{ "extensions": { "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", "xmlns": "http://csrc.nist.gov/ns/oscal/1.0", "uuid": "bac3886f-deb3-4d9d-a422-b563d906b27c", "metadata": { "title": "[EXPERIMENTAL] FedRAMP Extensions", "published": "2023-06-30T00:00:00Z", "last-modified": "2023-07-12T00:00:00Z", "version": "fedramp2.0.0-oscal1.0.4", "oscal-version": "1.0.4", "revisions": { "revision": [ { "published": "2023-06-30T00:00:00Z", "version": "DRAFT-01", "prop": { "name": "party-uuid", "ns": "https://fedramp.gov/ns/oscal", "value": "9505ecff-86c4-42ad-aeb9-e6b0f8eacb69" }, "remarks": {"p": "Initial draft for fedramp2.0.0-oscal1.0.4 release. Subject to change."} }, { "published": "2023-07-06T00:00:00Z", "version": "DRAFT-02", "remarks": { "p": [ "Updated remarks for deprecated extensions, and added new rev5 extensions.", "The bindings and constraints for the new rev5 extensions are pending and will be added in a future revision." ] } }, { "published": "2023-07-12T00:00:00Z", "version": "DRAFT-03", "remarks": { "p": [ "Minor edits." ] } } ] }, "role": { "id": "prepared-by", "title": "Prepared By", "description": {"p": "The organization that prepared this content."} }, "party": { "uuid": "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d", "type": "organization", "name": "Federal Risk and Authorization Management Program: Program Management Office", "short-name": "FedRAMP PMO", "link": {"href": "https://fedramp.gov"}, "email-address": "info@fedramp.gov", "address": { "type": "work", "addr-line": [ "1800 F St. NW", "" ], "city": "Washington", "state": "DC", "postal-code": "", "country": "US" }, "remarks": { "p": [ "This party entry must be present in a FedRAMP SSP.", "The uuid may be different; however, the uuid must be associated with the \"fedramp-pmo\" role in the responsible-party assemblies." 
] } }, "responsible-party": { "role-id": "prepared-by", "party-uuid": "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d" }, "remarks": { "p": [ "This EXPERIMENTAL file extends OSCAL to meet FedRAMP requirements.", "It provides the extensions, defined identifiers, and acceptable values in a machine-readable format necessary to meet FedRAMP Authorization Package requirements." ] } }, "index": [ { "id": "index-local-party-id", "target": "//o:party", "key-field": {"target": "@uuid"}, "remarks": {"p": "This document only."} }, { "id": "index-assessment-layer-party-id", "target": "oscal-document-set()/(o:assessment-plan | o:assessment-results)//o:party", "key-field": {"target": "@uuid"}, "remarks": {"p": "Select documents."} }, { "id": "global-local-party-id", "target": "oscal-document-set()//o:party", "key-field": {"target": "@uuid"}, "remarks": {"p": "Entire stack."} } ], "extension-namespace": {"ns": "https://fedramp.gov/ns/oscal"}, "extension": [ { "id": "response-point", "extension-name": "response-point", "formal-name": "Response Point", "description": "A property whose presence indicates its parent part is a required point of response for FedRAMP stakeholders.", "binding": [ {"pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"}, {"pattern": "/o:profile/o:modify/o:alter/o:add//o:part/o:prop"}, {"pattern": "/o:catalog//o:control//o:part/o:prop"}, {"pattern": "/o:assessment-plan/o:local-definitions/o:objectives-and-methods//part/o:prop"}, {"pattern": "/o:assessment-results/o:local-definitions/o:objectives-and-methods//part/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } }, "remarks": { "p": [ "This appears in FedRAMP profiles and resolved profile catalogs.", "For control statements, it signals to the CSP which statements require a response in the SSP.", "For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case 
workbook." ] } }, { "id": "revision-history-party-uuid", "extension-name": "party-uuid", "formal-name": "Party Identifier", "description": "Identifies the party who authored this revision.", "binding": {"pattern": "/*/o:metadata/o:revisions/o:revision/o:prop"}, "constraint": { "matches": {"data-type": "uuid"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" }, "index-has-key": { "name": "index-local-party-uuid", "target": "o:prop[@name='party-uuid']", "key-field": {"target": "."}, "remarks": {"p": "On the revision element in the revision history, the party-uuid extension must match the UUID of an existing party in the metadata."