diff --git a/.github/workflows/config/.lycheeignore b/.github/workflows/config/.lycheeignore index f17c4e3..24d4681 100755 --- a/.github/workflows/config/.lycheeignore +++ b/.github/workflows/config/.lycheeignore @@ -1,4 +1,4 @@ https://search.usa.gov/search http://csrc.nist.gov/ns/* -https://fedramp.gov/ns/* +http://fedramp.gov/ns/* http://www.first.org/cvss/v3 diff --git a/content/documentation/general-concepts/3-fedramp-extensions-and-accepted-values.md b/content/documentation/general-concepts/3-fedramp-extensions-and-accepted-values.md index 783ac4b..e9c7bab 100644 --- a/content/documentation/general-concepts/3-fedramp-extensions-and-accepted-values.md +++ b/content/documentation/general-concepts/3-fedramp-extensions-and-accepted-values.md @@ -33,7 +33,7 @@ cybersecurity frameworks. They designed OSCAL to be extended where unique needs existed. {{}} -_All FedRAMP extensions include a namespace (ns) flag set to `https://fedramp.gov/ns/oscal`._ +_All FedRAMP extensions include a namespace (ns) flag set to `http://fedramp.gov/ns/oscal`._ {{}} NIST allows organizations to extend OSCAL anyplace `prop` fields or `part` @@ -57,7 +57,7 @@ in their own name space without concern for overlapping names. The above approach ensures two different organizations can create their own extensions without concern for reusing the same name values. -All FedRAMP extensions must have a namespace (`ns`) flag set to `https://fedramp.gov/ns/oscal`. +All FedRAMP extensions must have a namespace (`ns`) flag set to `http://fedramp.gov/ns/oscal`. For example, if the core OSCAL syntax has a `status` field, but both FedRAMP and the payment card industry (PCI) require their own @@ -83,12 +83,12 @@ flag using the syntax above.** #### FedRAMP Status Representation {{< highlight xml "linenos=table" >}} - + {{< /highlight >}} #### XPath Query {{< highlight xml "linenos=table" >}} - //prop[@name="status"][@ns="https://fedramp.gov/ns/oscal"] + //prop[@name="status"][@ns="http://fedramp.gov/ns/oscal"] {{< /highlight >}} #### (Possible) PCI Status Representation @@ -109,7 +109,7 @@ and `ns` flags as a pair. All FedRAMP extensions will appear as: {{< highlight xml "linenos=table" >}} - + {{< /highlight >}} **NOTE:** The catalog and profile OSCAL models also allow the `part` diff --git a/content/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal.md b/content/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal.md index 9fc008a..34021de 100644 --- a/content/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal.md +++ b/content/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal.md @@ -59,7 +59,7 @@ OR 2023-03-03T00:00:00.000Z 0.0 1.1.2 - + FedRAMP PMO @@ -320,7 +320,7 @@ FedRAMP's revision history requirements. 2022-06-01T00:00:00.000Z 1.0 1.1.2 -

Initial publication.

 @@ -328,7 +328,7 @@ FedRAMP's revision history requirements. 2022-06-01T00:00:00.000Z 2.0 1.1.2 -

Updated for annual assessment.

 @@ -340,7 +340,7 @@ FedRAMP's revision history requirements. {{}} **FedRAMP Extension (Author)** \ -prop (`ns="https://fedramp.gov/ns/oscal"`): +prop (`ns="http://fedramp.gov/ns/oscal"`): - `name="party-uuid"` {{}} @@ -351,7 +351,7 @@ prop (`ns="https://fedramp.gov/ns/oscal"`): - Revision Date for Individual Entry: `/*/metadata/revision-history/revision[1]/published` - Description for Individual Entry: `/*/metadata/revision-history/revision[1]/remarks/string()` - Version for Individual Entry: `/*/metadata/revision-history/revision[1]/version` -- Author for Individual Entry: `/*/metadata/party[@uuid=/*/metadata/revision-history/revision[1]/prop [@name='party-uuid'][@ns='https://fedramp.gov/ns/oscal']]/org/short-name` +- Author for Individual Entry: `/*/metadata/party[@uuid=/*/metadata/revision-history/revision[1]/prop [@name='party-uuid'][@ns='http://fedramp.gov/ns/oscal']]/org/short-name` {{}} Replace XPath predicate "[1]" with "[2]", "[3]", etc. @@ -382,12 +382,12 @@ FedRAMP maintains an official list of the versions on the [fedramp-automation re 2023-03-03T00:00:00.000Z 0.0 1.1.2 - + {{}} ##### XPath Query -`/*/metadata/prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']/@value` +`/*/metadata/prop[@name='fedramp-version'][@ns='http://fedramp.gov/ns/oscal']/@value` ### How to Contact Us @@ -473,12 +473,12 @@ assessor's organization. [SAMPLE]Person Name 1 - Individual's Title + Individual's Title uuid-of-csp [SAMPLE]Person Name 2 - Individual's Title + Individual's Title uuid-of-csp @@ -498,14 +498,14 @@ Required Role IDs: - `cloud-service-provider` **FedRAMP Extension (Person's Title)** \ -prop (`ns="https://fedramp.gov/ns/oscal"`): +prop (`ns="http://fedramp.gov/ns/oscal"`): - `name="title"` {{}} ##### XPath Queries - Approver’s Name: `(/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver']/party-uuid]]/party-name)[1]` -- Approver’s Title: `(/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver'] /party-uuid]]/prop[@name='title'][@ns='https://fedramp.gov/ns/oscal'])[1]` +- Approver’s Title: `(/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver'] /party-uuid]]/prop[@name='title'][@ns='http://fedramp.gov/ns/oscal'])[1]` NOTE: For each additional approver, replace the "[1]" with "[2]", "[3]", and so on. @@ -545,13 +545,13 @@ property type, `fedramp-acronyms`. FedRAMP Applicable Laws and Regulations - + FedRAMP Master Acronym and Glossary - + diff --git a/content/documentation/general-concepts/oscal-layers-of-validation.md b/content/documentation/general-concepts/oscal-layers-of-validation.md index 88996dc..858adcd 100644 --- a/content/documentation/general-concepts/oscal-layers-of-validation.md +++ b/content/documentation/general-concepts/oscal-layers-of-validation.md @@ -13,6 +13,6 @@ valid. |**Well-Formed**|The XML or JSON file follows the rules defined for that format.
Any tool that processes the format will recognize it as "well-formed," which means the tool can proceed with processing the XML or JSON.
XML: [https://www.w3.org/TR/REC-xml/](https://www.w3.org/TR/REC-xml/)
JSON: [https://json.org/](https://json.org/)| |**OSCAL Syntax**|The XML or JSON file only uses names and values defined by OSCAL. OSCAL publishes schemas to verify syntax compliance based on the following standards:
XML Syntax Validation: [XML Schema Definition Language (XSD) 1.1](https://www.w3.org/TR/xmlschema11-1/)
JSON Syntax Validation: [JSON Schema, draft 07](https://json-schema.org/)| |**OSCAL Content**| For certain OSCAL fields, the OSCAL syntax validation tools also enforce content - allowing only a pre-defined set of values to be used in certain fields.

