Skip to content

Commit

Permalink
Leveraged Authorization Sample Files
Browse files Browse the repository at this point in the history
  • Loading branch information
@brian-ruf @david-waltermire
brian-ruf authored and david-waltermire committed Oct 7, 2020
1 parent 71c0209 commit c07038d
Show file tree
Hide file tree
Showing 2 changed files with 473 additions and 0 deletions.
226 changes: 226 additions & 0 deletions src/ssp-example/oscal_Leveraged-example_ssp.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,226 @@
<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="68325754-2c4f-4acf-b389-4ed899099c0b">
<metadata>
<title>CSP IaaS System Security Plan</title>
<last-modified>2020-06-23T09:57:52.662-04:00</last-modified>
<version>0.1</version>
<oscal-version>1.0.0-milestone3</oscal-version>
<role id="admin">
<title>Administrator</title>
</role>
<role id="customer">
<title>External Customer</title>
</role>
<role id="poc-for-customers">
<title>Internal POC for Customers</title>
</role>

<party type="person" uuid="11111111-0000-4000-9000-100000000001">
<party-name>Arnie Admin</party-name>
</party>

</metadata>
<import-profile href="../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml"/>
<system-characteristics>
<system-id>csp_iaas_system</system-id>
<system-name>Leveraged IaaS System</system-name>
<description>
<p>An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.</p>
<pre>
Cust-A Cust-B Cust-C
| | |
+---------+---------+
|
+-------------------+
| Leveraging SaaS |
+-------------------+
|
|
+-------------------+
| Leveraged IaaS |
| this file |
+-------------------+
</pre>
<p>In this example, the IaaS SSP specifies customer responsibilities for certain controls.</p>
<p>The SaaS must address these for the control to be fully satisfied.</p>
<p>The SaaS provider may either implement these directly, or pass the responsiblity on to their customers. Both may be necessary.</p>

<p>For any given control, the Leveraged IaaS SSP must describe:</p>
<ol>
<li>HOW the IaaS is directly satisfying the control</li>
<li>WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.</li>
</ol>
<p>For any given control, the Leveraging SaaS SSP must describe:</p>
<ol>
<li>WHAT is being inherited from the underlying IaaS</li>
<li>HOW the SaaS is directly satisfying the control.</li>
<li>WHAT responsibilities are left for the SaaS customers to implement. (The SaaS customers are Cust-A, B and C)</li>
</ol>
</description>
<security-sensitivity-level>low</security-sensitivity-level>
<system-information>
<information-type>
<title>System and Network Monitoring</title>
<description>
<p>This IaaS system handles information pertaining to audit events.</p>
</description>
<information-type-id system="https://doi.org/10.6028/NIST.SP.800-60v2r1">C.3.5.8</information-type-id>
<confidentiality-impact>
<base>fips-199-moderate</base>
<selected>fips-199-low</selected>
<adjustment-justification>
<p>This impact has been adjusted to low as an example of how to perform this type of adjustment.</p>
</adjustment-justification>
</confidentiality-impact>
<integrity-impact>
<base>fips-199-moderate</base>
<selected>fips-199-low</selected>
<adjustment-justification>
<p>This impact has been adjusted to low as an example of how to perform this type of adjustment.</p>
</adjustment-justification>
</integrity-impact>
<availability-impact>
<base>fips-199-moderate</base>
<selected>fips-199-low</selected>
<adjustment-justification>
<p>This impact has been adjusted to low as an example of how to perform this type of adjustment.</p>
</adjustment-justification>
</availability-impact>
</information-type>
</system-information>
<security-impact-level>
<security-objective-confidentiality>fips-199-low</security-objective-confidentiality>
<security-objective-integrity>fips-199-low</security-objective-integrity>
<security-objective-availability>fips-199-low</security-objective-availability>
</security-impact-level>
<status state="operational"/>
<authorization-boundary>
<description>
<p>The hardware and software supporting the virtualized infrastructure supporting the IaaS.</p>
</description>
</authorization-boundary>
<remarks>
<p>Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements.</p>
</remarks>
</system-characteristics>
<system-implementation>
<user uuid="11111111-0000-4000-9000-200000000001">
<role-id>admin</role-id>
<authorized-privilege>
<title>Administrator</title>
<function-performed>Manages the components within the IaaS.</function-performed>
</authorized-privilege>
</user>