} } } }, { "id": "iso-iec-17020-identifier", "extension-name": "iso-iec-17020-identifier", "formal-name": "ISO/IEC 17020 Identifier", "description": "The ISO/IEC-17020 identifier assigned to the assessor related to their status as an A2LA Accredited Third Party Assessment Organization.", "binding": [ {"pattern": "/o:assessment-plan/o:metadata/o:party/o:prop"}, {"pattern": "/o:assessment-results/o:metadata/o:party/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "CORE", "extension-name": "CORE", "formal-name": "Core Control", "description": "Identifies a control that must be included in every FedRAMP assessment.", "binding": [ {"pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"}, {"pattern": "/o:profile/o:modify/o:alter/o:add//o:control/o:prop"}, {"pattern": "/o:catalog//o:control/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } }, "remarks": {"p": "Core controls must be assessed every year, and are often subject to additional scrutiny by assessors and adjudication reviewers."} }, { "id": "security-cia-level", "extension-name": "security-eauth-level", "formal-name": "eAuth Level (OVERALL)", "description": "The overall electronic authentication (eAuth) level applied to the 
system.", "binding": [ {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"}, {"pattern": "system-characteristics/o:prop[@name='authenticator-assurance-level']"}, {"pattern": "system-characteristics/o:prop[@name='federation-assurance-level']"}, {"pattern": "system-characteristics/o:prop[@name='identity-assurance-level']"} ], "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": 1, "label": "Level 1 (Low)", "#text": "The overall eAuth Level is defined as Level 1 (Low)." }, { "value": 2, "label": "Level 2 (Moderate)", "#text": "The overall eAuth Level is defined as Level 2 (Moderate)." }, { "value": 3, "label": "Level 3 (High)", "#text": "The overall eAuth Level is defined as Level 3 (High)." } ] } }, "remarks": {"p": "Deprecated."} }, { "id": "authorization-type", "extension-name": "authorization-type", "formal-name": "Authorization Type", "description": "Identifies the FedRAMP authorization type.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "fedramp-jab", "label": "JAB P-ATO", "#text": "A FedRAMP Joint Authorization Board (JAB) Provisional-Authorization to Operate (P-ATO)." }, { "value": "fedramp-agency", "label": "Agency ATO", "#text": "A FedRAMP Agency Authorization to Operate (ATO)." }, { "value": "fedramp-li-saas", "label": "Tailored (LI-SaaS) ATO", "#text": "A FedRAMP Tailored authorization to operate (ATO) for low impact Software as a Service (LI-SaaS) systems." 
} ] } } }, { "id": "users-internal", "extension-name": "users-internal", "formal-name": "Internal Users", "description": "The current number of users internal to the organization.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:prop"}, "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "users-external", "extension-name": "users-external", "formal-name": "External Users", "description": "The current number of users external to the organization.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"}, "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "users-internal-future", "extension-name": "users-internal-future", "formal-name": "Future Internal Users", "description": "The anticipated number of users internal to the organization in one year.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"}, "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "users-external-future", "extension-name": "users-external-future", "formal-name": "Future External Users", "description": "The anticipated number of users external to the organization in one year.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"}, "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "privacy-designation", "extension-name": "privacy-designation", "formal-name": "Privacy Designation", "description": "Indicates whether this system is privacy sensitive.", "binding": {"pattern": "system-information/o:prop[@name='privacy-sensitive']"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", 
"label": "Yes", "#text": "Privacy Sensitive" }, { "value": "no", "label": "No", "#text": "Not Privacy Sensitive" } ] } }, "remarks": {"p": "Deprecated."} }, { "id": "privacy-threshold-analysis-q1", "extension-name": "privacy-threshold-analysis-q1", "formal-name": "Privacy Threshold Analysis Q1", "description": "Does the ISA collect, maintain, or share PII in any identifiable form?", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, the ISA collects, maintains, or shares some form of PII." }, { "value": "no", "label": "No", "#text": "No, the ISA does not collect, maintain, or share PII in any form." } ] } }, "remarks": {"p": "Deprecated."} }, { "id": "privacy-threshold-analysis-q2", "extension-name": "privacy-threshold-analysis-q2", "formal-name": "Privacy Threshold Analysis Q2", "description": "Does the ISA collect, maintain, or share PII from or about the public?", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, the ISA collects, maintains, or shares PII from or about the public." }, { "value": "no", "label": "No", "#text": "No, the ISA does not collect, maintain, or share PII from or about the public." 