For example, Within the SSP model, impact levels within the information type assemblies only allow the following values: `fips-199-low`, `fips-199-moderate`, and `fips-199-high`. Any other value will cause an error when validating the file.| -|**FedRAMP Syntax Extensions** | OSCAL is designed to represent the commonality of most cybersecurity frameworks and provided the ability to extend the language for framework-specific needs. FedRAMP makes use of these extensions.

OSCAL provides `prop` fields throughout most of its assemblies, always with a `name`, `class`, and `ns` (namespace) flag:
`Data`

In the core OSCAL syntax, the `ns` flag is never used. Where FedRAMP extends OSCAL, the value for `ns` is always: `https://fedramp.gov/ns/oscal` (case sensitive).

When `ns='https://fedramp.gov/ns/oscal'` the `name` flag is as defined by FedRAMP. If the `class` flag is present, that is also defined by FedRAMP.| +|**FedRAMP Syntax Extensions** | OSCAL is designed to represent the commonality of most cybersecurity frameworks and provided the ability to extend the language for framework-specific needs. FedRAMP makes use of these extensions.

OSCAL provides `prop` fields throughout most of its assemblies, always with a `name`, `class`, and `ns` (namespace) flag:
`Data`

In the core OSCAL syntax, the `ns` flag is never used. Where FedRAMP extends OSCAL, the value for `ns` is always: `http://fedramp.gov/ns/oscal` (case sensitive).

When `ns="http://fedramp.gov/ns/oscal"` the `name` flag is as defined by FedRAMP. If the `class` flag is present, that is also defined by FedRAMP.| |**FedRAMP Content**| Today, FedRAMP content is enforced programmatically. FedRAMP intends to publish automated validation rules, which may be adopted by tool developers to verify OSCAL-based FedRAMP content is acceptable before submission.

Initial validation rules ensure a package has all required elements and will evolve to perform more detailed validation. Separate details will be published about this in the near future.| diff --git a/content/documentation/poam/3-working-with-oscal-files.md b/content/documentation/poam/3-working-with-oscal-files.md index e490351..7bec8b1 100644 --- a/content/documentation/poam/3-working-with-oscal-files.md +++ b/content/documentation/poam/3-working-with-oscal-files.md @@ -92,7 +92,7 @@ If the value is a URI fragment, such as #96445439-6ce1-4e22-beae-aa72cfe173d0, t [System Name] [FIPS-199 Level] SSP - + @@ -145,7 +145,7 @@ Finally, any SSP component referenced by POA&M data must be duplicated, whether ##### POA&M Representation {{< highlight xml "linenos=table" >}} -F00000000 +F00000000 @@ -187,7 +187,7 @@ FedRAMP will be implementing a separate set of automated POA&M validation rules - + diff --git a/content/documentation/poam/4-poam-template-to-oscal-mapping.md b/content/documentation/poam/4-poam-template-to-oscal-mapping.md index 2cb7a74..2b821a9 100644 --- a/content/documentation/poam/4-poam-template-to-oscal-mapping.md +++ b/content/documentation/poam/4-poam-template-to-oscal-mapping.md @@ -71,7 +71,7 @@ the title value used in the metadata section. [EXAMPLE]POA&M Item - + @@ -127,7 +127,7 @@ assembly, and exactly one risk assembly. - @@ -137,7 +137,7 @@ assembly, and exactly one risk assembly. [EXAMPLE]POA&M Item - + @@ -187,8 +187,8 @@ are present. XYZ Vulnerability Scanning Tool - - + + @@ -263,7 +263,7 @@ See [POA&M - Importing the System Security Plan](/documentation/poam/3-working-w

A virtual component.

 - + @@ -314,7 +314,7 @@ field's system flag value should reflect `http://cve.mitre.org` as the system, not the scanner tool. FedRAMP-required facet fields, such as likelihood and impact, have a -system flag with a value of `https://fedramp.gov`. FedRAMP-required +system flag with a value of `http://fedramp.gov/ns/oscal`. FedRAMP-required facets must also have a prop with the name flag set to `state` and the value flag set to either `initial` or `adjusted`. There must always be `initial` facets. If adjusted, there may be `adjusted` facets @@ -328,7 +328,7 @@ as well. The facet fields are designed to allow risk values and identifiers from different frameworks, systems, and tools to co-exist in the same risk assembly. For example, a scanning tool may provide risk values assigned by the tool itself, as well as a CVE identifier, IAVM severity score, and CVSS metrics. If the system is subject to multiple frameworks using different risk score values or risk calculation methods, they may each be expressed in their own characterization assembly. Common values for the system flag include: -- FedRAMP: https://fedramp.gov +- FedRAMP: http://fedramp.gov/ns/oscal - USCERT IAVM: https://us-cert.cisa.gov - CVE: http://cve.mitre.org - CVSS: (v2): http://www.first.org/cvss/v2, @@ -355,7 +355,7 @@ Until this matures and clear system values are widely available across the indus

If no risk statement from tool, set to 'No Risk Statement'.

- open @@ -364,9 +364,9 @@ Until this matures and clear system values are widely available across the indus + ns="http://fedramp.gov/ns/oscal" value="VulID-001"/> + ns="http://fedramp.gov/ns/oscal" value="Plugin-ID"/> @@ -381,13 +381,13 @@ Until this matures and clear system values are widely available across the indus - + - + - + @@ -423,8 +423,8 @@ data type](https://pages.nist.gov/metaschema/specification/datatypes/#date).

This is the tool-provided statement about the identified risk.

If no risk statement from tool, set to 'No Risk Statement'.

- - + + open @@ -627,7 +627,7 @@ the observation assembly must have a type tag of `risk-tracking`.

Description of the result of the vendor check-in.

 2023-07-07T00:00:00Z - @@ -698,11 +698,11 @@ value to `approved` and close the risk as described in the [*Risk Closure*](/doc Vulnerability Title

Vulnerability description

Risk statement.

 - - - - - + + + + + open @@ -761,8 +761,8 @@ related-observation entries in the poam-item assembly. Vulnerability Title

Vulnerability description

Risk statement.

