the service is needed. + + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

+ SERVICES ARE NOW COMPONENTS WITH type='service' +

+
+
+ + [EXAMPLE]Authorized Connection Information System Name + +

Briefly describe the interconnection.

+
+ + + + + + + + + + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + + 00000000-0000-4000-8001-c00400000008 + + +

Optional notes about this interconnection

+
+
+ + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + +
+ + Email Service + +

Email Service

+
+ + + + +
+ + + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 00000000-0000-4000-8001-c00400000016 + + + 00000000-0000-4000-8001-c00400000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 00000000-0000-4000-8001-c00400000010 + + + 00000000-0000-4000-8001-c00400000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

+
+ + + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + 00000000-0000-4000-8001-c00400000010 + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the "This System" component, and is used any time a more specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the by-component for "this system".

+
+ + 00000000-0000-4000-8001-c00400000001 + +
+
+
+ + +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 00000000-0000-4000-8001-c00400000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 00000000-0000-4000-8001-c00400000005 + +
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not explicitly required within every statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

Describe how Part a is satisfied.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+
+
+ + + + + + + 00000000-0000-4000-8001-c00400000018 + + + + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + 00000000-0000-4000-8001-c00400000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + to include chief privacy and ISSO and/or similar role or designees + + + at least every 3 years + + + at least annually + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+
+
+
+
+ + + + + Resolution Resource + + + + + +

This "resolution resource" is used by FedRAMP as a local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for.

+
+
+ + + +

SSP Signature

+
+ + + + 00000000 + +

FedRAMP is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions.

+

For now, FedRAMP recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + + 00000000 + +

Must be present in a FedRAMP SAP.

+
+
+ + + + FedRAMP Master Acronym and Glossary + + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + + + [SAMPLE] Laws and Regulations + + + + Identification Number + + 00000000 + + + + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + [SAMPLE]Plan of Actions and Milestones (POAM) + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000054"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000055"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000056"

+

May use rlink with a relative path, or embedded as base64.

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+
+
+ + + Separation of Duties Matrix + +

Separation of Duties Matrix

+
+ + + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+
+
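Review bot: several control-family names in the policy and procedure resource titles of this back-matter hunk do not match SP 800-53 Rev 5: "Risk Adjustment Policy Title" and "Risk Adjustment Procedure Title" should read "Risk Assessment" (the RA family), "Supply Chain Risk Policy/Procedure Title" should be "Supply Chain Risk Management" (SR), "Security Assessment and Authorization" is "Assessment, Authorization, and Monitoring" (CA) in Rev 5, and "System and Service Acquisition" is "System and Services Acquisition" (SA). The Supply Chain Risk Management Plan resource also carries the remark "Table 12-1 Attachments: Procedure Attachment", copied from the procedure entries, where the sibling plan entries use the plan name (e.g. "Table 12-1 Attachments: Continuous Monitoring Plan Attachment"). Finally, the Rules of Behavior, Contingency Plan, Configuration Management Plan, Incident Response Plan and Continuous Monitoring Plan resources keep the bare placeholder title "Document Title" while the User's Guide and Supply Chain Risk Management Plan entries carry descriptive titles; give them descriptive placeholder titles or mark them as sample values as the "[SAMPLE]" entries do.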
From 939402be29ba217c7ff27e20854ffa511748795f Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 15:54:27 -0500 Subject: [PATCH 15/52] Example UUID Legend Creation --- .../examples/UUIDs_for_Examples_Legend.md | 139 ++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 src/content/rev5/examples/UUIDs_for_Examples_Legend.md diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md new file mode 100644 index 000000000..000404912 --- /dev/null +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md 
@@ -0,0 +1,139 @@ +# UUIDs for Examples + +Example content with UUIDs can be difficult to follow due to the long, intentionally-random naure of UUIDs. It is possible to craft UUID values that are treated as valid by OSCAL validation tools, yet are easier to follow for developers. + +# Example UUID Format + +OSCAL allows v4 or v5 UUIDs as defined in [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122). +Please note that UUID values are hexidecimal. Any digit may contain the numbers 0 - 9 and the lower-case letters a - f. + +The format used for examples is v4 compliant as follows: + +``` +00000000-0000-4000-80SS-MFFF0TT00### + ^ ^ +``` + +The first group of eight characters and the second group of four characters is always set to zeros (`00000000-0000-`) + +**^**: indicates a UUID v4 required digit. +- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. +- the first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. + + +`SS`: indicates whether the UUID is for the primary system represented in the example or another, external system. 
+ `01` = this system + `02` - `ff` = other systems + +`M`: The model being represented in the example (useful for when a POA&M or SAR points to content in an SSP) + `a` = catalog + `b` = profile + `c` = ssp + `d` = poam + `e` = sap + `f` = sar + `0` = component defintions + +`FFF`: Indicates the OSCAL field name associated with the UUID + +**Metadata and Back Matter ** +`000`=root +`001`=resource +`002`=prop +`003`=location +`004`=party +`005`=action + +**SSP** +`006`=information-type +`007`=diagram +`008`=user +`009`=component +`010`=protocol +`011`=inventory-item +`012`=implemented-requirement +`013`=statement +`014`=by-component +`015`=provided +`016`=responsibility +`017`=inherited +`018`=satisfied +`019`=leveraged-authorization + +_Fields for other models to be added as we work with those models._ + + +`TT`: Used to further distinguish a field that can have multiple types. + +**Component Types** (`TT`) +`0`=This System +`1`=System +`2`=Interconnection +`3`=Software +`4`=Hardware +`5`=Service +`6`=Policy +`7`=Physical +`8`=Process/Procedure +`9`=Plan +`10`=Guidance +`11`=Standard +`12`=Validation +`13`=Network + +**Enumeration** +`###`: A simple sequence number. (`001`, `002`, through `fff`) +- Start a new sequence for each system/model/field. + + +# Examples: + +In all example UUIDs, the first 18 digits are always: `00000000-0000-4000-80` + +### Resource UUIDs + +All parties in example SSP content use: +`00000000-0000-4000-8001-c00100000###`, where the first resource is `00000000-0000-4000-8001-c00100000001`, the second party is `00000000-0000-4000-8001-c00100000002`, etc. + + +Backmatter resources in an SSP will always appear as: +`00000000-0000-4000-8001-c00100000###` + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`001` indicates it is for a resource. 
+The final three digits are assigned in sequence to each resource. + +### Parties + +All parties in example SSP content use: +`00000000-0000-4000-8001-c00400000###`, where the first party is `00000000-0000-4000-8001-c00400000001`, the second party is `00000000-0000-4000-8001-c00400000002`, etc. + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`004` indicates it is for a party. +The final three digits are assigned in sequence to each party. + +### Components + +All components in example SSP content use: +`00000000-0000-4000-8001-c00900120###`, where the first resource is `00000000-0000-4000-8001-c00900080001`, the second party is `00000000-0000-4000-8001-c00900120002`, etc. + +Only the final 14 digits (`01-c00400000###`) are relevant. + +Looking just the relevant digits above: +`01` represents the primary system in the example. +`c` indicates this is in an SSP model. +`009` indicates it is for a component. +The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. + +`012` indicates the UUID is for a `validation` component +`008` indicates the UUID is for a `process-procedure` component + + From 20c578ea52866c7a48798f538dd449f4f0fe506b Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 8 Nov 2024 19:12:29 -0500 Subject: [PATCH 16/52] WIP --- .../rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index ea6450d2c..c9d83b72e 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml 
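Review bot: in the UUIDs_for_Examples_Legend.md hunk of PATCH 15/52, the format template and the worked examples disagree: `00000000-0000-4000-80SS-MFFF0TT00###` places a two-digit `TT` at positions 6-7 of the last group, but the component examples `c00900080001` and `c00900120002` put a three-digit type code (`008`, `012`) at positions 6-8, and the Component Types list mixes one-digit (`0` to `9`) and two-digit (`10` to `13`) values with no padding rule; pick one width (for instance a zero-padded three-digit type field) and regenerate the examples to match. The "Resource UUIDs" and "Components" sections are also copied from "Parties": both open with "All parties in example SSP content use", call the second entry "the second party", and state that the relevant digits are `01-c00400000###` (`004` = party) where the resource section needs `001` and the component section `009`. Spelling in the same hunk: "naure", "hexidecimal", "forth", "rquired", "bimary", "defintions".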
@@ -228,7 +228,7 @@ Cloud Service Provider (CSP) Name CSP Acronym/Short Name - 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00300000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.
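Review bot: the commit message "WIP" does not describe this change. The hunk at @@ -228,7 changes the UUID referenced from the CSP party from `00000000-0000-4000-8001-c00400000001` to `00000000-0000-4000-8001-c00300000001`, which per the legend introduced in PATCH 15/52 (`003` = location, `004` = party) turns a party reference into a location reference; say so in the message (e.g. "Point CSP location reference at the location UUID instead of the party UUID") and confirm that a location with UUID `00000000-0000-4000-8001-c00300000001` is actually defined in metadata, since the second hunk at @@ -314,7 makes the same substitution for the first sample person while leaving its `c00400000001` party reference in place.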

@@ -314,7 +314,7 @@ name@example.com 2020000001 - 00000000-0000-4000-8001-c00400000001 + 00000000-0000-4000-8001-c00300000001 00000000-0000-4000-8001-c00400000001 From 911164149d00e6ad76c86c1c85dc0b89b858e8dc Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sat, 9 Nov 2024 16:40:33 -0500 Subject: [PATCH 17/52] oscal-cli validation cleanup --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 48 +++++++------------ 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index c9d83b72e..bc25de1c3 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -483,18 +483,13 @@

Exactly one

- - 00000000-0000-4000-8001-c00400000003 - -

Exactly one

-
-
+

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.

- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

Must adjust accordingly for applicable baseline and revision.
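Review bot: the hunk at @@ -483,18 removes the responsible-party entry that referenced `00000000-0000-4000-8001-c00400000003` together with its "Exactly one" cardinality remark. Because "Exactly one" means the role in question must be assigned to precisely one party, the commit message should name the role that was dropped and why (a duplicate assignment, or a role that oscal-cli reports as invalid for an SSP); otherwise a "validation cleanup" can leave a required role with no party, which the FedRAMP constraints would flag again later. Also check that the surviving remark text ("This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines", "This example points to the FedRAMP Rev 5 Moderate baseline") still sits on the element that imports the baseline after the neighbouring elements were deleted.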

@@ -776,7 +771,7 @@ - + Name of Leveraged System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

@@ -799,7 +794,7 @@ - + @@ -811,7 +806,7 @@

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + @@ -1131,7 +1126,7 @@

Legacy Example (No implemented-component).

- + @@ -1189,7 +1184,7 @@

Component Inventory Example

- + @@ -1227,7 +1222,7 @@

None.

- + @@ -1242,7 +1237,7 @@

None.

- + @@ -1256,7 +1251,7 @@

None.

- + @@ -1270,7 +1265,7 @@

None.

- + @@ -1287,7 +1282,7 @@

None.

- + @@ -1301,7 +1296,7 @@

None.

- + @@ -1318,7 +1313,7 @@

Email-Service

- + @@ -1477,7 +1472,7 @@

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

@@ -1502,7 +1497,7 @@ 00000000-0000-4000-8001-c00400000005
- +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

@@ -2667,17 +2662,6 @@
- - - Resolution Resource - - - - - -

This "resolution resource" is used by FedRAMP as a local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for.

-
-
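Review bot: the hunk at @@ -2667,17 deletes the "Resolution Resource" back-matter entry whose own remark says it is "used by FedRAMP as a local, authoritative indicator of what version SSP (rev 4 or rev 5) this OSCAL document is for". If oscal-cli rejected this resource, the change should fix what fails validation on it (its props or link) rather than remove the indicator, or the commit message should cite the FedRAMP guidance stating that the resolution resource is no longer required for rev 5 content; as written, a validation cleanup silently removes the marker FedRAMP tooling uses to tell rev 4 and rev 5 documents apart.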
From e17dae5c53e152dcdc5abbec1cc00942fdb8ae83 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sun, 10 Nov 2024 23:49:15 -0500 Subject: [PATCH 18/52] Leveraged Authorization revisions --- .../examples/UUIDs_for_Examples_Legend.md | 162 +- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1306 +++++++++-------- 2 files changed, 755 insertions(+), 713 deletions(-) diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index 000404912..09280bc23 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md 
@@ -10,130 +10,126 @@ Please note that UUID values are hexidecimal. Any digit may contain the numbers The format used for examples is v4 compliant as follows: ``` -00000000-0000-4000-80SS-MFFF0TT00### - ^ ^ +00000000-0000-4000-8000-FFF0TTT00### + FILE MODEL ^ ^ FIELD SEQUENCE ``` -The first group of eight characters and the second group of four characters is always set to zeros (`00000000-0000-`) +**FILE**: The first grouping represents the OSCAL file. All digits are the same. +- If an example involves the SSP of two systems, the first system's SSP will use UUID values that starts with all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the second system will use UUID values that start with all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`) +- If an example involves a catalog and a profile, the catalog will use all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the prifle will use all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`). -**^**: indicates a UUID v4 required digit. -- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. -- the first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. + +**MODEL**: The second group of characters represents the model as follows: +- The values are as follows: + - `0000`: Catalog + - `1111`: Profile + - `2222`: SSP + - `3333`: Component Definition + - `4444`: SAP + - `5555`: SAR + - `6666`: POA&M +- - If an example involves the SSP of two systems, both SSPs will use UUID values that have all 2's in the second grouping (`11111111-2222-4000-8000-xxxxxxxxxxxx` and `22222222-2222-4000-8000-xxxxxxxxxxxx`) -`SS`: indicates whether the UUID is for the primary system represented in the example or another, external system. - `01` = this system - `02` - `ff` = other systems +**^**: indicates a UUID v4 required digit. +- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID. 
+- The first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`. +- We will always use `4000` for the third grouping. +- We will always use `8000` for the forth grouping. -`M`: The model being represented in the example (useful for when a POA&M or SAR points to content in an SSP) - `a` = catalog - `b` = profile - `c` = ssp - `d` = poam - `e` = sap - `f` = sar - `0` = component defintions -`FFF`: Indicates the OSCAL field name associated with the UUID +**FIELD**: `FFF`: Indicates the OSCAL field name associated with the UUID -**Metadata and Back Matter ** -`000`=root -`001`=resource -`002`=prop -`003`=location -`004`=party -`005`=action +**Metadata and Back Matter** +- `-0000`=root +- `-0010`=resource +- `-0020`=prop +- `-0030`=location +- `-0040`=party +- `-0050`=action **SSP** -`006`=information-type -`007`=diagram -`008`=user -`009`=component -`010`=protocol -`011`=inventory-item -`012`=implemented-requirement -`013`=statement -`014`=by-component -`015`=provided -`016`=responsibility -`017`=inherited -`018`=satisfied -`019`=leveraged-authorization +- `-0060`=information-type +- `-0070`=diagram +- `-0080`=user +- `-0090`=component +- `-0100`=protocol +- `-0110`=inventory-item +- `-0120`=implemented-requirement +- `-0130`=statement +- `-0140`=by-component +- `-0150`=provided +- `-0160`=responsibility +- `-0170`=inherited +- `-0180`=satisfied +- `-0190`=leveraged-authorization _Fields for other models to be added as we work with those models._ -`TT`: Used to further distinguish a field that can have multiple types. +- `TT`: Used to further distinguish a field that can have multiple types. It is optional and may be difficult to manage. Only use when this clarity is helpful or necessary. 
**Component Types** (`TT`) -`0`=This System -`1`=System -`2`=Interconnection -`3`=Software -`4`=Hardware -`5`=Service -`6`=Policy -`7`=Physical -`8`=Process/Procedure -`9`=Plan -`10`=Guidance -`11`=Standard -`12`=Validation -`13`=Network +- `0000`=This System +- `0010`=System +- `0020`=Interconnection +- `0030`=Software +- `0040`=Hardware +- `0050`=Service +- `0060`=Policy +- `0070`=Physical +- `0080`=Process/Procedure +- `0090`=Plan +- `0100`=Guidance +- `0110`=Standard +- `0120`=Validation +- `0130`=Network **Enumeration** -`###`: A simple sequence number. (`001`, `002`, through `fff`) +- `0###`: A simple sequence number. (`001`, `002`, through `fff`) - Start a new sequence for each system/model/field. # Examples: -In all example UUIDs, the first 18 digits are always: `00000000-0000-4000-80` ### Resource UUIDs All parties in example SSP content use: -`00000000-0000-4000-8001-c00100000###`, where the first resource is `00000000-0000-4000-8001-c00100000001`, the second party is `00000000-0000-4000-8001-c00100000002`, etc. +- `11111111-2222-4000-8001-001000000###`, where the first resource is `11111111-2222-4000-8001-001000000001`, the second party is `11111111-2222-4000-8001-001000000002`, etc. Backmatter resources in an SSP will always appear as: -`00000000-0000-4000-8001-c00100000###` +- `11111111-2222-4000-8001-001000000###` -Only the final 14 digits (`01-c00400000###`) are relevant. - -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`001` indicates it is for a resource. -The final three digits are assigned in sequence to each resource. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-0010` indicates it is for a resource. +- The final three digits are assigned in sequence to each resource. 
### Parties All parties in example SSP content use: -`00000000-0000-4000-8001-c00400000###`, where the first party is `00000000-0000-4000-8001-c00400000001`, the second party is `00000000-0000-4000-8001-c00400000002`, etc. - -Only the final 14 digits (`01-c00400000###`) are relevant. +- `11111111-2222-4000-8001-004000000###`, where the first party is `11111111-2222-4000-8001-004000000001`, the second party is `-004000000002`, etc. -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`004` indicates it is for a party. -The final three digits are assigned in sequence to each party. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `0040` indicates it is for a party. +- The final three digits are assigned in sequence to each party. ### Components All components in example SSP content use: -`00000000-0000-4000-8001-c00900120###`, where the first resource is `00000000-0000-4000-8001-c00900080001`, the second party is `00000000-0000-4000-8001-c00900120002`, etc. - -Only the final 14 digits (`01-c00400000###`) are relevant. +- `11111111-2222-4000-8001-0090TTT00###`, where the first resource is `11111111-2222-4000-8001-009000800001`, the second resource is `11111111-2222-4000-8001-009001200002`, etc. -Looking just the relevant digits above: -`01` represents the primary system in the example. -`c` indicates this is in an SSP model. -`009` indicates it is for a component. -The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. +Where: +- `11111111` represents the primary system in the example. +- `-2222` indicates this is in an SSP model. +- `-00900120` indicates it is for a component of type `validation`. 
+- `-00900080` indicates it is for a component of type `process-procedure` +- The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero. -`012` indicates the UUID is for a `validation` component -`008` indicates the UUID is for a `process-procedure` component diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index bc25de1c3..06a516636 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,6 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +
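Review bot: the revised UUIDs_for_Examples_Legend.md hunk contradicts itself on the fourth group: the rules say "We will always use `8000` for the forth grouping", yet every worked example uses `8001` (`11111111-2222-4000-8001-001000000###`, `11111111-2222-4000-8001-004000000###`, `11111111-2222-4000-8001-0090TTT00###`), and the SSP hunks in this same patch use `8000`. The field and type lists also show four-digit codes (`-0010`, `-0040`, `0080`, `0120`) against the three-digit `FFF` and `TTT` of the template `FFF0TTT00###`; state explicitly that the extra digit is the template's fixed `0`, or list the three-digit codes. The "Resource UUIDs" section still opens with "All parties in example SSP content use" and calls the second resource "the second party", and the "- - If an example involves the SSP of two systems, both SSPs ..." bullet has a doubled list marker. Spelling: "prifle", "forth", "rquired", "bimary", and "hexidecimal" in the unchanged context.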

Initial publication.

@@ -21,7 +21,7 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -174,7 +174,7 @@

This is a sample role.

- + CSP HQ
Suite 0000 @@ -187,7 +187,7 @@

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

- + Primary Data Center
2222 Main Street @@ -205,7 +205,7 @@

The type property must also have a class of "primary" or "alternate".

- + Secondary Data Center
3333 Small Road @@ -223,23 +223,23 @@

The type property must also have a class of "primary" or "alternate".

- + Cloud Service Provider (CSP) Name CSP Acronym/Short Name - - 00000000-0000-4000-8001-c00300000001 + + 11111111-2222-4000-8000-c00300000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

- + Federal Risk and Authorization Management Program: Program Management Office FedRAMP PMO - - - + + + info@fedramp.gov
1800 F St. NW @@ -253,35 +253,35 @@

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

- + Federal Risk and Authorization Management Program: Joint Authorization Board FedRAMP JAB - +

This party entry must be present in a FedRAMP SSP.

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

- + External Organization External

Generic placeholder for any external organization.

- + Agency Name A.N.

Generic placeholder for an authorizing agency.

- + Name of Consulting Org NOCO - + poc@example.com
3333 Corporate Way @@ -291,33 +291,33 @@ US
- + [SAMPLE]Remote System Org Name - + [SAMPLE]ICA POC's Name person@ica.example.org 2025551212 - 00000000-0000-4000-8001-c00400000007 + 11111111-2222-4000-8000-c00400000007 - + [SAMPLE]Example IaaS Provider E.I.P.

Underlying service provider. Leveraged Authorization.

- + [SAMPLE]Person Name 1 name@example.com 2020000001 - 00000000-0000-4000-8001-c00300000001 - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00300000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 2 name@example.com @@ -329,9 +329,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001
- + [SAMPLE]Person Name 3 name@example.com @@ -343,9 +343,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 4 name@example.com @@ -357,9 +357,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 5 name@example.com @@ -371,9 +371,9 @@ 00000 US
- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE]Person Name 6 name@example.com @@ -385,9 +385,9 @@ 00000 US - 00000000-0000-4000-8001-c00400000004 + 11111111-2222-4000-8000-c00400000004 - + [SAMPLE]Person Name 7 name@example.com @@ -399,86 +399,86 @@ 00000 US - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - + [SAMPLE] IT Department - + [SAMPLE]Security Team - 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001

Exactly one

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

Exactly one

- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001 - 00000000-0000-4000-8001-c00400000010 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-c00400000011

One or more

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

Exactly one

- 00000000-0000-4000-8001-c00400000003 - 00000000-0000-4000-8001-c00400000015 + 11111111-2222-4000-8000-c00400000003 + 11111111-2222-4000-8000-c00400000015

One or more

- 00000000-0000-4000-8001-c00400000012 + 11111111-2222-4000-8000-c00400000012

Exactly one

- 00000000-0000-4000-8001-c00400000013 + 11111111-2222-4000-8000-c00400000013

Exactly one

- 00000000-0000-4000-8001-c00400000014 + 11111111-2222-4000-8000-c00400000014

Exactly one

- 00000000-0000-4000-8001-c00400000015 + 11111111-2222-4000-8000-c00400000015

Exactly one

- 00000000-0000-4000-8001-c00400000016 + 11111111-2222-4000-8000-c00400000016

Exactly one

- 00000000-0000-4000-8001-c00400000002 + 11111111-2222-4000-8000-c00400000002

Exactly one
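Review bot: the responsible-party references rewritten in the hunk at @@ -399,86 (`11111111-2222-4000-8000-c00400000001`, `11111111-2222-4000-8000-c00400000010`, `11111111-2222-4000-8000-c00400000011`, and so on) only half-adopt the legend revised in this same patch: the first two groups follow the new scheme (`11111111` for the first system's file, `2222` for the SSP model), but the last group keeps the old `c` model letter plus a three-digit field code, whereas the legend now defines party UUIDs as `11111111-2222-4000-8001-004000000###`. Either regenerate these as `11111111-2222-4000-8000-004000000001` etc. (settling the `8000` versus `8001` question in the legend at the same time), or document the transitional form in the legend. The same applies to the location reference `11111111-2222-4000-8000-c00300000001` in the hunk at @@ -223,23 and to the person entries in the hunks from @@ -291,33 through @@ -385,9.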

@@ -498,7 +498,7 @@ - F00000000 + F00000000 System's Full Name System's Short Name or Acronym @@ -524,16 +524,16 @@ - + - + fips-199-moderate - + Information Type Name

A description of the information.

@@ -586,11 +586,11 @@

A holistic, top-level explanation of the FedRAMP authorization boundary.

- +

A diagram-specific explanation.

- + Authorization Boundary Diagram
@@ -600,11 +600,11 @@

A holistic, top-level explanation of the network architecture.

- +

A diagram-specific explanation.

- + Network Diagram
@@ -614,34 +614,52 @@

A holistic, top-level explanation of the system's data flows.

- +

A diagram-specific explanation.

- + Data Flow Diagram
- - - - + + + + - + GovCloud - - - - + + - - - + + + +

Describe the features used from Service A.

+

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

+
+
+ + +

Describe the features used from Service B.

+

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

+
+
+ + + + +

If 'yes', describe the user authentication method.

+

If 'no', explain why no user authentication is used.

+

If 'not-applicable', attest that no users access the leveraged system.

+
+
+ - 00000000-0000-4000-8001-c00400000009 + 22222222-2222-4000-8000-c0040000000a 2015-01-01

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.
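Review bot: in the hunk at @@ -614,34 the leveraged-authorization party reference changes from `00000000-0000-4000-8001-c00400000009` to `22222222-2222-4000-8000-c0040000000a`. The legend in this patch reserves the `22222222` prefix for the second system's own OSCAL file, but a party reference here must resolve to a party defined in this SSP's metadata, where the provider appears as the `[SAMPLE]Example IaaS Provider` party in the hunk at @@ -291,33; the reference should therefore carry this file's `11111111` prefix, and since the sequence number also moved from `009` to `00a`, please confirm the target is still the IaaS provider and not the next party in the list. The added remarks for Service A and Service B ("This service must be explicitly listed for this CSO on the FedRAMP Marketplace.") and the user-authentication guidance ("If 'yes' ... If 'no' ... If 'not-applicable' ...") read well and match the rest of the example.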

@@ -650,12 +668,12 @@
- + [SAMPLE]Unix System Administrator - + - + admin-unix @@ -666,12 +684,12 @@ perform backups - + [SAMPLE]Client Administrator - + - + admin-client @@ -680,12 +698,12 @@ Create, modify and delete client applications - + [SAMPLE]Program Director - + - + information-system-security-officer isa-poc-local @@ -699,12 +717,12 @@ Approves access requests for administrative accounts. - + [SAMPLE]ISA POC - + - + isa-poc-remote isa-authorizing-official-remote @@ -715,7 +733,7 @@ - + This System

The entire system as depicted in the system authorization boundary

@@ -730,7 +748,7 @@ - + [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

@@ -738,9 +756,9 @@

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

- - - + + + @@ -749,16 +767,16 @@
- + [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

- - - + + + @@ -767,89 +785,117 @@
+ - + Name of Leveraged System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + + + + + + + + + + + + + + + + +
+ + + + + + + + Name of Interconnected System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ - + - + - - + - + + - - -
- + + Service Provided by Leveraged System

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + - +
- + [EXAMPLE]Authorized Connection Information System Name

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).
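Review bot: the remarks under the new "Name of Interconnected System" component are copied verbatim from the "Name of Leveraged System" component just above ("If the leveraged system owner provides a UUID for their system ... inherited-uuid property" and "Must include all leveraged services and features from the leveraged authorization here."). An interconnection is not a leveraged authorization, so inherited-uuid and leveraged-services guidance is misleading there; replace it with interconnection-specific guidance (what data is exchanged, in which direction, and which ISA resource the connection is tied to) or drop the remarks. Separately, the "Must include all leveraged services and features ..." sentence now appears on both the leveraged system and the "Service Provided by Leveraged System" component; keep it once, at the system level, so readers do not look for a per-service list that does not exist.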

- + - + - + - + - + - + - + - + - + - - + + - + - + @@ -860,26 +906,26 @@ - - - + + +

If "other", remarks are required. Optional otherwise.

- + - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008

Optional notes about this interconnection
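Review bot: the four references under "[EXAMPLE]Authorized Connection Information System Name" all resolve to the same identifier, "11111111-2222-4000-8000-c00400000008" (previously "00000000-0000-4000-8001-c00400000008"). If they represent four distinct relationships, an example that points each at a distinct target teaches more than one that reuses a single UUID; if one party genuinely fills every role, say so in the "Optional notes about this interconnection" remark so readers do not assume the duplication is required. The second "[EXAMPLE]Authorized Connection Information System Name" block further down repeats the same pattern.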

@@ -891,78 +937,78 @@ - + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

- + - + - 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010

COMMENTS: Provide other comments as needed.

- + [SAMPLE]Product

FUNCTION: Describe typical component function.

- - + + - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011

COMMENTS: Provide other comments as needed.

- + OS Sample

None

- +
- + Database Sample

None

- +
- + Appliance Sample

None

- - + + @@ -973,56 +1019,56 @@
- + [EXAMPLE]Policies

[EXAMPLE]component representing a collection of policies in appendix A.

- - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

- + [EXAMPLE]Procedures

[EXAMPLE]component representing a collection of procedures in appendix A.

- - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +

Links to the components, attached as a resource in back-matter.

@@ -1030,19 +1076,19 @@
- + [SAMPLE]Service Name

Describe the service

Describe the reason the service is needed. - - + + - + - + @@ -1052,44 +1098,44 @@

- + [EXAMPLE]Authorized Connection Information System Name

Briefly describe the interconnection.

- + - - - + + +

If "other", remarks are required. Optional otherwise.

- + - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008 - 00000000-0000-4000-8001-c00400000008 + 11111111-2222-4000-8000-c00400000008

Optional notes about this interconnection

- + IPv4 Production Subnet

IPv4 Production Subnet.

@@ -1099,7 +1145,7 @@
- + IPv4 Management Subnet

IPv4 Management Subnet.

@@ -1110,19 +1156,19 @@
- + Email Service

Email Service

- +
- +

Legacy Example (No implemented-component).

@@ -1145,8 +1191,8 @@ - - + +

If no, explain why. If yes, omit remarks field.

@@ -1164,14 +1210,14 @@

Optional, longer, formatted description.

- + - 00000000-0000-4000-8001-c00400000016 + 11111111-2222-4000-8000-c00400000016 - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.
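Review bot: the remark "This links to a FIPS 140-2 validated software component ..." names only FIPS 140-2. CMVP now issues FIPS 140-3 certificates and plans to move 140-2 certificates to the historical list, which the earlier cryptographic-module remark ("FIPS status (e.g. historical)") already anticipates; wording it "FIPS 140-2 or 140-3 validated" keeps the example from reading as if only 140-2 qualifies. The phrase "preferable to the link[rel='validation'] example above" also relies on the reader locating that other example; name the inventory item or component it lives in.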

@@ -1180,7 +1226,7 @@

COMMENTS: Additional information about this item.

- +

Component Inventory Example

@@ -1204,21 +1250,21 @@

If no, explain why. If yes, omit remark.

- + - 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010 - 00000000-0000-4000-8001-c00400000017 + 11111111-2222-4000-8000-c00400000017 - +

COMMENTS: If needed, provide additional information about this inventory item.

- +

None.

@@ -1230,10 +1276,10 @@ - - + +
- +

None.

@@ -1244,10 +1290,10 @@ - - + +
- +

None.

@@ -1258,10 +1304,10 @@ - - + +
- +

None.

@@ -1276,9 +1322,9 @@

Asset wasn't running at time of scan.

- + - +

None.

@@ -1289,10 +1335,10 @@ - - + +
- +

None.

@@ -1307,9 +1353,9 @@

Asset wasn't running at time of scan.

- + - +

Email-Service

@@ -1320,8 +1366,8 @@ - - + +
@@ -1336,10 +1382,10 @@

This description field is required by OSCAL.

FedRAMP does not require any specific information here.

- - - - + + + + organization-defined personnel or roles @@ -1351,23 +1397,23 @@ at least annually - - + +

Describe how Part a is satisfied within the system.

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

In this case, a link must be provided to the policy.

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

- - + +

The specified component is the system itself.

Any control implementation response that can not be associated with another component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Identity Management and Access Control Policy.

@@ -1376,23 +1422,23 @@
- - + +

There

- +

Describe the plan to complete the implementation.

- +

Describe how this policy currently satisfies part a.

- +

Describe the plan for addressing the missing policy elements.
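Review bot: the remark that consists of the single word "There" (just before "Describe the plan to complete the implementation.") is a truncated placeholder. Either finish it to match the neighbouring pair ("Describe how this policy currently satisfies part a." / "Describe the plan for addressing the missing policy elements.") or remove the element; CSPs copy these examples verbatim, and an orphaned "There" will end up in real SSPs.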

@@ -1404,16 +1450,16 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

@@ -1421,28 +1467,28 @@
- - - + + +

Describe the plan to complete the implementation.

- - + +

Describe any customer-configured requirements for satisfying this control.

- 00000000-0000-4000-8001-c00400000010 + 11111111-2222-4000-8000-c00400000010 - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1460,50 +1506,50 @@
- - + +

Describe how AC-2, part a is satisfied within this system.

This points to the "This System" component, and is used any time a more specific component reference is not available.

- +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

- 00000000-0000-4000-8001-c00400000001 + 11111111-2222-4000-8000-c00400000001
- +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

- +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

In the context of the application component in satisfaction of AC-2, part a.

- 00000000-0000-4000-8001-c00400000005 + 11111111-2222-4000-8000-c00400000005
- +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

- 00000000-0000-4000-8001-c00400000005 + 11111111-2222-4000-8000-c00400000005
@@ -1514,11 +1560,11 @@

While the "this system" component is not explicitly required within every statement, it will typically be present.

- +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

- +

Optional description.

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

@@ -1527,7 +1573,7 @@

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

@@ -1539,21 +1585,21 @@
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1568,20 +1614,20 @@
- - + +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1589,36 +1635,36 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1633,21 +1679,21 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1655,38 +1701,38 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1701,20 +1747,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1722,36 +1768,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1766,20 +1812,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1787,34 +1833,34 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1829,20 +1875,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1850,36 +1896,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1894,20 +1940,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1915,36 +1961,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -1959,20 +2005,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1980,36 +2026,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2024,20 +2070,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2045,36 +2091,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2089,20 +2135,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2110,36 +2156,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2154,20 +2200,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2175,36 +2221,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- + - + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2219,20 +2265,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2240,36 +2286,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2284,20 +2330,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2305,36 +2351,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2349,20 +2395,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2370,36 +2416,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2414,20 +2460,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2435,36 +2481,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2479,20 +2525,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2500,36 +2546,36 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2544,20 +2590,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2565,31 +2611,31 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + - - + + - 00000000-0000-4000-8001-c00400000018 + 11111111-2222-4000-8000-c00400000018 - - + +

Describe how the control is satisfied within the system.

DMARC is employed.
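Review bot: "DMARC is employed." is too thin even for a sample implementation statement, and it is the only concrete technical claim in this hunk. A useful example states the enforced policy (p=quarantine or p=reject rather than p=none), notes that SPF and DKIM are configured as well since DMARC alignment depends on them, and says whether aggregate reports are collected and reviewed. The statement links to the "...c00400000018" component; confirm that is the email service described by the earlier "Email Service" component and "Email-Service" inventory item rather than a generic product.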

@@ -2608,21 +2654,21 @@
- - - + + +

Describe the plan to complete the implementation.

- - - + + + - 00000000-0000-4000-8001-c00400000011 + 11111111-2222-4000-8000-c00400000011 - - + +

Describe how the control is satisfied within the system.

@@ -2637,20 +2683,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2663,11 +2709,11 @@ - +

SSP Signature

- + 00000000 @@ -2682,9 +2728,9 @@
- + FedRAMP Applicable Laws and Regulations - + 00000000 @@ -2694,9 +2740,9 @@ - + FedRAMP Master Acronym and Glossary - + 00000000 @@ -2705,7 +2751,7 @@ - + Access Control Policy Title

AC Policy document

@@ -2722,7 +2768,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Policy Title

AT Policy document

@@ -2738,7 +2784,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Policy Title

AU Policy document

@@ -2754,7 +2800,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Policy Title

CA Policy document
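Review bot: for a rev5 example, "Security Assessment and Authorization Policy Title" uses the Rev 4 name of the CA family; NIST SP 800-53 Rev 5 renamed it "Assessment, Authorization, and Monitoring". The "CA Policy document" description is fine. Apply the same rename to the matching procedure resource further down.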

@@ -2770,7 +2816,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Policy Title

CM Policy document

@@ -2786,7 +2832,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Policy Title

CP Policy document

@@ -2803,7 +2849,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Policy Title

IA Policy document

@@ -2819,7 +2865,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Policy Title

IR Policy document

@@ -2835,7 +2881,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Policy Title

MA Policy document

@@ -2851,7 +2897,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Policy Title

MP Policy document

@@ -2867,7 +2913,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Policy Title

PE Policy document

@@ -2883,7 +2929,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Policy Title

PL Policy document

@@ -2899,7 +2945,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Policy Title

PS Policy document

@@ -2915,7 +2961,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Policy Title

RA Policy document
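Review bot: "Risk Adjustment Policy Title" is the wrong family name. RA in NIST SP 800-53 is Risk Assessment; "risk adjustment" is a FedRAMP POA&M/deviation-request term and will confuse readers who look for a risk-adjustment policy. The "RA Policy document" description is correct; fix the title here and in the matching procedure resource.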

@@ -2931,7 +2977,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Policy Title

SA Policy document

@@ -2947,7 +2993,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Policy Title

SC Policy document

@@ -2963,7 +3009,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Policy Title

SI Policy document

@@ -2979,7 +3025,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Policy Title

SR Policy document
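Review bot: the SR family in NIST SP 800-53 Rev 5 is "Supply Chain Risk Management", so "Supply Chain Risk Policy Title" should read "Supply Chain Risk Management Policy Title"; this also matches the "Supply Chain Risk Management Plan" resource later in the back-matter. The matching procedure resource has the same gap.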

@@ -2996,7 +3042,7 @@
- + Access Control Procedure Title

AC Procedure document

@@ -3012,7 +3058,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Procedure Title

AT Procedure document

@@ -3028,7 +3074,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Procedure Title

AU Procedure document

@@ -3044,7 +3090,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Procedure Title

CA Procedure document

@@ -3060,7 +3106,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Procedure Title

CM Procedure document

@@ -3076,7 +3122,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Procedure Title

CP Procedure document

@@ -3092,7 +3138,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Procedure Title

IA Procedure document

@@ -3108,7 +3154,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Procedure Title

IR Procedure document

@@ -3124,7 +3170,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Procedure Title

MA Procedure document

@@ -3140,7 +3186,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Procedure Title

MP Procedure document

@@ -3156,7 +3202,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Procedure Title

PE Procedure document

@@ -3172,7 +3218,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Procedure Title

PL Procedure document

@@ -3188,7 +3234,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Procedure Title

PS Procedure document

@@ -3204,7 +3250,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Procedure Title

RA Procedure document
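Review bot: same family-name error as the policy resource: "Risk Adjustment Procedure Title" should be "Risk Assessment Procedure Title" (RA); "RA Procedure document" is correct as written.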

@@ -3220,7 +3266,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Procedure Title

SA Procedure document

@@ -3236,7 +3282,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Procedure Title

SC Procedure document

@@ -3252,7 +3298,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Procedure Title

SI Procedure document

@@ -3268,7 +3314,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Procedure Title

SR Procedure document

@@ -3285,7 +3331,7 @@
- + User's Guide

User's Guide

@@ -3303,7 +3349,7 @@ - + Document Title

Rules of Behavior

@@ -3320,7 +3366,7 @@
- + Document Title

Contingency Plan (CP)

@@ -3337,7 +3383,7 @@
- + Document Title

Configuration Management (CM) Plan

@@ -3354,7 +3400,7 @@
- + Document Title

Incident Response (IR) Plan

@@ -3375,7 +3421,7 @@ - + [SAMPLE] Laws and Regulations @@ -3388,7 +3434,7 @@ - + Document Title

Continuous Monitoring Plan

@@ -3405,7 +3451,7 @@
- + [SAMPLE]Plan of Actions and Milestones (POAM) @@ -3416,7 +3462,7 @@ - + Supply Chain Risk Management Plan

Supply Chain Risk Management Plan

@@ -3435,7 +3481,7 @@ - + [SAMPLE]Interconnection Security Agreement Title @@ -3445,12 +3491,12 @@ 00000000 - + FedRAMP Logo

FedRAMP Logo

- + 00000000 @@ -3458,7 +3504,7 @@

Must be present in a FedRAMP SSP.

- + CSP Logo

CSP Logo

@@ -3471,7 +3517,7 @@

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + 3PAO Logo

3PAO Logo

@@ -3485,7 +3531,7 @@
- + Boundary Diagram

The primary authorization boundary diagram.

@@ -3494,13 +3540,13 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000054"

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000054"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Network Diagram

The primary network diagram.
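Review bot: the remark in this hunk hardcodes the resource identifier in prose ("using a value of "#11111111-2222-4000-8000-c00100000054"") and had to be edited by hand when the uuid changed, which is exactly the drift this renumbering is trying to eliminate. Either phrase the remark as "the value of this resource's uuid attribute, prefixed with #", or add a check that system-characteristics/authorization-boundary/diagram/link/@href resolves to this resource, so the two cannot diverge again. The network-diagram and data-flow-diagram hunks that follow carry the same hardcoded fragments for c00100000055 and c00100000056.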

@@ -3510,13 +3556,13 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000055"

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000055"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Data Flow Diagram

The primary data flow diagram.

@@ -3525,19 +3571,19 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#00000000-0000-4000-8001-c00100000056"

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000056"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Separation of Duties Matrix

Separation of Duties Matrix

- + From 155a97d700274ce1deb03445f75d7aa19473eb5c Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 14 Nov 2024 00:39:08 -0500 Subject: [PATCH 19/52] WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid --- .../awesome-cloud/xml/AwesomeCloudSSP2.xml | 44 +- .../examples/UUIDs_for_Examples_Legend.md | 4 + .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1669 ++++++++++------- 3 files changed, 1007 insertions(+), 710 deletions(-) diff --git a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml index 9da0b5937..6f3b24487 100644 --- a/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml +++ b/src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml @@ -146,25 +146,37 @@ - + +

+
- + +

+
- + +

+
- + +

+
- + +

+
- + +

+
@@ -272,7 +284,9 @@ The AwesomeCloud Software as a Service (SaaS) Solution - + +

+
@@ -659,7 +673,9 @@ - + +

+
@@ -737,19 +753,25 @@ Authorization Boundary Diagram - + +

+
Network Architecture Diagram - + +

+
Data Flow Diagram - + +

+
diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index 09280bc23..db71de47b 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md @@ -92,6 +92,10 @@ _Fields for other models to be added as we work with those models._ # Examples: +### "This System" + +Always `11111111-2222-4000-8000-009000000000` in its SSP. + ### Resource UUIDs diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 06a516636..6cd41764b 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,6 +1,6 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z @@ -12,7 +12,7 @@ 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -21,7 +21,7 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -162,6 +162,12 @@

Represents any customers of this system as may be necessary for assigning customer responsibility.

+ + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
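Review bot: the new "Provider" role description, "The provider of a leveraged system, external service, API, CLI.", is an unpunctuated list and should read "The provider of a leveraged system, external service, API, or CLI." It should also say whether every leveraged-authorization and external-service component is expected to name a party in this role, because the remarks on those components later in this patch only talk about properties and links, not about who must be named as the provider.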
[SAMPLE]Unix Administrator @@ -174,7 +180,19 @@

This is a sample role.

- + + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ CSP HQ
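Review bot: "Any internal users of a leveraged authorization." for the new "Leveraged Authorization Users" role is ambiguous about whose staff are meant: users internal to the leveraging CSP who log in to the leveraged system, or the leveraged provider's own personnel. The only other place users of a leveraged system are discussed in this patch is the remark pair "If 'yes', describe the user authentication method." / "If 'not-applicable', attest that no users access the leveraged system.", so the role description should say which population it covers. "An internal approving authority." for "Approver" would likewise benefit from naming what is approved (access requests, as the removed "Access Approver" privilege example put it).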
Suite 0000 @@ -187,7 +205,7 @@

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

- + Primary Data Center
2222 Main Street @@ -205,7 +223,7 @@

The type property must also have a class of "primary" or "alternate".

- + Secondary Data Center
3333 Small Road @@ -223,23 +241,23 @@

The type property must also have a class of "primary" or "alternate".

- + Cloud Service Provider (CSP) Name CSP Acronym/Short Name - - 11111111-2222-4000-8000-c00300000001 + + 11111111-2222-4000-8000-003000000001

Replace sample CSP information.

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

- + Federal Risk and Authorization Management Program: Program Management Office FedRAMP PMO - - + + info@fedramp.gov
1800 F St. NW @@ -253,35 +271,35 @@

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

- + Federal Risk and Authorization Management Program: Joint Authorization Board FedRAMP JAB - +

This party entry must be present in a FedRAMP SSP.

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

- + External Organization External

Generic placeholder for any external organization.

- + Agency Name A.N.

Generic placeholder for an authorizing agency.

- + Name of Consulting Org NOCO - + poc@example.com
3333 Corporate Way @@ -291,15 +309,15 @@ US
- + [SAMPLE]Remote System Org Name - + [SAMPLE]ICA POC's Name person@ica.example.org 2025551212 - 11111111-2222-4000-8000-c00400000007 + 11111111-2222-4000-8000-004000000007 [SAMPLE]Example IaaS Provider @@ -308,16 +326,16 @@

Underlying service provider. Leveraged Authorization.

- + [SAMPLE]Person Name 1 name@example.com 2020000001 - 11111111-2222-4000-8000-c00300000001 - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 2 name@example.com @@ -329,9 +347,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001
- + [SAMPLE]Person Name 3 name@example.com @@ -343,9 +361,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 4 name@example.com @@ -357,9 +375,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE]Person Name 5 name@example.com @@ -371,9 +389,9 @@ 00000 US
- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001
- + [SAMPLE]Person Name 6 name@example.com @@ -385,9 +403,9 @@ 00000 US - 11111111-2222-4000-8000-c00400000004 + 11111111-2222-4000-8000-004000000004 - + [SAMPLE]Person Name 7 name@example.com @@ -399,95 +417,105 @@ 00000 US - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - + [SAMPLE] IT Department - + [SAMPLE]Security Team + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + - 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 -

Exactly one

+

Zero or more

- 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

Exactly one

- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001 - 11111111-2222-4000-8000-c00400000010 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011

One or more

- 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

Exactly one

- 11111111-2222-4000-8000-c00400000003 - 11111111-2222-4000-8000-c00400000015 + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015

One or more

- 11111111-2222-4000-8000-c00400000012 + 11111111-2222-4000-8000-004000000012

Exactly one

- 11111111-2222-4000-8000-c00400000013 + 11111111-2222-4000-8000-004000000013

Exactly one

- 11111111-2222-4000-8000-c00400000014 + 11111111-2222-4000-8000-004000000014

Exactly one

- 11111111-2222-4000-8000-c00400000015 + 11111111-2222-4000-8000-004000000015

Exactly one

- 11111111-2222-4000-8000-c00400000016 - -

Exactly one

-
-
- - 11111111-2222-4000-8000-c00400000002 + 11111111-2222-4000-8000-004000000016

Exactly one

- -

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.

-

Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed.
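Review bot: this hunk deletes the two remarks "This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines." and "Guidance for OSCAL-based FedRAMP Tailored Low Impact - Software as a Service (LI-SaaS) content has not yet been developed." without a replacement; if the applicability statement moved elsewhere, say so, and if the LI-SaaS caveat is no longer accurate, record that in the commit message rather than dropping it silently. Two smaller points in the same hunk: "22222222-2222-4000-8000-004000000001" is added next to "11111111-2222-4000-8000-004000000001" under a "Zero or more" remark, but nothing in this patch (including the UUIDs_for_Examples_Legend.md change, which only defines 11111111-2222-4000-8000-009000000000 for "This System") explains what the 22222222 prefix denotes; and the new placeholder parties "Name of Leveraged System A Provider", "Name of Service Provider" and "Name of Telco Provider" lack the [SAMPLE] prefix the other placeholders use ("[SAMPLE]Person Name 1", "[SAMPLE] IT Department").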

-
+ @@ -533,7 +561,7 @@ - + Information Type Name

A description of the information.

@@ -586,11 +614,11 @@

A holistic, top-level explanation of the FedRAMP authorization boundary.

- +

A diagram-specific explanation.

- + Authorization Boundary Diagram
@@ -600,11 +628,11 @@

A holistic, top-level explanation of the network architecture.

- +

A diagram-specific explanation.

- + Network Diagram
@@ -614,42 +642,26 @@

A holistic, top-level explanation of the system's data flows.

- +

A diagram-specific explanation.

- + Data Flow Diagram
- - - - - - - - GovCloud - + + + + + + + AwesomeCloud Commercial(IaaS) + - - - - -

Describe the features used from Service A.

-

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

-
-
- - -

Describe the features used from Service B.

-

This service must be explicitly listed for this CSO on the FedRAMP Marketplace.

-
-
- - +

If 'yes', describe the user authentication method.

@@ -657,169 +669,154 @@

If 'not-applicable', attest that no users access the leveraged system.

- - - 22222222-2222-4000-8000-c0040000000a + 11111111-2222-4000-8000-c0040000000a 2015-01-01 -

Use one leveraged-authorization assembly for each underlying system. In the legacy world, these may be general support systems.

-

The link fields are optional, but preferred when known. Often, a leveraging system's SSP author will not have access to the leveraged system's SSP, but should have access to the leveraged system's CRM.

+

Use one leveraged-authorization assembly for each underlying authorized cloud system or general support system (GSS).

+ - - [SAMPLE]Unix System Administrator - - - - + + General Users - admin-unix - - Full administrative access (root) - Add/remove users and hardware - install and configure software - OS updates, patches and hotfixes - perform backups - - - - [SAMPLE]Client Administrator - - - - - - admin-client - - Portal administration - Add/remove client users - Create, modify and delete client applications - - - - [SAMPLE]Program Director - - - - - - information-system-security-officer - isa-poc-local - isa-authorizing-official-local - - Administrative Access Approver - Approves access requests for administrative accounts. - - - Access Approver - Approves access requests for administrative accounts. - - - - [SAMPLE]ISA POC - - - - - - isa-poc-remote - isa-authorizing-official-remote - - External System Access Provider - Authorizes access to external interconnected system. - + +

The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5.

+
+ - - + + + This System

The entire system as depicted in the system authorization boundary

-

Email is employed

+

FedRAMP requires exactly one "this-system" component.

+

This is used in SSP control responses.

+ +

When applicable, components must specify services, ports, and protocols.

+

All components that use or implement encryption must reference a "validation" component.

+
- - - - - - - [SAMPLE]Cryptographic Module Name + + + + + Awesome Cloud PaaS -

Provide a description and any pertinent note regarding the use of this CM.

-

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

-

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - - - + + + + + +

For a leveraged authoriation, describe the information being transferred.

+
+
+ + + + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged authorization, this property must always be present to link this component to the leveraged authorization.

+
+
+ + +

For a leveraged system, this property must always be present with a value of "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 +
- - - [SAMPLE]Cryptographic Module Name + + + + + + Authorized Service Provided by Leveraged System -

Provide a description and any pertinent note regarding the use of this CM.

-

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

- - - - - - - - - + + + + +

This is a service provided by the leveraged system.

+

It is explicitly listed on the FedRAMP marketplace as being an authorized service.

+

As a result, this service includes both the "provided-by" link and the "leveraged-authorization-uuid" property.

+
- - + + - - - Name of Leveraged System + + Non-Authorized Service Provided by Leveraged System -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - - - - - - - - + + +

This is a service provided by the leveraged system.

+

It is NOT explicitly listed on the FedRAMP marketplace as being an authorized service.

+

As a result, this service still includes the "provided-by" link, but omits the "leveraged-authorization-uuid" property.

+
- + + + + + Service Provided by Leveraged System + +

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+ + + + +
+ + - - + Name of Interconnected System

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.
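Review bot: the leveraged-authorization identifier in this hunk, "11111111-2222-4000-8000-c0040000000a", keeps the legacy c004 segment while every other identifier this patch touches is renumbered to the 004 form (for example "11111111-2222-4000-8000-004000000010" in the same hunk); the old value also carried the 22222222 prefix, which this hunk drops, so make sure the final value follows whatever scheme UUIDs_for_Examples_Legend.md settles on. Also in this hunk: "For a leveraged authoriation" is misspelled; the remark "The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5." is an open TODO sitting in a published example and should be resolved or clearly marked as such; and replacing the four role-based user examples (Unix System Administrator, Client Administrator, Program Director, ISA POC, each with authorized privileges such as "Full administrative access (root)") with a single "General Users" entry removes the only illustration of authorized-privilege modeling in the file, so keep at least one privileged-user example if the element is retained.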

@@ -846,23 +843,22 @@
- + Service Provided by Leveraged System

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- + - - +
- + [EXAMPLE]Authorized Connection Information System Name @@ -913,31 +909,95 @@

If "other", remarks are required. Optional otherwise.

- + - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-c00400000008 + 11111111-2222-4000-8000-004000000008

Optional notes about this interconnection

+ + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+
+ + + + + + + + + + +
+ + + + - + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

@@ -948,16 +1008,18 @@ - + - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010

COMMENTS: Provide other comments as needed.

- + + + [SAMPLE]Product

FUNCTION: Describe typical component function.

@@ -970,16 +1032,16 @@ - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011

COMMENTS: Provide other comments as needed.

- + OS Sample

None

@@ -990,7 +1052,7 @@
- + Database Sample

None

@@ -1001,7 +1063,7 @@
- + Appliance Sample

None

@@ -1019,123 +1081,332 @@
- - [EXAMPLE]Policies - -

[EXAMPLE]component representing a collection of policies in appendix A.

-
- - - - - - - - - - - - - - - - - + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ - -

Links to the components, attached as a resource in back-matter.

-
- - - [EXAMPLE]Procedures - -

[EXAMPLE]component representing a collection of procedures in appendix A.

-
- - - - - - - - - - - - - - - - - + + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ - -

Links to the components, attached as a resource in back-matter.

-
-
+
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and approved.

+
+ + +
- - - [SAMPLE]Service Name + + + AC Policy -

Describe the service

+

The Access Control Procedure governs how access is managed and approved.

- Describe the reason the service is needed. - - + - - - - - - - -

Section 10.2, Table 10-1. Ports, Protocols and Services

-

- SERVICES ARE NOW COMPONENTS WITH type='service' -

-
- - [EXAMPLE]Authorized Connection Information System Name + + AT Policy -

Briefly describe the interconnection.

+

The Awareness and Training Procedure governs how access is managed and approved.

- - - - - - - - - - - -

If "other", remarks are required. Optional otherwise.

-
-
- + + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and approved.

+
+ - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - - 11111111-2222-4000-8000-c00400000008 - - -

Optional notes about this interconnection

-
- + + + + IPv4 Production Subnet

IPv4 Production Subnet.
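Review bot: the per-family policy and procedure components introduced in this hunk have copy-pasted descriptions: every one of them ends "governs how access is managed and approved", which is only true of the Access Control Policy (the Media Protection, Supply Chain Risk Management and other families do not govern access), and the Audit and Accountability entry drops the word "Policy" entirely. Fix the descriptions per family, correct the spellings "Identificaiton" and "Enviornmental", rename "S3 Policy" to "SC Policy" (the System and Communications Protection family identifier is SC), and change the titles of the second set of components from "AC Policy", "AT Policy" and so on to "AC Procedure", "AT Procedure" and so on, since their descriptions say "Procedure". Finally, the removed collection components carried the remark "Links to the components, attached as a resource in back-matter."; confirm each new per-family component still links to its policy or procedure resource in back-matter, because the control-implementation remarks later in the file rely on that ("That component contains a link to the policy, so it does not have to be linked here too.").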

@@ -1145,7 +1416,7 @@
- + IPv4 Management Subnet

IPv4 Management Subnet.

@@ -1156,19 +1427,19 @@
- + Email Service

Email Service

- +
- +

Legacy Example (No implemented-component).

@@ -1210,14 +1481,14 @@

Optional, longer, formatted description.

- + - 11111111-2222-4000-8000-c00400000016 + 11111111-2222-4000-8000-004000000016 - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

@@ -1226,7 +1497,7 @@

COMMENTS: Additional information about this item.

- +

Component Inventory Example

@@ -1252,19 +1523,19 @@ - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-c00400000017 + 11111111-2222-4000-8000-004000000017 - +

COMMENTS: If needed, provide additional information about this inventory item.

- +

None.

@@ -1277,9 +1548,9 @@ - +
- +

None.

@@ -1291,9 +1562,9 @@ - +
- +

None.

@@ -1305,9 +1576,9 @@ - +
- +

None.

@@ -1322,9 +1593,9 @@

Asset wasn't running at time of scan.

- +
- +

None.

@@ -1336,9 +1607,9 @@ - +
- +

None.

@@ -1353,9 +1624,9 @@

Asset wasn't running at time of scan.

- +
- +

Email-Service

@@ -1367,7 +1638,7 @@ - +
@@ -1382,10 +1653,10 @@

This description field is required by OSCAL.

FedRAMP does not require any specific information here.

- + - - + + organization-defined personnel or roles @@ -1397,23 +1668,23 @@ at least annually - - + +

Describe how Part a is satisfied within the system.

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

In this case, a link must be provided to the policy.

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

- - + +

The specified component is the system itself.

Any control implementation response that can not be associated with another component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Identity Management and Access Control Policy.

@@ -1422,8 +1693,8 @@
- - + +

There
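Review bot: the remark in the context of this hunk reads only "There", which looks like a truncated sentence left over from an earlier edit; since this statement is the "legacy" policy example the surrounding remarks describe ("Describe how this policy currently satisfies part a."), complete the remark or remove the stray word.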

@@ -1434,7 +1705,7 @@
- +

Describe how this policy currently satisfies part a.

@@ -1450,16 +1721,16 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

@@ -1467,7 +1738,7 @@
- + @@ -1482,13 +1753,13 @@ - 11111111-2222-4000-8000-c00400000010 + 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1506,50 +1777,50 @@
- - + +

Describe how AC-2, part a is satisfied within this system.

This points to the "This System" component, and is used any time a more specific component reference is not available.

- +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

- +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

Not associated with inheritance, thus associated this with the by-component for "this system".

- 11111111-2222-4000-8000-c00400000001 + 11111111-2222-4000-8000-004000000001
- +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

- +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

In the context of the application component in satisfaction of AC-2, part a.

- 11111111-2222-4000-8000-c00400000005 + 11111111-2222-4000-8000-004000000005
- +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

In the context of the application component in satisfaction of AC-2, part a.

- 11111111-2222-4000-8000-c00400000005 + 11111111-2222-4000-8000-004000000005
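Review bot: "Not associated with inheritance, thus associated this with the by-component for "this system"." in this hunk is ungrammatical; write "This is not inheritance-related, so it is associated with the by-component for "this system"." The remark is doing important work: it explains why a leveraged system's responsibility statement hangs off the this-system component rather than a provided/inherited pair, which is the distinction leveraging CSPs most often get wrong, so it deserves a complete sentence. Separately, the party reference renumbered here to "11111111-2222-4000-8000-004000000005" appears nowhere else in the visible parts of this patch (the other renumbered party suffixes are 001, 003, 004, 007, 008 and 010 through 018); double-check that a party with that suffix exists in metadata.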
@@ -1560,11 +1831,11 @@

While the "this system" component is not explicitly required within every statement, it will typically be present.

- +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

- +

Optional description.

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

@@ -1573,7 +1844,7 @@

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

@@ -1585,7 +1856,7 @@
- + @@ -1593,13 +1864,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1614,20 +1885,20 @@
- - + +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1635,22 +1906,22 @@
- - + +

Describe how Part b-1 is satisfied.

- - + +

Describe how Part b-2 is satisfied.

- + @@ -1658,13 +1929,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1679,21 +1950,21 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1701,24 +1972,24 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +
- + @@ -1726,13 +1997,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1747,20 +2018,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1768,22 +2039,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1791,13 +2062,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1812,20 +2083,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1833,22 +2104,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1857,10 +2128,10 @@ - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1875,20 +2146,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1896,22 +2167,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1919,13 +2190,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -1940,20 +2211,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -1961,22 +2232,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -1984,13 +2255,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2005,20 +2276,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2026,22 +2297,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2049,13 +2320,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2070,20 +2341,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2091,22 +2362,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2114,13 +2385,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2135,20 +2406,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2156,22 +2427,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2179,13 +2450,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2200,20 +2471,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2221,22 +2492,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2245,12 +2516,12 @@ - + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2265,20 +2536,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2286,22 +2557,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2309,13 +2580,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2330,20 +2601,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2351,22 +2622,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2374,13 +2645,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2395,20 +2666,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2416,22 +2687,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2439,13 +2710,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2460,20 +2731,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2481,22 +2752,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2504,13 +2775,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2525,20 +2796,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2546,22 +2817,22 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + @@ -2569,13 +2840,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2590,20 +2861,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2611,31 +2882,31 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- + - 11111111-2222-4000-8000-c00400000018 + 11111111-2222-4000-8000-004000000018 - - + +

Describe how the control is satisfied within the system.

DMARC is employed.

@@ -2654,7 +2925,7 @@
- + @@ -2662,13 +2933,13 @@ - - + + - 11111111-2222-4000-8000-c00400000011 + 11111111-2222-4000-8000-004000000011 - - + +

Describe how the control is satisfied within the system.

@@ -2683,20 +2954,20 @@
- - + +

For the portion of the control satisfied by the service provider, describe how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

That component contains a link to the policy, so it does not have to be linked here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

@@ -2709,7 +2980,7 @@ - +

SSP Signature

@@ -2728,7 +2999,7 @@
- + FedRAMP Applicable Laws and Regulations @@ -2740,7 +3011,7 @@ - + FedRAMP Master Acronym and Glossary @@ -2751,7 +3022,7 @@ - + Access Control Policy Title

AC Policy document

@@ -2768,7 +3039,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Policy Title

AT Policy document

@@ -2784,7 +3055,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Policy Title

AU Policy document

@@ -2800,7 +3071,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Policy Title

CA Policy document

@@ -2816,7 +3087,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Policy Title

CM Policy document

@@ -2832,7 +3103,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Policy Title

CP Policy document

@@ -2849,7 +3120,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Policy Title

IA Policy document

@@ -2865,7 +3136,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Policy Title

IR Policy document

@@ -2881,7 +3152,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Policy Title

MA Policy document

@@ -2897,7 +3168,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Policy Title

MP Policy document

@@ -2913,7 +3184,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Policy Title

PE Policy document

@@ -2929,7 +3200,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Policy Title

PL Policy document

@@ -2945,7 +3216,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Policy Title

PS Policy document

@@ -2961,7 +3232,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Policy Title

RA Policy document

@@ -2977,7 +3248,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Policy Title

SA Policy document

@@ -2993,7 +3264,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Policy Title

SC Policy document

@@ -3009,7 +3280,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Policy Title

SI Policy document

@@ -3025,7 +3296,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Policy Title

SR Policy document

@@ -3042,7 +3313,7 @@
- + Access Control Procedure Title

AC Procedure document

@@ -3058,7 +3329,7 @@

May use rlink with a relative path, or embedded as base64.

- + Awareness and Training Procedure Title

AT Procedure document

@@ -3074,7 +3345,7 @@

May use rlink with a relative path, or embedded as base64.

- + Audit and Accountability Procedure Title

AU Procedure document

@@ -3090,7 +3361,7 @@

May use rlink with a relative path, or embedded as base64.

- + Security Assessment and Authorization Procedure Title

CA Procedure document

@@ -3106,7 +3377,7 @@

May use rlink with a relative path, or embedded as base64.

- + Configuration Management Procedure Title

CM Procedure document

@@ -3122,7 +3393,7 @@

May use rlink with a relative path, or embedded as base64.

- + Contingency Planning Procedure Title

CP Procedure document

@@ -3138,7 +3409,7 @@

May use rlink with a relative path, or embedded as base64.

- + Identification and Authentication Procedure Title

IA Procedure document

@@ -3154,7 +3425,7 @@

May use rlink with a relative path, or embedded as base64.

- + Incident Response Procedure Title

IR Procedure document

@@ -3170,7 +3441,7 @@

May use rlink with a relative path, or embedded as base64.

- + Maintenance Procedure Title

MA Procedure document

@@ -3186,7 +3457,7 @@

May use rlink with a relative path, or embedded as base64.

- + Media Protection Procedure Title

MP Procedure document

@@ -3202,7 +3473,7 @@

May use rlink with a relative path, or embedded as base64.

- + Physical and Environmental Protection Procedure Title

PE Procedure document

@@ -3218,7 +3489,7 @@

May use rlink with a relative path, or embedded as base64.

- + Planning Procedure Title

PL Procedure document

@@ -3234,7 +3505,7 @@

May use rlink with a relative path, or embedded as base64.

- + Personnel Security Procedure Title

PS Procedure document

@@ -3250,7 +3521,7 @@

May use rlink with a relative path, or embedded as base64.

- + Risk Adjustment Procedure Title

RA Procedure document

@@ -3266,7 +3537,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Service Acquisition Procedure Title

SA Procedure document

@@ -3282,7 +3553,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Communications Protection Procedure Title

SC Procedure document

@@ -3298,7 +3569,7 @@

May use rlink with a relative path, or embedded as base64.

- + System and Information Integrity Procedure Title

SI Procedure document

@@ -3314,7 +3585,7 @@

May use rlink with a relative path, or embedded as base64.

- + Supply Chain Risk Procedure Title

SR Procedure document

@@ -3331,7 +3602,7 @@
- + User's Guide

User's Guide

@@ -3349,7 +3620,7 @@ - + Document Title

Rules of Behavior

@@ -3366,7 +3637,7 @@
- + Document Title

Contingency Plan (CP)

@@ -3383,7 +3654,7 @@
- + Document Title

Configuration Management (CM) Plan

@@ -3400,7 +3671,7 @@
- + Document Title

Incident Response (IR) Plan

@@ -3421,7 +3692,7 @@ - + [SAMPLE] Laws and Regulations @@ -3434,7 +3705,7 @@ - + Document Title

Continuous Monitoring Plan

@@ -3451,7 +3722,7 @@
- + [SAMPLE]Plan of Actions and Milestones (POAM) @@ -3462,7 +3733,7 @@ - + Supply Chain Risk Management Plan

Supply Chain Risk Management Plan

@@ -3481,7 +3752,7 @@ - + [SAMPLE]Interconnection Security Agreement Title @@ -3491,7 +3762,7 @@ 00000000 - + FedRAMP Logo

FedRAMP Logo

@@ -3504,7 +3775,7 @@

Must be present in a FedRAMP SSP.

- + CSP Logo

CSP Logo

@@ -3517,7 +3788,7 @@

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + 3PAO Logo

3PAO Logo

@@ -3531,7 +3802,7 @@
- + Boundary Diagram

The primary authorization boundary diagram.

@@ -3540,13 +3811,13 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000054"

+

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Network Diagram

The primary network diagram.

@@ -3556,13 +3827,13 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000055"

+

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Data Flow Diagram

The primary data flow diagram.

@@ -3571,14 +3842,14 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-c00100000056"

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

May use rlink with a relative path, or embedded as base64.

FedRAMP prefers base64 for images and diagrams.

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

- + Separation of Duties Matrix

Separation of Duties Matrix

From 21582e329177809823fd5ba439169e045d5c5dfb Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 14 Nov 2024 19:33:22 -0500 Subject: [PATCH 20/52] Component WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 114 +++++++++--------- 1 file changed, 59 insertions(+), 55 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 6cd41764b..3cffdb406 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -686,8 +686,7 @@ - - + This System @@ -703,26 +702,28 @@ + + + - - - Awesome Cloud PaaS + Awesome Cloud IaaS (Leveraged Authorized System)

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

Must include all leveraged services and features from the leveraged authorization here.

- - + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+
+
-

For a leveraged authoriation, describe the information being transferred.

+

Describe the information being transferred in the @value field.

- -

System development information

@@ -756,66 +757,72 @@ 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 + +

Must have a "system" component for each FedRAMP Authorized System leveraged by this system as an underlying service provider.

+
- - - Authorized Service Provided by Leveraged System + Service A -

+

An authorized service provided by Awesome Cloud

+

Describe the service and what it is used for.

- +

This is a service provided by the leveraged system.

-

It is explicitly listed on the FedRAMP marketplace as being an authorized service.

-

As a result, this service includes both the "provided-by" link and the "leveraged-authorization-uuid" property.

+

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.

+

As a result, this service includes the "leveraged-authorization-uuid" property.

+

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

- - - - Non-Authorized Service Provided by Leveraged System + Service B -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

A non-authorized service provided by an authorized, leveraged system.

+

Describe the service and what it is used for.

- +

This is a service provided by the leveraged system.

-

It is NOT explicitly listed on the FedRAMP marketplace as being an authorized service.

-

As a result, this service still includes the "provided-by" link, but omits the "leveraged-authorization-uuid" property.

+

It is NOT explicitly listed on the FedRAMP marketplace as being within the scope of leveraged system's ATO.

+

As a result, the "leveraged-authorization-uuid" property must NOT be used.

+

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

- - - - Service Provided by Leveraged System + Service C -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

- - + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

+

All services require the "implementation-point" property. In this case, the property value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+
- - Name of Interconnected System @@ -823,41 +830,22 @@

Must include all leveraged services and features from the leveraged authorization here.

- - - - - - - -
- - - Service Provided by Leveraged System - -

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

-
- -
- - [EXAMPLE]Authorized Connection Information System Name @@ -928,6 +916,22 @@ + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+
+ + +
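Review bot: the remarks added for "Service C" are inconsistent with the component's own description. The description says "A service provided by an external system other than the leveraged system.", but the final remark still reads "If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property." (the sentence copied from Service A and Service B); for Service C this should refer to the external system's owner, not the leveraged system owner, or be dropped. Two smaller points in the same added remarks, repeated for Service A, Service B and Service C: `All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.` is missing the closing quotation mark after external, and `All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.` calls the same thing a link and then a property; suggest "prevents the use of this link at this time" so readers do not look for a prop.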
+ + + From ccf4923e4a319c67fc1c6fe614eb708e88c1f074 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 00:19:00 -0500 Subject: [PATCH 21/52] Ch 7 External WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 3cffdb406..7a55f0a63 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -186,6 +186,24 @@

Any internal users of a leveraged authorization.

+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external system.

+
+
Approver @@ -425,6 +443,12 @@ [SAMPLE]Security Team + + Leveraged Authorization User + + + + Name of Leveraged System A Provider @@ -752,6 +776,9 @@
+ + 11111111-2222-4000-8000-c0040000000a + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 @@ -773,6 +800,9 @@ + + 11111111-2222-4000-8000-c0040000000a +

This is a service provided by the leveraged system.

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.

@@ -822,6 +852,62 @@
+ + + Other Cloud SaaS + +

+
+ + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+
+
+ + +

Describe the information being transferred in the @value field.

+
+
+ + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged system, this property must always be present with a value of "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+
+
+ + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

Each interconnection must be defined with both an "system" component and an "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization here.

+
+
+ + Name of Interconnected System @@ -916,6 +1002,23 @@ + + Management CLI + +

None

+
+ + + + + +

+
+
+ +
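Review bot: the new role description "The highest level manager who responsible for an external system's operation on behalf of the System Owner." is missing "is" ("who is responsible"); it copies the wording of the existing "Information System Management Point of Contact (POC)" role, which has the same defect, so suggest fixing both. In the same patch, the new "Other Cloud SaaS" component carries the remark `Each interconnection must be defined with both an "system" component and an "interconnection" component.` ("a "system" component"), and the added agreement remark `Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc` is missing its closing parenthesis and period. One consistency question: the leveraged-authorization reference added under "Service A" and the leveraged system component, `11111111-2222-4000-8000-c0040000000a`, uses the `c004` prefix that an earlier patch in this series renumbered to `004...` for the by-component references (for example `11111111-2222-4000-8000-004000000011`); please confirm this value resolves to a defined uuid in the file rather than a leftover of the old scheme. Finally, the new "Management CLI" component's description is just "None"; since this is the example SSP, a one-line description of what the CLI is used for would make the component more useful to readers.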
+ + From bfbc6b9c4dc1523d959237928cf7588bac1b85b6 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 13:13:15 -0500 Subject: [PATCH 22/52] External system/service WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 1687 ++++++++++++----- 1 file changed, 1162 insertions(+), 525 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 7a55f0a63..3aeae9b15 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1,18 +1,20 @@ - + FedRAMP [Baseline Name] System Security Plan (SSP) - 2024-12-31T23:59:59Z - 2024-11-05T02:24:00Z - fedramp3.0.0-oscal1.1.4 - 1.1.2 + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -21,7 +23,8 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

@@ -33,13 +36,16 @@ FedRAMP Program Management Office -

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

+

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers + through the FedRAMP authorization process and maintains a secure repository of + FedRAMP authorizations to enable reuse of security packages.

Prepared By -

The organization that prepared this SSP. If developed in-house, this is the CSP itself.

+

The organization that prepared this SSP. If developed in-house, this is the CSP + itself.

@@ -62,13 +68,15 @@ Information System Owner -

The individual within the CSP who is ultimately accountable for everything related to this system.

+

The individual within the CSP who is ultimately accountable for everything related to + this system.

Authorizing Official -

The individual or individuals who must grant this system an authorization to operate.

+

The individual or individuals who must grant this system an authorization to + operate.

@@ -80,7 +88,8 @@ Information System Management Point of Contact (POC) -

The highest level manager who responsible for system operation on behalf of the System Owner.

+

The highest level manager who responsible for system operation on behalf of the + System Owner.

@@ -99,13 +108,15 @@ System Information System Security Officer (or Equivalent) -

The individual accountable for the security posture of the system on behalf of the system owner.

+

The individual accountable for the security posture of the system on behalf of the + system owner.

Privacy Official's Point of Contact -

The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment.

+

The individual responsible for the privacy threshold analysis and if necessary the + privacy impact assessment.

@@ -126,7 +137,8 @@ ICA POC (Remote) -

The point of contact for an interconnection on behalf of this external system to which this system connects.

+

The point of contact for an interconnection on behalf of this external system to + which this system connects.

Remove this role if there are no ICAs.

@@ -135,7 +147,8 @@ ICA Signatory (Local) -

Responsible for signing an interconnection security agreement on behalf of this system.

+

Responsible for signing an interconnection security agreement on behalf of this + system.

Remove this role if there are no ICAs.

@@ -144,7 +157,8 @@ ICA Signatory (Remote) -

Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects.

+

Responsible for signing an interconnection security agreement on behalf of the + external system to which this system connects.

Remove this role if there are no ICAs.

@@ -159,7 +173,8 @@ Customer -

Represents any customers of this system as may be necessary for assigning customer responsibility.

+

Represents any customers of this system as may be necessary for assigning customer + responsibility.

@@ -195,13 +210,15 @@ External System Management Point of Contact (POC) -

The highest level manager who responsible for an external system's operation on behalf of the System Owner.

+

The highest level manager who responsible for an external system's operation on + behalf of the System Owner.

External System Technical Point of Contact -

The individual or individuals leading the technical operation of an external system.

+

The individual or individuals leading the technical operation of an external + system.
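Review bot: the rewrapped remark for External System Management Point of Contact, "The highest level manager who responsible for an external system's operation on behalf of the System Owner.", is still missing its verb; since this hunk touches the line anyway, make it "The highest-level manager who is responsible for ...".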

@@ -220,7 +237,8 @@ 00000 -

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+

There must be one location identifying the CSP's primary business address, such as + the CSP's HQ, or the address of the system owner's primary business location.

@@ -267,7 +285,8 @@ 11111111-2222-4000-8000-003000000001

Replace sample CSP information.

-

CSP information must be present and associated with the "cloud-service-provider" role via responsible-party.

+

CSP information must be present and associated with the "cloud-service-provider" role + via responsible-party.

@@ -286,7 +305,8 @@

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-pmo" role in the responsible-party assemblies.

@@ -295,7 +315,8 @@

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the + "fedramp-jab" role in the responsible-party assemblies.

@@ -446,9 +467,9 @@ Leveraged Authorization User - - - + + + Name of Leveraged System A Provider @@ -541,9 +562,11 @@ - + -

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.

+

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official + FedRAMP 3.0.0 release.

Must adjust accordingly for applicable baseline and revision.

@@ -555,8 +578,15 @@ System's Short Name or Acronym -

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering using a multi-tenant [insert based on the Deployment Model above] cloud computing environment. It is available to [Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)].

-

NOTE: Additional description, including the purpose and functions of this system may be added here. This includes any narrative text usually included in section 9.1 of the SSP.

+

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] + offering using a multi-tenant [insert based on the Deployment Model above] cloud + computing environment. It is available to [Insert scope of customers in accordance with + instructions above (for example, the public, federal, state, local, and tribal + governments, as well as research institutions, federal contractors, government + contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be + added here. This includes any narrative text usually included in section 9.1 of the + SSP.

NOTE: The description is expected to be at least 32 words in length.

@@ -568,7 +598,8 @@ -

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

+

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

@@ -576,7 +607,8 @@ - + @@ -676,14 +708,15 @@ - + - + AwesomeCloud Commercial(IaaS) - + @@ -696,33 +729,39 @@ 11111111-2222-4000-8000-c0040000000a 2015-01-01 -

Use one leveraged-authorization assembly for each underlying authorized cloud system or general support system (GSS).

+

Use one leveraged-authorization assembly for each underlying authorized cloud system + or general support system (GSS).

- + General Users -

The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5.

+

The user content is currently being investigated as it may no longer be necessary + under FedRAMP's adoption of Rev 5.

- - - + + + + + This System

The entire system as depicted in the system authorization boundary

FedRAMP requires exactly one "this-system" component.

-

This is used in SSP control responses.

+

This is used in SSP control responses and may be used in interconnection + linkages.

When applicable, components must specify services, ports, and protocols.

-

All components that use or implement encryption must reference a "validation" component.

+

All components that use or implement encryption must reference a "validation" + component.
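Review bot: the rewrapped "General Users" remark, "The user content is currently being investigated as it may no longer be necessary under FedRAMP's adoption of Rev 5.", is an open project question rather than guidance for SSP authors; resolve it before this example ships or move it to an issue. The "This System" remark now says the component "may be used in interconnection linkages"; the interconnection guidance added later in this patch has the "interconnection" component connect the external "system" component with the "this-system" component, so state that "interconnection" components reference this component instead of the vaguer "may be used".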

@@ -730,50 +769,20 @@ - + + + Awesome Cloud IaaS (Leveraged Authorized System) -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

Briefly describe the leveraged system.

- - - -

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

-
-
- - -

Describe the information being transferred in the @value field.

-
-
- - -

System development information

-
-
- - -

System and network monitoring information

-
-
- - - -

For a leveraged authorization, this property must always be present to link this component to the leveraged authorization.

-
-
- - -

For a leveraged system, this property must always be present with a value of "external".

-
-
- - -

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

-
-
+ + + + + + @@ -785,86 +794,177 @@ 11111111-2222-4000-8000-004000000012 -

Must have a "system" component for each FedRAMP Authorized System leveraged by this system as an underlying service provider.

+

Each leveraged authorization must have:

+

a "leveraged-authorization" entry.

+

a "system" component (this component).

+

+

This component must always have:

+

- The name of the leveraged system in the title - exactly as it appears in the + FedRAMP Marketplace

+

- A "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry.

+

- An "implementation-point" property with a value of "external".

+

- A responsible-role with a role-id of "provider" and exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.

+

- A "nature-of-agreement" property with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- C.3.5.1 is System development information

+

- C.3.5.8 is System and network monitoring information

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

+

Create a separate "service" component for each service used from the leveraged + system.

+

- If the service is included in the ATO scope and listed on the FedRAMP marketplace, + use the "leveraged-authorization-uuid" property in the "service" component to link it + directly to the leveraged authorization.

+

- If the service is not included in the ATO scope or not listed on the FedRAMP + marketplace, the "leveraged-authorization-uuid" property must be omitted from the + "service" component.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorizationo assembly:

+

- Package ID, Authorization Type, Impact Level

- + Service A -

An authorized service provided by Awesome Cloud

+

An authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- + + + - - 11111111-2222-4000-8000-c0040000000a - -

This is a service provided by the leveraged system.

-

The service is explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO.

-

As a result, this service includes the "leveraged-authorization-uuid" property.

-

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

+

This service is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO.

+

+

Each service used from a leveraged authorization must have:

+

- a "leveraged-authorization" entry.

+

- a "system" component linked to the leveraged-authorization entry.

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - exactly as it appears in the FedRAMP + Marketplace

+

- A "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry.

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

- + + + Service B -

A non-authorized service provided by an authorized, leveraged system.

+

An non-authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- + + + -

This is a service provided by the leveraged system.

-

It is NOT explicitly listed on the FedRAMP marketplace as being within the scope of leveraged system's ATO.

-

As a result, the "leveraged-authorization-uuid" property must NOT be used.

-

All services require the "implementation-point" property. With a leveraged service, this property value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+

This service is provided by the leveraged system; however, it is NOT explicitly + listed on the FedRAMP marketplace as being included in the scope of this leveraged + system's ATO.

+

As a result, the "leveraged-authorization-uuid" property must NOT be present.

+

+

Each NON-authorized service used from a leveraged authorization must have:

+

- a "leveraged-authorization" entry.

+

- a "system" component linked to the leveraged-authorization entry.

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

- - - Service C - -

A service provided by an external system other than the leveraged system.

-

Describe the service and what it is used for.

-
- - - - -

This is a service provided by an external system other than the leveraged system.

-

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

-

All services require the "implementation-point" property. In this case, the property value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-
-
- - + + Other Cloud SaaS -

+

-

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc

+

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, + etc

- +

Describe the information being transferred in the @value field.
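Review bot: the new remark lists for Service A and Service B both require "A "provided-by" link with a URI fragment that points to the UUID of the above "system" component." and then add "IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link."; an author following the list cannot tell whether to include the link and accept the validation error or omit it as the deleted remark ("a known bug in core OSCAL syntax prevents the use of this property at this time") advised, so say explicitly which the example expects. In the same region: the property is written "leveraged authorization-uuid" (stray space) in both the "system" component list and the Service A list, while every other mention uses "leveraged-authorization-uuid"; "exactly one or more party-uuid entries" is self-contradictory ("one or more"); "proeprty's remarks to descibe", "leveraged systeme", "leveraged-authorizationo assembly" and "An non-authorized service" are typos on added lines. The per-property remarks deleted from the Awesome Cloud IaaS component ("Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc", the two information-type remarks and the three "must always be present" remarks) are only partly re-expressed as bullets; the "Specify the type of agreement" text now survives only on the "Other Cloud SaaS" component at the end of this region, where the rewrapped line "Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, + etc" is still truncated and should end with "etc.)".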

@@ -882,16 +982,18 @@ -

For a leveraged system, this property must always be present with a value of "external".

+

For a leveraged system, this property must always be present with a value of + "external".

-

Include this property if available, such as through an OSCAL-based CRM, component definition, or direct access to the leveraged system's SSP.

+

Include this property if available, such as through an OSCAL-based CRM, component + definition, or direct access to the leveraged system's SSP.

- + 11111111-2222-4000-8000-004000000010 @@ -902,18 +1004,35 @@ 11111111-2222-4000-8000-004000000012 -

Each interconnection must be defined with both an "system" component and an "interconnection" component.

-

Must include all leveraged services and features from the leveraged authorization here.

+

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

- - + Name of Interconnected System -

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

-

Must include all leveraged services and features from the leveraged authorization here.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.
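Review bot: the new remarks on the interconnected external "system" component (and again on "Name of Interconnected System") copy leveraged-authorization wording that does not apply to an interconnection: "Must include all leveraged services and features from the leveraged authorization here." appears twice in the same remarks block, once as a new bullet and once as the re-added old sentence, and "If the leveraged system owner provides a UUID for their system" should refer to the external system's owner, since the bullet above it describes "each external system with which this system connects", not a leveraged system. "Each interconnection must be defined with both an "system" component and an "interconnection" component." is also re-added verbatim next to the new bullet that states the same requirement; keep one and fix "an "system"" to "a "system"".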

@@ -922,7 +1041,8 @@ - + @@ -930,13 +1050,14 @@
- - + [EXAMPLE]Authorized Connection Information System Name -

Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).

+

Describe the purpose of the external system/service; specifically, provide reasons + for connectivity (e.g., system monitoring, system alerting, download updates, + etc.).

@@ -947,23 +1068,30 @@ - + - + - + - + - - + + - + @@ -976,7 +1104,8 @@ - + @@ -1002,28 +1131,212 @@
- + + + + Other Cloud SaaS + +

+ + + + +

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, + etc

+ +
+ + +

Describe the information being transferred in the @value field.

+
+
+ + +

System development information

+
+
+ + +

System and network monitoring information

+
+
+ + + +

For a leveraged system, this property must always be present with a value of + "external".

+
+
+ + +

Include this property if available, such as through an OSCAL-based CRM, component + definition, or direct access to the leveraged system's SSP.

+
+
+ + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the + "this-system" component.

+

If the leveraged system owner provides a UUID for their system (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+

Must include all leveraged services and features from the leveraged authorization + here.

+

For an external system, the "implementation-point" property must always be present + with a value of "external".

+ + +

Each interconnection must be defined with both an "system" component and an + "interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization + here.

+
+ + + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

+

Each external service used from a leveraged authorization must have:

+

- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

+

- a "service" component (this component).

+

+

This component must always have:

+

- The name of the service in the title - preferably exactly as it appears on the + vendor's web site

+

- An "implementation-point" property with a value of "external".

+

- A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.

+

- Example: "#11111111-2222-4000-8000-009000100001"

+

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, + this property is blocked from proper use.

+

- a status with a state value of "operational"

+

+

Where relevant, this component should also have:

+

- One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.

+

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+ + +

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+ + +

Link(s) to the vendor's web site describing the service are encouraged, but not + required..

+ + +
+
+ + + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + +

This is a service provided by an external system other than the leveraged system.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must + NOT be used.

+

All services require the "implementation-point" property. In this case, the property + value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known + bug in core OSCAL syntax prevents the use of this property at this time.

+

If the leveraged system owner provides a UUID for their service (such as in an + OSCAL-based CRM), it should be reflected in the inherited-uuid + property.

+
+
+ + + Management CLI

None

- + -

+

- + - + Service D

A service that exists within the authorization boundary.

@@ -1032,7 +1345,7 @@
- + @@ -1042,18 +1355,22 @@ [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

-

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, record-level, etc.)

-

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, + file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

- + - + @@ -1061,20 +1378,23 @@ [SAMPLE]Cryptographic Module Name

Provide a description and any pertinent note regarding the use of this CM.

-

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

- + - + - + @@ -1083,7 +1403,7 @@ - + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

@@ -1103,8 +1423,8 @@

COMMENTS: Provide other comments as needed.

- - + + [SAMPLE]Product Name

FUNCTION: Describe typical component function.

@@ -1148,7 +1468,7 @@

COMMENTS: Provide other comments as needed.

- + OS Sample

None

@@ -1159,7 +1479,7 @@
- + Database Sample

None

@@ -1170,14 +1490,15 @@
- + Appliance Sample

None

- + @@ -1203,7 +1524,7 @@ -
+
AU Policy @@ -1211,15 +1532,16 @@ - +
CA Policy -

The Assessment, Authorization, and Monitoring Policy governs how access is managed and approved.

+

The Assessment, Authorization, and Monitoring Policy governs how access is managed + and approved.

-
+
CM Policy @@ -1227,7 +1549,7 @@ - +
CP Policy @@ -1235,15 +1557,16 @@ - +
IA Policy -

The Identificaiton and Authentication Policy governs how access is managed and approved.

+

The Identificaiton and Authentication Policy governs how access is managed and + approved.

-
+ IR Policy @@ -1251,7 +1574,7 @@ - + MA Policy @@ -1259,7 +1582,7 @@ - + MP Policy @@ -1267,15 +1590,16 @@ - + PE Policy -

The Physical and Enviornmental Protection Policy governs how access is managed and approved.

+

The Physical and Enviornmental Protection Policy governs how access is managed and + approved.

-
+ PL Policy @@ -1283,7 +1607,7 @@ - + PM Policy @@ -1291,7 +1615,7 @@ - + PS Policy @@ -1299,15 +1623,16 @@ - + PT Policy -

The PII Processing and Transparency Policy governs how access is managed and approved.

+

The PII Processing and Transparency Policy governs how access is managed and + approved.

-
+ RA Policy @@ -1315,39 +1640,43 @@ - + SA Policy -

The System and Services Acquisition Policy governs how access is managed and approved.

+

The System and Services Acquisition Policy governs how access is managed and + approved.

-
+ S3 Policy -

The System and Communication Protection Policy governs how access is managed and approved.

+

The System and Communication Protection Policy governs how access is managed and + approved.

-
+ SI Policy -

The System and Information Integrity Policy governs how access is managed and approved.

+

The System and Information Integrity Policy governs how access is managed and + approved.

-
+ SR Policy -

The Supply Chain Risk Management Policy governs how access is managed and approved.

+

The Supply Chain Risk Management Policy governs how access is managed and + approved.

-
+ @@ -1365,31 +1694,34 @@ - + AU Policy -

The Audit and Accountability Procedure governs how access is managed and approved.

+

The Audit and Accountability Procedure governs how access is managed and + approved.

-
+ CA Policy -

The Assessment, Authorization, and Monitoring Procedure governs how access is managed and approved.

+

The Assessment, Authorization, and Monitoring Procedure governs how access is managed + and approved.

-
+ CM Policy -

The Configuration Management Procedure governs how access is managed and approved.

+

The Configuration Management Procedure governs how access is managed and + approved.

-
+ CP Policy @@ -1397,15 +1729,16 @@ - + IA Policy -

The Identificaiton and Authentication Procedure governs how access is managed and approved.

+

The Identificaiton and Authentication Procedure governs how access is managed and + approved.

-
+ IR Policy @@ -1413,7 +1746,7 @@ - + MA Policy @@ -1421,7 +1754,7 @@ - + MP Policy @@ -1429,15 +1762,16 @@ - + PE Policy -

The Physical and Enviornmental Protection Procedure governs how access is managed and approved.

+

The Physical and Enviornmental Protection Procedure governs how access is managed and + approved.

-
+ PL Policy @@ -1445,7 +1779,7 @@ - + PM Policy @@ -1453,7 +1787,7 @@ - + PS Policy @@ -1461,15 +1795,16 @@ - + PT Policy -

The PII Processing and Transparency Procedure governs how access is managed and approved.

+

The PII Processing and Transparency Procedure governs how access is managed and + approved.

-
+ RA Policy @@ -1477,35 +1812,39 @@ - + SA Policy -

The System and Services Acquisition Procedure governs how access is managed and approved.

+

The System and Services Acquisition Procedure governs how access is managed and + approved.

-
+ S3 Policy -

The System and Communication Protection Procedure governs how access is managed and approved.

+

The System and Communication Protection Procedure governs how access is managed and + approved.

-
+ SI Policy -

The System and Information Integrity Procedure governs how access is managed and approved.

+

The System and Information Integrity Procedure governs how access is managed and + approved.

-
+ SR Policy -

The Supply Chain Risk Management Procedure governs how access is managed and approved.

+

The Supply Chain Risk Management Procedure governs how access is managed and + approved.

@@ -1534,7 +1873,7 @@
- + Email Service

Email Service

@@ -1597,7 +1936,9 @@ -

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

+

This links to a FIPS 140-2 validated software component that is used by this + inventory item. This type of linkage to a validation through the component is + preferable to the link[rel='validation'] example above.

@@ -1655,7 +1996,8 @@ - + @@ -1669,7 +2011,8 @@ - + @@ -1683,7 +2026,8 @@ - + @@ -1700,7 +2044,8 @@

Asset wasn't running at time of scan.

- + @@ -1714,7 +2059,8 @@ - + @@ -1731,7 +2077,8 @@

Asset wasn't running at time of scan.

- + @@ -1745,7 +2092,8 @@ - + @@ -1776,47 +2124,58 @@ - +

Describe how Part a is satisfied within the system.

-

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

+

Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

In this case, a link must be provided to the policy.

-

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

+

FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

- +

The specified component is the system itself.

-

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+

Any control implementation response that can not be associated with another + component is associated with the component representing the system.

- +

Describe how this policy component satisfies part a.

-

Component approach. This links to a component representing the Identity Management and Access Control Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

Component approach. This links to a component representing the Identity + Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +
- +

There

- +

Describe the plan to complete the implementation.

- +

Describe how this policy currently satisfies part a.

- +

Describe the plan for addressing the missing policy elements.
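Review bot: the AC-1 part-a by-component whose description is the single word "There", sitting between "Describe how this policy component satisfies part a." and "Describe the plan to complete the implementation.", is an unfinished placeholder; give it a "Describe ..." sentence like its siblings or remove it. Minor, on a rewrapped line: "Any control implementation response that can not be associated" should read "cannot".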

@@ -1829,19 +2188,21 @@
- +

Describe how Part b-1 is satisfied.

- +
- +

Describe how Part b-2 is satisfied.

- +
@@ -1854,7 +2215,8 @@
- +

Describe any customer-configured requirements for satisfying this control.

@@ -1866,7 +2228,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -1885,21 +2248,27 @@
- +

Describe how AC-2, part a is satisfied within this system.

-

This points to the "This System" component, and is used any time a more specific component reference is not available.

+

This points to the "This System" component, and is used any time a more + specific component reference is not available.

-

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

+

Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

- + -

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

-

Not associated with inheritance, thus associated this with the by-component for "this system".

+

Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

+

Not associated with inheritance, thus associated this with the + by-component for "this system".

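Review bot: the reflowed `+` line "Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a." keeps the number disagreement "a leveraging systems"; make it "a leveraging system". The companion remark "Not associated with inheritance, thus associated this with the by-component for "this system"." is also rewritten in this hunk and reads awkwardly; "Not associated with inheritance, so it is placed on the by-component for "this system"." says the same thing clearly.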
11111111-2222-4000-8000-004000000001 @@ -1907,24 +2276,31 @@
- + -

For the portion of the control satisfied by the application component of this system, describe how the control is met.

+

For the portion of the control satisfied by the application component of this + system, describe how the control is met.

-

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

-

In the context of the application component in satisfaction of AC-2, part a.

+

Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part + a.

11111111-2222-4000-8000-004000000005
- + -

Leveraging system's responsibilities with respect to inheriting this capability from this application.

-

In the context of the application component in satisfaction of AC-2, part a.

+

Leveraging system's responsibilities with respect to inheriting this + capability from this application.

+

In the context of the application component in satisfaction of AC-2, part + a.

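Review bot: the new line breaks in this hunk split the statement reference, leaving "a." alone on the continuation line twice ("... in satisfaction of AC-2, part" followed by "a."). Wrap before "AC-2" instead so that "AC-2, part a." stays on one line; anyone searching the remarks for the part reference will otherwise miss these two occurrences.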
11111111-2222-4000-8000-004000000005 @@ -1933,30 +2309,44 @@

The component-uuid above points to the "this system" component.

-

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

-

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

-

While the "this system" component is not explicitly required within every statement, it will typically be present.

+

Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

+

While the "this system" component is not explicitly required within every + statement, it will typically be present.

- + -

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

+

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

- +

Optional description.

-

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

+

Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

In the context of this component in satisfaction of AC-2, part a.

-

The provided-uuid links this to the same statement in the leveraged system's SSP.

-

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+

The provided-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

- +

Description of how the responsibility was satisfied.

-

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

-

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

-

Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

+

The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

Tool developers should be mindful that

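Review bot: the rewrapped remark "Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP." states the check but not its outcome; since the line is being rewritten, add what a tool should do when a responsibility-uuid has no matching satisfied statement (report it as an unaddressed customer responsibility rather than pass silently), so that implementers do not treat a missing link as acceptable.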
@@ -1977,7 +2367,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -1993,35 +2384,42 @@
- +

Describe how Part a is satisfied.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- +

Describe how Part b-1 is satisfied.

- +

Describe how Part b-2 is satisfied.

@@ -2042,7 +2440,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2058,39 +2457,49 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2110,7 +2519,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2126,37 +2536,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2175,7 +2595,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2191,37 +2612,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2238,7 +2669,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2254,37 +2686,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2303,7 +2745,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2319,37 +2762,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2368,7 +2821,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2384,37 +2838,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2433,7 +2897,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2449,37 +2914,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2498,7 +2973,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2514,37 +2990,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2563,7 +3049,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2579,37 +3066,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2628,7 +3125,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2644,37 +3142,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2693,7 +3201,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2709,37 +3218,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2758,7 +3277,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2774,37 +3294,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2823,7 +3353,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2839,37 +3370,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2888,7 +3429,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2904,37 +3446,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -2953,7 +3505,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -2969,37 +3522,47 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

@@ -3013,7 +3576,8 @@ 11111111-2222-4000-8000-004000000018 - +

Describe how the control is satisfied within the system.

DMARC is employed.

@@ -3046,7 +3610,8 @@ 11111111-2222-4000-8000-004000000011 - +

Describe how the control is satisfied within the system.

@@ -3062,23 +3627,29 @@
- + -

For the portion of the control satisfied by the service provider, describe how the control is met.

+

For the portion of the control satisfied by the service provider, describe + how the control is met.

- +

Describe how this policy component satisfies part a.

Component approach. This links to a component representing the Policy.

-

That component contains a link to the policy, so it does not have to be linked here too.

+

That component contains a link to the policy, so it does not have to be linked + here too.

- +

Describe how this procedure component satisfies part a.

Component approach. This links to a component representing the procedure.

-

That component contains a link to the procedure, so it does not have to be linked here too.

+

That component contains a link to the procedure, so it does not have to be + linked here too.

@@ -3096,22 +3667,27 @@ 00000000 -

FedRAMP is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions.

+

FedRAMP is formulating guidelines for handling digital/electronic signatures in + OSCAL, and welcome feedback on solutions.

For now, FedRAMP recommends one of the following:

  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • -
  • Render the OSCAL SSP content as a printed page that is physically signed, scanned, and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, + scanned, and attached.
-

If your organization prefers another approach, please seek prior approval from the FedRAMP PMO.

+

If your organization prefers another approach, please seek prior approval from the + FedRAMP PMO.

FedRAMP Applicable Laws and Regulations - + - 00000000 + 00000000

Must be present in a FedRAMP SAP.

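Review bot: in the rewrapped `+` line "FedRAMP is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions." the verb should agree with its subject: "and welcomes feedback". Two further points in the same hunk: the remark under "FedRAMP Applicable Laws and Regulations" reads "Must be present in a FedRAMP SAP." while the neighbouring glossary resource reads "Must be present in a FedRAMP SSP."; this document is an SSP, so confirm whether SAP is intended or a copy-paste slip. And both recommended signing options sign a rendering (a PDF, or a scanned printed page) rather than the OSCAL content itself, so the remark should say how the signed attachment is tied to a specific revision of the OSCAL document (its metadata version and last-modified values, for example); otherwise a reader cannot tell which revision of the SSP the signature covers.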
@@ -3121,9 +3697,11 @@ FedRAMP Master Acronym and Glossary - + - 00000000 + 00000000

Must be present in a FedRAMP SSP.

@@ -3143,7 +3721,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

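Review bot: the rewrapped remark "May use rlink with a relative path, or embedded as base64." mixes an active and a passive clause; since this line is rewritten here and again in each of the identical attachment hunks that follow, make the two options parallel: "May use rlink with a relative path, or embed as base64.". Apart from that wording, this hunk and the following attachment hunks are whitespace-only reflow.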
@@ -3159,7 +3738,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3175,7 +3755,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3191,7 +3772,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3207,7 +3789,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3224,7 +3807,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3240,7 +3824,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3256,7 +3841,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3272,7 +3858,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3288,7 +3875,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3304,7 +3892,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3320,7 +3909,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3336,7 +3926,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3352,7 +3943,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3368,7 +3960,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3384,7 +3977,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3400,7 +3994,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3416,7 +4011,8 @@ 00000000

Table 12-1 Attachments: Policy Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3433,7 +4029,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3449,7 +4046,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3465,7 +4063,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3481,7 +4080,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3497,7 +4097,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3513,7 +4114,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3529,7 +4131,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3545,7 +4148,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3561,7 +4165,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3577,7 +4182,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3593,7 +4199,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3609,7 +4216,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3625,7 +4233,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3641,7 +4250,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3657,7 +4267,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3673,7 +4284,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3689,7 +4301,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3705,7 +4318,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3721,7 +4335,8 @@

Table 12-1 Attachments: User's Guide Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3740,7 +4355,8 @@ 00000000

Table 12-1 Attachments: Rules of Behavior (ROB)

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3757,7 +4373,8 @@ 00000000

Table 12-1 Attachments: Contingency Plan (CP) Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3774,7 +4391,8 @@ 00000000

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3791,7 +4409,8 @@ 00000000

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3825,7 +4444,8 @@ 00000000

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3853,7 +4473,8 @@ 00000000

Table 12-1 Attachments: Procedure Attachment

-

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

@@ -3890,9 +4511,11 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3903,9 +4526,11 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3918,10 +4543,14 @@ 00000000

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

-

This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000054"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#11111111-2222-4000-8000-001000000054"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3934,10 +4563,14 @@ 00000000

Section 8.1, Figure 8-2 Network Diagram (graphic)

-

This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000055"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3949,10 +4582,13 @@ 00000000

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

-

This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#11111111-2222-4000-8000-001000000056"

-

May use rlink with a relative path, or embedded as base64.

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href + flag using a value of "#11111111-2222-4000-8000-001000000056"

+

May use rlink with a relative path, or embedded as + base64.

FedRAMP prefers base64 for images and diagrams.

-

Images must be in sufficient resolution to read all detail when rendered in a browser via HTML5.

+

Images must be in sufficient resolution to read all detail when rendered in a browser + via HTML5.

@@ -3968,7 +4604,8 @@ 00000000 -

May use rlink with a relative path, or embedded as base64.

+

May use rlink with a relative path, or embedded as + base64.

From e07164320072631dd7abad1f2d8ba358c206291c Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 15 Nov 2024 17:00:00 -0500 Subject: [PATCH 23/52] Table 7.1 WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 235 +++++++++++------- 1 file changed, 142 insertions(+), 93 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 3aeae9b15..5016d98de 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -734,14 +734,9 @@ - - - General Users - -

The user content is currently being investigated as it may no longer be necessary - under FedRAMP's adoption of Rev 5.

+

The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.

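Review bot: the "General Users" user entry is deleted in this hunk while the replacement remark only says the user assembly is under review; OSCAL's system-implementation requires at least one user, so if this was the only user in the example the file will no longer validate. Either keep a placeholder user until the review concludes, or state in the remark that the requirement is intentionally unmet and why.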
@@ -769,6 +764,7 @@ + @@ -891,6 +887,7 @@ + @@ -901,8 +898,25 @@

Describe the service and what it is used for.

+ + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
@@ -920,6 +934,7 @@

- The name of the service in the title - preferably exactly as it appears on the vendor's web site

- An "implementation-point" property with a value of "external".

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

- A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

- Example: "#11111111-2222-4000-8000-009000100001"

@@ -979,7 +994,22 @@

System and network monitoring information

- + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+

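Review bot: these risk/impact/mitigation props are attached to the external "system" component (the one carrying the "System and network monitoring information" information-type), but the remark added later in this same patch states that risk, impact, and mitigation properties are applied to interconnection, service, or cli component types, not to the system. Either drop the three props here or move them to the corresponding interconnection component, and align that remark with whichever is chosen.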
For a leveraged system, this property must always be present with a value of @@ -994,6 +1024,9 @@ + + 33333333-2222-4000-8000-004000000001 + 11111111-2222-4000-8000-004000000010 @@ -1016,104 +1049,70 @@

For an external system, the "implementation-point" property must always be present with a value of "external".

-

Each interconnection must be defined with both an "system" component and an "interconnection" component.

Must include all leveraged services and features from the leveraged authorization here.

+ +

The risk associated with an external system must be quantified within the context of an interconnection, service, or cli, thus risk, impact, and mitigation properties are applied to those component types.

- Name of Interconnected System - -

If the leveraged system owner provides a UUID for their system (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

-

Must include all leveraged services and features from the leveraged authorization - here.

-
- - - - - - - - - - - - - - -
- - [EXAMPLE]Authorized Connection Information System Name

Describe the purpose of the external system/service; specifically, provide reasons - for connectivity (e.g., system monitoring, system alerting, download updates, - etc.).

+ for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

- - + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - +

If "other", remarks are required. Optional otherwise.

+ + + +

Either describe a risk associated with this interconnection, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + 44444444-2222-4000-8000-004000000001 + 11111111-2222-4000-8000-004000000008 @@ -1126,6 +1125,9 @@ 11111111-2222-4000-8000-004000000008 + + +

Optional notes about this interconnection

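Review bot: in the -1016 hunk above, "The risk associated with an external system must be quantified within the context of an interconnection, service, or cli" promises quantification, but the props it introduces only ask for a narrative description of risk, impact, and mitigating factors; "characterized" or "described" would match what the props actually capture. In the same sentence, "cli" should be written "CLI" to match the "this CLI" wording used in the CLI component remarks later in this patch.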
@@ -1214,9 +1216,27 @@

Describe the service and what it is used for.

+ + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ @@ -1243,6 +1263,7 @@

This component must always have:

- The name of the service in the title - preferably exactly as it appears on the vendor's web site

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

- An "implementation-point" property with a value of "external".

- A "provided-by" link with a URI fragment that points to the UUID of the above "system" component.

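Review bot: the new "risk" bullet is inserted before the "implementation-point" bullet here, while the equivalent hunk earlier in this patch (at -920) inserts it after "implementation-point"; the two lists describe the same requirement set, so keep the bullet order identical in both, otherwise the example reads as if the ordering carried meaning.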
@@ -1271,21 +1292,6 @@

- Nature of Agreement, CSP Name

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

- - -

All services require the "implementation-point" property. In this case, the property - value is set to "external.

-

All external services would normally require a "provided-by" link; however, a known - bug in core OSCAL syntax prevents the use of this property at this time.

-

If the leveraged system owner provides a UUID for their service (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

- - -

Link(s) to the vendor's web site describing the service are encouraged, but not - required..

- -
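Review bot: this removal drops the only remark explaining why a "provided-by" link may be absent (the known OSCAL bug) together with the "inherited-uuid" guidance for this component, and nothing replaces them; if the -1243 list above belongs to the same component, it still tells authors a "provided-by" link is required, so the caveat about the bug should survive next to that bullet rather than disappear. If the text was deduplicated into a sibling component's remarks, a one-line pointer here would keep the example navigable.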
@@ -1297,10 +1303,34 @@

Describe the service and what it is used for.

+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+

This is a service provided by an external system other than the leveraged system.

+ + + +

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+ + +

As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

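Review bot: the inserted "A "risk" property/extension" bullet lands between "This is a service provided by an external system other than the leveraged system." and "As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.", so "As a result" now reads as a consequence of the risk bullet rather than of the service being external. Move the bullet below the "As a result" sentence, next to the other required-property statements.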
All services require the "implementation-point" property. In this case, the property @@ -1310,6 +1340,10 @@

If the leveraged system owner provides a UUID for their service (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.

+ + + +
@@ -1321,8 +1355,23 @@ - + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+

From adbf9dcd68b1880896738e51e1deeb01ccf34724 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 19 Nov 2024 09:10:30 -0500 Subject: [PATCH 24/52] Table 7.1 examples WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 66 ++++++++++--------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 5016d98de..a1ee72d2e 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -843,7 +843,7 @@ - +

This service is explicitly listed on the FedRAMP marketplace as being included in the @@ -897,10 +897,11 @@

An non-authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- - - - + + + + +

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -917,8 +918,8 @@

If there are one or more identified risks, describe any mitigating factors.

- - + +

This service is provided by the leveraged system; however, it is NOT explicitly listed on the FedRAMP marketplace as being included in the scope of this leveraged @@ -969,21 +970,10 @@ Other Cloud SaaS -

+

An external system to which this system shares an interconnection.

- - - -

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, - etc

-
-
- - -

Describe the information being transferred in the @value field.

-
-
+ +

System development information

@@ -1024,7 +1014,7 @@
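Review bot: this hunk removes the "nature-of-agreement" guidance ("Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, etc") and the information-type "@value" guidance from the "Other Cloud SaaS" external system component with nothing added in their place; if the props themselves were removed rather than only their remarks, the component no longer records the agreement type the interconnection table asks for. If they were relocated to the interconnection component, say so in a short remark here.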
- + 33333333-2222-4000-8000-004000000001 @@ -1068,13 +1058,13 @@ - - - + + + @@ -1083,7 +1073,7 @@ - +

If "other", remarks are required. Optional otherwise.

@@ -1107,7 +1097,8 @@
- + + @@ -1125,8 +1116,9 @@ 11111111-2222-4000-8000-004000000008 - - + + services +

Optional notes about this interconnection

@@ -1216,7 +1208,7 @@

Describe the service and what it is used for.

- + @@ -1238,7 +1230,7 @@ - + @@ -1302,7 +1294,8 @@

A service provided by an external system other than the leveraged system.

Describe the service and what it is used for.

- + +

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -1321,7 +1314,12 @@
+ + + Remote API Service + +

This is a service provided by an external system other than the leveraged system.

@@ -1354,6 +1352,9 @@

None

+ + + @@ -1377,6 +1378,7 @@

+ From 18fef787570064771460e5fac113040cc5dfd8a2 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 08:02:03 -0500 Subject: [PATCH 25/52] Tables 6.1 and 7.1 WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 345 ++++++++++++------ 1 file changed, 240 insertions(+), 105 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index a1ee72d2e..2237334bf 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -717,15 +717,21 @@ AwesomeCloud Commercial(IaaS) - - - + -

If 'yes', describe the user authentication method.

-

If 'no', explain why no user authentication is used.

-

If 'not-applicable', attest that no users access the leveraged system.

+

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
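Review bot: the two added remarks are word-for-word identical ("For now, this is a required field. In the future we intend to pull this information directly from FedRAMP's records based on the "leveraged-system-identifier" property's value."), which looks like a copy-paste slip, and the first-person "we intend" reads as a project note rather than guidance for SSP authors. Keep one copy, phrase it as guidance ("FedRAMP intends to ..."), and confirm that the yes/no/not-applicable user-authentication guidance this hunk deletes survives in the "user-authentication" remark added in the -776 hunk below.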
+ 11111111-2222-4000-8000-c0040000000a 2015-01-01 @@ -739,7 +745,31 @@

The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.

- + + + + Add/Remove Admins + This can add and remove admins. + + + + + + add/remove non-privliged admins + + + + + + Manage services and components within the virtual cloud environment. + + + + + + Add and remove users from the virtual cloud environment. + + @@ -754,9 +784,8 @@ -

When applicable, components must specify services, ports, and protocols.

-

All components that use or implement encryption must reference a "validation" - component.

+

A FedRAMP SSP must always have exactly one component that represents the whole system. + It should be the only component with the "this-system" component type.

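Review bot: the replaced remark drops two substantive requirements, that components specify services, ports, and protocols where applicable and that every component using or implementing encryption reference a "validation" component, and substitutes the this-system uniqueness rule; these are not alternatives, so unless the dropped guidance reappears beside a software or validation component elsewhere, keep both statements here. In the -739 hunk just above, "non-privliged" should read "non-privileged", and "This can add and remove admins." would be clearer in the same form as the other three privilege descriptions ("Add and remove administrators ...").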
@@ -776,59 +805,102 @@ + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
- + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
- - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - 11111111-2222-4000-8000-004000000012 + + + -

Each leveraged authorization must have:

-

a "leveraged-authorization" entry.

-

a "system" component (this component).

-

-

This component must always have:

-

- The name of the leveraged system in the title - exactly as it appears in the - FedRAMP Marketplace

-

- A "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry.

-

- An "implementation-point" property with a value of "external".

-

- A responsible-role with a role-id of "provider" and exactly one party-uuid entry - that indicates which organization is the provider of this leveraged system.

-

- A "nature-of-agreement" property with an appropriate allowed value. If the value is - "other", use the proeprty's remarks to descibe the agreement.

-

- a status with a state value of "operational"

+

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment, which points to the "system" + component that represents the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • a "user-authentication" property/extension
  • +
  • A responsible-role with a role-id of "provider" and exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • A "nature-of-agreement" property with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • a status with a state value of "operational"
  • +

Where relevant, this component should also have:

-

- One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

-

- C.3.5.1 is System development information

-

- C.3.5.8 is System and network monitoring information

-

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

-

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

-

-

Create a separate "service" component for each service used from the leveraged - system.

-

- If the service is included in the ATO scope and listed on the FedRAMP marketplace, - use the "leveraged-authorization-uuid" property in the "service" component to link it - directly to the leveraged authorization.

-

- If the service is not included in the ATO scope or not listed on the FedRAMP - marketplace, the "leveraged-authorization-uuid" property must be omitted from the - "service" component.

+
    +
  • +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
      +
    • C.3.5.1 is System development information
    • +
    • C.3.5.8 is System and network monitoring information
    • +
  • +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +

-

The following fields from the Leveraged Authorization Table are handled in the - leveraged-authorizationo assembly:

-

- Package ID, Authorization Type, Impact Level

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized services using a "service" component. + Both authorized and non-authorized service components are represented the same + in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property, while this + property must be excluded from the component of a + non-authorized service.
  • +
  • The component for a non-authorized service must include + properties/extensions to indicate if the service is still + suported, to cite other compliance programs the service may + have satisifed, and to identify any relevant + risks/impacts/mitigations.
  • +
  • Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other SSP content.
  • +
+

The components for both authorized and non-authorized services + must include a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: "#11111111-2222-4000-8000-009000100001")

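Review bot: the must-have list for the leveraged "system" component includes 'a "provided-by" link with a URI fragment, which points to the "system" component that represents the leveraged system', but this component is that system component, so the link would point at itself; that bullet belongs to the "service" component list and should be removed here. The same remark lists "One or more "information-type" properties" twice in the "Where relevant" section, the "inherited-uuid" remark ("This can only be known if provided by the leveraged system. such as via ...") has a stray full stop mid-sentence, the bullet "Represent each authorized or non-authorized services" mixes singular and plural, and the new text keeps or introduces several typos: "proeprty's", "descibe", "userswith", "systeme", "servcie", "suported", "satisifed", "categoriation", "datails", plus a missing closing quote after "non-authorized service".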
@@ -845,44 +917,46 @@ + + + + -

This service is explicitly listed on the FedRAMP marketplace as being included in the - scope of this leveraged system's ATO.

-

-

Each service used from a leveraged authorization must have:

-

- a "leveraged-authorization" entry.

-

- a "system" component linked to the leveraged-authorization entry.

-

- a "service" component (this component).

+

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

-

This component must always have:

-

- The name of the service in the title - exactly as it appears in the FedRAMP - Marketplace

-

- A "leveraged authorization-uuid" property that links this component to the - leveraged-authorization entry.

-

- An "implementation-point" property with a value of "external".

-

- A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

-

- Example: "#11111111-2222-4000-8000-009000100001"

-

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

-

- a status with a state value of "operational"

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +

Where relevant, this component should also have:

-

- One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

-

- A responsible-role with a role-id of "leveraged-authorization-users" and exactly +

    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

    -

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

    + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +

Link(s) to the vendor's web site describing the service are encouraged, but not required.

-

The following fields from the Leveraged Authorization Table are handled in the leveraged-authorization assembly:

-

- Package ID, Authorization Type, Impact Level

+
    +
  • Package ID, Authorization Type, Impact Level
  • +

The following fields from the Leveraged Authorization Table are handled in the - "system" component assembly:

+ "system" component representing the leveraged system as a whole:

- Nature of Agreement, CSP Name

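Review bot: the reworked must-have list for the authorized service component drops two items the old list had, 'a status with a state value of "operational"' and the IMPORTANT caveat that OSCAL versions <=1.1.2 incorrectly raise an error on the "provided-by" link; the status requirement is still stated for the system component in the -776 hunk above, so it should stay here too, and if the validation error is now resolved the remark should say so rather than silently losing the warning. Also, 'thus is considered an "Authorized Service.' is missing its closing quote, and "userswith" / "systeme" carry over from the old text.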
@@ -900,6 +974,13 @@ + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
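Review bot: "If 'not-applicable', attest explain why authentication is not applicable in the remarks." runs two verbs together; it should read either "attest that ..." or "explain why ...". The same sentence appears in the "user-authentication" remark added in the -776 hunk above, so fix both copies.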
@@ -921,27 +1002,33 @@ -

This service is provided by the leveraged system; however, it is NOT explicitly - listed on the FedRAMP marketplace as being included in the scope of this leveraged - system's ATO.

-

As a result, the "leveraged-authorization-uuid" property must NOT be present.

+

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of this leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

-

Each NON-authorized service used from a leveraged authorization must have:

-

- a "leveraged-authorization" entry.

-

- a "system" component linked to the leveraged-authorization entry.

-

- a "service" component (this component).

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
  • +
  • One or more "risk" property/extension for each identified risk; or, + one "risk" property/extension that asserts there is no identified risk, + and provides a basis for that assertion.
  • +
  • +
  • +
  • +
  • +
  • +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

This component must always have:

-

- The name of the service in the title - preferably exactly as it appears on the - vendor's web site

-

- An "implementation-point" property with a value of "external".

-

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

-

- A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

-

- Example: "#11111111-2222-4000-8000-009000100001"

-

- IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.

-

- a status with a state value of "operational"

-

+

Where relevant, this component should also have:

- One or more "information-type" properties, where the allowed values are the 800-63 information type identifiers.
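Review bot: the new title guidance for the non-authorized service component contradicts the component's own definition a few lines earlier. The remark now says `the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace`, but the same remark states that the service `is NOT explicitly listed on the FedRAMP marketplace`; the deleted wording (`preferably exactly as it appears on the - vendor's web site`) was the right instruction for this case and should be restored. Two more things here: the rewritten list ends with five empty bullet items (`• +` repeated) that will render as blank entries, and the deleted `IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) an error will incorrectly be raised for this link.` warning disappears with nothing indicating the issue was resolved; if validators on 1.1.2 still flag the provided-by link, keep the caveat next to it.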

@@ -1008,15 +1095,30 @@
-

Include this property if available, such as through an OSCAL-based CRM, component - definition, or direct access to the leveraged system's SSP.

+

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.
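Review bot: the replacement remark on inherited-uuid is a broken sentence. `This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.` splits one thought with a full stop and then says "as a result to"; suggest "This value can only be known if the leveraged system's owner provides it, for example through an OSCAL-based CRM, a component definition, or the leveraged system's own OSCAL SSP." The same three lines are pasted into several later components in this patch, so fix them together.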

- + 33333333-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-002000000010 + + + + + + 11111111-2222-4000-8000-002000000010 + + + + 11111111-2222-4000-8000-004000000010 @@ -1060,6 +1162,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
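Review bot: the party-uuid values added to the responsible-roles in this hunk look like the wrong identifier range. The two `11111111-2222-4000-8000-002000000010` entries sit next to a `11111111-2222-4000-8000-004000000010` entry in the same component, and the other party references in this example use the `...-0040000000xx` range; either these are typos for 004000000010 or the referenced party does not exist, and any validator that resolves party-uuid will reject the file. A later patch in this series changes them to 004000000010, which confirms the suspicion; squash that fix into this commit so every revision of the example validates.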
@@ -1164,8 +1273,9 @@ -

Include this property if available, such as through an OSCAL-based CRM, component - definition, or direct access to the leveraged system's SSP.

+

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

@@ -1210,6 +1320,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
@@ -1227,9 +1344,14 @@

If there are one or more identified risks, describe any mitigating factors.

-
- - + + + +

This can only be known if provided by the leveraged system. + such as via an OSCAL-based CRM, component definition, + or as a result to the leveraged system's OSCAL-based SSP.

+
+
@@ -1296,6 +1418,13 @@ + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+

Either describe a risk associated with this service, or indicate there is no identified risk.

@@ -1354,7 +1483,13 @@ - + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
From 60c291370b160af03643760b4d85996bfead5267 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 12:07:39 -0500 Subject: [PATCH 26/52] Table 6.1 and 7.1 WIP --- .../rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 2237334bf..9101913a8 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -753,18 +753,21 @@ + add/remove non-privliged admins + Manage services and components within the virtual cloud environment. + Add and remove users from the virtual cloud environment. From 18bd9f203fe0c02dc349d70cefd34fd27784fea4 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 14:52:44 -0500 Subject: [PATCH 27/52] added example ssp to fedramp_extensions.feature --- features/fedramp_extensions.feature | 2 ++ 1 file changed, 2 insertions(+) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index b4cd704d0..b8dbe220c 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -12,6 +12,8 @@ Examples: | ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | +| ../../../content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | + @full-coverage Scenario: Preparing constraint coverage analysis From 53da9056e22bd1ccfed4783ff1fdb52d0a0e0161 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 14:58:06 -0500 Subject: [PATCH 28/52] WIP --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier 
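Review bot: typo in the authorized-privilege text added in PATCH 26: `+ add/remove non-privliged admins` should read "non-privileged admins". The three added privilege strings also mix a fragment ("add/remove ...") with two full sentences ("Manage services and components ...", "Add and remove users ..."); Table 6.1 functions read better as parallel imperatives. PATCH 27 registers the example in the feature file as `| ../../../content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml |`, so any later rename of the file has to be mirrored there or the scenario will silently stop covering the example.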
diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier new file mode 100644 index 000000000..0f1613914 --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +HostUrl=https://raw.githubusercontent.com/brian-ruf/fedramp-automation/refs/heads/example-ssp/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml From 51dfea8974baae1e8f75fad29767d9422e2a0c7f Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 15:03:58 -0500 Subject: [PATCH 29/52] fixed import URL --- src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index 9101913a8..d34f2b023 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -563,7 +563,7 @@ + href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml">
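Review bot: PATCH 28 commits `FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier`, which is not content but the NTFS alternate data stream Windows writes as Mark-of-the-Web when a file is downloaded; its body `[ZoneTransfer] ZoneId=3 HostUrl=https://raw.githubusercontent.com/brian-ruf/...` records the contributor's personal fork as the download origin. It does not belong in the repository: drop it from this commit and add `*:Zone.Identifier` to the ignore rules. It is also a functional problem, not just noise, because a path containing a colon cannot be checked out on Windows, so this commit breaks the repository for Windows contributors until it is removed.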

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.
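Review bot: the corrected import-profile href in PATCH 29 pins to a branch, not a release. `href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml"` resolves to whatever master holds at fetch time, while the remark under it says the example `points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release`. A profile that can change under the SSP without any change to the SSP makes validation and control resolution non-reproducible; reference the 3.0.0 release tag or a commit hash in the URL so the href and the remark say the same thing, and consider recording a hash of the resolved baseline alongside it.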

From 1c341d7e63e8be70608afb9934ceeabfc7ddda08 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 15:06:15 -0500 Subject: [PATCH 30/52] fixed party-uuids in component --- .../rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index d34f2b023..b87611d52 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1111,13 +1111,13 @@ - 11111111-2222-4000-8000-002000000010 + 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-002000000010 + 11111111-2222-4000-8000-004000000010 From a18b1107bb9f10166c52f2ec667a38418996e4ac Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Thu, 21 Nov 2024 15:09:20 -0500 Subject: [PATCH 31/52] removed zone identifier file --- .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier deleted file mode 100644 index 0f1613914..000000000 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -HostUrl=https://raw.githubusercontent.com/brian-ruf/fedramp-automation/refs/heads/example-ssp/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml From 89156719ccbc35e66bad638ea2adaa00fccdcc9a Mon Sep 17 00:00:00 2001 
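Review bot: PATCH 31 deletes the Zone.Identifier stream that PATCH 28 added, but an add-then-delete pair leaves the file, including its `HostUrl=` pointing at a personal fork, in the permanent history of the branch, and leaves a commit that cannot be checked out on Windows. Since the series is still WIP, squash PATCH 28 and 31 (and PATCH 30, which only corrects the two party-uuid values to `11111111-2222-4000-8000-004000000010`) into the commits they fix before merge, so the published history never contains the stray stream or an invalid example.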
From: Brian Ruf Date: Fri, 22 Nov 2024 12:52:23 -0500 Subject: [PATCH 32/52] interconnection updates WIP --- src/content/rev5/examples/ssp/xml/.gitignore | 2 + .../ssp/xml/FedRAMP-SSP-Example.OSCAL.xml | 192 ++++++------------ 2 files changed, 64 insertions(+), 130 deletions(-) create mode 100644 src/content/rev5/examples/ssp/xml/.gitignore diff --git a/src/content/rev5/examples/ssp/xml/.gitignore b/src/content/rev5/examples/ssp/xml/.gitignore new file mode 100644 index 000000000..48db62d38 --- /dev/null +++ b/src/content/rev5/examples/ssp/xml/.gitignore @@ -0,0 +1,2 @@ +*.sh +*.sarif diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml index b87611d52..1d7be51a6 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml @@ -1064,71 +1064,25 @@ - - -

System development information

-
-
- - -

System and network monitoring information

-
-
- - -

Either describe a risk associated with this service, or indicate there is no identified risk.

-

If there is no risk, please explain your basis for that conclusion.

-
-
- - -

If there are one or more identified risks, describe any resulting impact.

-
-
- - -

If there are one or more identified risks, describe any mitigating factors.

-
-
- - -

For a leveraged system, this property must always be present with a value of - "external".

-
-
- - -

This can only be known if provided by the leveraged system. - such as via an OSCAL-based CRM, component definition, - or as a result to the leveraged system's OSCAL-based SSP.

-
-
+ + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 - - - - 11111111-2222-4000-8000-004000000010 - - - - - + 11111111-2222-4000-8000-004000000010 - - - - - 11111111-2222-4000-8000-004000000010 - - + 11111111-2222-4000-8000-004000000011 - + 11111111-2222-4000-8000-004000000012 @@ -1179,8 +1133,7 @@ - - + @@ -1208,9 +1161,9 @@ - - - + + + @@ -1222,9 +1175,6 @@ 11111111-2222-4000-8000-004000000008 - - 11111111-2222-4000-8000-004000000008 - 11111111-2222-4000-8000-004000000008 @@ -1233,7 +1183,14 @@
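Review bot: the new `src/content/rev5/examples/ssp/xml/.gitignore` in PATCH 32 ignores `*.sh` and `*.sarif`, which are developer-local artifacts (a helper script and validator output) rather than anything specific to this content directory; put those patterns in the top-level .gitignore or in .git/info/exclude so a shell script that genuinely belongs in the examples tree is not silently excluded later. In the same patch, the @@ -1064 hunk appears to strip the risk, impact, mitigation, implementation-point and inherited-uuid remarks from the external "system" component and add only responsible-roles, while the explanation of why risk now lives on the interconnection and service components only arrives in the next patch; either merge the two or move that explanation into this commit so the component is not left with neither the properties nor the reason they are gone.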
-

Optional notes about this interconnection

+

This is an interconnection between this system and one or more + external systems.

+

There must be a separate "system" component for each external system + linked by this interconnection. (Typically only one, but could be more.)

+

There must be one "used-by" link for each external "system" component + connected by this interconnection. The href is a URI fragment with the + UUID of the "system" component.

+

There must be at least one
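Review bot: the added interconnection remark ends mid-sentence. `+ There must be at least one` is followed by nothing; either finish the sentence (the preceding paragraph already states `There must be one "used-by" link for each external "system" component + connected by this interconnection`, so this may be a leftover from an earlier draft) or delete the fragment before it ships in the published example.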

@@ -1245,51 +1202,19 @@

- - -

Specify the type of agreement (e.g., EULA, SLA, App License Agreement, Contract, - etc

-
-
- - -

Describe the information being transferred in the @value field.

-
-
- - -

System development information

-
-
- - -

System and network monitoring information

-
-
- - - -

For a leveraged system, this property must always be present with a value of - "external".

-
-
- - -

This can only be known if provided by the leveraged system. - such as via an OSCAL-based CRM, component definition, - or as a result to the leveraged system's OSCAL-based SSP.

-
-
+ + + + - + 11111111-2222-4000-8000-004000000010 - + 11111111-2222-4000-8000-004000000011 - + 11111111-2222-4000-8000-004000000012 @@ -1868,7 +1793,7 @@ - + AC Policy

The Access Control Procedure governs how access is managed and approved.

@@ -1876,7 +1801,7 @@
- + AT Policy

The Awareness and Training Procedure governs how access is managed and approved.

@@ -1884,7 +1809,7 @@
- + AU Policy

The Audit and Accountability Procedure governs how access is managed and @@ -1893,7 +1818,7 @@ - + CA Policy

The Assessment, Authorization, and Monitoring Procedure governs how access is managed @@ -1902,7 +1827,7 @@ - + CM Policy

The Configuration Management Procedure governs how access is managed and @@ -1911,7 +1836,7 @@ - + CP Policy

The Contingency Planning Procedure governs how access is managed and approved.

@@ -1919,7 +1844,7 @@
- + IA Policy

The Identificaiton and Authentication Procedure governs how access is managed and @@ -1928,7 +1853,7 @@ - + IR Policy

The Incident Response Procedure governs how access is managed and approved.

@@ -1936,7 +1861,7 @@
- + MA Policy

The Maintenance Procedure governs how access is managed and approved.

@@ -1944,7 +1869,7 @@
- + MP Policy

The Media Protection Procedure governs how access is managed and approved.

@@ -1952,7 +1877,7 @@
- + PE Policy

The Physical and Enviornmental Protection Procedure governs how access is managed and @@ -1961,7 +1886,7 @@ - + PL Policy

The Planning Procedure governs how access is managed and approved.

@@ -1969,7 +1894,7 @@
- + PM Policy

The Program Management Procedure governs how access is managed and approved.

@@ -1977,7 +1902,7 @@
- + PS Policy

The Personnel Security Procedure governs how access is managed and approved.

@@ -1985,7 +1910,7 @@
- + PT Policy

The PII Processing and Transparency Procedure governs how access is managed and @@ -1994,7 +1919,7 @@ - + RA Policy

The Risk Assessment Procedure governs how access is managed and approved.

@@ -2002,7 +1927,7 @@
- + SA Policy

The System and Services Acquisition Procedure governs how access is managed and @@ -2011,7 +1936,7 @@ - + S3 Policy

The System and Communication Protection Procedure governs how access is managed and @@ -2020,7 +1945,7 @@ - + SI Policy

The System and Information Integrity Procedure governs how access is managed and @@ -2029,7 +1954,7 @@ - + SR Policy

The Supply Chain Risk Management Procedure governs how access is managed and @@ -3851,14 +3776,14 @@
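Review bot: every policy/procedure description in this run of hunks is a copy of the Access Control one. All twenty families read `The <Family> Procedure governs how access is managed and approved.`, which is true only of AC; for AT, AU, CP, IR and the rest the sentence is wrong rather than merely repetitive, and a reviewer checking -1 control coverage will notice. In the same blocks, `S3 Policy` should be `SC Policy` (System and Communications Protection), and "Identificaiton" and "Enviornmental" are misspelled. Since this patch already touches each of these blocks, correcting the descriptions here costs nothing.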

SSP Signature

- + 00000000 -

FedRAMP is formulating guidelines for handling digital/electronic signatures in +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in OSCAL, and welcome feedback on solutions.

-

For now, FedRAMP recommends one of the following:

+

For now, the PMO recommends one of the following:

  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • Render the OSCAL SSP content as a printed page that is physically signed, @@ -3871,7 +3796,7 @@ FedRAMP Applicable Laws and Regulations - + @@ -3885,7 +3810,7 @@ FedRAMP Master Acronym and Glossary - + @@ -4786,7 +4711,7 @@

    Separation of Duties Matrix

    - + @@ -4797,5 +4722,12 @@ base64.

    + + Interconneciton Security Agreement (ISA) + + + + + From 5d8d510941f8f321bed4f299823ce6d4277968ac Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 22 Nov 2024 23:26:46 -0500 Subject: [PATCH 33/52] leveraged authorizations and interconnections --- ...SCAL.xml => fedramp-ssp-example.oscal.xml} | 135 ++++++++++-------- 1 file changed, 76 insertions(+), 59 deletions(-) rename src/content/rev5/examples/ssp/xml/{FedRAMP-SSP-Example.OSCAL.xml => fedramp-ssp-example.oscal.xml} (97%) diff --git a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml similarity index 97% rename from src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml rename to src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 1d7be51a6..461db14f6 100644 --- a/src/content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1063,8 +1063,6 @@
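Review bot: the new back-matter resource is titled `Interconneciton Security Agreement (ISA)`; fix the spelling, and give the resource an rlink or base64 placeholder like the other resources in this hunk so it validates the same way. On the signature resource, the reworded `The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in + OSCAL` still recommends signing a rendered PDF or a printed page; that signs a rendering, not this XML, so nothing ties the signature to the OSCAL file a tool actually consumes. Until PMO guidance lands, the remark should at least advise recording a hash of the OSCAL file in the signed artifact.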

    An external system to which this system shares an interconnection.

    - - @@ -1086,24 +1084,32 @@ 11111111-2222-4000-8000-004000000012 -

    For each external system with which this system connects:

    -

    Must have a "system" component (this component).

    -

    Must have an "interconnection" component that connects this component with the - "this-system" component.

    -

    If the leveraged system owner provides a UUID for their system (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    -

    For an external system, the "implementation-point" property must always be present - with a value of "external".

    - -

    Each interconnection must be defined with both an "system" component and an - "interconnection" component.

    -

    Must include all leveraged services and features from the leveraged authorization - here.

    +

    Each interconnection to one or more remote systems must have:

    +
      +
    • a "system" component (this component)
    • +
    • an "interconnection" component
    • +
    +

    Each "system" component must have:

    +
      +
    • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
    • +
    • an "implementation-point" property with a value of "external"
    • +
    • a "status" field with a state value of "operational"
    • +
    -

    The risk associated with an external system must be quantified within the context of an interconnection, service, or cli, thus risk, impact, and mitigation properties are applied to those component types.

    +

    While not required, each "system" component should have:

    +
      +
    • an "inherited-uuid" property if the value was provided by the system owner
    • +
    • a "compliance" property/extension if appropriate
    • +
    • an "authorizing-official" responsible-role
    • +
    • an "system-owner" responsible-role
    • +
    • an "system-poc-management" responsible-role
    • +
    • an "system-poc-technical" responsible-role
    • +
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "authorizing-official", "system-owner", "system-poc-management + and "system-poc-technical"
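Review bot: the rewritten external "system" component remark in this hunk uses a term it never defines and has two small text defects. `The risk associated with an external system must be quantified within the context of an interconnection, service, or cli` leaves "cli" unexplained; spell out which component type is meant, since readers of the example will copy it. The closing quote is missing in `"system-poc-management + and "system-poc-technical"`, and the bullets `an "system-owner" responsible-role`, `an "system-poc-management" responsible-role` and `an "system-poc-technical" responsible-role` should read "a". Removing the copied leveraged-authorization wording (`Must include all leveraged services and features from the leveraged authorization - here.`) from an interconnection component is the right call.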

    @@ -1118,7 +1124,6 @@ -

    If 'yes', describe the authentication method in the remarks.

    @@ -1129,20 +1134,21 @@ - + - + + +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    +
    +
    - + + - - -

    If "other", remarks are required. Optional otherwise.

    -
    -
    + @@ -1175,22 +1181,50 @@ 11111111-2222-4000-8000-004000000008 - - 11111111-2222-4000-8000-004000000008 - + services -

    This is an interconnection between this system and one or more - external systems.

    -

    There must be a separate "system" component for each external system - linked by this interconnection. (Typically only one, but could be more.)

    -

    There must be one "used-by" link for each external "system" component - connected by this interconnection. The href is a URI fragment with the - UUID of the "system" component.

    -

    There must be at least one

    +

    Each interconnection to one or more remote systems must have:

    +
      +
    • one "system" component for each remote system sharing the connection
    • +
    • an "interconnection" component (this component)
    • +
    +

    Each "interconnection" component must have:

    +
      +
    • an "implementation-point" property with a value of "external"
    • +
    • a "status" field with a state value of "operational"
    • +
    • one or two "direction" properties
    • +
    • a "nature-of-agreement" property/extension
    • +
    • one or more "authentication-method" properties/extensions.
    • +
    • a "hosting-environment" proptery/extension
    • +
    • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
    • +
    • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
    • +
    • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
    • +
    • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
    • +
    • exactly one "used-by" link with an href value that refers to the "this-system" component.
    • +
    • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
    • +
    • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
    • +
    +

    Authentication methods must address both system-authentication as well as + user authentication mechanisms.

    +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    +

    If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

    +

    +

    While not required, each "interconnection" component should have:

    +
      +
    • an "inherited-uuid" property if the value was provided by the system owner
    • +
    • a "compliance" property/extension if appropriate
    • +
    • an "system-poc-management" responsible-role
    • +
    • an "system-poc-technical" responsible-role
    • +
    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP + properties/extensions for these roles, instead favor the core OSCAL + responsible-roles constructs, and the NIST-standard roles of + "system-poc-management" and "system-poc-technical". With an interconnection, + the system POC roles reference parties that represent the connection provider.
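Review bot: the `protocol` requirement in this list overloads the name attribute. `at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports` puts the side into protocol/@name, but in OSCAL that attribute carries the protocol's IANA service name (https, ssh, and so on), so following this rule loses the protocol identity a reviewer needs to judge the connection. The hunk already marks sides with `class` set to "local"/"remote" on the address properties; use that mechanism or a dedicated FedRAMP extension for the listening side and keep @name for the protocol. In the same list, `one or more "authentication-method" properties/extensions` describes mechanisms, while the next patch in this series defines the same extension on leveraged-system and service components as a yes/no/not-applicable flag; one extension name should not carry two value sets. Typos: "vlue", "agreemnet", "proptery", "the organization the provides".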

    @@ -3776,7 +3810,7 @@

    SSP Signature

    - + 00000000 @@ -3796,7 +3830,7 @@ FedRAMP Applicable Laws and Regulations - + @@ -3810,7 +3844,7 @@ FedRAMP Master Acronym and Glossary - + @@ -4705,23 +4739,6 @@ via HTML5.

    - - - Separation of Duties Matrix - -

    Separation of Duties Matrix

    -
    - - - - - - 00000000 - -

    May use rlink with a relative path, or embedded as - base64.

    -
    -
    Interconneciton Security Agreement (ISA) From f6eb3d6737db0cf44dab6c3c92718a39c1478de6 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 25 Nov 2024 22:25:08 -0500 Subject: [PATCH 34/52] LA and External/Intercon cleanup --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 272 +++++++++++------- 1 file changed, 171 insertions(+), 101 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 461db14f6..661a870b0 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -30,7 +30,8 @@ - + + @@ -647,6 +648,68 @@ + + Information Type Name + +
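Review bot: PATCH 33 deletes the `Separation of Duties Matrix` back-matter resource (the block ending `May use rlink with a relative path, or embedded as - base64.`), yet the next patch in this series states that FedRAMP `will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension`. If that property is meant to reference an attached matrix, the example now has nowhere for it to point; keep the resource, or say in the user-assembly remark where the matrix is expected to live. Also, the rename to `fedramp-ssp-example.oscal.xml` in this patch is not mirrored in `features/fedramp_extensions.feature`, which still lists `FedRAMP-SSP-Example.OSCAL.xml` from PATCH 27; on a case-sensitive CI filesystem the scenario will fail to load the example.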

    A description of the information.

    +
    + + C.3.5.1 + + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    +
    + + Information Type Name + +

    A description of the information.

    +
    + + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    + + fips-199-moderate + fips-199-moderate + +

    Required if the base and selected values do not match.

    +
    +
    +
    + + @@ -735,14 +798,22 @@ 11111111-2222-4000-8000-c0040000000a 2015-01-01 -
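Review bot: the information-type entries added in this hunk use identifiers that the remarks elsewhere in the same patch describe inconsistently. The blocks use `C.3.5.1` and `C.3.5.8`, which are NIST SP 800-60 Vol. II identifiers (System Development; System and Network Monitoring, as the deleted bullets later in this patch themselves state), while the requirement bullets added later still say the allowed values are "800-63 information type identifiers"; correct the bullets to 800-60. In the blocks, replace the placeholder `Information Type Name` with those two 800-60 titles, and note that every `Required if the base and selected values do not match.` remark sits on a pair whose base and selected are both `fips-199-moderate`, so the example never shows the case the remark is about; let one pair differ, with a justification in the remark, so readers and tooling see a populated adjustment.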

    Use one leveraged-authorization assembly for each underlying authorized cloud system - or general support system (GSS).

    +

    Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

    +

    For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

    -

    The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.

    +

    The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

    +

    Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.
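Review bot: the new user-assembly remark and the responsible-role rule added later in this patch do not agree. Here: `Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules`; further down, each leveraged-system and service responsible-role `must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.` A privilege-uuid that resolves to a user entry the validator ignores is either an unvalidated reference or a false error depending on how the constraint is written; decide which, and state it in one of the two remarks. Typo in the leveraged-authorization remark: "corrisponding".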

    @@ -780,15 +851,16 @@ This System -

    The entire system as depicted in the system authorization boundary

    -

    FedRAMP requires exactly one "this-system" component.

    -

    This is used in SSP control responses and may be used in interconnection - linkages.

    +

    This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

    +

    FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

    -

    A FedRAMP SSP must always have exactly one component that represents the whole system. - It should be the only component with the "this-system" component type.

    +

    A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

    +

    It does not need system details, as those exist elsewhere in this SSP.

    @@ -807,6 +879,7 @@ + @@ -817,13 +890,6 @@ - - -

    This can only be known if provided by the leveraged system. - such as via an OSCAL-based CRM, component definition, - or as a result to the leveraged system's OSCAL-based SSP.

    -
    -
    @@ -848,62 +914,73 @@
    • the name of the system in the title - exactly as it appears in the FedRAMP Marketplace
    • -
    • a "leveraged authorization-uuid" property that links this component to the +
    • a "leveraged authorization-uuid" core property that links this component to the leveraged-authorization entry
    • -
    • an "implementation-point" property with a value of "external"; and
    • -
    • a "provided-by" link with a URI fragment, which points to the "system" - component that represents the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
    • -
    • a "user-authentication" property/extension
    • -
    • A responsible-role with a role-id of "provider" and exactly one party-uuid entry - that indicates which organization is the provider of this leveraged system.
    • -
    • A "nature-of-agreement" property with an appropriate allowed value. If the value is +
    • an "implementation-point" core property with a value of "external"
    • +
    • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is "other", use the proeprty's remarks to descibe the agreement.
    • +
    • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
    • +
    • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
    • +
    • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
    • a status with a state value of "operational"
    • +
    • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.

    Where relevant, this component should also have:

      -
    • -
    • One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.
        -
      • C.3.5.1 is System development information
      • -
      • C.3.5.8 is System and network monitoring information
      • -
    • -
    • One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.
    • -
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).

    Links to the vendor website describing the system are encouraged, but not required.

    +

    Services

    A service within the scope of the leveraged system's authorization boundary is considered an "authorized service". Any other service offered by the leveraged system is considered a "non-authorized service"

    -

    Represent each authorized or non-authorized services using a "service" component. - Both authorized and non-authorized service components are represented the same - in OSCAL with the following exceptions:

    +

    Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

    • The component for an authorized servcie includes a - "leveraged-authorization-uuid" property, while this + "leveraged-authorization-uuid" property. This property must be excluded from the component of a - non-authorized service.
    • + non-authorized leveraged service.
    • The component for a non-authorized service must include - properties/extensions to indicate if the service is still - suported, to cite other compliance programs the service may - have satisifed, and to identify any relevant - risks/impacts/mitigations.
    • -
    • Although SSP Table 7.1 also requires data categoriation and hosting - environment information about non-authorized leveraged services, - these datails are derived from other SSP content.
    • + a "still-supported" property/extension. +
    • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
    -

    The components for both authorized and non-authorized services - must include a "provided-by" link with a URI fragment that points + +

    Both authorized and non-authorized leveraged services include:

    +
      +
    • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. - (Example: "#11111111-2222-4000-8000-009000100001")

      + (Example: "#11111111-2222-4000-8000-009000100001")
    • +
    • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
    • +
    • an "implementation-point" core property with a value of "external"
    • +
    • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
    • +
    • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
    • +
    • a status with a state value of "operational"
    • +
    • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
    • +
    + +

    Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.
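Review bot: the "authentication-method" bullet added in this hunk lists allowed values of "yes", "no" or "not-applicable", which are answers to a yes/no question rather than names of a method; confirm the property name and its value set against the FedRAMP extension definition before this ships, since validators key on both. The added lines also carry typos that will be copied into every SSP built from this example: "corrisponding" in the poam-item bullet, "the a llowed values" in the information-type bullet, "categoriation" and "datails" in the closing Table 7.1 paragraph, and the parenthesis opened in the title bullet ("(for authorized services this should be exactly as it appears in the FedRAMP Marketplace") is never closed.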

    @@ -986,58 +1063,61 @@
    - - -

    Either describe a risk associated with this service, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    + + + + + + +

    This is a service offered by a leveraged system and used by this system. It is NOT explicitly listed on the FedRAMP marketplace as being included - in the scope of this leveraged system's ATO, thus is treated as a + in the scope of the leveraged system's ATO, thus is treated as a non-authorized, leveraged service.

    -

    Each leveraged service must be expressed as a "service" component, and must have:

    +

    Each non-authorized leveraged service must be expressed as a "service" component, and must have:

    • the name of the service in the title - exactly as it appears in the FedRAMP Marketplace
    • an "implementation-point" property with a value of "external"; and
    • +
    • one or two "direction" prperty/extensions
    • +
    • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
    • +
    • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
    • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
    • -
    • One or more "risk" property/extension for each identified risk; or, - one "risk" property/extension that asserts there is no identified risk, - and provides a basis for that assertion.
    • -
    • -
    • -
    • +

    The "leveraged-authorization-uuid" property must NOT be present, as this is how tools are able to distinguish between authorized and non-authorized services from the same leveraged provider.

    -

    This component must always have:

    - +

    Where relevant, this component should also have:

    -

    - One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

    -

    - A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

    +
      +
    • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
    • +
    • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
    • +
    +

    Link(s) to the vendor's web site describing the service are encouraged, but not + required.

    +

    The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

    +
      +
    • Package ID, Authorization Type, Impact Level
    • +
    +

    +

    - An "inherited-uuid" property if the leveraged system's owner provides a UUID for their system (such as in an OSCAL-based CRM).
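Review bot: the responsible-role bullet this hunk adds still says "exactly one or more party-uuid entries", carrying the contradiction over from the text it replaces; state the real cardinality (one, or one or more). The same bullet identifies authorized users with role-id "leveraged-authorization-users" plus party-uuid entries, while the general guidance earlier in this patch (the Services hunk) says any responsible-role other than "provider" with "privilege-uuid" property/extensions pointing at user assembly entries; the two descriptions should agree, or the remark should say which one applies to non-authorized services. Spelling in the added lines: "userswith", "systeme", "prperty/extensions" (direction bullet), "POAM&M ID" and "a Excel workbook" (poam-item bullet), and "are included full list" is missing "in the".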

    Link(s) to the vendor's web site describing the service are encouraged, but not @@ -1150,26 +1230,14 @@ - - -

    Either describe a risk associated with this interconnection, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -
    - + + + + + @@ -4598,12 +4666,13 @@
    - [SAMPLE]Plan of Actions and Milestones (POAM) + Plan of Actions and Milestones (POAM) - + + 00000000 @@ -4687,6 +4756,7 @@

    The primary authorization boundary diagram.

    + 00000000 From 75f273f61cdd1d6516a155a430d803be5443c223 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 25 Nov 2024 22:42:22 -0500 Subject: [PATCH 35/52] fixing validation errors --- .../rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 661a870b0..b6e078857 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -608,8 +608,7 @@ - + From ef659d860fc4964b022198b4ef5000b4c9d9c861 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 26 Nov 2024 09:09:52 -0500 Subject: [PATCH 36/52] more cleanup --- .../rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index b6e078857..22bc5824e 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -807,6 +807,10 @@ + + + none +

    The user assembly is being reviewed for continued applicability under FedRAMP's adoption of Rev 5.
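Review bot: the -4598 and -4687 hunks add a hash value of "00000000" to the POA&M resource and to the authorization boundary diagram; an eight-character all-zero string is not a valid digest for any of the SHA-2/SHA-3 algorithms OSCAL allows on hash, so it will fail any integrity check and is likely to trip a validator that checks digest length. Either compute the digest of the attached sample file, or leave hash out of the example and say in remarks that it is omitted in the sample; the same placeholder reappears on every attachment in the later "attachment cleanup" patch, so settle the approach here.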

    From 445e036334973e0dc22fe5ec23ed7bbbd4802d14 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 26 Nov 2024 09:15:21 -0500 Subject: [PATCH 37/52] more cleanup --- src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 22bc5824e..9df44c2ad 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -3878,6 +3878,7 @@ + Signed System Security Plan

    SSP Signature

    From 78336aecef55de82872a9ea255fd1f6e967441c6 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 26 Nov 2024 21:32:27 -0500 Subject: [PATCH 38/52] attachment cleanup --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 221 ++++++++++-------- 1 file changed, 122 insertions(+), 99 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 9df44c2ad..4a947cd29 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -634,7 +634,7 @@ fips-199-moderate - fips-199-moderate + fips-199-low

    Required if the base and selected values do not match.

    @@ -657,7 +657,7 @@ fips-199-moderate - fips-199-moderate + fips-199-low

    Required if the base and selected values do not match.

    @@ -671,7 +671,7 @@
    fips-199-moderate - fips-199-moderate + fips-199-high

    Required if the base and selected values do not match.
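Review bot: the -634, -657 and -671 hunks change the selected impact level so it no longer matches the base (moderate to low twice, moderate to high once), and the context line right below each one says a justification is required when base and selected differ; none appears in the diff, so each of these three security-impact-level entries needs that adjustment justification filled in, or the example demonstrates exactly the omission the remark warns about. A short sentence in the remark explaining why the sample mixes levels would also help readers who copy it.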

    @@ -3882,9 +3882,9 @@

    SSP Signature

    - + - + 00000000

    The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in @@ -3902,21 +3902,21 @@ FedRAMP Applicable Laws and Regulations - + 00000000 -

    Must be present in a FedRAMP SAP.

    +

    Must be present in a FedRAMP SSP.

    FedRAMP Master Acronym and Glossary - + @@ -3932,11 +3932,11 @@

    AC Policy document

    - + - + 00000000 @@ -3950,11 +3950,11 @@
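Review bot: this hunk (AC Policy document) and each of the policy, procedure, plan and logo hunks that follow change two lines and add an "00000000" hash; as with the POA&M resource earlier, that is not a valid digest for any algorithm OSCAL allows, and it leaves a reader with the impression that an integrity value is required but may be faked. Since every attachment in the example would carry the same placeholder, generate real digests for the sample files or drop the hash element and note the omission once in the section remarks rather than repeating a bogus value dozens of times.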

    AT Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -3967,11 +3967,11 @@

    AU Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -3984,11 +3984,11 @@

    CA Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4001,11 +4001,11 @@

    CM Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4018,11 +4018,11 @@

    CP Policy document

    - + - + 00000000 @@ -4036,11 +4036,11 @@

    IA Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4053,11 +4053,11 @@

    IR Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4070,11 +4070,11 @@

    MA Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4087,11 +4087,11 @@

    MP Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4104,11 +4104,11 @@

    PE Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4121,11 +4121,11 @@

    PL Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4138,11 +4138,11 @@

    PS Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4155,11 +4155,11 @@

    RA Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4172,11 +4172,11 @@

    SA Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4189,11 +4189,11 @@

    SC Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4206,11 +4206,11 @@

    SI Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4223,11 +4223,11 @@

    SR Policy document

    - + - + 00000000

    Table 12-1 Attachments: Policy Attachment

    @@ -4241,11 +4241,11 @@

    AC Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4258,11 +4258,11 @@

    AT Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4275,11 +4275,11 @@

    AU Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4292,11 +4292,11 @@

    CA Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4309,11 +4309,11 @@

    CM Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4326,11 +4326,11 @@

    CP Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4343,11 +4343,11 @@

    IA Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4360,11 +4360,11 @@

    IR Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4377,11 +4377,11 @@

    MA Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4394,11 +4394,11 @@

    MP Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4411,11 +4411,11 @@

    PE Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4428,11 +4428,11 @@

    PL Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4445,11 +4445,11 @@

    PS Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4462,11 +4462,11 @@

    RA Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4479,11 +4479,11 @@

    SA Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4496,11 +4496,11 @@

    SC Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4513,11 +4513,11 @@

    SI Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4530,11 +4530,11 @@

    SR Procedure document

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4551,7 +4551,7 @@ - +

    Table 12-1 Attachments: User's Guide Attachment

    @@ -4571,7 +4571,7 @@ - + 00000000

    Table 12-1 Attachments: Rules of Behavior (ROB)

    @@ -4589,7 +4589,7 @@ - + 00000000

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    @@ -4607,7 +4607,7 @@ - + 00000000

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    @@ -4625,7 +4625,7 @@ - + 00000000

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    @@ -4660,7 +4660,7 @@ - + 00000000

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    @@ -4675,8 +4675,8 @@ - - + + 00000000
    @@ -4686,11 +4686,11 @@

    Supply Chain Risk Management Plan

    - + - + 00000000

    Table 12-1 Attachments: Procedure Attachment

    @@ -4706,8 +4706,8 @@ - - + + 00000000 @@ -4729,7 +4729,7 @@

    CSP Logo

    - + 00000000

    May use rlink with a relative path, or embedded as @@ -4744,7 +4744,7 @@

    3PAO Logo

    - + 00000000

    May use rlink with a relative path, or embedded as @@ -4761,7 +4761,7 @@

    The primary authorization boundary diagram.

    - + 00000000

    Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

    @@ -4780,8 +4780,9 @@

    The primary network diagram.

    + - + 00000000

    Section 8.1, Figure 8-2 Network Diagram (graphic)

    @@ -4800,7 +4801,8 @@

    The primary data flow diagram.

    - + + 00000000

    Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

    @@ -4815,10 +4817,31 @@ Interconneciton Security Agreement (ISA) - + - + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + +

    CSP-specific citation. Note the "type" property's class is "law" + and the value is "citation".

    +
    +
    + + CSP Acronyms + + + +

    CSP-specific citation. Note the "type" property's class is "acronyms" + and the value is "citation".

    +
    From 4109c762d00db9bb572e2d95e355f9858285eb5d Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 2 Dec 2024 22:46:22 -0500 Subject: [PATCH 39/52] revised resources to omit defunct FedRAMP acronyms attachment, plus adjusted components to align with Ports, protocols, Services approach --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 73 ++++++++----------- 1 file changed, 32 insertions(+), 41 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 4a947cd29..99900fbb4 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1166,6 +1166,10 @@ 11111111-2222-4000-8000-004000000012 + + services + +

    Each interconnection to one or more remote systems must have:

      @@ -1177,6 +1181,9 @@
    • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
    • an "implementation-point" property with a value of "external"
    • a "status" field with a state value of "operational"
    • +
    • if an interconnection exists with this system and there are + remote listening ports, one or more "protocol" assemblies must + be provided.

    While not required, each "system" component should have:

    @@ -1227,8 +1234,8 @@ - + @@ -1253,8 +1260,8 @@ 11111111-2222-4000-8000-004000000008 - - services + + Incoming FTP Service @@ -1362,22 +1369,6 @@ - - -

    Either describe a risk associated with this service, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    -
    -
    - - -

    If there are one or more identified risks, describe any resulting impact.

    -
    -
    - - -

    If there are one or more identified risks, describe any mitigating factors.

    -
    -

    This can only be known if provided by the leveraged system. @@ -1395,8 +1386,11 @@ 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 - - + + + + +

    This is a service provided by an external system other than the leveraged system.
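Review bot: the -1253 hunk above renames the sample service component from "services" to "Incoming FTP Service"; FTP is a cleartext protocol, and sample SSPs get copied, so either pick a protocol the example system would plausibly expose under a FedRAMP baseline (SFTP or FTPS, for instance) or add a remark that the name is illustrative only, so the example does not read as endorsing an unencrypted listening service.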

    @@ -1707,7 +1701,12 @@ + + + + + Appliance Sample @@ -2097,10 +2096,14 @@

    Email Service

    - + + + + +
    @@ -3904,28 +3907,12 @@ FedRAMP Applicable Laws and Regulations - - 00000000 - -

    Must be present in a FedRAMP SSP.

    -
    - - - - - FedRAMP Master Acronym and Glossary - - - - 00000000 + href="https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx"/>

    Must be present in a FedRAMP SSP.

    + Access Control Policy Title @@ -4639,13 +4626,17 @@ - [SAMPLE] Laws and Regulations + CSP-specific Law Citation Identification Number 00000000 + +

    A CSP-specific law citation

    +

    The "type" property must be present and contain the value "law".

    +
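Review bot: the remark added in the -4639 hunk says the "type" property must contain the value "law", but the "41 CFR 201" and "CSP Acronyms" resources added in the attachment cleanup patch say the "type" property's class is "law" (or "acronyms") and its value is "citation". Two remarks in the same example now give tooling two different rules for the same property; settle on one convention and correct whichever remark is wrong.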
    From 3d8fcde8cc4c6cce71abfd1660caba3840515910 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 3 Dec 2024 22:53:16 -0500 Subject: [PATCH 40/52] attachment modeling WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 1725 +++-------------- 1 file changed, 221 insertions(+), 1504 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 99900fbb4..be6159f2b 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -564,7 +564,7 @@ + href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml">

    This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.
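Review bot: the -564 hunk points import-profile at FedRAMP_rev5_HIGH-baseline_profile.xml while the context remark immediately below still says the example points to the Rev 5 Moderate baseline; one of the two is wrong. If the switch to High is intended, update the remark and re-check the security-impact-level values changed in the attachment cleanup patch for consistency; if not, restore the Moderate profile URL.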

    @@ -2332,1547 +2332,242 @@ - - - - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - - - - - -

    Describe how Part a is satisfied within the system.

    -

    Legacy approach. If no policy component is defined, describe here how the - policy satisfies part a.

    -

    In this case, a link must be provided to the policy.

    -

    FedRAMP prefers all policies and procedures be attached as a resource in the - back-matter. The link points to a resource.

    -
    - - - - -

    The specified component is the system itself.

    -

    Any control implementation response that can not be associated with another - component is associated with the component representing the system.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Identity - Management and Access Control Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    - -
    -
    - - - -

    There

    -
    - - - -

    Describe the plan to complete the implementation.

    -
    -
    -
    - - -

    Describe how this policy currently satisfies part a.

    -
    - - -

    Describe the plan for addressing the missing policy elements.

    -
    -
    - - -

    Identify what is currently missing from this policy.

    -
    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    - -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - -

    Describe any customer-configured requirements for satisfying this control.

    -
    -
    - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - [SAMPLE]privileged, non-privileged - - - [SAMPLE]all - - - [SAMPLE]The Access Control Procedure - - - at least annually - -
    -
    - - - -

    Describe how AC-2, part a is satisfied within this system.

    -

    This points to the "This System" component, and is used any time a more - specific component reference is not available.

    -
    - - - -

    Leveraged system's statement of capabilities which may be inherited by a - leveraging systems to satisfy AC-2, part a.

    -
    -
    - - -

    Leveraged system's statement of a leveraging system's responsibilities in - satisfaction of AC-2, part a.

    -

    Not associated with inheritance, thus associated this with the - by-component for "this system".

    -
    - - 11111111-2222-4000-8000-004000000001 - -
    -
    -
    - - -

    For the portion of the control satisfied by the application component of this - system, describe how the control is met.

    -
    - - - -

    Consumer-appropriate description of what may be inherited from this - application component by a leveraging system.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    - - -

    Leveraging system's responsibilities with respect to inheriting this - capability from this application.

    -

    In the context of the application component in satisfaction of AC-2, part - a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    -
    - -

    The component-uuid above points to the "this system" component.

    -

    Any control response content that does not cleanly fit another system component - is placed here. This includes customer responsibility content.

    -

    This can also be used to provide a summary, such as a holistic overview of how - multiple components work together.

    -

    While the "this system" component is not explicitly required within every - statement, it will typically be present.

    -
    -
    - - -

    For the portion inherited from an underlying FedRAMP-authorized provider, - describe what is inherited.

    -
    - - -

    Optional description.

    -

    Consumer-appropriate description of what may be inherited as provided by the - leveraged system.

    -

    In the context of this component in satisfaction of AC-2, part a.

    -

    The provided-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -
    -
    - - -

    Description of how the responsibility was satisfied.

    -

    The responsibility-uuid links this to the same statement in the - leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based - CRM (Inheritance and Responsibility Model).

    -

    Tools should use this to ensure all identified customer - responsibility statements have a corresponding - satisfied statement in the leveraging system's SSP.

    -

    Tool developers should be mindful that

    -
    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    Describe how Part a is satisfied.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    Describe how Part b-1 is satisfied.

    -
    -
    -
    - - - -

    Describe how Part b-2 is satisfied.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    - -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    -
    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + uuid="11111111-2222-4000-8000-014000000001"> -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    +

    Describe how Part a is satisfied within the system.

    +

    Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

    +

    In this case, a link must be provided to the policy.

    +

    FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

    + +

    The specified component is the system itself.

    +

    Any control implementation response that can not be associated with another + component is associated with the component representing the system.

    +
    - + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    +

    Describe how this policy satisfies part a.

    +

    Component approach. This links to a component representing the Identity + Management and Access Control Policy.

    That component contains a link to the policy, so it does not have to be linked here too.

    +
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    -
    -
    - - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - - 11111111-2222-4000-8000-004000000011 - - - - -

    Describe how the control is satisfied within the system.

    -
    - - organization-defined personnel or roles - - - at least every 3 years - - - at least annually - -
    -
    - - - -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    -
    -
    - + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    +

    Describe how this procedure satisfies part a.

    +

    Component approach. This links to a component representing the Identity + Management and Access Control Policy.

    That component contains a link to the policy, so it does not have to be linked here too.

    -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    -
    +
    - + + uuid="11111111-2222-4000-8000-014000000003"> -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    +

    There

    + + + +

    Describe the plan to complete the implementation.

    +
    +
    -
    - - + -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    +

    Describe how this policy currently satisfies part a.

    + + +

    Describe the plan for addressing the missing policy elements.

    +
    +
    + + +

    Identify what is currently missing from this policy.

    +
    +
    -
    - - - - - - - 11111111-2222-4000-8000-004000000018 - - - + + -

    Describe how the control is satisfied within the system.

    -

    DMARC is employed.

    -

    SPF is employed.

    -

    DKIM is employed.

    +

    Describe how Part b-1 is satisfied.

    - - organization-defined personnel or roles - - - [specify frequency] - - - [specify frequency] - +
    - +

    Describe the plan to complete the implementation.

    + - - + + +

    Describe any customer-configured requirements for satisfying this control.

    +
    +
    + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 - + + uuid="11111111-2222-4000-8000-014000000007">

    Describe how the control is satisfied within the system.

    - - to include chief privacy and ISSO and/or similar role or designees + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all - - at least every 3 years + + [SAMPLE]The Access Control Procedure - + at least annually
    - + + uuid="11111111-2222-4000-8000-014000000008"> -

    For the portion of the control satisfied by the service provider, describe - how the control is met.

    +

    Describe how AC-2, part a is satisfied within this system.

    +

    This points to the "This System" component, and is used any time a more + specific component reference is not available.

    + + + +

    Leveraged system's statement of capabilities which may be inherited by a + leveraging systems to satisfy AC-2, part a.

    +
    +
    + + +

    Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

    +

    Not associated with inheritance, thus associated this with the + by-component for "this system".

    +
    + + 11111111-2222-4000-8000-004000000001 + +
    +
    - + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked - here too.

    +

    For the portion of the control satisfied by the application component of this + system, describe how the control is met.

    + + + +

    Consumer-appropriate description of what may be inherited from this + application component by a leveraging system.

    +

    In the context of the application component in satisfaction of AC-2, part + a.

    +
    + + 11111111-2222-4000-8000-004000000005 + +
    + + +

    Leveraging system's responsibilities with respect to inheriting this + capability from this application.

    +

    In the context of the application component in satisfaction of AC-2, part + a.

    +
    + + 11111111-2222-4000-8000-004000000005 + +
    +
    + +

    The component-uuid above points to the "this system" component.

    +

    Any control response content that does not cleanly fit another system component + is placed here. This includes customer responsibility content.

    +

    This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

    +

    While the "this system" component is not explicitly required within every + statement, it will typically be present.

    +
    - + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be - linked here too.

    +

    For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

    + + +

    Optional description.

    +

    Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

    +

    In the context of this component in satisfaction of AC-2, part a.

    +

    The provided-uuid links this to the same statement in the + leveraged system's SSP.

    +

    It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

    +
    +
    + + +

    Description of how the responsibility was satisfied.

    +

    The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

    +

    It may be linked directly, but is more commonly provided via an OSCAL-based + CRM (Inheritance and Responsibility Model).

    +

    Tools should use this to ensure all identified customer + responsibility statements have a corresponding + satisfied statement in the leveraging system's SSP.

    +

    Tool developers should be mindful that

    +
    +
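Review bot: two added remarks in this hunk are unfinished and should be completed or dropped before merge: the by-component remark that consists only of "There" (under the by-component with uuid 11111111-2222-4000-8000-014000000003) and the closing guidance sentence "Tool developers should be mindful that". Grammar in other added prose: "inherited by a leveraging systems" (singular "system"), "Not associated with inheritance, thus associated this with the by-component" (e.g. "so this is associated with the by-component"), and "can not be associated" ("cannot"). The replacement of the DMARC/SPF/DKIM lines with "Describe how Part b-1 is satisfied." is fine for a template, but the [SAMPLE]-prefixed parameter values elsewhere in the hunk suggest the same convention should be used here if a worked value is wanted.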
    @@ -3915,21 +2610,26 @@ - Access Control Policy Title + Access Control and Identity Management Policy -

    AC Policy document

    +

    A single policy that addresses both the AC and IA families.

    - - - - - 00000000 + + + 00000000 -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64.

    +

    Each policy must be attached as back-matter resources, and must include:

    +
      +
    • a title field with the attached document's published title.
    • +
    • a "type" property with a value of "policy".
    • +
    • a "published" property with the attached document's publication date.
    • +
    • a "version" property with the attached document's published version.
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • both base64 and rlink require a media-type for policies
    • +
    +

    Each policy must have a corrisponding "policy" component.
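Review bot: typo in the last added remark of this hunk, "corrisponding" should be "corresponding". In the added attachment list, "Each policy must be attached as back-matter resources" mixes singular and plural ("as a back-matter resource"), and the final item "both base64 and rlink require a media-type for policies" is the only item that is neither capitalised nor terminated with a period; align it with the others so the list reads as one set of rules.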

    @@ -4060,7 +2760,7 @@ - + 00000000 @@ -4232,12 +2932,18 @@ - + 00000000 -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64.

    +

    Procedures must be attached as back-matter resources, and must include:

    +
      +
    • a title field with the attached document's published title.
    • +
    • a "type" property with a value of "procedure".
    • +
    • a "published" property with the attached document's publication date.
    • +
    • a "version" property with the attached document's published version.
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • both base64 and rlink require a media-type for policies
    • +
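Review bot: the last item of the added procedure-attachment list still says "require a media-type for policies"; this list is for procedures, so the copied wording should say "for procedures" (or drop the qualifier, since the requirement applies to both). As in the policy list, that item lacks the capitalisation and period the other items have.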
    @@ -4663,13 +3369,24 @@ Plan of Actions and Milestones (POAM) - - 00000000 - + +

    The POA&M attachment may either be a legacy Excel workbook or OSCAL file. + The resource must have:

    +
      +
    • a title field with the the value, "Plan of Actions and Milestones (POAM)"
    • +
    • a "published" property with the effective date of the attached POA&M.
    • +
    • a "type" property with a value of "plan" and a class of "poam".
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • Both base64 and rlink require a media-type for policies
    • +
    +

    A "version" property is optional.

    +

    The appropriate media types for OSCAL content + are, "application/xml", "application/json" or "application/yaml".

    +
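Review bot: doubled word in the added POA&M requirements, "a title field with the the value"; and the last item again says "media-type for policies" although this resource is the POA&M. The remark also states the attachment may be a legacy Excel workbook or an OSCAL file but then lists media types only for OSCAL content (application/xml, application/json, application/yaml); either name the expected media type for the Excel form as well or state that it is not constrained, otherwise a validator has nothing to check for the legacy case.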
    @@ -4707,7 +3424,7 @@

    FedRAMP Logo

    - + 00000000 From d8beca630a55585a6de50fa9bb7feadc7b253b03 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Wed, 4 Dec 2024 09:26:47 -0500 Subject: [PATCH 41/52] attachment modeling WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 431 +++--------------- 1 file changed, 67 insertions(+), 364 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index be6159f2b..d4220a607 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -847,8 +847,7 @@ Add and remove users from the virtual cloud environment.
    - - + @@ -867,11 +866,8 @@
    - - - @@ -1044,10 +1040,9 @@ - - + - + Service B @@ -1138,8 +1133,8 @@ - - + + Other Cloud SaaS @@ -1203,7 +1198,7 @@ - + [EXAMPLE]Authorized Connection Information System Name @@ -1306,8 +1301,8 @@ - - + + Other Cloud SaaS @@ -1350,7 +1345,7 @@ - + Service C @@ -1436,7 +1431,7 @@ - + Service C @@ -1501,7 +1496,7 @@ - + Management CLI @@ -1546,8 +1541,6 @@ - - Service D @@ -1658,7 +1651,21 @@ - + + Email Service + +

    Email Service

    +
    + + + + + + + + +
    + [SAMPLE]Product @@ -1726,179 +1733,66 @@ - - - AC Policy - -

    The Access Control Policy governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Policy governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability governs how access is managed and approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Policy governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Policy governs how access is managed and approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Policy governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Policy governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Policy governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Policy governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Policy governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Policy governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Policy governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Policy governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Policy governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Policy governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Policy governs how access is managed and approved.

    -
    - - -
    - - SA Policy + + + IPv4 Production Subnet -

    The System and Services Acquisition Policy governs how access is managed and - approved.

    +

    IPv4 Production Subnet.

    - + + +
    - - S3 Policy + + IPv4 Management Subnet -

    The System and Communication Protection Policy governs how access is managed and - approved.

    +

    IPv4 Management Subnet.

    - + + + +
    - - SI Policy + + + + + + Access Control and Identity Management Policy -

    The System and Information Integrity Policy governs how access is managed and - approved.

    +

    The Access Control and Identity Management Policy governs how + user identities and access rights are managed.

    - + + +

    A policy component is required for each policy that governs the system.

    +

    The title, description and status fields are required by core OSCAL. + The title field should reflect the actual title of the policy document.

    +

    A "policy" link field must be present that identifies the back-matter + resource representing the attached policy.

    +

    The document version and date are represented in the linked resource. Not here.

    +

    At this time FedRAMP does not _require_ policy approver or + audience information in the SSP; however, both may be represented here + using the responsible-role field. If electing to include this information, + use the "approver" role ID to represent approvers. Any other role listed + is assumed to be audience.

    +
    - - SR Policy + + AT Policy -

    The Supply Chain Risk Management Policy governs how access is managed and - approved.

    +

    The Awareness and Training Policy governs how access is managed and approved.

    - +
    - AC Policy + Access Control Procedure

    The Access Control Procedure governs how access is managed and approved.
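Review bot: the "AT Policy" component kept by this hunk still carries the copy-pasted description "The Awareness and Training Policy governs how access is managed and approved.", and its title contradicts the guidance added just above it that the title should reflect the actual title of the policy document; either give it a training-specific description and a realistic [SAMPLE] title or remove it now that the Access Control and Identity Management Policy component carries the full guidance. Smaller points in the added guidance text: the underscores in "_require_" will appear literally in XML prose (use the markup's emphasis element instead); "The document version and date are represented in the linked resource. Not here." reads better as a single sentence; and the description kept for the renamed "Access Control Procedure" ("governs how access is managed and approved") still describes a policy rather than a procedure.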

    @@ -1913,198 +1807,7 @@
    - - AU Policy - -

    The Audit and Accountability Procedure governs how access is managed and - approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Procedure governs how access is managed - and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Procedure governs how access is managed and - approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - IA Policy - -

    The Identificaiton and Authentication Procedure governs how access is managed and - approved.

    -
    - - -
    - - IR Policy - -

    The Incident Response Procedure governs how access is managed and approved.

    -
    - - -
    - - MA Policy - -

    The Maintenance Procedure governs how access is managed and approved.

    -
    - - -
    - - MP Policy - -

    The Media Protection Procedure governs how access is managed and approved.

    -
    - - -
    - - PE Policy - -

    The Physical and Enviornmental Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - PL Policy - -

    The Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Procedure governs how access is managed and approved.

    -
    - - -
    - - PS Policy - -

    The Personnel Security Procedure governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Procedure governs how access is managed and - approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Procedure governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Procedure governs how access is managed and - approved.

    -
    - - -
    - - S3 Policy - -

    The System and Communication Protection Procedure governs how access is managed and - approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Procedure governs how access is managed and - approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Procedure governs how access is managed and - approved.

    -
    - - -
    - - - - IPv4 Production Subnet - -

    IPv4 Production Subnet.

    -
    - - - - -
    - - IPv4 Management Subnet - -

    IPv4 Management Subnet.

    -
    - - - - - -
    - - Email Service - -

    Email Service

    -
    - - - - - - - - -
    From 9605ba87a973a6f19cef52746eba028f480460ab Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Wed, 4 Dec 2024 14:57:04 -0500 Subject: [PATCH 42/52] SSP component cleanup, UUID planning for implemented controls --- .../examples/UUIDs_for_Examples_Legend.md | 14 +- .../ssp/xml/fedramp-ssp-example.oscal.xml | 263 +++++++++++------- 2 files changed, 175 insertions(+), 102 deletions(-) diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index db71de47b..a98061bf9 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md @@ -55,13 +55,13 @@ The format used for examples is v4 compliant as follows: - `-0090`=component - `-0100`=protocol - `-0110`=inventory-item -- `-0120`=implemented-requirement -- `-0130`=statement -- `-0140`=by-component -- `-0150`=provided -- `-0160`=responsibility -- `-0170`=inherited -- `-0180`=satisfied +- `-0120####`=implemented-requirement +- `-0120cccc##`=statement +- `-0120ccccss##`=by-component +- `-0130cccc01xx`=provided +- `-0130cccc02xx`=responsibility +- `-0140cccc01xx`=inherited +- `-0140cccc02xx`=satisfied - `-0190`=leveraged-authorization _Fields for other models to be added as we work with those models._ diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index d4220a607..9f2863644 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -196,12 +196,6 @@

    This is a sample role.

    - - Leveraged Authorization Users - -

    Any internal users of a leveraged authorization.

    -
    -
    External System Owner @@ -1061,16 +1055,14 @@
    - - - +

    This is a service offered by a leveraged system and used by this system. It is NOT explicitly listed on the FedRAMP marketplace as being included in the scope of the leveraged system's ATO, thus is treated as a @@ -1085,9 +1077,8 @@

  • One or more "information-type" property/extensions, where the allowed values are the 800-63 information type identifiers, and the cited types are included full list of system information types.
  • exactly one "poam-item" link, with an href value that references the - POA&M and a resource-fragment that represents the - POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) - in an OSCAL-based POA&M.
  • + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
  • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
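Review bot: the reworded poam-item bullet keeps the misspelling "POAM&M ID" (should be "POA&M ID", as in the rest of the sentence). The rewording also drops the "(legacy)" and "(preferred)" qualifiers from the removed lines; if the OSCAL-based POA&M is still preferred, say so, since authors will otherwise read the two forms as equivalent. Unchanged context in this hunk, "the cited types are included full list of system information types", is missing "in the" and could be fixed while here.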
  • @@ -1166,6 +1157,7 @@ +

    Each interconnection to one or more remote systems must have:

    • a "system" component (this component)
    • @@ -1239,8 +1231,7 @@ - - + @@ -1260,6 +1251,8 @@ + +

      Each interconnection to one or more remote systems must have:

      • one "system" component for each remote system sharing the connection
      • @@ -1279,6 +1272,10 @@
      • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
      • exactly one "used-by" link with an href value that refers to the "this-system" component.
      • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
      • +
      • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
      • exactly one "provider" responsible role that references the party information for the organization the provides the connection.

      Authentication methods must address both system-authentication as well as @@ -1353,7 +1350,7 @@

      Describe the service and what it is used for.

      - + @@ -1372,52 +1369,60 @@ + 11111111-2222-4000-8000-c0040000000a - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 - + + +

      This is a service provided by an external system other than the leveraged system.

      As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT be used.

      Each external service used from a leveraged authorization must have:

      -

      - a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).

      -

      - a "service" component (this component).

      +
        +
      • a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).
      • +
      • a "service" component (this component).
      • +

      This component must always have:

      -

      - The name of the service in the title - preferably exactly as it appears on the - vendor's web site

      -

      - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

      -

      - An "implementation-point" property with a value of "external".

      -

      - A "provided-by" link with a URI fragment that points to the UUID of the above - "system" component.

      -

      - Example: "#11111111-2222-4000-8000-009000100001"

      -

      - IMPORTANT: Due to a known error in core OSCAL (versions <=1.1.2) constraints, - this property is blocked from proper use.

      -

      - a status with a state value of "operational"

      +
        +
      • The name of the service in the title - preferably exactly as it appears on the + vendor's web site
      • +
      • An "implementation-point" property with a value of "external".
      • +
      • A "provided-by" link with a URI fragment that points to the UUID of the above + "system" component.
      • +
      • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
      • a status with a state value of "operational"
      • +

      Where relevant, this component should also have:

      -

      - One or more "information-type" properties, where the allowed values are the 800-63 - information type identifiers.

      -

      - A responsible-role with a role-id of "leveraged-authorization-users" and exactly - one or more party-uuid entries that indicates which users within this system may - interact with the leveraged systeme.

      -

      - An "inherited-uuid" property if the leveraged system's owner provides a UUID for - their system (such as in an OSCAL-based CRM).

      -

      Link(s) to the vendor's web site describing the service are encouraged, but not - required.

      +
        +
      • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
      • +
      • A responsible-role with a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
      • +
      • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
      • +
      • Link(s) to the vendor's web site describing the service are encouraged, but not + required.
      • +

      The following fields from the Leveraged Authorization Table are handled in the leveraged-authorization assembly:

      @@ -1427,7 +1432,9 @@ "system" component assembly:

      - Nature of Agreement, CSP Name

      -

      An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

      +

      An unauthorized service from an underlying leveraged authorization + must NOT have the "leveraged-authorization-uuid" property. The presence + or absence of this property is how the authorization status of a service is indicated.

      @@ -1435,7 +1442,8 @@ Service C -

      A service provided by an external system other than the leveraged system.

      +

      A service offered by this system to external systems, such as an API. + As a result, communication crosses the boundary.

      Describe the service and what it is used for.

      @@ -1447,52 +1455,26 @@

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - -

      Either describe a risk associated with this service, or indicate there is no identified risk.

      -

      If there is no risk, please explain your basis for that conclusion.

      -
      -
      - - -

      If there are one or more identified risks, describe any resulting impact.

      -
      -
      - - -

      If there are one or more identified risks, describe any mitigating factors.

      -
      -
      + Remote API Service -

      This is a service provided by an external system other than the leveraged system.

      - + +

      This is a service provided by this system to external systems, such as an offered API.

      - -

      - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

      - - - -

      As a result, the "leveraged-authorization-uuid" property is not applicable and must - NOT be used.

      All services require the "implementation-point" property. In this case, the property - value is set to "external.

      -

      All external services would normally require a "provided-by" link; however, a known - bug in core OSCAL syntax prevents the use of this property at this time.

      -

      If the leveraged system owner provides a UUID for their service (such as in an - OSCAL-based CRM), it should be reflected in the inherited-uuid - property.

      - - - - + value is set to "internal.

      +
        +
      • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
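Review bot: the new remarks for this outbound API service consist of a single 'exactly one "poam-item" link' bullet, and the same bullet is pasted verbatim into the interconnection, the external service and the Management CLI in this patch; for a leveraged service outside the provider's ATO scope a POA&M item makes sense, but nothing here explains why a service this system offers needs one when no risk has been identified, and the risk, impact and mitigating-factors props that used to carry that determination are removed in this same hunk. State the condition (for example "when an accepted risk exists for this connection") or relax "exactly one" to "zero or one". Also the retained 'value is set to "internal.' is missing its closing quote, inherited from the old '"external.' text.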
      @@ -1500,7 +1482,11 @@ Management CLI -

      None

      +

      A CLI tool used to manage a hypervisor, service or system outside + this system's boundary, resulting in communication that crosses + the boundary.

      +

      This may also be a CLI tool that others use from outside the boundary + to manage or interact with this system.
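Review bot: the new description lets one "Management CLI" component stand for both an outbound tool ("used to manage a hypervisor, service or system outside this system's boundary") and an inbound one ("a CLI tool that others use from outside the boundary to manage or interact with this system"); these are different boundary crossings with different implementation-point, authentication and scanning obligations, so they belong in separate components, each stating its own direction in the description. Split the second sentence into its own component for the externally run tool rather than folding both cases into one.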

      @@ -1512,31 +1498,24 @@

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - - - -

      Either describe a risk associated with this CLI, or indicate there is no identified risk.

      -

      If there is no risk, please explain your basis for that conclusion.

      -
      -
      - - -

      If there are one or more identified risks, describe any resulting impact.

      -
      -
      - - -

      If there are one or more identified risks, describe any mitigating factors.

      -
      -
      +

      + + + +

      +
        +
      • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
      +
      @@ -2274,6 +2253,100 @@ + + + + organization-defined personnel or roles + + + at least every 3 years + + + at least annually + + + + + +

      Describe how Part a is satisfied within the system.

      +

      Legacy approach. If no policy component is defined, describe here how the + policy satisfies part a.

      +

      In this case, a link must be provided to the policy.

      +

      FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

      +
      + +

      The specified component is the system itself.

      +

      Any control implementation response that can not be associated with another + component is associated with the component representing the system.

      +
      +
      + + +

      Describe how this policy satisfies part a.

      +

      Component approach. This links to a component representing the Identity + Management and Access Control Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      + +
      + + +

      Describe how this procedure satisfies part a.

      +

      Component approach. This links to a component representing the Identity + Management and Access Control Policy.

      +

      That component contains a link to the policy, so it does not have to be linked + here too.

      +
      + +
      +
      + + + +

      There

      +
      + + + +

      Describe the plan to complete the implementation.

      +
      +
      +
      + + +

      Describe how this policy currently satisfies part a.

      +
      + + +

      Describe the plan for addressing the missing policy elements.

      +
      +
      + + +

      Identify what is currently missing from this policy.

      +
      +
      +
      +
      + + + +

      Describe how Part b-1 is satisfied.

      +
      + +
      +
      +
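Review bot: this hunk ships placeholder text in the new implemented-requirement: the this-system response for the second statement reads just "There", and the by-component under that same statement says "Describe how this policy currently satisfies part a." although it sits under part b (its sibling remarks "Describe the plan for addressing the missing policy elements" and "Identify what is currently missing from this policy" are fine). The procedure by-component's remarks, "Component approach. This links to a component representing the Identity Management and Access Control Policy. That component contains a link to the policy, so it does not have to be linked here too.", are copied from the policy by-component and should describe the procedure component instead. Finally, the set-parameter value "organization-defined personnel or roles" only echoes the assignment text; an example SSP should show a concrete value, as the "at least every 3 years" and "at least annually" values beside it do.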
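Review bot: in the UUIDs_for_Examples_Legend.md hunk at the top of this patch, the new node-field patterns have unequal lengths ("-0120####" is 8 hex digits, "-0120cccc##" is 10, "-0120ccccss##" is 12) while the node field of the format the legend calls "v4 compliant" is fixed at 12, so the legend needs to say how the shorter forms are padded (the by-component UUIDs added later in this series, such as 11111111-2222-4000-8000-012000010101, read as cccc=0001, ss=01, ##=01 and need no padding, but an implemented-requirement UUID would). Also "-0130cccc01xx"/"-0130cccc02xx" (provided/responsibility) and "-0140cccc01xx"/"-0140cccc02xx" (inherited/satisfied) key only on the control index cccc, yet in OSCAL these elements are children of by-component; either fold the statement and by-component digits in as the other patterns do, or state that xx must be unique across every by-component of the control so two exports cannot collide.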
      @@ -3113,7 +3186,7 @@ - [SAMPLE]Interconnection Security Agreement Title + Interconnection Security Agreement From 61614012d6bf07a1bc26cf287e3cc248c7036452 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 6 Dec 2024 00:03:01 -0500 Subject: [PATCH 43/52] attachments WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 212 ++++++++++++------ 1 file changed, 145 insertions(+), 67 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 9f2863644..ce558bc7f 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -289,7 +289,6 @@ FedRAMP PMO - info@fedramp.gov
      1800 F St. NW @@ -862,8 +861,10 @@ - - + + + + Awesome Cloud IaaS (Leveraged Authorized System) @@ -986,6 +987,7 @@ + @@ -993,6 +995,7 @@ + 11111111-2222-4000-8000-004000000008

      This is a service offered by a leveraged system and used by this system. @@ -1034,8 +1037,10 @@ + - + + Service B @@ -1045,6 +1050,7 @@ + @@ -1058,8 +1064,11 @@ - - + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 @@ -1227,7 +1236,7 @@ - + @@ -1245,7 +1254,13 @@ 11111111-2222-4000-8000-004000000008 - + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + Incoming FTP Service @@ -1351,6 +1366,7 @@ + @@ -1376,6 +1392,7 @@ 11111111-2222-4000-8000-c0040000000a + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 @@ -1448,6 +1465,7 @@ +

      If 'yes', describe the authentication method in the remarks.

      @@ -1460,6 +1478,12 @@ + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + Remote API Service @@ -1491,6 +1515,7 @@ +

      If 'yes', describe the authentication method in the remarks.

      @@ -1507,6 +1532,10 @@ + + + 11111111-2222-4000-8000-004000000010 +

      @@ -1744,7 +1773,7 @@

      The Access Control and Identity Management Policy governs how user identities and access rights are managed.

      - +

      A policy component is required for each policy that governs the system.

      @@ -1765,7 +1794,7 @@

      The Awareness and Training Policy governs how access is managed and approved.

      - +
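Review bot: the "Awareness and Training Policy" component touched in this hunk still carries the description "governs how access is managed and approved", which is the Access Control policy's wording; describe the A&T policy (awareness and training obligations) instead while the component is being edited.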
      @@ -1775,7 +1804,7 @@

      The Access Control Procedure governs how access is managed and approved.

      - + @@ -1783,7 +1812,7 @@

      The Awareness and Training Procedure governs how access is managed and approved.

      - +
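Review bot: same copy-paste as the policy component above: "The Awareness and Training Procedure governs how access is managed and approved." describes access control, not awareness and training; fix the description in this hunk rather than leaving it for the inventory pass.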
      @@ -2012,63 +2041,107 @@

      This description field is required by OSCAL.

      FedRAMP does not require any specific information here.

      - + - - organization-defined personnel or roles + + all managers, administrators and users of the system + +

      [Assignment: organization-defined personnel or roles]

      +

      This focuses on roles the POLICY is disseminated to.

      +
      + + all managers and administrators of the system + +

      [Assignment: organization-defined personnel or roles]

      +

      This focuses on roles PROCEDURES are disseminated to.

      +
      +
      + + System-level + +

      [Selection (one or more): Organization-level; Mission/business process-level; Systemlevel]

      +

      This is a SELECT parameter. Use one "value" field for each selection.

      +
      +
      + + System Architect + +

      [Assignment: organization-defined official]

      +
      +
      at least every 3 years + +

      [Assignment: organization-defined frequency]

      +
      + + change in organizational legal status or ownership + +

      [Assignment:organization-defined events]

      +
      +
      at least annually + +

      [Assignment: organization-defined frequency]

      +
      - - + + change in policy or a security incident involving a failure of access control mechanisms + +

      [Assignment:organization-defined events]

      +
      +
      + + + uuid="11111111-2222-4000-8000-012000010101"> -

      Describe how Part a is satisfied within the system.

      -

      Legacy approach. If no policy component is defined, describe here how the - policy satisfies part a.

      -

      In this case, a link must be provided to the policy.

      +

      Describe how Part a is satisfied within the system as a whole.

      FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

      -

      The specified component is the system itself.

      -

      Any control implementation response that can not be associated with another - component is associated with the component representing the system.

      +

      This is the "this-system" component, which represents the system as a whole.

      +

      There are two reasons to provide a response here:

      +
        +
      • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
      • +
      • When it is necessary to explain how two or more components work together to + satisfy this requirement.
      • +
      + uuid="11111111-2222-4000-8000-012000010102"> -

      Describe how this policy satisfies part a.

      -

      Component approach. This links to a component representing the Identity - Management and Access Control Policy.

      -

      That component contains a link to the policy, so it does not have to be linked - here too.

      +

      Describe how this policy satisfies part a.

      + +

      This is the "policy" component, which represents the Access Control and + Identity Management Policy.

      +
      - + -

      Describe how this procedure satisfies part a.

      -

      Component approach. This links to a component representing the Identity - Management and Access Control Policy.

      -

      That component contains a link to the policy, so it does not have to be linked - here too.

      +

      Describe how this procedure satisfies part a.

      + +

      This is the "process-procedure" component, which represents the Access Control Process.

      +
      - + + uuid="11111111-2222-4000-8000-012000010201"> -

      There

      +

      Describe how Part b is satisfied within the system as a whole.
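Review bot: in the set-parameter remarks, "[Assignment:organization-defined events]" (twice) is missing the space after the colon, and "Systemlevel" in the quoted selection should be "System-level". The "There are two reasons to provide a response here" explanation under the this-system by-component is a useful addition, but the next hunk pastes the identical paragraph and list under Part b; keep it once, on the first this-system response, and let later responses refer back to it so the example does not grow by a paragraph per statement.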

      @@ -2077,9 +2150,21 @@

      Describe the plan to complete the implementation.

      + +

      This is the "this-system" component, which represents the system as a whole.

      +

      There are two reasons to provide a response here:

      +
        +
      • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
      • +
      • When it is necessary to explain how two or more components work together to + satisfy this requirement.
      • +
      +
      + + uuid="11111111-2222-4000-8000-012000010202">

      Describe how this policy currently satisfies part a.
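Review bot: the by-component with uuid 11111111-2222-4000-8000-012000010202 is under the Part b statement (its sibling this-system response now reads "Describe how Part b is satisfied within the system as a whole"), but its description still says "Describe how this policy currently satisfies part a."; change it to part b so the planned and missing-elements remarks that follow read against the right statement.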

      @@ -2096,9 +2181,9 @@
      - + + uuid="11111111-2222-4000-8000-012000010301">

      Describe how Part b-1 is satisfied.

      @@ -2106,7 +2191,7 @@
      - + @@ -2121,33 +2206,26 @@

      Describe any customer-configured requirements for satisfying this control.

      + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 - - - -

      Describe how the control is satisfied within the system.

      -
      - - [SAMPLE]privileged, non-privileged - - - [SAMPLE]all - - - [SAMPLE]The Access Control Procedure - - - at least annually - -
      -
      - + + @@ -3200,7 +3278,7 @@

      FedRAMP Logo

      - + 00000000 From 55fe3e452df7cce295f8f03fdad7e979eb8b8628 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Fri, 6 Dec 2024 00:31:39 -0500 Subject: [PATCH 44/52] syntax cleanup --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index ce558bc7f..c5d9473e4 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -2227,7 +2227,7 @@ + uuid="11111111-2222-4000-8000-012000020101">

      Describe how AC-2, part a is satisfied within this system.

      This points to the "This System" component, and is used any time a more @@ -2255,7 +2255,7 @@ + uuid="11111111-2222-4000-8000-012000020102">

      For the portion of the control satisfied by the application component of this system, describe how the control is met.

      @@ -2296,7 +2296,7 @@
      + uuid="11111111-2222-4000-8000-012000020103">

      For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

      @@ -2331,7 +2331,7 @@
      - + organization-defined personnel or roles @@ -2343,9 +2343,9 @@ at least annually - + + uuid="11111111-2222-4000-8000-012000030101">

      Describe how Part a is satisfied within the system.

      Legacy approach. If no policy component is defined, describe here how the @@ -2361,7 +2361,7 @@ + uuid="11111111-2222-4000-8000-012000030102">

      Describe how this policy satisfies part a.

      Component approach. This links to a component representing the Identity @@ -2372,7 +2372,7 @@ + uuid="11111111-2222-4000-8000-012000030103">

      Describe how this procedure satisfies part a.

      Component approach. This links to a component representing the Identity @@ -2383,9 +2383,9 @@ - + + uuid="11111111-2222-4000-8000-012000030201">

      There

      @@ -2398,7 +2398,7 @@
      + uuid="11111111-2222-4000-8000-012000030202">

      Describe how this policy currently satisfies part a.
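Review bot: this renumbering pass leaves the second control's responses in the state the previous patch just cleaned up for the first one: the this-system response now at uuid 11111111-2222-4000-8000-012000030201 is still the bare placeholder "There", the ...012000030101 response still carries the old "Legacy approach. If no policy component is defined, describe here how the policy satisfies part a." remarks that were replaced by the "two reasons to provide a response here" guidance in the first control, and ...012000030202 still says "Describe how this policy currently satisfies part a." under Part b. A follow-up that aligns the text is fine given the "syntax cleanup" subject, but the "There" stub should not survive into a published example.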

      @@ -2415,7 +2415,7 @@
      - + From b0d42a0743c5e9921a528330aa42d74c0c9b8d82 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sun, 8 Dec 2024 21:42:40 -0500 Subject: [PATCH 45/52] additional table 6-1, 7-1 revisions --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 311 +++++++++++++----- 1 file changed, 236 insertions(+), 75 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index c5d9473e4..163bc0060 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -557,7 +557,7 @@ + href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml">

      This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official FedRAMP 3.0.0 release.
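Review bot: the new import-profile href points at refs/heads/master of GSA/fedramp-automation, a moving branch, while the remark says the baseline "is part of the official FedRAMP 3.0.0 release"; a branch head can change under consumers of this example, so the resolved profile may stop matching what the remark promises. Pin the URL to the 3.0.0 release tag or its commit SHA (raw.githubusercontent.com accepts a tag or SHA in place of refs/heads/master) and name the tag in the remark.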

      @@ -874,16 +874,16 @@ - - + +

      If 'yes', describe the authentication method.

      If 'no', explain why no authentication is used.

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - + + @@ -988,8 +988,8 @@ - - + + @@ -1049,18 +1049,17 @@

      Describe the service and what it is used for.

      - - - - + + +

      If 'yes', describe the authentication method.

      If 'no', explain why no authentication is used.

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - + + @@ -1207,22 +1206,21 @@

      Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

      - - - - + + +

      If 'yes', describe the authentication method in the remarks.

      If 'no', explain why no authentication is used in the remarks.

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - - - - - + + + + + +

      Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

      @@ -1234,7 +1232,7 @@ - + @@ -1261,10 +1259,7 @@ 11111111-2222-4000-8000-004000000012 - - Incoming FTP Service - - + @@ -1365,7 +1360,7 @@

      Describe the service and what it is used for.

      - + @@ -1375,8 +1370,8 @@

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - + +

      This can only be known if provided by the leveraged system. @@ -1456,27 +1451,72 @@ + + + Undetermined External API Clients + +

      This component represents any of the public API clients that may + access this systems'API service.

      + + + + + + + + +

      When an API service is offered to a large community, this one component + bay be used to represent the collection of API clients that may connect + from that community. This must have:

      +
        +
      • a component type set to "external-client"
      • +
      • an "implementation-point" property set to "external"
      • +
      • one or more responsible roles should be defined representing + the community of potential API client users. If the servvice + is open to the public, use the "public" responsible-role ID.
      • +
      +
      + + - Service C + API Service

      A service offered by this system to external systems, such as an API. As a result, communication crosses the boundary.

      Describe the service and what it is used for.

      - - - + + + + + +

      If 'yes', describe the authentication method in the remarks.

      If 'no', explain why no authentication is used in the remarks.

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - + + +

      Terms of Use

      +
      +
      + + + +

      Explain why authentication scans are not possible for this component. + Provide evidence if available, such as scanner tool or vendor links.

      +
      +
      + + + + + - + @@ -1484,21 +1524,47 @@ 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 - - Remote API Service + + API Service - -

      This is a service provided by this system to external systems, such as an offered API.

      - -

      All services require the "implementation-point" property. In this case, the property - value is set to "internal.

      +

      This is a service provided by this system to external systems, such as an + offered API. The following is required:

        -
      • exactly one "poam-item" link, with an href value that references the - POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) - or poam-item UUID (OSCAL POA&M)
      • +
      • The "title" fields must have the name of the offered API.
      • +
      • The "description" field must include the purpose and use of the API.
      • +
      • The component "type" attribute must have a value of "service".
      • +
      • The "implementation-point" property must have a value of "internal".
      • +
      • The "communicates-externally" prop/extensions must have a value of "yes".
      • +
      • One or more "information-type" prop/extensions must be present with 800-60 information type values.
      • +
      • The "connection-security" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions "remarks" must provide additional content.
      • +
      • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
      • +
      • One or more "used-by" links must provide the component UUID of the other system.
      • +
      • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
      • A "status" field that must have a state of "operational"
      • +
      • One or more "responsible-role" fields with: +
          +
        • one or more roles by "role-id" [rquiried]
        • +
        • one or more "privilege-uuid" prop/extensions [required]
        • +
        • one or more "party-uuid" values to identify who has these privliges. [required]
        • +
        +
      • +
      • One or more "protocol" fields.
      • +
      +

      +

      Because this is softare that exists within the boundary, it is also requires the following + in satisfaction of inventory/CM/ConMon requirements:

      +
        +
      • An "allows-authenticated-scan" property with an appropriate value.
      • +
      • An "scan-type" property/extension set to "infrastructure".
      • +
      • TODO: Revisit this list when working the inventory epic
      +
      @@ -1506,30 +1572,39 @@ Management CLI -

      A CLI tool used to manage a hypervisor, service or system outside - this system's boundary, resulting in communication that crosses - the boundary.

      -

      This may also be a CLI tool that others use from outside the boundary - to manage or interact with this system.

      +

      A CLI tool used from within this system's boundary to manage a + hypervisor, service, or other system outside this system's boundary, + resulting in communication that crosses the boundary.

      - - - + + + + + +

      If 'yes', describe the authentication method in the remarks.

      If 'no', explain why no authentication is used in the remarks.

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      - - + + +

      Terms of Use

      +
      +
      + + -

      +

      Explain why authentication scans are not possible for this component. + Provide evidence if available, such as scanner tool or vendor links.

      - + + + @@ -1537,17 +1612,108 @@ 11111111-2222-4000-8000-004000000010 - -

      +

      When an internal CLI tool communicates with a system outside the boundary, + such as for management of the underlying leveraged system or interaction + with an external system, the following is required:

        -
      • exactly one "poam-item" link, with an href value that references the - POA&M and a resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) +
      • The "title" fields must have the name of the CLI tool.
      • +
      • The "description" field must include the purpose and use of the tool within this system.
      • +
      • The component "type" attribute must have a value of "software".
      • +
      • The "asset-type" property must have a value of "cli".
      • +
      • The "implementation-point" property must have a value of "internal".
      • +
      • The "communicates-externally" prop/extensions must have a value of "yes".
      • +
      • One or more "information-type" prop/extensions must be present with 800-60 information type values.
      • +
      • The "connection-security" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions "remarks" must provide additional content.
      • +
      • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
      • +
      • One or more "communicates-with" link must provide the component UUID of the other system.
      • +
      • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or poam-item UUID (OSCAL POA&M)
      • +
      • A "status" field that must have a state of "operational"
      • +
      • One or more "responsible-role" fields with: +
          +
        • one or more roles by "role-id" [rquiried]
        • +
        • one or more "privilege-uuid" prop/extensions [required]
        • +
        • one or more "party-uuid" values to identify who has these privliges. [required]
        • +
        +
      • +
      +

      +

      Because this is softare that exists within the boundary, it is also requires the following + in satisfaction of inventory/CM/ConMon requirements:

      +
        +
      • An "allows-authenticated-scan" property with an appropriate value.
      • +
      • An "scan-type" property/extension set to "infrastructure".
      • +
      • TODO: Revisit this list when working the inventory epic
      - + + + External Management CLI + +

      A CLI tool used by systems outside the authorization boundary to manage + or interact with this system..

      +
      + + + + + + + +

      If 'yes', describe the authentication method in the remarks.

      +

      If 'no', explain why no authentication is used in the remarks.

      +

      If 'not-applicable', attest explain why authentication is not applicable in the remarks.

      +
      +
      + + +

      Terms of Use

      +
      +
      + + + + + + + +

      When a CLI tool outside the system communicates with this system, + such as for management of the user's hypervisor in this system, the + following is required:

      +
        +
      • The "title" fields must have the name of the CLI tool.
      • +
      • The "description" field that describes how the tool can influence the operation of this system.
      • +
      • The component "type" attribute must have a value of "software".
      • +
      • The "asset-type" property must have a value of "cli".
      • +
      • The "implementation-point" property must have a value of "external".
      • +
      • One or more "information-type" prop/extensions must be present with 800-60 information type values.
      • +
      • The "connection-security" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions must be present with an appropriate value.
      • +
      • The "authentication-method" prop/extensions "remarks" must provide additional content.
      • +
      • The "nature-of-agreement" prop/extension must identify any governing terms for the connection.
      • +
      • One or more "communicates-with" link must provide the component UUID of the component within this system.
      • +
      • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) + or poam-item UUID (OSCAL POA&M)
      • +
      • A "status" field that must have a state of "operational"
      • +
      • One or more "responsible-role" fields with: +
          +
        • one or more roles by "role-id" [rquiried]
        • +
        • one or more "privilege-uuid" prop/extensions [required]
        • +
        • one or more "party-uuid" values to identify who has these privliges. [optional]
        • +
        +
      • +
      +

      +

      As this is impelemented external to the system boundary, information such as "scan-type" + and "allows-authenticated-scanning" are not applicable and should not be present.

      +
      +
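Review bot: the authenticated-scanning property is named two different ways in this hunk, "allows-authenticated-scan" in the in-boundary requirements list and "allows-authenticated-scanning" in the closing sentence about the External Management CLI; use the name the FedRAMP extension actually defines in both places, otherwise readers cannot tell which property to include or omit. The two "responsible-role" sub-lists also contradict each other: "party-uuid" is marked [required] for the in-boundary component but [optional] for the External Management CLI, and both sub-lists misspell "required" as "rquiried" and "privileges" as "privliges". Before this becomes the published reference example, also fix "softare" and "it is also requires" in the inventory/CM/ConMon sentence, the double period after "interact with this system", "attest explain why" in the 'not-applicable' guidance, "POAM&M ID" in the poam-item bullet, "link" for "links" in the communicates-with bullet, and "impelemented" in the final sentence. Lastly, the "TODO: Revisit this list when working the inventory epic" bullet is author guidance left inside the example content; resolve it or move it to a tracked issue so it does not ship in the template.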
      @@ -1638,7 +1804,7 @@
      - + [SAMPLE]Product Name

      FUNCTION: Describe typical component function.

      @@ -1696,7 +1862,7 @@

      COMMENTS: Provide other comments as needed.

      - + OS Sample

      None

      @@ -1707,7 +1873,7 @@
      - + Database Sample

      None

      @@ -1723,7 +1889,7 @@
      - + Appliance Sample

      None

      @@ -2029,12 +2195,7 @@ > - - +

      Appendix A - FedRAMP SSP Rev5 Template

      From b94a79b7f57028f970c59a655b990da746e4795c Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Wed, 11 Dec 2024 01:11:59 -0500 Subject: [PATCH 46/52] enumerating all controls WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 7871 ++++++++++++++++- 1 file changed, 7869 insertions(+), 2 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 163bc0060..43617d720 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -2198,12 +2198,12 @@ -

      Appendix A - FedRAMP SSP Rev5 Template

      This description field is required by OSCAL.

      FedRAMP does not require any specific information here.

      +

      +

      - all managers, administrators and users of the system @@ -2264,6 +2264,7 @@

      FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

      +

      This is the "this-system" component, which represents the system as a whole.

      There are two reasons to provide a response here:

      @@ -2491,6 +2492,16 @@
      + + + +

      Describe how AC-2, part a is satisfied within this system.

      +

      This points to the "This System" component, and is used any time a more + specific component reference is not available.

      +
      +
      +
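Review bot: the guidance added here refers to the "This System" component, while the hunk just above and the component type value use the literal 'this-system'; use 'this-system' here as well so that readers searching the example for the identifier find every reference, and so the two pieces of guidance about when to point at that component read as one rule.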
      @@ -2586,6 +2597,7862 @@ + + + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + + placeholder + + + placeholder + + + +

      This is the 'this-system' component.

      + +
      +
      +
      + + From adfea5483d589e8fd56ad3ac6021b0f4694684e2 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 16 Dec 2024 23:05:57 -0500 Subject: [PATCH 47/52] documents and other component work --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 8017 +---------------- 1 file changed, 108 insertions(+), 7909 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 43617d720..f67fd36f4 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1,5 +1,5 @@ - + @@ -551,6 +551,9 @@ 11111111-2222-4000-8000-004000000016
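Review bot: every by-component in the implemented-requirements section added by this patch sets its parameter values to the literal "placeholder" and carries the identical remark "This is the 'this-system' component." The subject line says WIP, so that is expected for now, but since this file is meant to be the published FedRAMP SSP example, the placeholder values should become representative values before merge, and the remark should either say something specific to the control it sits under or be dropped; a reader who copies this file will otherwise ship the placeholders as-is.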

      Exactly one

      +
        +
      • testtest

        hello

      • +
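Review bot: the list items added in this hunk ("testtest", "hello") read like scratch content left over from trying out the list markup rather than example text; replace them with representative wording or drop the addition before merge.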
      @@ -1715,6 +1718,101 @@ + + + + + + + Access Control and Identity Management Policy + +

      The Access Control and Identity Management Policy governs how + user identities and access rights are managed.

      +
      + + + + +

      A policy component is required for each policy that governs the system.

      +

      The title, description and status fields are required by core OSCAL. + The title field should reflect the actual title of the policy document.

      +

      For system-specific policies, the "implementation-point" property must be + present and set to "internal".

      +

      For corproate policies, the "implementation-point" property must be + present and set to "external" with its class set to "corporate".

      +

      For any policy that is niether system-specific, nor corporate, the + "implementation-point" property must be present and set to "external", + with a class set to anything other than "corporate" or no class + attribute at all.

      +

      An "attachment" link field must be present that identifies the back-matter + resource representing the attached policy.

      +

      The document version and date are represented in the linked resource. Not here.

      +

      At this time FedRAMP does not _require_ policy approver or + audience information in the SSP; however, both may be represented here + using the responsible-role field. If electing to include this information, + use the "approver" role ID to represent approvers. Any other role listed + is assumed to be audience.

      +
      +
      + + AT Policy + +

      The Awareness and Training Policy governs how access is managed and approved.

      +
      + + + +
      + + + + Access Control Procedure + +

      The Access Control Procedure governs how access is managed and approved.

      +
      + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + +

      A "process-procedure" component is required for each process or procedure + that governs the system.

      +

      The title, description and status fields are required by core OSCAL. + The title field should reflect the actual title of the document.

      +

      For system-specific processes or procedures, the "implementation-point" property must be + present and set to "internal".

      +

      For corproate processes or procedures, the "implementation-point" property must be + present and set to "external" with its class set to "corporate".

      +

      For any processes or procedures that is niether system-specific, nor corporate, the + "implementation-point" property must be present and set to "external", + with a class set to anything other than "corporate" or no class + attribute at all.

      +

      An "attachment" link field must be present that identifies the back-matter + resource representing the attached policy.

      +

      The document version and date are represented in the linked resource. Not here.

      +

      At this time FedRAMP does not _require_ policy approver or + audience information in the SSP; however, both may be represented here + using the responsible-role field. If electing to include this information, + use the "approver" role ID to represent approvers. Any other role listed + is assumed to be audience.

      +
      +
      + + Awareness and Training Procedure + +

      The Awareness and Training Procedure governs how access is managed and approved.

      +
      + + + +
      + + Service D @@ -1727,7 +1825,6 @@ - @@ -1752,6 +1849,9 @@ + + 44444444-2222-4000-8000-004000000001 + @@ -1763,7 +1863,6 @@ - @@ -1773,6 +1872,9 @@ + + 44444444-2222-4000-8000-004000000001 + @@ -1932,58 +2034,8 @@ - - - Access Control and Identity Management Policy - -
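Review bot: the remarks added for the process-procedure component in this hunk are a copy of the policy component's remarks and were not fully adapted: they still say the attachment link identifies "the attached policy" and that FedRAMP does not require "policy approver" information, where they should refer to the procedure, and "For any processes or procedures that is niether" should read "that are neither". Both copies also misspell "corproate" and "niether". Separately, the Awareness and Training Policy component is titled "AT Policy", and both Awareness and Training components reuse the Access Control description ("governs how access is managed and approved"), while the hunk's own remark says the title field should reflect the actual title of the policy document; give the policy its full title and both components a description about awareness and training.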

      The Access Control and Identity Management Policy governs how - user identities and access rights are managed.

      -
      - - - -

      A policy component is required for each policy that governs the system.

      -

      The title, description and status fields are required by core OSCAL. - The title field should reflect the actual title of the policy document.

      -

      A "policy" link field must be present that identifies the back-matter - resource representing the attached policy.

      -

      The document version and date are represented in the linked resource. Not here.

      -

      At this time FedRAMP does not _require_ policy approver or - audience information in the SSP; however, both may be represented here - using the responsible-role field. If electing to include this information, - use the "approver" role ID to represent approvers. Any other role listed - is assumed to be audience.

      -
      -
      - - AT Policy - -

      The Awareness and Training Policy governs how access is managed and approved.

      -
      - - -
      - - - - Access Control Procedure - -

      The Access Control Procedure governs how access is managed and approved.

      -
      - - -
      - - AT Policy - -

      The Awareness and Training Procedure governs how access is managed and approved.

      -
      - - -
      - - - + +

      Legacy Example (No implemented-component).
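Review bot: the block removed here is the earlier copy of the policy and process-procedure components that this commit re-adds higher in the file, so this is a move, but not a pure one: the old remarks required a "policy" link field, while the re-added copies require an "attachment" link field. That rename deserves a line in the commit message, and it is worth confirming that nothing else (documentation, validation constraints, the back-matter resources these links point to) still expects the "policy" link relation.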

      @@ -2492,7 +2544,7 @@ - + @@ -2599,7859 +2651,6 @@
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      - - -

      This is the 'this-system' component.

      - -
      -
      -
      - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - placeholder - - - -

      This is the 'this-system' component.

      - From 24cd96632339a049171270e8b347f36e8666456e Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 23 Dec 2024 21:37:33 -0500 Subject: [PATCH 48/52] Crypto WIP --- .../examples/UUIDs_for_Examples_Legend.md | 1 + .../ssp/xml/fedramp-ssp-example.oscal.xml | 176 ++++++++++++------ 2 files changed, 115 insertions(+), 62 deletions(-) diff --git a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md index a98061bf9..956fadb5b 100644 --- a/src/content/rev5/examples/UUIDs_for_Examples_Legend.md +++ b/src/content/rev5/examples/UUIDs_for_Examples_Legend.md @@ -84,6 +84,7 @@ _Fields for other models to be added as we work with those models._ - `0110`=Standard - `0120`=Validation - `0130`=Network +- `0140`=Connection **Enumeration** - `0###`: A simple sequence number. (`001`, `002`, through `fff`) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index f67fd36f4..b4bacbe75 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -609,7 +609,7 @@ - fips-199-moderate + fips-199-high @@ -1092,8 +1092,7 @@ or poam-item UUID (OSCAL POA&M)
    • a "provided-by" link with a URI fragment that points to the "system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001")
    • -
    • -
    • +

    The "leveraged-authorization-uuid" property must NOT be present, as this is how @@ -1237,9 +1236,15 @@ - - - + + ISA + + + UUID of "this system" or a component within this system's boundary + + + UUID of remote system + @@ -1261,7 +1266,7 @@ 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 - + @@ -1489,6 +1494,7 @@

    Describe the service and what it is used for.

    + @@ -1580,13 +1586,13 @@ resulting in communication that crosses the boundary.

    - + - - - - - + + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    @@ -1726,6 +1732,7 @@ Access Control and Identity Management Policy +

    This is a corporate policy used for the system.

    The Access Control and Identity Management Policy governs how user identities and access rights are managed.

    @@ -1811,23 +1818,39 @@
    - - - - Service D + + + + + Encrypted Communication +

    An encryptred communication between the web server and the database server

    + + + + + +
    + + + + + Database Sample -

    A service that exists within the authorization boundary.

    -

    Describe the service and what it is used for.

    +

    None

    - + + + + + + + + +
    - - - - [SAMPLE]Cryptographic Module Name @@ -1838,7 +1861,7 @@ compliance (e.g., Module in Process).

    - + @@ -1846,14 +1869,16 @@ - 44444444-2222-4000-8000-004000000001
    - + + + [SAMPLE]Cryptographic Module Name @@ -1861,25 +1886,62 @@

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

    - - - - + + - - - - 44444444-2222-4000-8000-004000000001 - +
    + + + Appliance Sample + +

    None

    +
    + + + + + + +
    + + + + + Service D + +

    A service that exists within the authorization boundary.

    +

    Describe the service and what it is used for.

    +
    + + +
    + + + + Container Image + +

    This is a container image used to create container instances within the system.

    +
    + + + + + + + 44444444-2222-4000-8000-004000000001 + +
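Review bot: the new "Encrypted Communication" component misspells "encryptred" in its description ("An encryptred communication between the web server and the database server"). The two "Cryptographic Module Name" components keep a "[SAMPLE]" prefix in their titles while the other components added in the same hunk ("Database Sample", "Appliance Sample", "Service D", "Container Image") do not; pick one convention for the example. The link to 44444444-2222-4000-8000-004000000001 is removed from both cryptographic-module components and added to "Container Image" without a remark saying what that target is or why it moved; a one-line remark on the Container Image component would keep the relationship recoverable from the example.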
    + @@ -2051,7 +2113,6 @@ - @@ -2060,7 +2121,7 @@ - +

    If no, explain why. If yes, omit remarks field.

    @@ -2406,20 +2467,6 @@ - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - - - -

    Describe any customer-configured requirements for satisfying this control.

    -
    -
    [SAMPLE]privileged, non-privileged @@ -2432,17 +2479,12 @@ at least annually - - 11111111-2222-4000-8000-004000000010 - - - 11111111-2222-4000-8000-004000000011 - +

    Description for the "this-system" component.

    Describe how AC-2, part a is satisfied within this system.

    This points to the "This System" component, and is used any time a more specific component reference is not available.

    @@ -2450,8 +2492,8 @@ -

    Leveraged system's statement of capabilities which may be inherited by a - leveraging systems to satisfy AC-2, part a.

    +

    This system's statement of capabilities which may be inherited by a + customer's leveraging systems toward satisfaction of AC-2, part a.

    11111111-2222-4000-8000-004000000001 + +

    Any content for the customer responsibility matrix must be included within export.

    +

    provided is a statement about what

    +
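Review bot: the rewritten remark ends mid-sentence ("provided is a statement about what"); finish or remove it. The sentence before it, "Any content for the customer responsibility matrix must be included within export.", states a requirement without showing one: since the reworded statement of capabilities ("This system's statement of capabilities which may be inherited by a customer's leveraging systems toward satisfaction of AC-2, part a.") is the kind of content that matrix is built from, add the minimal export content the example expects next to it.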
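Review bot: the @@ -609 hunk in this patch changes the example's security sensitivity level from "fips-199-moderate" to "fips-199-high" while the document title still reads "FedRAMP [Baseline Name] System Security Plan (SSP)" and no other hunk touches the control set. The level decides which baseline the implemented requirements must cover, so either the High-only controls need to appear in the example or this change should be reverted, and the commit message should state which baseline the example targets.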
    - + + Server Security Technical Implementation Guide (STIG) + + + + + From 4b7fbf8b47f248d3b6e60733e987b39d4c631469 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 23 Dec 2024 23:58:37 -0500 Subject: [PATCH 49/52] cryptographic modules WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 75 ++++++++++++------- 1 file changed, 48 insertions(+), 27 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index b4bacbe75..15d8c6d8b 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1824,26 +1824,34 @@ Encrypted Communication -

    An encryptred communication between the web server and the database server

    - - + +

    An encryptred communication between the web server and + the database server for the purpose of performing SQL queries.

    +
    + + + + + +

    Any notes about this connection to appear in Table Q.

    +
    - - Database Sample

    None
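Review bot: the expanded description still misspells "encryptred" ("An encryptred communication between the web server and the database server for the purpose of performing SQL queries"); while it is being edited, say which component supplies the encryption for this connection, since that is the point of modelling it as its own component. The added remark "Any notes about this connection to appear in Table Q." should name the document whose Table Q is meant; an OSCAL consumer has no table lettering to map it to.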

    - - + + + + @@ -1852,7 +1860,7 @@
    - [SAMPLE]Cryptographic Module Name + Cryptographic Module Name

    Provide a description and any pertinent note regarding the use of this CM.

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, @@ -1860,36 +1868,50 @@

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

    - - - - - + + - - - 44444444-2222-4000-8000-004000000001 - + +

    If the same FIPS-validated cryptographic module is deployed + in two or more different components, each deployment SHOULD + have its own "validation" component entry, such as if the same + module is embedded in a software product and an operating system.

    +

    The "asst-type" property is value is "cryptographic-module", + and the class must be present with one of the following values:

    +
      +
    • "embeded": Embedded CM
    • +
    • "third-party": Third-party CM
    • +
    • "uses-os": Uses OS CM
    • +
    • "fips-mode": In FIPS Mode
    • +
    • "other": Other as described in the remarks
    • +
    +

    Note that if the value is "other", additional detail must be + provided in the property's remarks field.

    +
    - [SAMPLE]Cryptographic Module Name + Cryptographic Module Name

    Provide a description and any pertinent note regarding the use of this CM.

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).

    - - + + + + +

    Usage statement

    +
    +
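Review bot: the allowed-value list in the new cryptographic-module remarks carries a spelling error that implementers will copy: "embeded" should be "embedded", "asst-type" should be "asset-type", and the sentence "The "asst-type" property is value is "cryptographic-module"" needs its grammar fixed. Beyond spelling, the class values mix where the module lives ("embeded", "third-party", "uses-os") with how it is operated ("fips-mode"): an OS-provided module running in FIPS mode fits two values, yet the remark says the class must be one of them. State the precedence (for instance, deployment wins and FIPS mode is expressed separately) or drop "fips-mode" from this list, and say whether a FedRAMP constraint enforces these values, since remarks text alone is not machine-checked.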
    @@ -1897,16 +1919,15 @@
    - Appliance Sample + Web Server -

    None

    +

    This is a web server that communicates with a database via + an encrypted connection

    - - - + +
    From 51e68e9828aef25bdaf99d08bd7d3f4c42e26593 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 30 Dec 2024 16:06:05 -0500 Subject: [PATCH 50/52] all inventory-items now point to valid components --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 81 +++++++++++++++---- 1 file changed, 64 insertions(+), 17 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 15d8c6d8b..3c3c8ec16 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1820,6 +1820,9 @@
    + + + @@ -1869,9 +1872,14 @@ compliance (e.g., Module in Process).

    - + + + +

    Usage statement

    +
    +
    @@ -1895,7 +1903,6 @@
    - Cryptographic Module Name @@ -1928,11 +1935,50 @@ + + + + + Linux Operating System + +

    This is a web server that communicates with a database via + an encrypted connection

    +
    + + + + + +
    + + + Cryptographic Module Name + +

    Provide a description and any pertinent note regarding the use of this CM.

    +

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

    +
    + + + + + + +

    Usage statement

    +
    +
    + + + +
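Review bot: the new "Linux Operating System" component copies the Web Server description word for word ("This is a web server that communicates with a database via an encrypted connection"); give it a description of the operating system. The third "Cryptographic Module Name" component added below it repeats the title and placeholder text ("Usage statement") of the two earlier ones, so the three are indistinguishable; since the earlier remarks introduce "embeded", "third-party" and "uses-os" classes, title each module by its role (for example the OS module the web server uses) so a reader can see which class each one illustrates.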
    + + @@ -2015,9 +2061,9 @@

    Email Service

    + + - - @@ -2031,8 +2077,8 @@

    FUNCTION: Describe typical component function.

    - - + + @@ -2047,6 +2093,7 @@

    COMMENTS: Provide other comments as needed.

    + OS Sample @@ -2058,6 +2105,7 @@ + Database Sample @@ -2074,6 +2122,7 @@ + Appliance Sample @@ -2167,7 +2216,7 @@ 11111111-2222-4000-8000-004000000017 - +

    This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is @@ -2209,7 +2258,7 @@ 11111111-2222-4000-8000-004000000017 - + @@ -2229,7 +2278,7 @@ - @@ -2244,8 +2293,7 @@ - + @@ -2259,8 +2307,7 @@ - + @@ -2277,7 +2324,7 @@

    Asset wasn't running at time of scan.

    - @@ -2292,7 +2339,7 @@ - @@ -2310,7 +2357,7 @@

    Asset wasn't running at time of scan.
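Review bot: the commit says all inventory items now point to valid components, but an inventory item titled "Appliance Sample" is still present (the @@ -2074,6 +2122,7 @@ hunk) after PATCH 49/52 renamed the "Appliance Sample" component to "Web Server"; confirm the item's component link targets the renamed component and retitle the item, otherwise the example shows an item whose title matches no component. The link remark in the @@ -2167 hunk still reads "FIPS 140-2 validated software component"; CMVP now issues FIPS 140-3 certificates and is moving 140-2 certificates to the historical list, so "FIPS 140-validated" (or "FIPS 140-2/140-3") keeps the example from being pinned to one version.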

    - @@ -2325,7 +2372,7 @@ - From 0f1bd9d603b8aa956effb705bc904003067398d4 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 31 Dec 2024 12:06:13 -0500 Subject: [PATCH 51/52] moved from 'baseline-configuration-name' prop to 'baseline' link --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 3c3c8ec16..8043276e3 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1849,7 +1849,6 @@

    None

    - @@ -1932,10 +1931,10 @@ an encrypted connection

    - + @@ -1948,9 +1947,9 @@ an encrypted connection

    - + @@ -2101,8 +2100,8 @@ - + @@ -2113,9 +2112,9 @@ - + @@ -2132,12 +2131,12 @@ -

    Vendor appliance. No admin-level access.

    + @@ -2197,7 +2196,6 @@

    If no, explain why. If yes, omit remarks field.
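Review bot: with the inventory moving from a free-text "baseline-configuration-name" property to a "baseline" link, the hunks give no guidance for an item that has no baseline of its own, such as the item whose remark reads "Vendor appliance. No admin-level access."; add a remark saying whether the link is omitted for such items or points to the vendor's hardening guidance, so the example covers the case an assessor will ask about first.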

    - @@ -2210,6 +2208,7 @@ + 11111111-2222-4000-8000-004000000016 @@ -2244,7 +2243,6 @@ - @@ -2252,6 +2250,7 @@ + 11111111-2222-4000-8000-004000000010 From dd4871a1e86482411567068f5c0e0a4afb0eae41 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 7 Jan 2025 11:58:14 -0500 Subject: [PATCH 52/52] WIP --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 8043276e3..72d2928e9 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -3,11 +3,11 @@ - FedRAMP [Baseline Name] System Security Plan (SSP) + [EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z 2024-11-05T02:24:00Z fedramp3.0.0-oscal1.1.4 - 1.1.2 + 1.1.3 2023-06-30T00:00:00Z @@ -1084,7 +1084,6 @@
  • the name of the service in the title - exactly as it appears in the FedRAMP Marketplace
  • an "implementation-point" property with a value of "external"; and
  • -
  • one or two "direction" prperty/extensions
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 information type identifiers, and the cited types are included full list of system information types.
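Review bot: the "information-type" bullet cites "800-63 information type identifiers"; information types and their identifiers come from NIST SP 800-60 (Volume II), while SP 800-63 is the digital identity guideline. The line is unchanged context, but since this hunk rewrites the bullet list it is the place to correct it, and to fix "are included full list" to "are included in the full list".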
  • exactly one "poam-item" link, with an href value that references the @@ -1280,7 +1279,6 @@
    • an "implementation-point" property with a value of "external"
    • a "status" field with a state value of "operational"
    • -
    • one or two "direction" properties
    • a "nature-of-agreement" property/extension
    • one or more "authentication-method" properties/extensions.
    • a "hosting-environment" proptery/extension
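Review bot: this list and the external-service list in the @@ -1084,7 +1084,6 @@ hunk each lose one line, and in both the removed line sits next to the "one or two "direction" ..." bullet. If the "direction" property is what is being dropped as a requirement, the "direction" props on the corresponding component entries and any FedRAMP constraint that checks them need the same change, otherwise the lists and the components disagree; the commit message ("WIP") should say which it is. Also fix "proptery" in the "hosting-environment" bullet and "prperty" in the external-service list.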
    • @@ -1603,8 +1601,7 @@

      Terms of Use

      - - +

      Explain why authentication scans are not possible for this component. @@ -1612,7 +1609,6 @@ - @@ -1725,7 +1721,6 @@ - @@ -1833,7 +1828,6 @@ - @@ -3563,10 +3557,12 @@ Plan of Actions and Milestones (POAM) - - - - 00000000 + + +

      The POA&M attachment may either be a legacy Excel workbook or OSCAL file. The resource must have:

      @@ -3580,6 +3576,7 @@

      A "version" property is optional.

      The appropriate media types for OSCAL content are, "application/xml", "application/json" or "application/yaml".

      +

      FedRAMP does not accept base64 POA&M contenta at this time.
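Review bot: the POA&M resource guidance lists media types only for the OSCAL form ("application/xml", "application/json" or "application/yaml") although the same remark says the attachment may be a legacy Excel workbook; add the workbook media type (application/vnd.openxmlformats-officedocument.spreadsheetml.sheet for .xlsx) so the example covers both cases it describes. Removing the "00000000" base64 placeholder is consistent with the new sentence that base64 content is not accepted; fix the typo "contenta" in that sentence.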