From 9cdb5074323e57631232ffc81c31321e09d92b9f Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Fri, 22 Nov 2024 09:29:12 -0500 Subject: [PATCH 1/4] Add leveraged authorization documentation --- .../ssp/4-ssp-template-to-oscal-mapping.md | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 4c08d4b..0c04765 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md 
@@ -915,10 +915,10 @@ Each system must define at least two data centers. There must be exactly one pri --- ## Leveraged FedRAMP-Authorized Services -If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. +If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that aligns with or exceeds the security sensitivity level of the leveraging system. The `leveraged-authorization` assembly includes the leveraged system's name, point of contact (POC), and authorization date. The `component` assembly must be linked to the `leveraged-authorization` assembly using a property (prop) field with the name "leveraged-authorization-uuid" and the -UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". +UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". 
The component assembly must define an `authentication-method` with remarks that explain the method if authentication is used, justify the absence of authentication if not used, or provide an explanation of why authentication is not applicable. If the leveraged system owner provides a UUID for their system, such as in an OSCAL-based Inheritance and Responsibility document (similar to a CRM), it should be provided as the inherited-uuid property value. @@ -946,7 +946,10 @@ While a leveraged system has no need to represent content here, its SSP must inc E.I.P. - + + + fips-199-moderate + Name of Underlying System @@ -960,8 +963,20 @@ While a leveraged system has no need to represent content here, its SSP must inc uuid-of-leveraged-system-poc 2015-01-01 - - + + + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+
+ Name of Leveraged System

Briefly describe leveraged system.

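Review bot: the `authentication-method` example added in this hunk (@@ -960) carries three remarks for one component, one each for 'yes', 'no' and 'not-applicable', but a single component holds a single value, so the example should show one realistic case and leave the three alternatives to the prose. The remark texts also read as instructions to the author rather than sample content, and the third one has a typo: "If 'not-applicable', attest explain why authentication is not applicable in the remarks." should drop "attest" (and "in the remarks", since this sentence is the remark). Related, the `fips-199-moderate` value introduced in the preceding hunk (@@ -946) is never explained: the @@ -915 prose says a leveraged authorization must define a FIPS-199 impact level but does not name the property that carries it or list its allowed values the way the nature-of-agreement values are listed; add that alongside the new allowed-values list.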
@@ -1020,6 +1035,11 @@ FedRAMP defines the following allowed values for the nature-of-agreement propert - other - sla +FedRAMP defines the following allowed values for an authentication-method's value property: +- yes +- no +- not-applicable + {{}} #### XPath Queries From 89f23bec1edc5421830214cee519aa6e0db6570f Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Mon, 25 Nov 2024 11:00:04 -0500 Subject: [PATCH 2/4] Fix wording Co-authored-by: DimitriZhurkin --- content/documentation/ssp/4-ssp-template-to-oscal-mapping.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 0c04765..6276467 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md 
@@ -915,7 +915,7 @@ Each system must define at least two data centers. There must be exactly one pri --- ## Leveraged FedRAMP-Authorized Services -If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that aligns with or exceeds the security sensitivity level of the leveraging system. +If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that matches or exceeds the security sensitivity level of the leveraging system. The `leveraged-authorization` assembly includes the leveraged system's name, point of contact (POC), and authorization date. The `component` assembly must be linked to the `leveraged-authorization` assembly using a property (prop) field with the name "leveraged-authorization-uuid" and the UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". 
The component assembly must define an `authentication-method` with remarks that explain the method if authentication is used, justify the absence of authentication if not used, or provide an explanation of why authentication is not applicable. From 9705d4f10a675bbad7c1756c08175114eaa8b5da Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Fri, 29 Nov 2024 13:21:14 -0500 Subject: [PATCH 3/4] Remove "attest" Co-authored-by: DimitriZhurkin --- content/documentation/ssp/4-ssp-template-to-oscal-mapping.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 6276467..0b64ff6 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md @@ -972,7 +972,7 @@ While a leveraged system has no need to represent content here, its SSP must inc

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

-

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+

If 'not-applicable', explain why authentication is not applicable in the remarks.

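Review bot: the corrected remark in this hunk still ends with "in the remarks" even though the sentence is itself the content of the remarks element, so it is self-referential; shorten it to "If 'not-applicable', explain why authentication is not applicable." The 'yes' and 'no' remarks visible as context have the same instruction-style phrasing, so consider making all three read as example text a reader could adapt rather than guidance addressed to the author.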
From b15dbc6db8f8bccd3e788805532bb04066d12181 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Fri, 29 Nov 2024 13:24:30 -0500 Subject: [PATCH 4/4] Fix remark --- content/documentation/ssp/4-ssp-template-to-oscal-mapping.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 0b64ff6..01827cd 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md @@ -970,9 +970,7 @@ While a leveraged system has no need to represent content here, its SSP must inc -

If 'yes', describe the authentication method.

-

If 'no', explain why no authentication is used.

-

If 'not-applicable', explain why authentication is not applicable in the remarks.

+

This component has an authentication method which we document as required here.
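Review bot: the single replacement remark on the `+` line at the end of this hunk, "This component has an authentication method which we document as required here.", does not demonstrate what the surrounding prose requires, namely remarks that explain the method when authentication is used; it names no method and reads as a filler sentence. Replace it with a concrete sample such as "Authentication to the leveraged system uses [placeholder: describe method]" (placeholder wording, not from the page). Since the 'no' and 'not-applicable' remarks are removed here, the allowed-values list added earlier in the series (yes, no, not-applicable) is left with no illustration for those two cases; a sentence in the prose stating that the remark must justify either of those values would close that gap.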