 - - + + open @@ -813,10 +813,10 @@ Both initial and residual risk values are calculated based on likelihood and imp Every POA&M entry must have initial `likelihood` and `impact` values: {{< highlight xml "linenos=table" >}} - + - + {{}} @@ -824,7 +824,7 @@ Every POA&M entry must have initial `likelihood` and `impact` values: When justifying a risk adjustment, either the likelihood or impact may be lowered. It is possible to justify lowering both. Even if just one value is lowered, both residual risk values must be present: {{< highlight xml "linenos=table" >}} - + {{}} @@ -849,22 +849,22 @@ Add an entry to the risk log when investigating, for the completion of each miti 2023-10-10T00:00:00Z - + - + - + - +

Explain why likelihood was adjusted.

 - +

Explain why impact was adjusted.

@@ -936,8 +936,8 @@ If the Vendor Dependent Product Name is not already defined as an individual com Vulnerability Title

Vulnerability description

Risk statement.

 - - + + open @@ -993,8 +993,8 @@ link suitable for delivery to FedRAMP. [EXAMPLE]AC Policy - - + + 2.1 2018-11-11T00:00:00Z @@ -1003,7 +1003,7 @@ link suitable for delivery to FedRAMP. [EXAMPLE]Screen Shot - + 00000000 diff --git a/content/documentation/sap/3-working-with-oscal-files.md b/content/documentation/sap/3-working-with-oscal-files.md index 8b4904a..69fff3f 100644 --- a/content/documentation/sap/3-working-with-oscal-files.md +++ b/content/documentation/sap/3-working-with-oscal-files.md @@ -179,15 +179,15 @@ that points to a resource in the back-matter. The resource must have a + ns="http://fedramp.gov/ns/oscal" value="SFN"/> - + - - diff --git a/content/documentation/sap/4-sap-template-to-oscal-mapping.md b/content/documentation/sap/4-sap-template-to-oscal-mapping.md index d535ba1..2873d3c 100644 --- a/content/documentation/sap/4-sap-template-to-oscal-mapping.md +++ b/content/documentation/sap/4-sap-template-to-oscal-mapping.md @@ -64,23 +64,23 @@ its associated documents. - + Background

Insert text from FedRAMP template

Insert text from FedRAMP template

- +

Insert text from FedRAMP template

 - + Purpose - +

This SAP has been developed by [IA Name] and is for [an initial assessment/an annual assessment/an annual assessment and significant change assessment/a significant change assessment] of the [CSP Name], [CSO Name]. The SAP provides the goals for the assessment and details how the assessment will be conducted.

 - + Applicable Laws, Regulations, Standards and Guidance - +

The FedRAMP-applicable laws, regulations, standards and guidance are included in the [CSO Name] SSP section – System Security Plan Approvals. Additionally, in Appendix L of the SSP, the [CSP Name] has included laws, regulations, standards, and guidance that apply specifically to this system.

 @@ -94,9 +94,9 @@ its associated documents. (SAP) IA Name: /assessment-plan/metadata/party[@uuid="uuid-of-ia"]/name (SAP) Initial assessment, annual assessment, or significant change? - /assessment-plan/metadata/prop[@ns="https://fedramp.gov/ns/oscal" and @name="assessment-type"]/@value + /assessment-plan/metadata/prop[@ns="http://fedramp.gov/ns/oscal" and @name="assessment-type"]/@value (SAP) Are there no/one/many significant changes in SAP scope? - /assessment-plan/metadata/prop[@ns="https://fedramp.gov/ns/oscal" and @name="significant-changes-scope"]/@value + /assessment-plan/metadata/prop[@ns="http://fedramp.gov/ns/oscal" and @name="significant-changes-scope"]/@value (SAP) CSP Name: /assessment-plan/metadata/party[@uuid="uuid-of-csp"]/name (SSP) CSO Name: @@ -115,7 +115,7 @@ for this information as follows: {{< highlight xml "linenos=table" >}} Table 2-1 (SSP) Unique Identifier: - /*/system-characteristics/system-id[@identifier-type='https://fedramp.gov'] + /*/system-characteristics/system-id[@identifier-type='http://fedramp.gov/ns/oscal'] (SSP) Information System Name: /*/system-characteristics/system-name (SSP) Information System Abbreviation: @@ -173,7 +173,7 @@ data centers. /*/assessment-subject[@type='location']/include-subject[1]/@subject-uuid NOTE: Replace "[1]" with "[2]", "[3]", etc. (SSP) Data Center Site Name (Lookup in SSP, using ID cited in SAP): - /*/metadata/location[@id='location-2']/prop[@name='title'] [@ns='https://fedramp.gov/ns/oscal'] + /*/metadata/location[@id='location-2']/prop[@name='title'] [@ns='http://fedramp.gov/ns/oscal'] NOTE: Replace 'location-2' with the SSP location as cited in the SAP. (SSP or SAP) Address: /*/metadata/location[@uuid='uuid-value-from-SAP']/address/addr-line @@ -336,7 +336,7 @@ The SSP inventory data should already indicate which assets have a web interface, with the following FedRAMP extension: {{< highlight xml "linenos=table" >}} - + {{}} This typically appears in the inventory-item itself with the legacy @@ -362,7 +362,7 @@ test users here. Both use FedRAMP extensions. Web Application Test #1

Describe this web application test.

