Initial publication.
+Updated for annual assessment.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.
+There must be one location for each data center.
+There must be at least two data centers.
+For a data center, briefly summarize the components at this location.
+All data centers must have a conformity tag of "data-center".
+A primary data center must also have a conformity tag of "primary-data-center".
+There must be one location for each data center.
+There must be at least two data centers.
+For a data center, briefly summarize the components at this location.
+All data centers must have a conformity tag of "data-center"
+An alternate or backup data center must also have a conformity tag of "alternate-data-center".
+Replace sample CSP information.
+This party entry must be present in a FedRAMP SSP.
+The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.
+This party entry must be present in a FedRAMP SSP.
+The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.
+Generic placeholder for any external organization.
+Generic placeholder for an authorizing agency.
+Underlying service provider. Leveraged Authorization.
+Exactly one
+Exactly one
+One or more
+Exactly one
+One or more
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.
+Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.
+Describe the purpose and functions of this system here.
+Remarks are required if service model is "other". Optional otherwise.
+Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.
+A description of the information.
+Required if the base and selected values do not match.
+Required if the base and selected values do not match.
+Required if the base and selected values do not match.
+Remarks are required if status/state is "other". Optional otherwise.
+A holistic, top-level explanation of the FedRAMP authorization boundary.
+A diagram-specific explanation.
+A holistic, top-level explanation of the network architecture.
+A diagram-specific explanation.
+A holistic, top-level explanation of the system's data flows.
+A diagram-specific explanation.
+The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.
+Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.
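Review bot: "leveraged-authorizaton" in the first of these two remarks is misspelled; it should read "leveraged-authorization", as the assembly is named in the remark that follows. The parenthesis opened at "(In the legacy world, these may be general support systems." is never closed. The promise that the uuid/id flag "will be fixed in the syntax shortly" will go stale in a published template, so say which flag to use today or drop the sentence once the syntax changes.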
+The entire system as depicted in the system authorization boundary
+If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.
+[SAMPLE]FIPS 140-2 Validated Module
+FUNCTION: Describe typical component function.
+COMMENTS: Provide other comments as needed.
+FUNCTION: Describe typical component function.
+COMMENTS: Provide other comments as needed.
+None
+None
+None
+Vendor appliance. No admin-level access.
+Describe the service
Section 10.2, Table 10-1. Ports, Protocols and Services
+SERVICES ARE NOW COMPONENTS WITH type='service'
+Briefly describe the interconnection.
If "other", remarks are required. Optional otherwise.
+Optional notes about this interconnection
+Flat-File Example (No implemented-component).
+If no, explain why. If yes, omit remarks field.
+If no, explain why. If yes, omit remarks field.
+Optional, longer, formatted description.
+COMMENTS: Additional information about this item.
+Component Inventory Example
+If no, explain why. If yes, omit remark.
+If no, explain why. If yes, omit remark.
+COMMENTS: If needed, provide additional information about this inventory item.
+None.
+None.
+None.
+None.
+Asset wasn't running at time of scan.
+None.
+None.
+Asset wasn't running at time of scan.
+IPv4 Production Subnet.
+IPv4 Management Subnet.
+FedRAMP SSP Template Section 13
+This description field is required by OSCAL. FedRAMP does not require any specific + information here.
+Describe the plan to complete the implementation.
+Describe how Part a is satisfied within the system.
+The specified component is the system itself.
+Any control implementation response that can not be associated with another component is associated with the component representing the system.
+This identifies a policy (attached in resources) that satisfies this control.
+This identifies a process (attached in resources) that satisfies this control.
+Describe how Part b-1 is satisfied.
+Describe how Part b-2 is satisfied.
+I won't describe the plan to complete the implementation.
+Describe the portion of the control that is not satisfied.
+Describe the justification for marking this control Not Applicable.
+Describe any customer-configured requirements for satisfying this control.
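Review bot: The planned-implementation remark "I won't describe the plan to complete the implementation." reads like leftover test text. Every other occurrence of this placeholder in the change is "Describe the plan to complete the implementation.", so this line should match it. In the same group of remarks, "can not be associated" would read better as "cannot be associated".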
+Do not respond to this statement here. Respond within the by-component
assembly below.
For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.
+General customer responsibility description.
+The component-uuid above points to the "this system" component.
+Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.
+This can also be used to provide a summary, such as a holistic overview of how multiple components work together.
+While the "this system" component is not expclicity required within every statement
, it will typically be present.
For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.
+Component-specific customer responsibility description.
+For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.
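Review bot: "expclicity" in the remark about the "this system" component should be "explicitly". The sentence is also broken across two lines, so the second line begins with a stray ", it will typically be present."; join it into one line so the remark renders as a single sentence.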
+Describe the plan to complete the implementation.
+Component-based Approach
+Describe how Part a is satisfied.
+This identifies a policy (attached in resources) that satisfies this control.
+This identifies a process (attached in resources) that satisfies this control.
+Ignore.
+Describe how Part b-1 is satisfied.
+Ignore.
+Describe how Part b-2 is satisfied.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)
+This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"
+Section 9.4, Figure 9-2 Network Diagram (graphic)
+This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"
+Section 10, Figure 10-1 Data Flow Diagram (graphic)
+This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"
+Table 15-1 Attachments: Policy Attachment
+Table 15-1 Attachments: Policy Attachment
+Table 15-1 Attachments: Procedure Attachment
+Table 15-1 Attachments: Procedure Attachment
+Table 15-1 Attachments: User's Guide Attachment
+Table 15-1 Attachments: Privacy Impact Assessment
+Table 15-1 Attachments: Rules of Behavior (ROB)
+Table 15-1 Attachments: Contingency Plan (CP) Attachment
+Table 15-1 Attachments: Configuration Management (CM) Plan Attachment
+Table 15-1 Attachments: Incident Response (IR) Plan Attachment
+Table 15-1 Attachments: Separation of Duties Matrix Attachment
+Pointer to High baseline content in OSCAL.
+Pointer to Moderate baseline content in OSCAL.
+Pointer to Low baseline content in OSCAL.
+Initial publication.
+Updated for annual assessment.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+Remove this role if there are no ICAs.
+There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.
+There must be one location for each data center.
+There must be at least two data centers.
+For a data center, briefly summarize the components at this location.
+All data centers must have a conformity tag of "data-center".
+A primary data center must also have a conformity tag of "primary-data-center".
+There must be one location for each data center.
+There must be at least two data centers.
+For a data center, briefly summarize the components at this location.
+All data centers must have a conformity tag of "data-center"
+An alternate or backup data center must also have a conformity tag of "alternate-data-center".
+Replace sample CSP information.
+This party entry must be present in a FedRAMP SSP.
+The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.
+This party entry must be present in a FedRAMP SSP.
+The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.
+Generic placeholder for any external organization.
+Generic placeholder for an authorizing agency.
+Underlying service provider. Leveraged Authorization.
+Exactly one
+Exactly one
+One or more
+Exactly one
+One or more
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+Exactly one
+This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.
+Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.
+Describe the purpose and functions of this system here.
+Remarks are required if service model is "other". Optional otherwise.
+Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.
+A description of the information.
+Required if the base and selected values do not match.
+Required if the base and selected values do not match.
+Required if the base and selected values do not match.
+Remarks are required if status/state is "other". Optional otherwise.
+A holistic, top-level explanation of the FedRAMP authorization boundary.
+A diagram-specific explanation.
+A holistic, top-level explanation of the network architecture.
+A diagram-specific explanation.
+A holistic, top-level explanation of the system's data flows.
+A diagram-specific explanation.
+The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.
+Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.
+The entire system as depicted in the system authorization boundary
+If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.
+[SAMPLE]FIPS 140-2 Validated Module
+FUNCTION: Describe typical component function.
+COMMENTS: Provide other comments as needed.
+FUNCTION: Describe typical component function.
+COMMENTS: Provide other comments as needed.
+None
+None
+None
+Vendor appliance. No admin-level access.
+Describe the service
Section 10.2, Table 10-1. Ports, Protocols and Services
+SERVICES ARE NOW COMPONENTS WITH type='service'
+Briefly describe the interconnection.
If "other", remarks are required. Optional otherwise.
+Optional notes about this interconnection
+Flat-File Example (No implemented-component).
+If no, explain why. If yes, omit remarks field.
+If no, explain why. If yes, omit remarks field.
+Optional, longer, formatted description.
+COMMENTS: Additional information about this item.
+Component Inventory Example
+If no, explain why. If yes, omit remark.
+If no, explain why. If yes, omit remark.
+COMMENTS: If needed, provide additional information about this inventory item.
+None.
+None.
+None.
+None.
+Asset wasn't running at time of scan.
+None.
+None.
+Asset wasn't running at time of scan.
+IPv4 Production Subnet.
+IPv4 Management Subnet.
+FedRAMP SSP Template Section 13
+This description field is required by OSCAL. FedRAMP does not require any specific + information here.
+Describe the plan to complete the implementation.
+Describe how Part a is satisfied within the system.
+The specified component is the system itself.
+Any control implementation response that can not be associated with another component is associated with the component representing the system.
+This identifies a policy (attached in resources) that satisfies this control.
+This identifies a process (attached in resources) that satisfies this control.
+Describe how Part b-1 is satisfied.
+Describe how Part b-2 is satisfied.
+Describe the plan to complete the implementation.
+Describe the portion of the control that is not satisfied.
+Describe the justification for marking this control Not Applicable.
+Describe any customer-configured requirements for satisfying this control.
+Do not respond to this statement here. Respond within the by-component
assembly below.
For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.
+General customer responsibility description.
+The component-uuid above points to the "this system" component.
+Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.
+This can also be used to provide a summary, such as a holistic overview of how multiple components work together.
+While the "this system" component is not expclicity required within every statement
, it will typically be present.
For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.
+Component-specific customer responsibility description.
+For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.
+Describe the plan to complete the implementation.
+Component-based Approach
+Describe how Part a is satisfied.
+This identifies a policy (attached in resources) that satisfies this control.
+This identifies a process (attached in resources) that satisfies this control.
+Ignore.
+Describe how Part b-1 is satisfied.
+Ignore.
+Describe how Part b-2 is satisfied.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Describe the plan to complete the implementation.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Ignore.
+For the portion of the control satisfied by the service provider, describe + how the control is met.
+Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)
+This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"
+Section 9.4, Figure 9-2 Network Diagram (graphic)
+This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"
+Section 10, Figure 10-1 Data Flow Diagram (graphic)
+This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"
+Table 15-1 Attachments: Policy Attachment
+Table 15-1 Attachments: Policy Attachment
+Table 15-1 Attachments: Procedure Attachment
+Table 15-1 Attachments: Procedure Attachment
+Table 15-1 Attachments: User's Guide Attachment
+Table 15-1 Attachments: Privacy Impact Assessment
+Table 15-1 Attachments: Rules of Behavior (ROB)
+Table 15-1 Attachments: Contingency Plan (CP) Attachment
+Table 15-1 Attachments: Configuration Management (CM) Plan Attachment
+Table 15-1 Attachments: Incident Response (IR) Plan Attachment
+Table 15-1 Attachments: Separation of Duties Matrix Attachment
+Pointer to High baseline content in OSCAL.
+Pointer to Moderate baseline content in OSCAL.
+Pointer to Low baseline content in OSCAL.
+
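Review bot: From the second "+Initial publication." line onward, this change repeats the preceding block of remarks almost line for line, including the misspellings "leveraged-authorizaton" and "expclicity" and the unclosed "(In the legacy world" parenthesis, so every fix has to be made twice. The two copies also disagree on one planned-implementation remark: the first has "I won't describe the plan to complete the implementation." where the second has "Describe the plan to complete the implementation.". If the copies are meant to be equivalent, generate one from the other or add a check that keeps them in sync.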