} ] } }, "remarks": {"p": "Deprecated."} }, { "id": "privacy-threshold-analysis-q3", "extension-name": "privacy-threshold-analysis-q3", "formal-name": "Privacy Threshold Analysis Q3", "description": "Has a Privacy Impact Assessment (PIA) ever been performed for the ISA?", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, a PIA has been performed." }, { "value": "no", "label": "No", "#text": "No, a PIA has not been performed." } ] } }, "remarks": {"p": "Deprecated."} }, { "id": "privacy-threshold-analysis-q4", "extension-name": "privacy-threshold-analysis-q4", "formal-name": "Privacy Threshold Analysis Q4", "description": "Is there a Privacy Act System of Records Notice (SORN) for this ISA system?", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, there is a SORN ID for this system." }, { "value": "no", "label": "No", "#text": "No, there is not a SORN ID for this system." 
} ] } }, "remarks": {"p": "Deprecated."} }, { "id": "sorn-id", "extension-name": "sorn-id", "formal-name": "SORN ID", "description": "An assigned System of Records Notice (SORN) identifier for this system.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "expect": {"test": ".[@name='pta-4'][@ns='https://fedramp.gov/ns/oscal']/@value='yes' and .[@name='sorn-id'][@ns='https://fedramp.gov/ns/oscal']"} }, "remarks": {"p": "Deprecated."} }, { "id": "user-sensitivity-level", "extension-name": "sensitivity", "formal-name": "User Sensitivity Level", "description": "Defines the sensitivity level of the identified user type.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:user/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "high-risk", "label": "High Risk", "#text": "Misuse of the user's access could result in grave damage to the public's trust." }, { "value": "severe", "label": "Severe", "#text": "Misuse of the user's access could result in a substantial degree of harm or serious damage to the public\u2019s trust." }, { "value": "moderate", "label": "Moderate", "#text": "Misuse of the user's access could result in a fair amount of harm or serious damage to the public\u2019s trust." }, { "value": "limited", "label": "Limited", "#text": "Misuse of the user's access could result in some harm or discernible damage to the public\u2019s trust." }, { "value": "not-applicable", "label": "Not Applicable", "#text": "The user does not have access to the system." 
} ] } }, "remarks": { "p": [ "Values are as required by FedRAMP for packages based on NIST 800-53, Revision 4.", { "#text": "Authoritative source: ", "a": { "href": "#871713A8-5A27-4AC3-8B94-972588469C6B", "#text": "OPM Position Designation (Page 18)" }, "#text1": "." } ] } }, { "id": "service-processor", "extension-name": "service-processor", "formal-name": "Service Processor", "description": "Name of the interconnection service processor.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, { "id": "information", "extension-name": "information", "formal-name": "Transmitted Information", "description": "Describes the information transmitted over the interconnection.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, { "id": "asset-type", "extension-name": "asset-type", "formal-name": "Asset Type", "description": "Identifies the type of asset.", "binding": [ {"pattern": "component/o:prop[@name='asset-type']"}, {"pattern": "o:inventory-item/o:prop[@name='asset-type']"} ], "constraint": { "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "os", "short-label": "OS", "#text": "Operating System" }, { "value": "database", "short-label": "DB", "#text": "Database" }, { "value": "web-server", "short-label": "Web", "#text": "Service" }, { "value": "dns-server", "short-label": "DNS", "#text": "Policy" }, { "value": "email-server", "short-label": "eMail", "#text": "Process" }, { "value": "directory-server", "short-label": "LDAP", "#text": "Procedure" }, { "value": "pbx", "short-label": "PBX", "#text": "Private Branch Exchange" }, { "value": "firewall", 
"short-label": "FW", "#text": "Firewall" }, { "value": "router", "short-label": "Rtr", "#text": "Router" }, { "value": "switch", "short-label": "Swtch", "#text": "Switch" }, { "value": "storage-array", "short-label": "Store", "#text": "Storage Array" } ] } } }, { "id": "interconnection-direction", "extension-name": "interconnection-direction", "formal-name": "Interconnection Direction", "description": "Identifies the direction of information flow for the interconnection.", "binding": {"pattern": "o:component[@component-type='interconnection']/o:prop[@name='direction'][@ns='https://fedramp.gov/ns/oscal']"}, "constraint": { "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "incoming", "short-label": "In", "#text": "Incoming" }, { "value": "outgoing", "short-label": "Out", "#text": "Outgoing" }, { "value": "incoming-outgoing", "short-label": "In/Out", "#text": "Bi-Directional" } ] } }, "remarks": { "p": [ "Deprecated.", { "#text": "Use core OSCAL \"direction\" ", "code": "prop", "#text1": " instead." 