 - + @@ -370,10 +370,10 @@ test users here. Both use FedRAMP extensions. Web Application Tests Web Application Test #1 - - + - + }} (SAP) Login URL: - (/*//task[prop[@name='type'][@ns="https://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-url'][@ns="https://fedramp.gov/ns/oscal"] + (/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-url'][@ns="http://fedramp.gov/ns/oscal"] (SAP) Login ID: - (/*//task[prop[@name='type'][@ns="https://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-id'][@ns="https://fedramp.gov/ns/oscal"] + (/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-id'][@ns="http://fedramp.gov/ns/oscal"] (SAP) Inventory-ID of host: - (/*//task[prop[@name='type'][@ns="https://fedramp.gov/ns/oscal"][@value='web-application']])[1]/ associated-activity/subject[@type='inventory-item']/include-subject/@subject-uuid + (/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/ associated-activity/subject[@type='inventory-item']/include-subject/@subject-uuid NOTE: Replace "[1]" with "[2]", "[3]", etc. REMEMBER: The inventory-item could be in the SSP's system-implementation or the SAP's local-definitions. @@ -405,7 +405,7 @@ test users here. Both use FedRAMP extensions. The SSP inventory data should already indicate which assets are databases, with the following FedRAMP extension: {{< highlight xml "linenos=table" >}} - + {{}} This typically appears in the inventory-item itself with the legacy @@ -424,7 +424,7 @@ to properly identify all databases for testing. (SSP) Host name of first database in SSP (flat file approach): (/*/system-implementation/system-inventory/inventory-item/prop[@name='scan-type'][string()='database'])[1]/../prop[@name='fqdn'] (SSP) Host name of the first database in SSP (component approach) [xPath 2.0+ only]: - (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='https://fedramp.gov/ns/oscal']='database']/@id return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-id=$key]/prop[@name='fqdn'])[1] + (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='http://fedramp.gov/ns/oscal']='database']/@id return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-id=$key]/prop[@name='fqdn'])[1] {{}} @@ -469,7 +469,7 @@ generic roles locally in the SAP local-definitions assembly. Assessor Specified Role - + id-for-assessor-specified-role @@ -510,22 +510,22 @@ assessor to add a test user ID here via FedRAMP extension properties. Role-Based Tests Role Based Test #1 - - - Role Based Test #2 - - + - @@ -603,7 +603,7 @@ NOTE: Replace '001' with '002', '003', etc. for each sort-id based on desired or --- ### SAP Methodology -In general, the methodology is simply a single markup multiline field, which enables the assessor to modify the content using rich text formatting. The FedRAMP SAP template includes subsections for *Control Testing, Data Gathering, Sampling,* and *Penetration Test*. Each of these sections must be present in the FedRAMP OSCAL SAP terms-and-condition assembly as subparts within a part named "methodology". The subparts are specifically defined for FedRAMP SAP, so they have namespace "https://fedramp.gov/ns/oscal" and attributes named "control-testing", "data-gathering", "sampling", and "pen-testing". +In general, the methodology is simply a single markup multiline field, which enables the assessor to modify the content using rich text formatting. The FedRAMP SAP template includes subsections for *Control Testing, Data Gathering, Sampling,* and *Penetration Test*. Each of these sections must be present in the FedRAMP OSCAL SAP terms-and-condition assembly as subparts within a part named "methodology". The subparts are specifically defined for FedRAMP SAP, so they have namespace "http://fedramp.gov/ns/oscal" and attributes named "control-testing", "data-gathering", "sampling", and "pen-testing". {{< figure src="/img/sap-figure-10.png" title="FedRAMP SAP template methodology." alt="Screenshot of the FedRAMP SAP template where methodology information is provided." >}} @@ -614,28 +614,28 @@ In general, the methodology is simply a single markup multiline field, which ena Methodology - + Control Testing - +

[IA Name] will ...

- + Data Gathering - +

[IA Name] data gathering activities will ...

- + Sampling - - + +

The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.

[IA Name] [will/will not] ...

- - + +

The Penetration Test Plan and Methodology is attached in Appendix C.

 @@ -657,10 +657,10 @@ assessor for the assessment. The insert elements can be used by tool developers Methodology - + Sampling - - + +

The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.

[IA Name] [will/will not] ...

@@ -785,7 +785,7 @@ ID that duplicates one used in the SSP. sap-location-1 https://assessor.web.site 0000.00 + ns='http://fedramp.gov/ns/oscal'>0000.00 uuid-of-assessor @@ -803,7 +803,7 @@ ID that duplicates one used in the SSP. (SAP) Assessor's Web Site: /*/metadata/party[@id=(/*/metadata/responsible-party[@role-id='assessor']/party-uuid)] /org/url (SAP) 3PAO's A2LA Certification Number: - /*/metadata/party[@id=(/*/metadata/responsible-party[@role-id='assessor']/party-uuid)] /org/prop[@name='iso-iec-17020-identifier'][@ns='https://fedramp.gov/ns/oscal'] + /*/metadata/party[@id=(/*/metadata/responsible-party[@role-id='assessor']/party-uuid)] /org/prop[@name='iso-iec-17020-identifier'][@ns='http://fedramp.gov/ns/oscal'] {{}} @@ -1047,7 +1047,7 @@ NOTE: Replace [1] as needed with [2], [3], etc. ##### Including Manual Test Methods in the OSCAL SAP Test Plan Section The FedRAMP OSCAL SAP terms-and-condition assembly should contain a -part with `ns="https://fedramp.gov/ns/oscal" name="manual-methods-testing"` when needed to facilitate rendering of +part with `ns="http://fedramp.gov/ns/oscal" name="manual-methods-testing"` when needed to facilitate rendering of OSCAL SAP by tools. The insert elements can be used by tool developers as insertion points for data items such as test ID, test name, and test description if the tool is able to manage them as parameters. The use of @@ -1057,12 +1057,12 @@ insert within an OSCAL part is described on the [NIST OSCAL Concepts page](https {{< highlight xml "linenos=table" >}} - + Test Plan - + Testing Performed Using Manual Methods - + @@ -1087,7 +1087,7 @@ insert within an OSCAL part is described on the [NIST OSCAL Concepts page](https ##### XPath Queries {{< highlight xml "linenos=table" >}} (SAP) Test ID: - /assessment-plan/local-definitions[1]/activity[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="label"]/@value + /assessment-plan/local-definitions[1]/activity[1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="label"]/@value (SAP) Test Name: /assessment-plan/local-definitions[1]/activity[1]/title (SAP) Description: @@ -1457,7 +1457,7 @@ NOTE: Replace [1] as needed with [2], [3], etc. (SSP) Name of the first person or organization: /*/metadata/party[@id='person-1']/person/person-name (SSP) Role/Title of the first person: - /*/metadata/party[@id='person-1']/person/prop[@name='title'] [@ns='https://fedramp.gov/ns/oscal'] + /*/metadata/party[@id='person-1']/person/prop[@name='title'] [@ns='http://fedramp.gov/ns/oscal'] (SSP) Phone for the first person or organization: /*/metadata/party[@id='person-1']//phone (SSP) Email for the first person or organization: @@ -1657,7 +1657,7 @@ a FedRAMP "type" prop with an allowed value, sampling-methodology.

Embed or reference copies of the sampling methodology for security controls assessment and vulnerability scanning (if applicable).

