diff --git a/.gitignore b/.gitignore
index 09af49d08..8568f3f84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,7 @@
 documents/source
-utils
\ No newline at end of file
+utils
+.history/*
+
+resources/validations/src/ssp.xsl
+resources/validations/report
+resources/validations/target
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
index 62c9e326e..ae931c617 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,9 @@
 path = oscal
 url = https://github.com/usnistgov/OSCAL.git
 branch = master
+[submodule "resources/validations/test/xspec"]
+ path = resources/validations/lib/xspec
+ url = https://github.com/xspec/xspec.git
+[submodule "resources/validations/src/schematron"]
+ path = resources/validations/lib/schematron
+ url = https://github.com/schematron/schematron.git
diff --git a/resources/validations/README.md b/resources/validations/README.md
new file mode 100644
index 000000000..71b02da54
--- /dev/null
+++ b/resources/validations/README.md
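Review bot: The two new submodule sections in .gitmodules are named after paths they do not use — `[submodule "resources/validations/test/xspec"]` has `path = resources/validations/lib/xspec` and `[submodule "resources/validations/src/schematron"]` has `path = resources/validations/lib/schematron`. Git keys submodule configuration by the section name, so the mismatch is legal but will confuse `git submodule` output and anyone editing the file later; renaming them to `[submodule "resources/validations/lib/xspec"]` and `[submodule "resources/validations/lib/schematron"]` keeps them consistent with the existing OSCAL entry. Both are pinned by the gitlink commits added elsewhere in this change and, unlike the OSCAL entry, declare no `branch`, so the toolchain only moves when someone updates the pointer deliberately, which is the right default for a build dependency.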
@@ -0,0 +1,42 @@
+Schematron Validations for OSCAL
+===
+
+project structure
+---
+
+`/src` for the sch files
+`/lib` for toolchain dependencies (e.g. Schematron)
+`/report/test` for XSpec outputs
+`/report/schematron` for final validations in Schematron SVRL reporting format
+`/target` for intermediary and compiled artifacts (e.g. XSLT stylesheets)
+`/test` for any XSpec or other testing artifacts
+`/test/demo` xml files for validating XSpec against
+
+To validate xml files using schematron
+---
+
+example
+
+`./validate_with_schematron.sh test/demo/FedRAMP-SSP-OSCAL-Template.xml`
+
+you must pass in a file name you want validated as argument `$1`. by default it will compile and validate the input with all `src/*.sch` files.
+
+if you wish to override the default version (currently 10.2) of `SAXON HE`, you may pass it as the argument `$2`
+
+
+
+To Run Tests
+---
+
+```sh
+cd /path/to/fedramp-automation/resources/validations
+export SAXON_CP=yourpath/Saxon-HE-X.Y.Z.jar
+export TEST_DIR=$(pwd)/report/test
+lib/xspec/bin/xspec.sh -s -j test/test_all.xspec
+```
+
+Adding tests to the harness
+---
+
+To add new tests, add an import to the `test-all.xpec`
+ex: ``
diff --git a/resources/validations/bin/validate_with_schematron.sh b/resources/validations/bin/validate_with_schematron.sh
new file mode 100755
index 000000000..5608a3a4c
--- /dev/null
+++ b/resources/validations/bin/validate_with_schematron.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+if [ ! -e "$1" ]; then
+ echo "no file input for report, exiting"
+ exit 1
+fi
+DOC_TO_VALIDATE="$1"
+echo "doc requested to be validated: ${DOC_TO_VALIDATE}"
+
+# Delete pre-existing XSLT report
+rm -rf target/*.xsl;
+SAXON_VERSION=$2
+SAXON_VERSION=${SAXON_VERSION:-10.2}
+
+echo "using saxon version ${SAXON_VERSION}"
+
+mvn -q org.apache.maven.plugins:maven-dependency-plugin:2.1:get \
+ -DrepoUrl=https://mvnrepository.com/ \
+ -DartifactId=Saxon-HE \
+ -DgroupId=net.sf.saxon \
+ -Dversion="${SAXON_VERSION}"
+
+# Delete pre-existing SVRL report
+rm -rf report/schematron/*.results.xml
+
+for qualifiedSchematronName in src/*.sch; do
+ [ -e "${qualifiedSchematronName}" ] || continue
+
+ # compute name without .sch
+ schematronName=${qualifiedSchematronName##*/}
+ schematronRoot=${schematronName%.*}
+
+ # Use Saxon XSL transform to convert our Schematron to pure XSL 2.0 stylesheet
+ saxon_jar=~/.m2/repository/net/sf/saxon/Saxon-HE/"${SAXON_VERSION}"/Saxon-HE-"${SAXON_VERSION}".jar
+ java -cp "${saxon_jar}" net.sf.saxon.Transform -o:target/"${schematronRoot}".xsl -s:"${qualifiedSchematronName}" lib/schematron/trunk/schematron/code/iso_svrl_for_xslt2.xsl
+ echo "compiling: ${qualifiedSchematronName} to: target/${schematronRoot}.xsl"
+
+ # Use Saxon XSL transform to use XSL-ified Schematron rules to analyze full FedRAMP-SSP-OSCAL template
+ # and dump the result into reports.
+ reportName="report/schematron/${DOC_TO_VALIDATE}__${schematronRoot}.results.xml"
+ echo "validating doc: ${DOC_TO_VALIDATE} with ${qualifiedSchematronName} output found in ${reportName}"
+ java -cp "${saxon_jar}" net.sf.saxon.Transform -o:"${reportName}" -s:"${DOC_TO_VALIDATE}" target/"${schematronRoot}".xsl
+done
diff --git a/resources/validations/lib/schematron b/resources/validations/lib/schematron
new file mode 160000
index 000000000..02f3707b1
--- /dev/null
+++ b/resources/validations/lib/schematron
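Review bot: `reportName="report/schematron/${DOC_TO_VALIDATE}__${schematronRoot}.results.xml"` embeds the input path verbatim, so the README's own example (`test/demo/FedRAMP-SSP-OSCAL-Template.xml`) yields a report under `report/schematron/test/demo/...` that the earlier `rm -rf report/schematron/*.results.xml` never cleans, and an absolute path yields `report/schematron//...`; use the basename, `${DOC_TO_VALIDATE##*/}`, when building the name. Nothing checks exit codes: without `set -euo pipefail` a failed `mvn ... get` or a failed compile step is followed by the validation step running against a missing jar or a stale `target/*.xsl`, and the script still exits 0, so a CI caller cannot distinguish "validation passed" from "validation never ran". Enabling `set -u` also requires `${1:-}` in the existence test and `SAXON_VERSION="${2:-10.2}"` in place of the two-step assignment, as in the excerpt below. Every path (`src/*.sch`, `target/`, `lib/schematron/...`, `report/`) is relative to the caller's working directory while the script lives in `bin/`, so it appears to work only when run from `resources/validations`; at minimum add a header comment such as `# Run from resources/validations: all paths below are relative to that directory.` or resolve them against `$(dirname "$0")/..`. The Saxon jar is fetched at run time with `-DrepoUrl=https://mvnrepository.com/`, which as far as I know is an index site rather than an artifact repository (so the download presumably falls back to whatever repositories the local Maven settings trust), with a version taken directly from `$2` and no digest check; naming the repository you actually rely on and pinning the expected jar checksum, or vendoring it like the other `lib/` dependencies, would make the toolchain reproducible.
```shell
#!/usr/bin/env bash
set -euo pipefail

if [ ! -e "${1:-}" ]; then
  echo "no file input for report, exiting" >&2
  exit 1
fi
DOC_TO_VALIDATE="$1"
# Report names carry only the input's basename, never its directory components.
doc_base="${DOC_TO_VALIDATE##*/}"
# … unchanged: target/*.xsl cleanup …
SAXON_VERSION="${2:-10.2}"
# … unchanged: mvn get, report cleanup, per-schematron compile step …
  reportName="report/schematron/${doc_base}__${schematronRoot}.results.xml"
# … unchanged: validation transform, loop end …
```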
@@ -0,0 +1 @@ +Subproject commit 02f3707b194ce5792bf77b14a66d782c060abba3 diff --git a/resources/validations/lib/xspec b/resources/validations/lib/xspec new file mode 160000 index 000000000..e43b3c08f --- /dev/null +++ b/resources/validations/lib/xspec @@ -0,0 +1 @@ +Subproject commit e43b3c08f834d61c034f3811723bbd2efaf4a7a0 diff --git a/resources/validations/report/schematron/.gitempty b/resources/validations/report/schematron/.gitempty new file mode 100644 index 000000000..e69de29bb diff --git a/resources/validations/report/test/.gitempty b/resources/validations/report/test/.gitempty new file mode 100644 index 000000000..e69de29bb diff --git a/resources/validations/src/ssp.sch b/resources/validations/src/ssp.sch new file mode 100644 index 000000000..5e8517b65 --- /dev/null +++ b/resources/validations/src/ssp.sch @@ -0,0 +1,41 @@ + + + + + + +FedRAMP System Security Plan Validations + + + + + + + + + + + is an invalid value + + + + + + + + I see partial. + I see planned. + I see total. + + + + + + The following are required: + This SSP has not implemented : + + + \ No newline at end of file diff --git a/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-partial.xml b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-partial.xml new file mode 100644 index 000000000..8dc68d6cd --- /dev/null +++ b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template-partial.xml @@ -0,0 +1,2293 @@ + + + + FedRAMP System Security Plan (SSP) + 2020-07-01T00:00:00.00-04:00 + 2020-07-01T00:00:00.00-04:00 + 0.0 + 1.0-Milestone3 + + + 2019-06-01T00:00:00.00-04:00 + 1.0 + 1.0-Milestone3 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +
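Review bot: The report messages `I see partial.`, `I see planned.` and `I see total.` in the new ssp.sch read as debugging scaffolding rather than validation findings, yet the script compiles this file with iso_svrl_for_xslt2.xsl, so they will appear in every SVRL report a downstream consumer reads; either word them as the condition being checked (what the implementation-status value implies for the SSP) or remove them before this is used for real validations. The last rule's messages `The following are required:` and `This SSP has not implemented :` end without the value they refer to in this rendering, which may simply be XML markup (a value-of) lost in extraction rather than a defect, but it is worth confirming that the emitted text actually names the missing control.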

Initial publication.

+
+
+ + 2020-06-01T00:00:00.00-04:00 + 2.0 + 1.0-Milestone3 + csp + +

Updated for annual assessment.

+
+
+ +
+ Controlled Unclassified Information + + + + Prepared By + The organization that prepared this SSP. If developed in-house, this is the CSP itself. + + + Prepared For + The organization for which this SSP was prepared. Typically the CSP. + + + System Security Plan Approval + The individual or individuals accountable for the accuracy of this SSP. + + + Cloud Service Provider + CSP + + + Information System Owner + The individual within the CSP who is ultimately accountable for everything related to this system. + + + Authorizing Official + The individual or individuals who must grant this system an authorization to operate. + + + Authorizing Official's Point of Contact + The individual representing the authorizing official. + + + Information System Management Point of Contact (POC) + The highest level manager who responsible for system operation on behalf of the System Owner. + + + Information System Technical Point of Contact + The individual or individuals leading the technical operation of the system. + + + General Point of Contact (POC) + A general point of contact for the system, designated by the system owner. + + + System Information System Security Officer (or Equivalent) + The individual accountable for the security posture of the system on behalf of the system owner. + + + Privacy Official's Point of Contact + The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment. + + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + The point of contact for an interconnection on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + The point of contact for an interconnection on behalf of this external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + Responsible for signing an interconnection security agreement on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + Consultant + Any consultants involved with developing or maintaining this content. + + + + [SAMPLE]Unix Administrator + This is a sample role. + + + [SAMPLE]Client Administrator + This is a sample role. + + + [SAMPLE]Program Director + This is a sample role. + + + Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) + FedRAMP PMO + + + Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) + FedRAMP JAB + + + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 +
+ data-center + primary-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center".

+

A primary data center must also have a conformity tag of "primary-data-center".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 +
+ data-center + alternate-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center"

+

An alternate or backup data center must also have a conformity tag of "alternate-data-center".

+
+
+ + + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + 27b78960-59ef-4619-82b0-ae20b9c709ac + +

Replace sample CSP information.

+
+
+ + + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + +
+ 1800 F St. NW + + Washington + DC + + US +
+ info@fedramp.gov + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + +
+ 3333 Corporate Way + Washington + DC + + US +
+ poc@consulting.sample +
+ + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + Individual's Title + person@ica.org.example + 202-555-1212 + 80361ec4-bfce-4b5c-85c8-313d6ebd220b + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + Individual's Title +
+ Mailstop A-1 +
+ name@org.domain + 202-000-0001 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + 27b78960-59ef-4619-82b0-ae20b9c709ac +
+ + [SAMPLE]Person Name 2 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0002 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 3 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0003 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 4 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0004 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 5 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0005 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 6 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0006 + 78992555-4a99-4eaa-868c-f2c249679dd3 +
+ + [SAMPLE]Person Name 7 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0007 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Exactly one

+
+
+ + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + +

One or more

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

One or more

+
+
+ + 0cec09d9-20c6-470b-9ffc-85763375880b + +

Exactly one

+
+
+ + f75e21f6-43d8-46ab-890d-7f2eebc5a830 + +

Exactly one

+
+
+ + 132953a9-640c-46f7-9de9-3fa15ec99361 + +

Exactly one

+
+
+ + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

Exactly one

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + +

Exactly one

+
+
+ + 77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.

+
+
+ + + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

Describe the purpose and functions of this system here.

+
+ + fedramp-agency + + + 2 + + 2 + 2 + 2 + + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + low + + + + yes + + + yes + + yes + + yes + + no + [No SORN ID] + + Information Type Name + +

A description of the information.

+
+ C.2.4.1 + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

Remarks are required if status/state is "other". Optional otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + 0 + 0 + 0 + 0 + + Name of Underlying System + f0bc13a4-3303-47dd-80d3-380e159c8362 + 2015-01-01 + +

The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.

+

Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.

+
+
+ + + [SAMPLE]Unix System Administrator + high + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + moderate + + + external + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + limited + + + program-director + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + + This System + +

The entire system as depicted in the system authorization boundary

+
+ +
+ + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.

+
+ 5a9c98ab-8e5e-433d-a7bd-515c07cd1497 + +
+ + [SAMPLE]Module Name + +

[SAMPLE]FIPS 140-2 Validated Module

+
+ 0000 + + +
+ + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ os + infrastructure + Vendor Name + Model Number + Version Number + Patch Level + fips-module-1 + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ database + infrastructure + database + Vendor Name + Model Number + Version Number + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ os + infrastructure + + + +
+ + Database Sample + +

None

+
+ database + database + + + +
+ + Appliance Sample + +

None

+
+ appliance + web + https://admin.offering.com/login + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + [SAMPLE]Service Name +

Describe the service

+ Describe the reason the service is needed. + What uses this service? + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

SERVICES ARE NOW COMPONENTS WITH type='service'

+
+
+ + + + [EXAMPLE]Authorized Connection Information System Name +

Briefly describe the interconnection.

+ [SAMPLE]Telco Name + 10.1.1.1 + 10.2.2.2 + incoming-outgoing + Describe the information being transmitted. + 80 + 1 + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + +

Optional notes about this interconnection

+
+
+ + + + +

Flat-File Example (No implemented-component).

+
+ 10.1.1.1 + 0000:0000:0000:0000 + no + no + dns.name + uniform.resource.identifier + netbios-name + 00:00:00:00:00:00 + software-name + V 0.0.0 + os + Vendor Name + Model Number + Patch-Level + Serial # + Asset Tag + VLAN Identifier + Network Identifier + infrastructure + database + component-id + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ 10.2.2.2 + 0000:0000:0000:0000 + 00:00:00:00:00:00 + no + no + dns.name + uniform.resource.locator + netbios-name + Patch-Level + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + +

If no, explain why. If yes, omit remark.

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + + +

None.

+
+ 10.3.3.3 + + +
+ + +

None.

+
+ 10.4.4.4 + + +
+ + +

None.

+
+ 10.5.5.5 + + +
+ + +

None.

+
+ 10.6.6.6 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ 10.7.7.7 + + +
+ + +

None.

+
+ 10.8.8.8 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + + +

IPv4 Production Subnet.

+
+ 10.10.10.0/24 + +
+ + +

IPv4 Management Subnet.

+
+ 10.10.20.0/24 + +
+
+
+ + + + +

FedRAMP SSP Template Section 13

+

This description field is required by OSCAL. FedRAMP does not require any specific + information here.

+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Describe how Part a is satisfied within the system.

+
+
+ +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Describe how Part b-1 is satisfied.

+
+
+ + +

Describe how Part b-2 is satisfied.

+
+
+
+ + Completion Date + + +

I won't describe the plan to complete the implementation.

+
+
+ + +

Describe the portion of the control that is not satisfied.

+
+
+ + +

Describe the justification for marking this control Not Applicable.

+
+
+ + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + [SAMPLE]annually + + + +

Do not respond to this statement here. Respond within the by-component assembly below.

+
+ + + +

For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.

+
+ + +

General customer responsibility description.

+
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not expclicity required within every statement, it will typically be present.

+
+
+ + + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Component-specific customer responsibility description.

+
+
+
+ + + +

For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Component-based Approach

+
+ + + +

Describe how Part a is satisfied.

+
+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+
+ + + + + FedRAMP Applicable Laws and Regulations + fedramp-citations + + + + FedRAMP Master Acronym and Glossary + fedramp-acronyms + + + + [SAMPLE]Name or Title of Document + law + Publication Date + Identification Number + + + + [SAMPLE]Privacy-Related Law Citation + law + pii + Publication Date + Identification Number + + + + [SAMPLE]Regulation Citation + regulation + Publication Date + Identification Number + + + + [SAMPLE]Interconnection Security Agreement Title + Document Date + Document Version + + + CSP Logo + prepared-for-logo + csp-logo + + + 00000000 + + + Preparer Logo + prepared-by-logo + + + 00000000 + + + FedRAMP Logo + fedramp-logo + + + + 3PAO Logo + 3pao-logo + + + 00000000 + + + The primary authorization boundary diagram. + + + 00000000 + +

Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

+
+
+ + The primary network diagram. + + + 00000000 + +

Section 9.4, Figure 9-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

+
+
+ + The primary data flow diagram. + + + 00000000 + +

Section 10, Figure 10-1 Data Flow Diagram (graphic)

+

This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + User's Guide + User's Guide + user-guide + guide + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: User's Guide Attachment

+
+
+ + Privacy Impact Assessment + privacy-impact-assessment + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Privacy Impact Assessment

+
+
+ + Document Title + Rules of Behavior + rules-of-behavior + rob + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Rules of Behavior (ROB)

+
+
+ + Document Title + Contingency Plan (CP) + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Contingency Plan (CP) Attachment

+
+
+ + Document Title + Configuration Management (CM) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Configuration Management (CM) Plan Attachment

+
+
+ + Document Title + Incident Response (IR) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Incident Response (IR) Plan Attachment

+
+
+ + Separation of Duties Matrix + Separation of Duties Matrix + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Separation of Duties Matrix Attachment

+
+
+ + FedRAMP High Baseline + + +

Pointer to High baseline content in OSCAL.

+
+
+ + FedRAMP Moderate Baseline + + +

Pointer to Moderate baseline content in OSCAL.

+
+
+ + FedRAMP Low Baseline + + +

Pointer to Low baseline content in OSCAL.

+
+
+
+
diff --git a/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template.xml b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template.xml new file mode 100644 index 000000000..7c9975304 --- /dev/null +++ b/resources/validations/test/demo/FedRAMP-SSP-OSCAL-Template.xml @@ -0,0 +1,2295 @@ + + + + FedRAMP System Security Plan (SSP) + 2020-07-01T00:00:00.00-04:00 + 2020-07-01T00:00:00.00-04:00 + 0.0 + 1.0-Milestone3 + + + 2019-06-01T00:00:00.00-04:00 + 1.0 + 1.0-Milestone3 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Initial publication.

+
+
+ + 2020-06-01T00:00:00.00-04:00 + 2.0 + 1.0-Milestone3 + csp + +

Updated for annual assessment.

+
+
+ +
+ Controlled Unclassified Information + + + + Prepared By + The organization that prepared this SSP. If developed in-house, this is the CSP itself. + + + Prepared For + The organization for which this SSP was prepared. Typically the CSP. + + + System Security Plan Approval + The individual or individuals accountable for the accuracy of this SSP. + + + Cloud Service Provider + CSP + + + Information System Owner + The individual within the CSP who is ultimately accountable for everything related to this system. + + + Authorizing Official + The individual or individuals who must grant this system an authorization to operate. + + + Authorizing Official's Point of Contact + The individual representing the authorizing official. + + + Information System Management Point of Contact (POC) + The highest level manager who responsible for system operation on behalf of the System Owner. + + + Information System Technical Point of Contact + The individual or individuals leading the technical operation of the system. + + + General Point of Contact (POC) + A general point of contact for the system, designated by the system owner. + + + System Information System Security Officer (or Equivalent) + The individual accountable for the security posture of the system on behalf of the system owner. + + + Privacy Official's Point of Contact + The individual responsible for the privacy threshold analysis and if necessary the privacy impact assessment. + + + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + The point of contact for an interconnection on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + The point of contact for an interconnection on behalf of this external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + Responsible for signing an interconnection security agreement on behalf of this system. + +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + Responsible for signing an interconnection security agreement on behalf of the external system to which this system connects. + +

Remove this role if there are no ICAs.

+
+
+ + Consultant + Any consultants involved with developing or maintaining this content. + + + + [SAMPLE]Unix Administrator + This is a sample role. + + + [SAMPLE]Client Administrator + This is a sample role. + + + [SAMPLE]Program Director + This is a sample role. + + + Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) + FedRAMP PMO + + + Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) + FedRAMP JAB + + + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 +
+ data-center + primary-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center".

+

A primary data center must also have a conformity tag of "primary-data-center".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 +
+ data-center + alternate-data-center + +

There must be one location for each data center.

+

There must be at least two data centers.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a conformity tag of "data-center"

+

An alternate or backup data center must also have a conformity tag of "alternate-data-center".

+
+
+ + + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + 27b78960-59ef-4619-82b0-ae20b9c709ac + +

Replace sample CSP information.

+
+
+ + + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + +
+ 1800 F St. NW + + Washington + DC + + US +
+ info@fedramp.gov + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + +
+ 3333 Corporate Way + Washington + DC + + US +
+ poc@consulting.sample +
+ + + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + Individual's Title + person@ica.org.example + 202-555-1212 + 80361ec4-bfce-4b5c-85c8-313d6ebd220b + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + Individual's Title +
+ Mailstop A-1 +
+ name@org.domain + 202-000-0001 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + 27b78960-59ef-4619-82b0-ae20b9c709ac +
+ + [SAMPLE]Person Name 2 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0002 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 3 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0003 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 4 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0004 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 5 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0005 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE]Person Name 6 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0006 + 78992555-4a99-4eaa-868c-f2c249679dd3 +
+ + [SAMPLE]Person Name 7 + Individual's Title +
+ Address Line + City + ST + 00000 + US +
+ name@org.domain + 202-000-0007 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Exactly one

+
+
+ + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + +

One or more

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

One or more

+
+
+ + 0cec09d9-20c6-470b-9ffc-85763375880b + +

Exactly one

+
+
+ + f75e21f6-43d8-46ab-890d-7f2eebc5a830 + +

Exactly one

+
+
+ + 132953a9-640c-46f7-9de9-3fa15ec99361 + +

Exactly one

+
+
+ + 4fded5fd-7a65-47ea-bd76-df57c46e27d1 + +

Exactly one

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + +

Exactly one

+
+
+ + 77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d + +

Exactly one

+
+
+ + 49017ec3-9f51-4dbd-9253-858c2b1295fd + +

Exactly one

+
+
+ +

This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and + High baselines.

+

Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.

+
+
+ + + + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

Describe the purpose and functions of this system here.

+
+ + fedramp-agency + + + 2 + + 2 + 2 + 2 + + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional + otherwise.

+
+
+ + low + + + + yes + + + yes + + yes + + yes + + no + [No SORN ID] + + Information Type Name + +

A description of the information.

+
+ C.2.4.1 + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

Remarks are required if status/state is "other". Optional otherwise.

+
+
+ + + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + 0 + 0 + 0 + 0 + + Name of Underlying System + f0bc13a4-3303-47dd-80d3-380e159c8362 + 2015-01-01 + +

The leveraged-authorizaton assembly is supposed to have a required uuid flag instead of an optional id flag. This will be fixed in the syntax shortly.

+

Use one leveraged-authorization assembly for each underlying system. (In the legacy world, these may be general support systems.

+
+
+ + + [SAMPLE]Unix System Administrator + high + + + admin-unix + + Full administrative access (root) + Add/remove users and hardware + install and configure software + OS updates, patches and hotfixes + perform backups + + + + [SAMPLE]Client Administrator + moderate + + + external + + Portal administration + Add/remove client users + Create, modify and delete client applications + + + + [SAMPLE]Program Director + limited + + + program-director + + Administrative Access Approver + Approves access requests for administrative accounts. + + + Access Approver + Approves access requests for administrative accounts. + + + + + This System + +

The entire system as depicted in the system authorization boundary

+
+ +
+ + Name of Leveraged System + +

If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.

+
+ 5a9c98ab-8e5e-433d-a7bd-515c07cd1497 + +
+ + [SAMPLE]Module Name + +

[SAMPLE]FIPS 140-2 Validated Module

+
+ 0000 + + +
+ + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ os + infrastructure + Vendor Name + Model Number + Version Number + Patch Level + fips-module-1 + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ database + infrastructure + database + Vendor Name + Model Number + Version Number + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + 36b8d6c0-3b25-42cc-b529-cf4066145cdd + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ os + infrastructure + + + +
+ + Database Sample + +

None

+
+ database + database + + + +
+ + Appliance Sample + +

None

+
+ appliance + web + https://admin.offering.com/login + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + + [SAMPLE]Service Name +

Describe the service

+ Describe the reason the service is needed. + What uses this service? + + + + + + + + + +

Section 10.2, Table 10-1. Ports, Protocols and Services

+

SERVICES ARE NOW COMPONENTS WITH type='service'

+
+
+ + + + [EXAMPLE]Authorized Connection Information System Name +

Briefly describe the interconnection.

+ [SAMPLE]Telco Name + 10.1.1.1 + 10.2.2.2 + incoming-outgoing + Describe the information being transmitted. + 80 + 1 + + +

If "other", remarks are required. Optional otherwise.

+
+
+ + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + + 09ad840f-aa79-43aa-9f22-25182c2ab11b + + +

Optional notes about this interconnection

+
+
+ + + + +

Flat-File Example (No implemented-component).

+
+ 10.1.1.1 + 0000:0000:0000:0000 + no + no + dns.name + uniform.resource.identifier + netbios-name + 00:00:00:00:00:00 + software-name + V 0.0.0 + os + Vendor Name + Model Number + Patch-Level + Serial # + Asset Tag + VLAN Identifier + Network Identifier + infrastructure + database + component-id + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + db234cb7-1776-425c-9ac4-b067c1723011 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ 10.2.2.2 + 0000:0000:0000:0000 + 00:00:00:00:00:00 + no + no + dns.name + uniform.resource.locator + netbios-name + Patch-Level + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + +

If no, explain why. If yes, omit remark.

+
+
+ + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + b306f5af-b93a-4a7f-a2b2-37a44fc92a79 + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + + +

None.

+
+ 10.3.3.3 + + +
+ + +

None.

+
+ 10.4.4.4 + + +
+ + +

None.

+
+ 10.5.5.5 + + +
+ + +

None.

+
+ 10.6.6.6 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ 10.7.7.7 + + +
+ + +

None.

+
+ 10.8.8.8 + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + + +

IPv4 Production Subnet.

+
+ 10.10.10.0/24 + +
+ + +

IPv4 Management Subnet.

+
+ 10.10.20.0/24 + +
+
+
+ + + + +

FedRAMP SSP Template Section 13

+

This description field is required by OSCAL. FedRAMP does not require any specific + information here.

+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + + + +

Describe how Part a is satisfied within the system.

+
+
+ +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Describe how Part b-1 is satisfied.

+
+
+ + +

Describe how Part b-2 is satisfied.

+
+
+
+ + Completion Date + + +

Describe the plan to complete the implementation.

+
+
+ + +

Describe the portion of the control that is not satisfied.

+
+
+ + +

Describe the justification for marking this control Not Applicable.

+
+
+ + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + [SAMPLE]annually + + + +

Do not respond to this statement here. Respond within the by-component assembly below.

+
+ + + +

For the portion of the control satisfied by this system or its owning organization, describe + how the control is met.

+
+ + +

General customer responsibility description.

+
+
+ +

The component-uuid above points to the "this system" component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the "this system" component is not expclicity required within every statement, it will typically be present.

+
+
+ + + +

For the portion inherited from an underlying FedRAMP-authorized provider, + describe what is inherited.

+
+ + +

Component-specific customer responsibility description.

+
+
+
+ + + +

For the portion of the control that must be configured by or provided by the + customer, describe the customer responsibility here. This is what will appear + in the Customer Responsibility Matrix.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Component-based Approach

+
+ + + +

Describe how Part a is satisfied.

+
+
+
+ + + +

This identifies a policy (attached in resources) that satisfies this control.

+
+
+ + + +

This identifies a process (attached in resources) that satisfies this control.

+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-1 is satisfied.

+
+
+
+ + +

Ignore.

+
+ + + +

Describe how Part b-2 is satisfied.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+ + 2020-11-27Z + + +

Describe the plan to complete the implementation.

+
+
+ + + + [replace with list of personnel or roles] + + + [specify frequency] + + + [specify frequency] + + + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+ + +

Ignore.

+
+ + + +

For the portion of the control satisfied by the service provider, describe + how the control is met.

+
+
+
+
+
+ + + + + FedRAMP Applicable Laws and Regulations + fedramp-citations + + + + FedRAMP Master Acronym and Glossary + fedramp-acronyms + + + + [SAMPLE]Name or Title of Document + law + Publication Date + Identification Number + + + + [SAMPLE]Privacy-Related Law Citation + law + pii + Publication Date + Identification Number + + + + [SAMPLE]Regulation Citation + regulation + Publication Date + Identification Number + + + + [SAMPLE]Interconnection Security Agreement Title + Document Date + Document Version + + + CSP Logo + prepared-for-logo + csp-logo + + + 00000000 + + + Preparer Logo + prepared-by-logo + + + 00000000 + + + FedRAMP Logo + fedramp-logo + + + + 3PAO Logo + 3pao-logo + + + 00000000 + + + The primary authorization boundary diagram. + + + 00000000 + +

Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the + system-characteristics/authorization-boundary/diagram/link/@href flag using a value + of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"

+
+
+ + The primary network diagram. + + + 00000000 + +

Section 9.4, Figure 9-2 Network Diagram (graphic)

+

This should be referenced in the + system-characteristics/network-architecture/diagram/link/@href flag using a value + of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"

+
+
+ + The primary data flow diagram. + + + 00000000 + +

Section 10, Figure 10-1 Data Flow Diagram (graphic)

+

This should be referenced in the + system-characteristics/data-flow/diagram/link/@href flag using a value + of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Policy Title + Policy document + policy + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Policy Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + Procedure Title + Procedure document + procedure + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Procedure Attachment

+
+
+ + User's Guide + User's Guide + user-guide + guide + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: User's Guide Attachment

+
+
+ + Privacy Impact Assessment + privacy-impact-assessment + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Privacy Impact Assessment

+
+
+ + Document Title + Rules of Behavior + rules-of-behavior + rob + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Rules of Behavior (ROB)

+
+
+ + Document Title + Contingency Plan (CP) + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Contingency Plan (CP) Attachment

+
+
+ + Document Title + Configuration Management (CM) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Configuration Management (CM) Plan Attachment

+
+
+ + Document Title + Incident Response (IR) Plan + plan + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Incident Response (IR) Plan Attachment

+
+
+ + Separation of Duties Matrix + Separation of Duties Matrix + Document Date + Document Version + + + 00000000 + +

Table 15-1 Attachments: Separation of Duties Matrix Attachment

+
+
+ + FedRAMP High Baseline + + +

Pointer to High baseline content in OSCAL.

+
+
+ + FedRAMP Moderate Baseline + + +

Pointer to Moderate baseline content in OSCAL.

+
+
+ + FedRAMP Low Baseline + + +

Pointer to Low baseline content in OSCAL.

+
+
+
+
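Review bot: The demo fixture embeds `https://admin.offering.com/login` (the "Appliance Sample" component, near the "Vendor appliance. No admin-level access." remark), which is a URL under a domain this project does not control; every other placeholder in the same file uses reserved-style names (`person@ica.org.example`, `poc@consulting.sample`), so this one should follow suit, e.g. `https://admin.example.com/login`, so that nobody copying the template ends up with an external host in their SSP or probing it from a validator. The same hunk also carries two typos in remark text that will propagate into every SSP derived from it: "leveraged-authorizaton" should read "leveraged-authorization" and "expclicity" should read "explicitly". The rendered diff has lost its XML markup, so these are identified by their text only; if this file is a vendored copy of the upstream FedRAMP template, the fix belongs upstream as well, with this copy refreshed from it.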
diff --git a/resources/validations/test/test.xspec b/resources/validations/test/test.xspec new file mode 100644 index 000000000..b2437bebe --- /dev/null +++ b/resources/validations/test/test.xspec @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/resources/validations/test/test_all.xspec b/resources/validations/test/test_all.xspec new file mode 100644 index 000000000..f8ee4e9ac --- /dev/null +++ b/resources/validations/test/test_all.xspec @@ -0,0 +1,4 @@ + + + + \ No newline at end of file