} ] } }, { "id": "interconnection-security", "extension-name": "interconnection-security", "formal-name": "Interconnection Security", "description": "Identifies the type of security applied to the interconnection.", "binding": {"pattern": "o:component[@component-type='interconnection']/o:prop[@name='connection-security'][@ns='https://fedramp.gov/ns/oscal']/@value"}, "constraint": { "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "ipsec", "short-label": "IPsec", "#text": "IPsec" }, { "value": "vpn", "short-label": "VPN", "#text": "Virtual Private Network" }, { "value": "ssl", "short-label": "SSL", "#text": "Secure Socket Layer" }, { "value": "certificate", "short-label": "Cert", "#text": "Certificate" }, { "value": "secure-file-transfer", "short-label": "SFT", "#text": "Secure File Transfer" }, { "value": "other", "short-label": "Other", "#text": "Other" } ] } } }, { "id": "inventory-item-state", "extension-name": "inventory-item-state", "formal-name": "Different states of inventory items: public, private, et cetera.", "description": "Indicates if the asset is virtual.", "binding": [ {"pattern": "o:inventory-item/o:prop[@name='virtual']"}, {"pattern": "o:component/o:prop[@name='virtual']"}, {"pattern": "o:inventory-item/o:prop[@name='public']"}, {"pattern": "component/o:prop[@name='public']"}, {"pattern": "o:inventory-item/o:prop[@name='allows-authenticated-scan']/@value"}, {"pattern": "o:component/o:prop[@name='allows-authenticated-scan']/@value"}, {"pattern": "o:inventory-item/o:prop[@name='is-scanned']/@value"}, {"pattern": "o:component/o:prop[@name='is-scanned']/@value"} ], "constraint": { "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "short-label": "Y", "#text": "Yes" }, { "value": "no", "short-label": "N", "#text": "No" } ] } }, "remarks": { "p": [ "Deprecated.", { "#text": "Use core OSCAL \"public\" and \"virtual\" ", "code": "prop", "#text1": " 
instead." } ] } }, { "id": "circuit", "extension-name": "circuit", "formal-name": "Service Processor", "description": "A circuit used for the communication.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, { "id": "interconnection-security", "extension-name": "interconnection-security", "formal-name": "Interconnection Security", "description": "Identifies the mechanisms/protocol(s) used to secure the communication.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "ipsec", "label": "IPsec", "#text": "IPsec" }, { "value": "vpn", "label": "VPN", "#text": "Virtual Private Network" }, { "value": "ssl", "label": "SSL", "#text": "Secure Socket Layer" }, { "value": "certificate", "label": "Cert", "#text": "Certificate" }, { "value": "secure-file-transfer", "label": "SFT", "#text": "Secure File Transfer" }, { "value": "other", "label": "Other", "#text": "Other" } ] } }, "remarks": {"p": "Renamed from \"connection-security\" to \"interconnection-security\"."} }, { "id": "service-used-by", "extension-name": "used-by", "formal-name": "Service Used By", "description": "Identifies what uses the service.", "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='service']/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, { "id": "scan-type", "extension-name": "scan-type", "formal-name": "Scan Type", "description": "Identifies the type(s) of scans to be performed on this inventory-item or component.", "binding": [ {"pattern": 
"/o:system-security-plan/o:system-implementation/o:component/o:prop"}, {"pattern": "/o:system-security-plan/o:system-implementation/o:system-inventory/o:o:inventory-item/o:prop"}, {"pattern": "/o:assessment-plan/o:local-definitions/o:component/o:prop"}, {"pattern": "/o:assessment-plan/o:local-definitions/o:o:inventory-item/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definitions/o:component/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definitions/o:o:inventory-item/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "infrastructure", "label": "Infrastructure", "#text": "The component or inventory item is included in operating system (OS) and/or infrastructure scans." }, { "value": "database", "label": "Database", "#text": "The component or inventory item is included in Database scans." }, { "value": "web", "label": "Web", "#text": "The component or inventory item is included in Web interface/application scans." }, { "value": "other", "label": "Other", "#text": "The component or inventory item is included in non-typical scans." } ] } } }, { "id": "planned-completion-date", "extension-name": "planned-completion-date", "formal-name": "Planned Completion Date", "description": "Provides the date the control expects to be implemented. 