 - . . .
- @@ -1761,7 +1761,7 @@ significant-change-request. . . . - diff --git a/content/documentation/sar/3-working-with-oscal-files.md b/content/documentation/sar/3-working-with-oscal-files.md index 9758ebc..4438fbc 100644 --- a/content/documentation/sar/3-working-with-oscal-files.md +++ b/content/documentation/sar/3-working-with-oscal-files.md @@ -182,7 +182,7 @@ If the value is a URI fragment, such as **#96445439-6ce1-4e22-beae-aa72cfe173d0* [System Name] [FIPS-199 Level] SAP - + @@ -219,7 +219,7 @@ FedRAMP will be implementing a separate set of automated SAR validation rules fo - diff --git a/content/documentation/sar/4-sar-template-to-oscal-mapping.md b/content/documentation/sar/4-sar-template-to-oscal-mapping.md index 77e4ce8..898702f 100644 --- a/content/documentation/sar/4-sar-template-to-oscal-mapping.md +++ b/content/documentation/sar/4-sar-template-to-oscal-mapping.md @@ -127,12 +127,12 @@ When using a **FedRAMP Resolved Profile Catalog**, the following query will iden ##### XPath Queries {{< highlight xml "linenos=table" >}} (Baseline) Response Points for AC-1: - //control[@id='ac-1']/part[@name='objective']//prop[@name='response-point'] [@ns='https://fedramp.gov/ns/oscal']/../@id + //control[@id='ac-1']/part[@name='objective']//prop[@name='response-point'] [@ns='http://fedramp.gov/ns/oscal']/../@id (Baseline) Response Points for AC Family: - //group[@id='ac']/control/part[@name='objective']//prop[@name='response-point'] [@ns='https://fedramp.gov/ns/oscal']/../@id + //group[@id='ac']/control/part[@name='objective']//prop[@name='response-point'] [@ns='http://fedramp.gov/ns/oscal']/../@id (Baseline) Response Points for entire baseline: - //control/part[@name='objective']//prop[@name='response-point'] [@ns='https://fedramp.gov/ns/oscal']/../@id + //control/part[@name='objective']//prop[@name='response-point'] [@ns='http://fedramp.gov/ns/oscal']/../@id {{}}
@@ -175,7 +175,7 @@ The target assembly identifies which objective is being addressed by the assesso - + satisfied @@ -193,7 +193,7 @@ The target assembly identifies which objective is being addressed by the assesso - + satisfied @@ -208,7 +208,7 @@ The target assembly identifies which objective is being addressed by the assesso
{{}} **Accepted Values** -- The implementation-status fields must have the @ns flag with a value of https://fedramp.gov/ns/oscal +- The implementation-status fields must have the @ns flag with a value of http://fedramp.gov/ns/oscal - The implementation-status field may only have one of the following values, which match the SSP accepted values: - implemented, partial, planned, alternative, not-applicable - The status field may only have one of the following values: @@ -228,7 +228,7 @@ The following assumes that the first result assembly contains the current assess ##### XPath Queries {{< highlight xml "linenos=table" >}} (SAR) Implementation Status: - /*/result[1]/finding/target[@type='objective-id'][@target-id='ac-1.a.1_obj.1'] /prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'] + /*/result[1]/finding/target[@type='objective-id'][@target-id='ac-1.a.1_obj.1'] /prop[@name='implementation-status'][@ns='http://fedramp.gov/ns/oscal'] (SAR) Assessment Result: /*/result[1]/finding/target[@type='objective-id'][@target-id='ac-1.a.1_obj.1'] /status (SAR) Quantity of Assessor POC's cited for this objective (integer): @@ -557,7 +557,7 @@ The Implementation Status, Assessment Results, and Assessor POC are handled the + ns="http://fedramp.gov/ns/oscal" value="implemented"/> satisfied @@ -679,10 +679,10 @@ Initially, the status field should always be set to \"open\". If the risk is add - + - + @@ -694,7 +694,7 @@ Initially, the status field should always be set to \"open\". If the risk is add + ns="http://fedramp.gov/ns/oscal" value="implemented"/> not-satisfied @@ -748,10 +748,10 @@ The response origin field\'s type flag should be set to \"party\", and the actor - + - + @@ -917,10 +917,10 @@ The uuid flag of the origin field must be set to the tool\'s UUID, and the type - + - + @@ -945,7 +945,7 @@ The uuid flag of the origin field must be set to the tool\'s UUID, and the type The risk assembly uses facet fields to capture relevant tool output details. The facet field's system flag allows data from different tools and different security frameworks to co-exist in the same file. -FedRAMP-required risk-metric data, such as likelihood and impact, are specified with facet fields with a system flag value of \"https://fedramp.gov\". FedRAMP-required risk metrics must also have the class flag set to either \"initial\" or \"residual\". There must +FedRAMP-required risk-metric data, such as likelihood and impact, are specified with facet fields with a system flag value of \"http://fedramp.gov/ns/oscal\". FedRAMP-required risk metrics must also have the class flag set to either \"initial\" or \"residual\". There must always be an initial risk metric. If adjusted, there may be a residual risk metric as well. The uuid flag of the origin field must be set to the tool\'s UUID, and the type flag must be set to \"tool\". @@ -981,17 +981,17 @@ The uuid flag of the origin field must be set to the tool\'s UUID, and the type - + - + - + - + @@ -1071,16 +1071,16 @@ The risk assembly is populated as described in previous sections.

Statement about the risk identified by penetration testing.

 - + open - + - + @@ -1112,7 +1112,7 @@ After risks are identified during an assessment, their status may change. Some a #### False Positive (FP) To document a false positive, add a prop to the risk assembly, and change the risk status to \"closed\". Set the prop name to -\"false-positive\", the ns to \"https://fedramp.gov/ns/oscal\", and the value to \"pending\". +\"false-positive\", the ns to \"http://fedramp.gov/ns/oscal\", and the value to \"pending\". Within the observation assembly, provide a description of the false positive. This must have a conformity tag with a value of \"false-positive\". Typically, the observation method is set to EXAMINE; however, another method may be identified if more appropriate. @@ -1143,7 +1143,7 @@ resource.) - closed @@ -1164,7 +1164,7 @@ FedRAMP allowed values for false-positive prop: #### Operationally Required (OR) -To document an operationally required risk, add a prop to the risk assembly, and keep the risk status as \"open\". Set the prop name to \"operational-requirement\", the ns to \"https://fedramp.gov/ns/oscal\", and the value to \"pending\". +To document an operationally required risk, add a prop to the risk assembly, and keep the risk status as \"open\". Set the prop name to \"operational-requirement\", the ns to \"http://fedramp.gov/ns/oscal\", and the value to \"pending\". Within the observation assembly, provide a justification for the operational requirement. This must have a conformity tag with a value of \"operational-requirement\". Typically, the observation method is set to EXAMINE; however, another method may be identified if more appropriate. @@ -1196,7 +1196,7 @@ Finally, add a separate relevant-evidence assembly for each piece of evidence su - @@ -1219,7 +1219,7 @@ FedRAMP allowed values for operational-requirement prop: #### Risk Adjustment (RA) To document an operationally required risk, add a prop to the risk assembly and keep the risk status as \"open\". Set the prop name to -\"risk-adjustment\", the ns to \"https://fedramp.gov/ns/oscal\", and the value to \"pending\". +\"risk-adjustment\", the ns to \"http://fedramp.gov/ns/oscal\", and the value to \"pending\". Within the observation assembly, provide a justification for the risk adjustment. This must have a conformity tag with a value of \"risk-adjustment\". Typically, the observation method is set to EXAMINE; however, another method may be identified if more appropriate. @@ -1252,24 +1252,24 @@ See the [*CVSS Scoring*](#/documentation/sar/5-generated-content/#cvss-scoring) - - + - + - + - + @@ -1371,7 +1371,7 @@ priority value of \"1\" represents the most important risk. \"2\" represents the + ns="http://fedramp.gov/ns/oscal" value="yes"/>

[3PAO] attests to the accuracy of the information provided in this FedRAMP Security Assessment Report for the annual assessment @@ -1400,7 +1400,7 @@ priority value of \"1\" represents the most important risk. \"2\" represents the

This is a statement about the identified risk as provided by the tool.

