From ea0b2618485f90a3976af0c4153ee88a965bc393 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 12 Jan 2021 12:01:16 -0500 Subject: [PATCH] Ignore dirty, not untracked. This might do the trick better. --- .gitmodules | 6 +- oscal | 2 +- resources/validations/src/ssp.sch | 5 + .../demo/FedRAMP-SSP-OSCAL-Template-c14n.xml | 2287 ++++++++++++++++ ...dRAMP-SSP-OSCAL-Template-upgraded-c14n.xml | 2347 +++++++++++++++++ 5 files changed, 4643 insertions(+), 4 deletions(-) create mode 100644 resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-c14n.xml create mode 100644 resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-upgraded-c14n.xml diff --git a/.gitmodules b/.gitmodules index 27382eb48..f6d766801 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,16 +2,16 @@ path = oscal url = https://github.com/usnistgov/OSCAL.git branch = master - ignore = untracked + ignore = dirty [submodule "resources/validations/test/xspec"] path = resources/validations/lib/xspec url = https://github.com/xspec/xspec.git branch = master - ignore = untracked + ignore = dirty [submodule "resources/validations/src/schematron"] path = resources/validations/lib/schematron url = https://github.com/schematron/schematron.git branch = master - ignore = untracked \ No newline at end of file + ignore = dirty \ No newline at end of file diff --git a/oscal b/oscal index 5581a8e6f..d26e3b3fe 160000 --- a/oscal +++ b/oscal @@ -1 +1 @@ -Subproject commit 5581a8e6f230a5f8c3c2a287a70ec5f5a90140b8 +Subproject commit d26e3b3fe749bae1e0738e7e3229c2ca1b5fa9df diff --git a/resources/validations/src/ssp.sch b/resources/validations/src/ssp.sch index 5f05aba84..2d477f066 100644 --- a/resources/validations/src/ssp.sch +++ b/resources/validations/src/ssp.sch @@ -13,6 +13,7 @@ + @@ -153,6 +154,10 @@ + + + + diff --git a/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-c14n.xml b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-c14n.xml new file mode 100644 index 000000000..853ae2dbb 
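Review bot: The `.gitmodules` hunk changes all three submodules from `ignore = untracked` to `ignore = dirty`, which makes `git status` and `git diff` in the superproject stop reporting modified tracked files inside `oscal`, `lib/xspec` and `lib/schematron` as well as untracked ones; only a changed submodule commit is still shown. For vendored dependencies that is a real loss of signal (a locally edited Schematron or XSpec file would no longer be visible from the superproject), so the commit message should say which stray changes are being hidden and why suppressing them is preferable to ignoring the specific generated files inside the affected submodule. Two smaller points visible in the same hunk: the section `[submodule "resources/validations/test/xspec"]` declares `path = resources/validations/lib/xspec`, so the submodule name and its path disagree; and the file still ends without a trailing newline (`\ No newline at end of file` on both the old and new side), which is worth fixing while the file is being touched.

Review bot: The `oscal` hunk moves the submodule pointer from `5581a8e6f230a5f8c3c2a287a70ec5f5a90140b8` to `d26e3b3fe749bae1e0738e7e3229c2ca1b5fa9df`, but neither the subject ("Ignore dirty, not untracked") nor the body mentions a dependency update, so a reader cannot tell whether the bump is intentional or a side effect of committing from a dirty checkout. Please either split it into its own commit or add a sentence stating which upstream change in usnistgov/OSCAL is being pulled in and that the new commit is reachable from the tracked `master` branch.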
--- /dev/null +++ b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-c14n.xml @@ -0,0 +1,2287 @@ + + + FedRAMP System Security Plan (SSP) + 2020-07-01T00:00:00.00-04:00 + 2020-07-01T00:00:00.00-04:00 + 0.0 + 1.0-Milestone3 + + + 2019-06-01T00:00:00.00-04:00 + 1.0 + 1.0-Milestone3 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Initial publication.

+
+
+ + 2020-06-01T00:00:00.00-04:00 + 2.0 + 1.0-Milestone3 + csp + +

Updated for annual assessment.

+
+
+ +
+ Controlled Unclassified Information + + + + Prepared By + The organization that prepared this SSP. If developed in-house, this is the CSP itself. + + + Prepared For + The organization for which this SSP was prepared. Typically the CSP. + + + System Security Plan Approval + The individual or individuals accountable for the accuracy of this SSP. + + + Cloud Service Provider + CSP + + + Information System Owner + The individual within the CSP who is ultimately accountable for everything related to this system. + + + Authorizing Official + The individual or individuals who must grant this system an authorization to operate. + + + Authorizing Official's Point of Contact + The individual representing the authorizing official. + + + Information System Management Point of Contact (POC) + The highest level manager who responsible for system operation on behalf of the System Owner. + + + Information System Technical Point of Contact + The individual or individuals leading the technical operation of the system. + + + General Point of Contact (POC) + A general point of contact for the system, designated by the system owner. + + + System Information System Security Officer (or Equivalent) + The individual accountable for the security posture of the system on behalf of the system owner. + + + Privacy Official's Point of Contact + The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment. + + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + The point of contact for an interconnection on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + The point of contact for an interconnection on behalf of this external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + Responsible for signing an interconnection security agreement on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + Consultant + Any consultants involved with developing or maintaining this content. + + + + [SAMPLE]Unix Administrator + This is a sample role. + + + [SAMPLE]Client Administrator + This is a sample role. + + + [SAMPLE]Program Director + This is a sample role. + + + Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) + FedRAMP PMO + + + Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) + FedRAMP JAB + + + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 +
+ data-center + primary-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center".

+

A primary data center must also have a conformity tag of "primary-data-center".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 +
+ data-center + alternate-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center"

+

An alternate or backup data center must also have a conformity tag of "alternate-data-center".

+
+
+ + + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + 27b78960-59ef-4619-82b0-ae20b9c709ac + +

Replace sample CSP information.

+
+
+ + + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + +
+ 1800 F St. NW + + Washington + DC + + US +
+ info@fedramp.gov + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + +
+ 3333 Corporate Way + Washington + DC + + US +
+ poc@consulting.sample +
+ + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + Individual's Title + person@ica.org.example + 202-555-1212 + 80361ec4-bfce-4b5c-85c8-313d6ebd220b + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + Individual's Title +
+ Mailstop A-1 +
+ name@org.domain + 202-000-0001 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + 27b78960-59ef-4619-82b0-ae20b9c709ac +
+ + [SAMPLE]Person Name 2 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0002 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 3 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0003 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 4 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0004 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 5 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0005 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 6 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0006 + 78992555-4a99-4eaa-868c-f2c249679dd3 +
+ + [SAMPLE]Person Name 7 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0007 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Exactly one

+
+
+ + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + +

One or more

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

One or more

+
+
+ + 0cec09d9-20c6-470b-9ffc-85763375880b + +

Exactly one

+
+
+ + f75e21f6-43d8-46ab-890d-7f2eebc5a830 + +

Exactly one

+
+
+ + 132953a9-640c-46f7-9de9-3fa15ec99361 + +

Exactly one

+
+
+ + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

Exactly one

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + +

Exactly one

+
+
+ + 77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.

+
+
+ + + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

Describe the purpose and functions of this system here.

+
+ + fedramp-agency + + + 2 + + 2 + 2 + 2 + + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + low + + + + yes + + + yes + + yes + + yes + + no + [No SORN ID] + + Information Type Name + +

A description of the information.

+
+ C.2.4.1 + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

Remarks are required if status/state is "other". Optional otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + 0 + 0 + 0 + 0 + + Name of Underlying System + f0bc13a4-3303-47dd-80d3-380e159c8362 + 2015-01-01 + +

The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.

+

Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.

+
+
+ + + [SAMPLE]Unix System Administrator + high + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + moderate + + + external + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + limited + + + program-director + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + + This System + +

The entire system as depicted in the system authorization boundary

+
+ +
+ + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.

+
+ 5a9c98ab-8e5e-433d-a7bd-515c07cd1497 + +
+ + [SAMPLE]Module Name + +

[SAMPLE]FIPS 140-2 Validated Module

+
+ 0000 + + +
+ + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ os + infrastructure + Vendor Name + Model Number + Version Number + Patch Level + fips-module-1 + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ database + infrastructure + database + Vendor Name + Model Number + Version Number + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ os + infrastructure + + + +
+ + Database Sample + +

None

+
+ database + database + + + +
+ + Appliance Sample + +

None

+
+ appliance + web + https://admin.offering.com/login + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + [SAMPLE]Service Name +

Describe the service

+ Describe the reason the service is needed. + What uses this service? + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

SERVICES ARE NOW COMPONENTS WITH type='service'

+
+
+ + + + [EXAMPLE]Authorized Connection Information System Name +

Briefly describe the interconnection.

+ [SAMPLE]Telco Name + 10.1.1.1 + 10.2.2.2 + incoming-outgoing + Describe the information being transmitted. + 80 + 1 + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + +

Optional notes about this interconnection

+
+
+ + + + +

Flat-File Example (No implemented-component).

+
+ 10.1.1.1 + 0000:0000:0000:0000 + no + no + dns.name + uniform.resource.identifier + netbios-name + 00:00:00:00:00:00 + software-name + V 0.0.0 + os + Vendor Name + Model Number + Patch-Level + Serial # + Asset Tag + VLAN Identifier + Network Identifier + infrastructure + database + component-id + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ 10.2.2.2 + 0000:0000:0000:0000 + 00:00:00:00:00:00 + no + no + dns.name + uniform.resource.locator + netbios-name + Patch-Level + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + +

If no, explain why. If yes, omit remark.

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + + +

None.

+
+ 10.3.3.3 + + +
+ + +

None.

+
+ 10.4.4.4 + + +
+ + +

None.

+
+ 10.5.5.5 + + +
+ + +

None.

+
+ 10.6.6.6 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ 10.7.7.7 + + +
+ + +

None.

+
+ 10.8.8.8 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + + +

IPv4 Production Subnet.

+
+ 10.10.10.0/24 + +
+ + +

IPv4 Management Subnet.

+
+ 10.10.20.0/24 + +
+
+
+ + + + +

FedRAMP SSP Template Section 13

+

This description field is required by OSCAL. FedRAMP does not require any specific + information here.

+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Describe how Part a is satisfied within the system.

+
+
+ +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Describe how Part b-1 is satisfied.

+
+
+ + +

Describe how Part b-2 is satisfied.

+
+
+
+ + Completion Date + + +

Describe the plan to complete the implementation.

+
+
+ + +

Describe the portion of the control that is not satisfied.

+
+
+ + +

Describe the justification for marking this control Not Applicable.

+
+
+ + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + [SAMPLE]annually + + + +

Do not respond to this statement here. Respond within the by-component assembly below.

+
+ + + +

For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.

+
+ + +

General customer responsibility description.

+
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not expclicity required within every statement, it will typically be present.

+
+
+ + + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Component-specific customer responsibility description.

+
+
+
+ + + +

For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Component-based Approach

+
+ + + +

Describe how Part a is satisfied.

+
+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+
+ + + + + FedRAMP Applicable Laws and Regulations + fedramp-citations + + + + FedRAMP Master Acronym and Glossary + fedramp-acronyms + + + + [SAMPLE]Name or Title of Document + law + Publication Date + Identification Number + + + + [SAMPLE]Privacy-Related Law Citation + law + pii + Publication Date + Identification Number + + + + [SAMPLE]Regulation Citation + regulation + Publication Date + Identification Number + + + + [SAMPLE]Interconnection Security Agreement Title + Document Date + Document Version + + + CSP Logo + prepared-for-logo + csp-logo + + + 00000000 + + + Preparer Logo + prepared-by-logo + + + 00000000 + + + FedRAMP Logo + fedramp-logo + + + + 3PAO Logo + 3pao-logo + + + 00000000 + + + The primary authorization boundary diagram. + + + 00000000 + +

Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

+
+
+ + The primary network diagram. + + + 00000000 + +

Section 9.4, Figure 9-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

+
+
+ + The primary data flow diagram. + + + 00000000 + +

Section 10, Figure 10-1 Data Flow Diagram (graphic)

+

This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + User's Guide + User's Guide + user-guide + guide + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: User's Guide Attachment

+
+
+ + Privacy Impact Assessment + privacy-impact-assessment + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Privacy Impact Assessment

+
+
+ + Document Title + Rules of Behavior + rules-of-behavior + rob + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Rules of Behavior (ROB)

+
+
+ + Document Title + Contingency Plan (CP) + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Contingency Plan (CP) Attachment

+
+
+ + Document Title + Configuration Management (CM) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Configuration Management (CM) Plan Attachment

+
+
+ + Document Title + Incident Response (IR) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Incident Response (IR) Plan Attachment

+
+
+ + Separation of Duties Matrix + Separation of Duties Matrix + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Separation of Duties Matrix Attachment

+
+
+ + FedRAMP High Baseline + + +

Pointer to High baseline content in OSCAL.

+
+
+ + FedRAMP Moderate Baseline + + +

Pointer to Moderate baseline content in OSCAL.

+
+
+ + FedRAMP Low Baseline + + +

Pointer to Low baseline content in OSCAL.

+
+
+
+
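Review bot: The new 2287-line fixture `resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-c14n.xml` arrives with no record of how it was produced: the `c14n` suffix implies a canonicalization step, but the commit message does not name the tool, command or source template revision, so the file cannot be regenerated when the upstream template changes. Add that to the commit message or to a short README beside the fixture. The content also carries template artefacts verbatim, for example the remark "The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly." and the misspelling "expclicity"; since a canonicalized fixture should mirror its source, these belong in an upstream fix rather than an edit here, but they are a reminder that the fixture encodes a snapshot of the template's own caveats. Finally, the sample data contains exactly the conditions its remarks describe (two data-center locations tagged `data-center`, one `primary-data-center` and one `alternate-data-center`), so if the rules added to `ssp.sch` in this same commit assert on those, a second fixture that violates them is needed to show the rules actually fire.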
\ No newline at end of file diff --git a/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-upgraded-c14n.xml b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-upgraded-c14n.xml new file mode 100644 index 000000000..4dfe40cdf --- /dev/null +++ b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-upgraded-c14n.xml @@ -0,0 +1,2347 @@ + + + FedRAMP System Security Plan (SSP) + 2020-07-01T00:00:00.00-04:00 + 2020-07-01T00:00:00.00-04:00 + 0.0 + 1.0-Milestone3 + + + 2019-06-01T00:00:00.00-04:00 + 1.0 + 1.0-Milestone3 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Initial publication.

+
+
+ + 2020-06-01T00:00:00.00-04:00 + 2.0 + 1.0-Milestone3 + csp + +

Updated for annual assessment.

+
+
+ +
+ Controlled Unclassified Information + + + + Prepared By + The organization that prepared this SSP. If developed in-house, this is the CSP itself. + + + Prepared For + The organization for which this SSP was prepared. Typically the CSP. + + + System Security Plan Approval + The individual or individuals accountable for the accuracy of this SSP. + + + Cloud Service Provider + CSP + + + Information System Owner + The individual within the CSP who is ultimately accountable for everything related to this system. + + + Authorizing Official + The individual or individuals who must grant this system an authorization to operate. + + + Authorizing Official's Point of Contact + The individual representing the authorizing official. + + + Information System Management Point of Contact (POC) + The highest level manager who responsible for system operation on behalf of the System Owner. + + + Information System Technical Point of Contact + The individual or individuals leading the technical operation of the system. + + + General Point of Contact (POC) + A general point of contact for the system, designated by the system owner. + + + System Information System Security Officer (or Equivalent) + The individual accountable for the security posture of the system on behalf of the system owner. + + + Privacy Official's Point of Contact + The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment. + + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + The point of contact for an interconnection on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + The point of contact for an interconnection on behalf of this external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + Responsible for signing an interconnection security agreement on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + Consultant + Any consultants involved with developing or maintaining this content. + + + + [SAMPLE]Unix Administrator + This is a sample role. + + + [SAMPLE]Client Administrator + This is a sample role. + + + [SAMPLE]Program Director + This is a sample role. + + + Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) + FedRAMP PMO + + + Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) + FedRAMP JAB + + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 +
+ data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center".

+

A primary data center must also have a conformity tag of "primary-data-center".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 +
+ data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center"

+

An alternate or backup data center must also have a conformity tag of "alternate-data-center".

+
+
+ + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + 27b78960-59ef-4619-82b0-ae20b9c709ac + +

Replace sample CSP information.

+
+
+ + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + info@fedramp.gov +
+ 1800 F St. NW + + Washington + DC + + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + poc@consulting.sample +
+ 3333 Corporate Way + Washington + DC + + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + Individual's Title + person@ica.org.example + 202-555-1212 + 80361ec4-bfce-4b5c-85c8-313d6ebd220b + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + Individual's Title + Mailstop A-1 + name@org.domain + 202-000-0001 + 27b78960-59ef-4619-82b0-ae20b9c709ac + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + [SAMPLE]Person Name 2 + Individual's Title + name@org.domain + 202-000-0002 +
+ Address Line + City + ST + 00000 + US +
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 3 + Individual's Title + name@org.domain + 202-000-0003 +
+ Address Line + City + ST + 00000 + US +
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 4 + Individual's Title + name@org.domain + 202-000-0004 +
+ Address Line + City + ST + 00000 + US +
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 5 + Individual's Title + name@org.domain + 202-000-0005 +
+ Address Line + City + ST + 00000 + US +
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 6 + Individual's Title + name@org.domain + 202-000-0006 +
+ Address Line + City + ST + 00000 + US +
+ 78992555-4a99-4eaa-868c-f2c249679dd3 +
+ + [SAMPLE]Person Name 7 + Individual's Title + name@org.domain + 202-000-0007 +
+ Address Line + City + ST + 00000 + US +
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Exactly one

+
+
+ + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + +

One or more

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

One or more

+
+
+ + 0cec09d9-20c6-470b-9ffc-85763375880b + +

Exactly one

+
+
+ + f75e21f6-43d8-46ab-890d-7f2eebc5a830 + +

Exactly one

+
+
+ + 132953a9-640c-46f7-9de9-3fa15ec99361 + +

Exactly one

+
+
+ + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

Exactly one

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + +

Exactly one

+
+
+ + 77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.

+
+
+ + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

Describe the purpose and functions of this system here.

+
+ + fedramp-agency + + + 2 + + 2 + 2 + 2 + + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + low + + + + yes + + + yes + + yes + + yes + + no + [No SORN ID] + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

Remarks are required if status/state is "other". Optional otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + 0 + 0 + 0 + 0 + + Name of Underlying System + f0bc13a4-3303-47dd-80d3-380e159c8362 + 2015-01-01 + +

The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.

+

Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.

+
+
+ + [SAMPLE]Unix System Administrator + high + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + moderate + + + external + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + limited + + + program-director + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + This System + +

The entire system as depicted in the system authorization boundary

+
+ +
+ + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.

+
+ 5a9c98ab-8e5e-433d-a7bd-515c07cd1497 + +
+ + [SAMPLE]Module Name + +

[SAMPLE]FIPS 140-2 Validated Module

+
+ + 0000 + + +
+ + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ os + infrastructure + + Vendor Name + Model Number + Version Number + Patch Level + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ database + infrastructure + database + Vendor Name + Model Number + Version Number + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ operating-system + infrastructure + + + +
+ + Database Sample + +

None

+
+ database + database + + + +
+ + Appliance Sample + +

None

+
+ appliance + web + https://admin.offering.com/login + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + [SAMPLE]Service Name + +

Describe the service

+
+ Describe the reason the service is needed. + + What uses this service? + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

+ SERVICES ARE NOW COMPONENTS WITH type='service' +

+
+
+ + [EXAMPLE]Authorized Connection Information System Name + +

Briefly describe the interconnection.

+
+ [SAMPLE]Telco Name + 10.1.1.1 + 10.2.2.2 + incoming + outgoing + + Describe the information being transmitted. + 80 + 1 + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + +

Optional notes about this interconnection

+
+
+ + +

Flat-File Example (No implemented-component).

+
+ unique-asset-id + 10.1.1.1 + 0000:0000:0000:0000 + no + no + dns.name + uniform.resource.identifier + netbios-name + 00:00:00:00:00:00 + software-name + V 0.0.0 + os + Vendor Name + Model Number + Patch-Level + Serial # + Asset Tag + VLAN Identifier + Network Identifier + infrastructure + database + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + db234cb7-1776-425c-9ac4-b067c1723011 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + +

This links to a FIPS 140-2 validated software component that is used by this inventory item. This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ unique-asset-ID + 10.2.2.2 + 0000:0000:0000:0000 + 00:00:00:00:00:00 + no + no + dns.name + uniform.resource.locator + netbios-name + Patch-Level + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + +

If no, explain why. If yes, omit remark.

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ unique-asset-id + 10.3.3.3 + + +
+ + +

None.

+
+ unique-asset-id + 10.4.4.4 + + +
+ + +

None.

+
+ unique-asset-id + 10.5.5.5 + + +
+ + +

None.

+
+ unique-asset-id + 10.6.6.6 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ unique-asset-id + 10.7.7.7 + + +
+ + +

None.

+
+ unique-asset-id + 10.8.8.8 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

IPv4 Production Subnet.

+
+ 10.10.10.0 + 10.10.10.0/24 + +
+ + +

IPv4 Management Subnet.

+
+ 10.10.20.0 + 10.10.20.0/24 + +
+
+ + + +

FedRAMP SSP Template Section 13

+

This description field is required by OSCAL. FedRAMP does not require any specific + information here.

+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + +

Describe how Part a is satisfied within the system.

+
+
+ +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + Completion Date + + +

Describe the plan to complete the implementation.

+
+
+ + +

Describe the portion of the control that is not satisfied.

+
+
+ + +

Describe the justification for marking this control Not Applicable.

+
+
+ + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + [SAMPLE]annually + + + + + + +

Do not respond to this statement here. Respond within the by-component assembly below.

+
+
+ + +

For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.

+
+ + + +

General customer responsibility description.

+
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not expclicity required within every statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + + +

Component-specific customer responsibility description.

+
+
+
+ + +

For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Component-based Approach

+
+
+ + +

Describe how Part a is satisfied.

+
+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + + +

Ignore.

+
+
+ + +

Describe how Part b-1 is satisfied.

+
+
+
+ + + +

Ignore.

+
+
+ + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + + +

Ignore.

+
+
+ + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+
+ + + + + + + FedRAMP Applicable Laws and Regulations + fedramp-citations + + + + FedRAMP Master Acronym and Glossary + fedramp-acronyms + + + + [SAMPLE]Name or Title of Document + law + Publication Date + Identification Number + + + + [SAMPLE]Privacy-Related Law Citation + law + pii + Publication Date + Identification Number + + + + [SAMPLE]Regulation Citation + regulation + Publication Date + Identification Number + + + + [SAMPLE]Interconnection Security Agreement Title + Document Date + Document Version + agreement + + + CSP Logo + prepared-for-logo + csp-logo + + + 00000000 + + + Preparer Logo + prepared-by-logo + + + 00000000 + + + FedRAMP Logo + fedramp-logo + + + + 3PAO Logo + 3pao-logo + + + 00000000 + + + The primary authorization boundary diagram. + + + 00000000 + +

Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

+
+
+ + The primary network diagram. + + + 00000000 + +

Section 9.4, Figure 9-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

+
+
+ + The primary data flow diagram. + + + 00000000 + +

Section 10, Figure 10-1 Data Flow Diagram (graphic)

+

This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + User's Guide + User's Guide + user-guide + guide + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: User's Guide Attachment

+
+
+ + Privacy Impact Assessment + privacy-impact-assessment + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Privacy Impact Assessment

+
+
+ + Document Title + Rules of Behavior + rules-of-behavior + rob + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Rules of Behavior (ROB)

+
+
+ + Document Title + Contingency Plan (CP) + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Contingency Plan (CP) Attachment

+
+
+ + Document Title + Configuration Management (CM) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Configuration Management (CM) Plan Attachment

+
+
+ + Document Title + Incident Response (IR) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Incident Response (IR) Plan Attachment

+
+
+ + Separation of Duties Matrix + Separation of Duties Matrix + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Separation of Duties Matrix Attachment

+
+
+ + FedRAMP High Baseline + + +

Pointer to High baseline content in OSCAL.

+
+
+ + FedRAMP Moderate Baseline + + +

Pointer to Moderate baseline content in OSCAL.

+
+
+ + FedRAMP Low Baseline + + +

Pointer to Low baseline content in OSCAL.

+
+
+
+
\ No newline at end of file
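Review bot: nothing in the patch says what "upgraded" means for `FedRAMP-SSP-OSCAL-Template-upgraded-c14n.xml`; its whole back matter, from the `FedRAMP Applicable Laws and Regulations` resource through `Pointer to Low baseline content in OSCAL.`, is the same text as the tail of the non-upgraded fixture, so a short note on which model version the upgrade targets and how the file was produced from the template would let the two be regenerated instead of hand-maintained in parallel. Like the other fixture, this file lacks a trailing newline; add it. Several remarks also carry defects worth fixing, either here or in the upstream template if the fixture is meant to track it: `leveraged-authorizaton` and `expclicity` are misspelled, `The highest level manager who responsible for system operation` is missing "is", and `(In the legacy world, these may be general support systems.` never closes its parenthesis. The remarks `SERVICES ARE NOW COMPONENTS WITH type='service'` and `This will be fixed in the syntax shortly.` read as author notes rather than sample content and should probably not ship in a validation fixture. In the `[SAMPLE]Program Director` role, `Access Approver` repeats the `Administrative Access Approver` description (`Approves access requests for administrative accounts.`) and looks like a copy-paste leftover. Finally, the appliance sample points at `https://admin.offering.com/login`, a domain that is not reserved for documentation; a `.example` or `example.com` host, as the ICA POC sample already uses with `person@ica.org.example`, avoids any tooling accidentally resolving or requesting a third party's address.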