Must be present when Implementation Status is \"Planned\"", "binding": {"pattern": "/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:prop"}, "constraint": { "matches": {"data-type": "date"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "authorization-recommendation", "extension-name": "authorization-recommendation", "formal-name": "Authorization Recommendation", "description": "Indicates whether the assessor recommends the system be authorized by the authorizing official.", "binding": {"pattern": "/o:assessment-results/o:results/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, the assessor recommends the system for authorization." }, { "value": "no", "label": "No", "#text": "No, the assessor does not recommend the system for authorization." } ] } }, "remarks": { "p": [ "Deprecated.", { "#text": "Use \"recommend-authorization\" ", "code": "prop", "#text1": " instead." 
} ] } }, { "id": "title-short", "extension-name": "title-short", "formal-name": "Short Title", "description": "The short name for the system represented in the resource.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "system-id", "extension-name": "system-id", "formal-name": "System Identifier", "description": "The FedRAMP-assigned identifier for this system.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "import-profile", "extension-name": "import-profile", "formal-name": "Profile", "description": "The baseline/profile for this system based on its FIPS-199 categorization.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "uri"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "authorization-date", "extension-name": "authorization-date", "formal-name": "Authorization Date", "description": "The date the system was authorized. 
Omit or leave blank for an initial authorization.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "date"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "purpose", "extension-name": "purpose", "formal-name": "Purpose", "description": "Explains the system's purpose.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "description", "extension-name": "description", "formal-name": "Description", "description": "A brief description of the system.", "binding": [ {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } }, "remarks": {"p": "Deprecated."} }, { "id": "sampling", "extension-name": "sampling", "formal-name": "Sampling", "description": "Indicates whether a sampling methodology was used instead of assessing the entire system.", "binding": [ {"pattern": "/o:assessment-plan/o:assessment-subject/o:prop"}, {"pattern": "/o:assessment-results/o:results/o:assessment-subject/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "yes", "label": "Yes", "#text": "Yes, a sampling methodology was used." }, { "value": "no", "label": "No", "#text": "No, a sampling methodology was not used." 
} ] } } }, { "id": "control-objective-implementation-status", "extension-name": "control-objective-implementation-status", "formal-name": "Objective Implementation Status", "description": "Indicates the implementation status of the control objective.", "binding": {"pattern": "/o:assessment-results/o:results/o:finding/o:target/o:prop"}, "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "implemented", "label": "Implemented", "#text": "The assessor finds sufficient evidence to agree the control objective is fully implemented." }, { "value": "partial", "label": "Partial", "#text": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." }, { "value": "planned", "label": "Planned", "#text": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implementing it." }, { "value": "alternative", "label": "Alternative Implementation", "#text": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." }, { "value": "not-applicable", "label": "Not Applicable (N/A)", "#text": "The assessor finds this control objective does not apply to this system." } ] } }, "remarks": { "p": [ "Deprecated.", { "#text": "Use \"implementation-status\" ", "code": "prop", "#text1": " instead." 