- + diff --git a/content/documentation/ssp/3-working-with-oscal-files.md b/content/documentation/ssp/3-working-with-oscal-files.md index 7220005..ad4ab85 100644 --- a/content/documentation/ssp/3-working-with-oscal-files.md +++ b/content/documentation/ssp/3-working-with-oscal-files.md @@ -129,7 +129,7 @@ FedRAMP will be implementing a separate set of automated SSP validation rules fo - diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index db2a3f4..442689f 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md @@ -68,7 +68,7 @@ system-characteristics assembly. The FedRAMP-assigned application number is the unique ID for a FedRAMP system. OSCAL supports several system identifiers, which may be assigned by different organizations. -For this reason, OSCAL requires the identifier-type flag be present and have a value that uniquely identifies the issuing organization. FedRAMP requires its value to be "https://fedramp.gov" for all FedRAMP-issued application numbers. +For this reason, OSCAL requires the identifier-type flag be present and have a value that uniquely identifies the issuing organization. FedRAMP requires its value to be "http://fedramp.gov/ns/oscal" for all FedRAMP-issued application numbers. {{< figure src="/img/ssp-figure-5.png" title="FedRAMP SSP template System Name and Package ID" alt="Screenshot of the system name, and package ID in the FedRAMP SSP template." >}} @@ -88,7 +88,7 @@ This assembly defines the full name of the system and its short name. A FedRAMP System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -101,7 +101,7 @@ This assembly defines the full name of the system and its short name. A FedRAMP **FedRAMP Allowed Value** Required Identifier Type: -- identifier-type="https://fedramp.gov" +- identifier-type="http://fedramp.gov/ns/oscal" {{}} @@ -112,7 +112,7 @@ Required Identifier Type: Information System Abbreviation: /*/system-characteristics/system-name-short FedRAMP Unique Identifier: - /*/system-characteristics/system-id[@identifier-type="https://fedramp.gov"] + /*/system-characteristics/system-id[@identifier-type="http://fedramp.gov/ns/oscal"] {{}} --- @@ -130,7 +130,7 @@ A FedRAMP System Security Plan (SSP) must document in its description of the sys System Administrator - + system-admin @@ -175,7 +175,7 @@ Role ID: /*/system-implementation/user/role-id Sensitivity Level: - /*/system-implementation/user/prop[@ns='https://fedramp.gov/ns/oscal'][@name="sensitivity"]/@value + /*/system-implementation/user/prop[@ns='http://fedramp.gov/ns/oscal'][@name="sensitivity"]/@value {{}} ## Best Practices @@ -206,7 +206,7 @@ The core-OSCAL system-characteristics assembly has a property for the cloud serv System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -267,7 +267,7 @@ The core-OSCAL system-characteristics assembly has a property for the cloud depl System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -329,7 +329,7 @@ The digital identity level identified in the FedRAMP SSP template document, illu System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -385,7 +385,7 @@ A FedRAMP SSP in OSCAL defines the system's sensitivity level and supporting inf System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -449,7 +449,7 @@ Each information type has confidentiality, integrity, and availability (CIA) sec System's Full Name System's Short Name or Acronym - F00000000 + F00000000 @@ -578,7 +578,7 @@ The system status in the FedRAMP SSP template document is specified in the "Full

Otherwise, it is optional.

 - + @@ -606,7 +606,7 @@ FedRAMP only accepts those in bold: Remarks on System's Operational Status: /*/system-characteristics/status/remarks/node() Fully Operational As Of Date: - /*/system-characteristics/prop[@name="fully-operational-date"][@ns="https://fedramp.gov/ns/oscal"]/@value + /*/system-characteristics/prop[@name="fully-operational-date"][@ns="http://fedramp.gov/ns/oscal"]/@value {{}} **NOTE:** @@ -757,7 +757,7 @@ A `role` with an ID value of "authorizing-official" is required. Use the `respon @@ -766,7 +766,7 @@ A `role` with an ID value of "authorizing-official" is required. Use the `respon #### XPath Queries {{< highlight xml "linenos=table" >}} FedRAMP Authorization Type: - /*/system-characteristics/prop[@name="authorization-type"][@ns="https://fedramp.gov/ns/oscal"]/@value + /*/system-characteristics/prop[@name="authorization-type"][@ns="http://fedramp.gov/ns/oscal"]/@value Authorizing Official: /*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="authorizing-official"]/party-uuid]]/name {{}} @@ -955,11 +955,11 @@ While a leveraged system has no need to represent content here, its SSP must inc Name of Underlying System - - + uuid-of-leveraged-system-poc 2015-01-01 @@ -983,10 +983,10 @@ While a leveraged system has no need to represent content here, its SSP must inc - + - @@ -1049,21 +1049,21 @@ FedRAMP defines the following allowed values for an authentication-method's valu Description of first leveraged system CSO service (component): (//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/description)[1] Authorization type of first leveraged system: - /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="authorization-type"]/@value + /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="authorization-type"]/@value FedRAMP package ID# of the first leveraged system: - /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="leveraged-system-identifier"]/@value + /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="leveraged-system-identifier"]/@value Nature of Agreement for first leveraged system: - (//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="https://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value)[1] + (//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="http://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value)[1] FedRAMP impact level of the first leveraged system: - /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="impact-level"]/@value + /system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="impact-level"]/@value Data Types transmitted to, stored or processed by the first leveraged system CSO: - (//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value) + (//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value) Authorized Users of the first leveraged system CSO: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"] Corresponding Access Level: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@name="privilege-level"]/@value Corresponding Authentication method: - //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="authentication-method"]/@value + //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="authentication-method"]/@value {{}}
@@ -1083,7 +1083,7 @@ A FedRAMP SSP must identify the users of the system by type, privilege, sensitiv System Administrator - + system-admin-user @@ -1127,7 +1127,7 @@ A FedRAMP SSP must identify the users of the system by type, privilege, sensitiv **FedRAMP Extension:** -prop (ns=“https://fedramp.gov/ns/oscal") +prop (ns=“http://fedramp.gov/ns/oscal") - name="sensitivity" **FedRAMP Allowed Values** @@ -1142,7 +1142,7 @@ prop (ns=“https://fedramp.gov/ns/oscal") **FedRAMP Extension:** -prop (ns=“https://fedramp.gov/ns/oscal") +prop (ns=“http://fedramp.gov/ns/oscal") - name="authentication-method" **FedRAMP Allowed Values** @@ -1160,8 +1160,8 @@ Role: /*/system-implementation/user[1]/title Replace "[1]" with "[2]", "[3]", etc. Internal or External: /*/system-implementation/user[1]/prop[@name="type"]/@value Privileged, Non-Privileged, or No Logical Access: /*/system-implementation/user[1]/prop[@name="privilege-level"]/@value -Sensitivity Level: /*/system-implementation/user[1]/prop[@name="sensitivity"][@ns= "https://fedramp.gov/ns/oscal"]/@value -Authentication method: /*/system-implementation/user[1]/prop[@name="authentication-method"][@ns="https://fedramp.gov/ns/oscal"]/@value +Sensitivity Level: /*/system-implementation/user[1]/prop[@name="sensitivity"][@ns= "http://fedramp.gov/ns/oscal"]/@value +Authentication method: /*/system-implementation/user[1]/prop[@name="authentication-method"][@ns="http://fedramp.gov/ns/oscal"]/@value Authorized Privileges: /*/system-implementation/user[1]/authorized-privilege/title count(/*/system-implementation/user[1]/authorized-privilege) Functions Performed: /*/system-implementation/user[1]/authorized-privilege[1]/function-performed[1] @@ -1187,42 +1187,42 @@ The nature-of-agreement property identifies acceptable agreement types.