<component uuid="11111111-0000-4000-9001-000000000001" component-type="system">
<title>This System</title>
<description>
<p>This Leveraged IaaS.</p>
<p>The entire system as depicted in the system authorization boundary</p>
</description>
<status state="operational"/>
</component>

<component uuid="11111111-0000-4000-9001-000000000002" component-type="software">
<title>Application</title>
<description>
<p>An application within the IaaS, exposed to SaaS customers and their downstream customers.</p>
<p>This Leveraged IaaS maintains aspects of the application.</p>
<p>The Leveraging SaaS maintains aspects of their assigned portion of the application.</p>
<p>The customers of the Leveraging SaaS maintain aspects of their sub-assigned portions of the application.</p>
</description>
<prop name="implementation-point">system</prop>

<status state="operational"/>
<responsible-role role-id="admin">
<party-uuid>11111111-0000-4000-9000-100000000001</party-uuid>
</responsible-role>
</component>

</system-implementation>

<!-- ************************ -->
<control-implementation>
<description>
<p>This is a collection of control responses.</p>
</description>

<implemented-requirement control-id="ac-2" uuid="11111111-0000-4000-9009-002000000000">
<set-parameter param-id="ac-2_prm_1">
<value>privileged and non-privileged</value>
</set-parameter>
<!-- additional parameters omitted -->

<statement statement-id="ac-2_stmt.a" uuid="11111111-0000-4000-9009-002001000000">

<by-component uuid="11111111-0000-4000-9009-002001001000" component-uuid="11111111-0000-4000-9001-000000000001">
<description>
<p>Response for the "This System" component.</p>
<p>Overall description of how "This System" satisfies AC-2, Part a.</p>
</description>

<export>
<description><p>Optional description about what is being exported.</p></description>
<responsibility uuid="11111111-0000-4000-9009-002001001001">
<description>
<p>Leveraging system's responsibilities with respect to inheriting this capability.</p>
<p>In the context of the application component in satisfaction of AC-2, part a.</p>
</description>
<responsible-role role-id="customer" />
</responsibility>
</export>
</by-component>

<by-component uuid="11111111-0000-4000-9009-002001002000" component-uuid="11111111-0000-4000-9001-000000000002">
<description>
<p>Describes how the applicaiton satisfies AC-2, Part a.</p>
</description>

<export>
<description><p>Optional description about what is being exported.</p></description>

<provided uuid="11111111-0000-4000-9009-002001002001">
<description>
<p>Consumer-appropriate description of what may be inherited.</p>
<p>In the context of the application component in satisfaction of AC-2, part a.</p>
</description>
<responsible-role role-id="poc-for-customers" />
</provided>

<responsibility uuid="11111111-0000-4000-9009-002001002002" provided-uuid="11111111-0000-4000-9009-002001002001">
<description>
<p>Leveraging system's responsibilities with respect to inheriting this capability.</p>
<p>In the context of the application component in satisfaction of AC-2, part a.</p>
</description>
<responsible-role role-id="customer" />
</responsibility>

</export>

</by-component>

<remarks>
<p>a. Identifies and selects the following types of information system accounts to support
organizational missions/business functions: [Assignment: privileged and non-privileged];</p>
</remarks>
</statement>

<remarks>
<p>The organization:</p>
<p>a. Identifies and selects the following types of information system accounts to support
organizational missions/business functions: [Assignment: organization-defined information
system account types];</p>
<p>b. Assigns account managers for information system accounts;</p>
<p>c. Establishes conditions for group and role membership;</p>
<p>d. through j. omitted</p>
</remarks>
</implemented-requirement>
</control-implementation>

<back-matter>
<resource uuid="11111111-0000-4000-9999-000000000001">
<rlink href="./attachments/IaaS_ac_proc.docx"/>
</resource>
</back-matter>
</system-security-plan>
Loading

0 comments on commit c07038d

Please sign in to comment.