} ] } }, { "id": "control-implementation-status", "extension-name": "implementation-status", "formal-name": "Control Implementation Status", "description": "Indicates the implementation status of the control.", "binding": [ {"pattern": "o:implemented-requirement/o:prop[@name='implementation-status']/@value"}, {"pattern": "/o:assessment-results/o:results/o:finding/o:target/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "implemented", "label": "Implemented", "#text": "The assessor finds sufficient evidence to agree the control objective is fully implemented." }, { "value": "partial", "label": "Partial", "#text": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." }, { "value": "planned", "label": "Planned", "#text": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implementing it." }, { "value": "alternative", "label": "Alternative Implementation", "#text": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." }, { "value": "not-applicable", "label": "Not Applicable (N/A)", "#text": "The assessor finds this control objective does not apply to this system." } ] } }, "remarks": {"p": "Updated bindings and constraint."} }, { "id": "leveraged-authorization", "extension-name": "leveraged-authorization-uuid", "formal-name": "Leveraged Authorization", "description": "Indicates a leveraged authorization used for this control.", "binding": {"pattern": "/o:assessment-results/o:results/o:finding/o:target/o:prop"}, "constraint": { "matches": {"data-type": "uuid"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" } }, "remarks": { "p": { "#text": "This is for legacy SSP conversion to OSCAL. 
The preferred approach is to specify the leveraged system as a ", "code": "component", "#text1": " and reference it in the control using ", "code#1": "by-component", "#text2": "." } } }, { "id": "control-origination", "extension-name": "control-origination", "formal-name": "Control Origination", "description": "The point(s) from which the control satisfaction originates.", "binding": {"pattern": "implemented-requirement/o:prop[@name='control-origination']/@value"}, "constraint": { "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "remarks": { "p": { "#text": "When a prop is defined as an extension, a separate constraint assembly is needed to specify the data type and allowed values on the ", "code": "@value", "#text1": " flag." } }, "allowed-values": { "allow-other": "no", "enum": [ { "value": "sp-corporate", "short-label": "SP Corporate", "#text": "Service Provider (Corporate)" }, { "value": "sp-system", "short-label": "SP System", "#text": "Service Provider (System Specific)" }, { "value": "customer-configured", "short-label": "Cust. Configured", "#text": "Configured by Customer" }, { "value": "customer-provided", "short-label": "Cust. 
Provided", "#text": "Provided by Customer" }, { "value": "inherited", "short-label": "Inherited", "#text": "Inherited" } ] } } }, { "id": "no-oscal-ssp-title-short", "extension-name": "title-short", "formal-name": "Short System Name", "description": "The abbreviated name for the system, such as an acronym.", "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "no-oscal-ssp-system-id", "extension-name": "system-id", "formal-name": "Short System Name", "description": "The FedRAMP-assigned system identifier.", "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "no-oscal-ssp-import-profile", "extension-name": "import-profile", "formal-name": "Relevant Baseline", "description": "Identifies the relevant OSCAL baseline.", "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { "matches": {"data-type": "uri"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } }, "remarks": {"p": "As with all URIs in OSCAL, this may contain a URI fragment, which identifies the local resource containing the relevant profile."} }, { "id": "no-oscal-ssp-purpose", "extension-name": "system-id", "formal-name": "Short System Name", "description": "The FedRAMP-assigned system identifier.", "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "no-oscal-ssp-authorization-date", "extension-name": "authorization-date", "formal-name": "Authorization Date", 
"description": "The date of the system's initial FedRAMP authorization.", "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { "matches": {"data-type": "dateTime-with-timezone"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 } } }, { "id": "task-login-url", "extension-name": "login-url", "formal-name": "Login URL", "description": "The login URL for a web application.", "binding": [ {"pattern": "/o:system-security-plan/o:system-implementation/o:o:inventory-item/o:prop"}, {"pattern": "/o:assessment-plan//o:task/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { "matches": {"data-type": "NCName"} }, "remarks": {"p": "Extension renamed from \"logn-url\" to \"login-url\"."} }, { "id": "task-login-id", "extension-name": "login-id", "formal-name": "Login ID", "description": "The login ID used to assess the web application.", "binding": [ {"pattern": "/o:assessment-plan//o:task/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { "matches": {"data-type": "NCName"} }, "remarks": {"p": "Extension renamed from \"logn-id\" to \"login-id\"."} }, { "id": "task-test-type", "extension-name": "test-type", "formal-name": "Test Type", "description": "Indicates the type of test represented by the task.", "binding": [ {"pattern": "/o:assessment-plan//o:task/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { "matches": {"data-type": "NCName"}, "allowed-values": { "enum": { "value": "web-application", "label": "Web Application", "#text": "This task tests a web application." 