Briefly describe the interconnection details.

- - + - - - + - - - - - - - - + - - - + - + @@ -1265,31 +1265,31 @@ Refer to the XPath queries below and corresponding notes for guidance on what ta #### XPath Queries {{< highlight xml "linenos=table" >}} Interconnection # for first external system: - /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-type"]/@value + /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-type"]/@value System/Service/API/CLI Name: /*/system-implementation/component[@type='interconnection']/title Connection Details: /*/system-implementation/component[@type='interconnection'][1]/prop[@name="direction"]/@value Nature of Agreement for first external system: - /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value + /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="http://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value Still Supported (Y/N): - /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="still-supported"]/@value + /*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="http://fedramp.gov/ns/oscal" and @name="still-supported"]/@value Data Types: - /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value + /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value Data Categorization: - /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-categorization"]/@value + /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-data-categorization"]/@value Authorized Users: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"] Corresponding Access Level: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop @name="privilege-level"]/@value Other Compliance Programs: - /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-compliance"]/@value + /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-compliance"]/@value Description: /*/system-implementation/component[@type='interconnection'][1]/description Hosting Environment: - /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-hosting-environment"]/@value + /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-hosting-environment"]/@value Risk/Impact/Mitigation: - /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-risk"]/@value + /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="interconnection-risk"]/@value {{}}
@@ -1595,11 +1595,11 @@ a URI fragment. The fragment must start with a hashtag (#) and include the UUID Module Name

FIPS 140-2 Validated Module

 - - - @@ -1639,11 +1639,11 @@ The approach is the same as in the [*cryptographic module data-in-transit*](#cry Module Name

FIPS 140-2 Validated Module

 - - - diff --git a/content/documentation/ssp/5-attachments.md b/content/documentation/ssp/5-attachments.md index 58cae66..69fd59c 100644 --- a/content/documentation/ssp/5-attachments.md +++ b/content/documentation/ssp/5-attachments.md @@ -19,7 +19,7 @@ is handled: |**Appendix Name**|**Machine Readable**|**How to Handle in OSCAL**| | :-- | :-- | :-- | | **Appendix A: FedRAMP Security Controls** | [Yes](/documentation/ssp/6-security-controls/) | This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached. | -| **Appendix B: Related Acronyms** | No | Attach using the `back-matter`, `resource` syntax.

For Acronyms, resource must include a `prop` with `@ns="https://fedramp.gov/ns/oscal"`, `@name="type"`, and `@value="fedramp-acronyms"`. | +| **Appendix B: Related Acronyms** | No | Attach using the `back-matter`, `resource` syntax.

For Acronyms, resource must include a `prop` with `@ns="http://fedramp.gov/ns/oscal"`, `@name="type"`, and `@value="fedramp-acronyms"`. | | **Appendix C: Security Policies and Procedures** | No | Attach using the `back-matter`, `resource` syntax.

For Policies, resource must include a `prop` with `@name=”type”`, `@value=”policy”`, and `@class=”control-family”`.

For Procedures, resource must include a `prop` with `@name=”type”`, `@value=”procedure”`, and `@class=”control-family”`. | | **Appendix D: User Guide** | No | Attach using the `back-matter`, `resource` syntax.

For User Guides, resource must include a `prop` with `@name=”type”` and `@value=”users-guide”`. | | **Appendix E: Digital Identity Worksheet** | [Yes](/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination) | See the [Digital Identity Determination](/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination) section. | @@ -47,9 +47,9 @@ The following OSCAL representation of a FedRAMP SSP attachment demonstrates the Document Title Policy document - - - + + + 00000000 @@ -64,13 +64,13 @@ The following OSCAL representation of a FedRAMP SSP attachment demonstrates the ##### XPath Queries {{< highlight xml "linenos=table" >}} The Number of Policies Attached: - count(/*/back-matter/resource/prop[@name="type"][@ns="https://fedramp.gov/ns/oscal"][string(./@value)="policy"]) + count(/*/back-matter/resource/prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][string(./@value)="policy"]) Attachment (Embedded Base64 encoded): /*/back-matter/resource[@id="att-policy-1"]/base64 OR (Relative Link): /*/back-matter/resource[@id="att-policy-1"]/rlink/@href Title of First Policy Document: - /*/back-matter/resource/prop[@name="type"][@ns="https://fedramp.gov/ns/oscal"][string(.)="policy"][1]/../prop[@name="title"][@ns="https://fedramp.gov/ns/oscal"] + /*/back-matter/resource/prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][string(.)="policy"][1]/../prop[@name="title"][@ns="http://fedramp.gov/ns/oscal"] {{}} --- @@ -125,7 +125,7 @@ For example, if the same Linux operating system is used as the platform for all - +

If no, explain why. If yes, omit remarks field.

 @@ -170,7 +170,7 @@ asset-administrator is managing a system or an application. Currently, any FedRA - +

If no, explain why. If yes, omit remarks field.

