You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -915,7 +915,7 @@ Each system must define at least two data centers. There must be exactly one pri
---
## Leveraged FedRAMP-Authorized Services
If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that aligns with or exceeds the security sensitivity level of the leveraging system.
If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that matches or exceeds the security sensitivity level of the leveraging system.
The `leveraged-authorization` assembly includes the leveraged system's name, point of contact (POC), and authorization date. The `component` assembly must be linked to the `leveraged-authorization` assembly using a property (prop) field with the name "leveraged-authorization-uuid" and the
UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". The component assembly must define an `authentication-method` with remarks that explain the method if authentication is used, justify the absence of authentication if not used, or provide an explanation of why authentication is not applicable.