 @@ -254,11 +254,11 @@ approach. ##### XPath Queries {{< highlight xml "linenos=table" >}} IPv4 Address of All Inventory Items Identified for Infrastructure Scanning: - distinct-values( (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='https://fedramp.gov/ns/oscal']='infrastructure']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/ prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='https://fedramp.gov/ns/oscal'] [string(.)='infrastructure']]) ) + distinct-values( (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='http://fedramp.gov/ns/oscal']='infrastructure']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/ prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'] [string(.)='infrastructure']]) ) IPv4 Address of All Inventory Items Identified for Web Scanning: - distinct-values( (let $key:=/*/system-implementation/component[prop[@name='scan-type'][@ns='https://fedramp.gov/ns/oscal']='web']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='https://fedramp.gov/ns/oscal'][string(.)='web']])) + distinct-values( (let $key:=/*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal']='web']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][string(.)='web']])) IPv4 Address of All Inventory Items Identified for Database Scanning: - distinct-values( (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='https://fedramp.gov/ns/oscal']='database']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='https://fedramp.gov/ns/oscal'][string(.)='database']])) + distinct-values( (let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='http://fedramp.gov/ns/oscal']='database']/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][string(.)='database']])) IPv4 Address of All Items Where an Authenticated Scan is Possible: distinct-values( (/*/system-implementation/system-inventory/inventory-item/prop [@name='ipv4-address'][../prop[@name="allows-authenticated-scan"][@value='yes']] ) | (let $key:=/*/system-implementation/component[prop [@name='allows-authenticated-scan'][@value='yes']]/@uuid return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-uuid=$key]/prop[@name='ipv4-address'])) IPv4 Address of All Items Where an Authenticated Scan is Not Possible: diff --git a/content/documentation/ssp/6-security-controls.md b/content/documentation/ssp/6-security-controls.md index 8ca49cd..45f8169 100644 --- a/content/documentation/ssp/6-security-controls.md +++ b/content/documentation/ssp/6-security-controls.md @@ -179,7 +179,7 @@ in the remarks field. **If the implementation-status is planned,** a brief description of the plan to address the gap, including major milestones must be explained in the `remarks` field. There must also be a prop -(name=\"planned-completion-date\" ns=\"https://fedramp.gov/ns/oscal\") +(name=\"planned-completion-date\" ns=\"http://fedramp.gov/ns/oscal\") field containing the intended completion date. With XML, `prop` fields must appear before other sibling fields (such as `set-parmeter`, `responsible-role`, etc.), even though that sequence is counter-intuitive in this situation. @@ -198,15 +198,15 @@ justification must be provided in the `remarks` field. + ns="http://fedramp.gov/ns/oscal" value="2021-01-01Z"/> + ns="http://fedramp.gov/ns/oscal" value="implemented" /> + ns="http://fedramp.gov/ns/oscal" value="partial" /> + ns="http://fedramp.gov/ns/oscal" value="planned" /> + ns="http://fedramp.gov/ns/oscal" value="not-applicable"/> @@ -219,13 +219,13 @@ justification must be provided in the `remarks` field. Implementation Status (may return more than 1 result for a given control) : /*/control-implementation/implemented-requirement[@control-id="ac-1"] /prop[@name="implementation-status"]/@value Gap Description (If implementation-status="partial"): - /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="partial"][@ns="https://fedramp.gov/ns/oscal"]/remarks/node() + /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="partial"][@ns="http://fedramp.gov/ns/oscal"]/remarks/node() Planned Completion Date (If implementation-status="planned"): - /*/control-implementation/implemented-requirement[@control-id="ac-1"]/prop[@name="planned-completion-date"][@ns="https://fedramp.gov/ns/oscal"]/@value + /*/control-implementation/implemented-requirement[@control-id="ac-1"]/prop[@name="planned-completion-date"][@ns="http://fedramp.gov/ns/oscal"]/@value Plan for Completion (If implementation-status="planned"): - /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="planned"][@ns="https://fedramp.gov/ns/oscal"]/remarks/node() + /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="planned"][@ns="http://fedramp.gov/ns/oscal"]/remarks/node() Not Applicable (N/A) Justification (If implementation-status="na"): - /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="not-applicable"][@ns="https://fedramp.gov/ns/oscal"]/remarks/node() + /*/control-implementation/implemented-requirement/prop[@name='implementation-status'][@value="not-applicable"][@ns="http://fedramp.gov/ns/oscal"]/remarks/node() {{}} @@ -251,7 +251,7 @@ sp-corporate and sp-system. **If the control origination is inherited,** there must also be a FedRAMP extension (prop name=\"leveraged-authorization-uuid\" -ns=\"https://fedramp.gov/ns/oscal\") field containing the UUID of the +ns=\"http://fedramp.gov/ns/oscal\") field containing the UUID of the leveraged authorization as it appears in the /\*/system-implementation/leveraged-authorization assembly. @@ -270,13 +270,13 @@ leveraged authorization as it appears in the - - - - @@ -288,9 +288,9 @@ leveraged authorization as it appears in the ##### XPath Queries {{< highlight xml "linenos=table" >}} Number of Control Originations: - count(/*/control-implementation/implemented-requirement[@control-id="ac-2"]/prop[@name="control-origination"][@ns="https://fedramp.gov/ns/oscal"]) + count(/*/control-implementation/implemented-requirement[@control-id="ac-2"]/prop[@name="control-origination"][@ns="http://fedramp.gov/ns/oscal"]) Control Origination(could return more than 1 result): - /*/control-implementation/implemented-requirement[@control-id="ac-2"]/prop[@name="control-origination"][@ns="https://fedramp.gov/ns/oscal"][1]/@value + /*/control-implementation/implemented-requirement[@control-id="ac-2"]/prop[@name="control-origination"][@ns="http://fedramp.gov/ns/oscal"][1]/@value Inherited From: System Name (If control-origination="inherited"): /*/system-implementation/leveraged-authorization[@uuid=/*/control-implementation/implemented-requirement[@control-id="ac-2"]/prop[@name="leveraged-authorization-uuid"]]/title Inherited From: Authorization Date (If control-origination="inherited"): @@ -316,7 +316,7 @@ will identify the response points for a given control. ##### XPath Query {{< highlight xml "linenos=table" >}} Response Points for AC-1: - //control[@id='ac-1']/part[@name='statement']//prop[@name='response-point'][@ns='https://fedramp.gov/ns/oscal']/../@id + //control[@id='ac-1']/part[@name='statement']//prop[@name='response-point'][@ns='http://fedramp.gov/ns/oscal']/../@id {{}} diff --git a/content/documentation/ssp/7-generated-content.md b/content/documentation/ssp/7-generated-content.md index 0eadf24..1b1cae3 100644 --- a/content/documentation/ssp/7-generated-content.md +++ b/content/documentation/ssp/7-generated-content.md @@ -26,7 +26,7 @@ There are many ways a tool developer can generate the CRM. FedRAMP plans to deve ##### Useful CRM XPath Queries {{< highlight xml "linenos=table" >}} Flat-File CRM Query: - //control-implementation/implemented-requirement/prop[@name="control-origination"][@ns="https://fedramp.gov/ns/oscal"][@value="customer-configured" or @value="customer-provided"]/remarks/node() + //control-implementation/implemented-requirement/prop[@name="control-origination"][@ns="http://fedramp.gov/ns/oscal"][@value="customer-configured" or @value="customer-provided"]/remarks/node() Component-based CRM Query: //control-implementation/implemented-requirement/statement/by-component[@component-id="customer"]/description