} } } }, { "id": "task-user-uuid", "extension-name": "user-uuid", "formal-name": "User Identifier", "description": "Cites the SSP defined user role to use for testing.", "binding": [ {"pattern": "/o:assessment-plan//o:task/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { "matches": {"data-type": "uuid"} } }, { "id": "poam-id", "extension-name": "poam-id", "formal-name": "POA&M ID", "description": "A CSP-assigned POA&M identifier.", "binding": {"pattern": "/o:plan-of-action-and-milestones/o:poam-item/o:prop"}, "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "poam-impacted-control", "extension-name": "impacted-control-id", "formal-name": "Impacted Control", "description": "A control impacted by this POA&M item.", "binding": [ {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"} ], "constraint": { "matches": {"data-type": "token"} }, "remarks": { "p": [ "Impacted control is required in the POA&M and optional in the SAR.", "It is allowed in the SAR in anticipation of duplicating open risks from the SAR to the POA&M." ] } }, { "id": "sar-risk-priority", "extension-name": "priority", "formal-name": "Risk Priority", "description": "Assessor's recommended risk priority. Lower numbers are higher priority. 
One (1) is highest priority.", "binding": [ {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"} ], "constraint": { "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "sar-recommend-authorization", "extension-name": "recommend-authorization", "formal-name": "Assessor's Authorization Recommendation", "description": "Indicates the assessor's recommendation for initial or continued authorization.", "binding": {"pattern": "/o:assessment-results/o:result/o:attestation/o:part[@name='authorization-statements']/o:prop"}, "constraint": { "matches": {"data-type": "NCName"}, "has-cardinality": { "min-occurs": 1, "max-occurs": 1 }, "allowed-values": { "enum": [ { "value": "yes", "label": "Yes", "#text": "The assessor recommends initial or continued authorization." }, { "value": "no", "label": "No", "#text": "The assessor does not recommend initial or continued authorization." } ] } } }, { "id": "likelihood", "extension-name": "likelihood", "formal-name": "Likelihood", "description": "The likelihood of a risk.", "binding": {"pattern": "o:risk/o:risk-metric[@name='likelihood'][@system='https://fedramp.gov']"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "low", "short-label": "L", "#text": "Low" }, { "value": "moderate", "short-label": "M", "#text": "Moderate" }, { "value": "high", "short-label": "H", "#text": "High" } ] } }, { "id": "vulnerability-identifier", "extension-name": "vulnerability-id", "formal-name": "Vulnerability Identifier", "description": "A tool assigned vulnerability ID.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { 
"id": "plugin-identifier", "extension-name": "plugin-id", "formal-name": "Plugin Identifier", "description": "A tool assigned Plugin ID.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"} ], "constraint": { "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 } } }, { "id": "operational-requirement", "extension-name": "operational-requirement", "formal-name": "Operational Requirement", "description": "The risk cannot be remediated without impact to the system and must be accepted.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "enum": [ { "value": "investigating", "label": "Investigating", "#text": "A possible operational requirement is being investigated." }, { "value": "pending", "label": "Tracking", "#text": "An operational requirement deviation request was submitted to the AO and is pending adjudication." }, { "value": "approved", "label": "Approved", "#text": "The operational requirement has been approved by the AO." }, { "value": "withdrawn", "label": "Withdrawn", "#text": "The operational requirement was withdrawn." 
} ] } } }, { "id": "false-positive", "extension-name": "false-positive", "formal-name": "False Positive", "description": "The risk was found to be a false positive report.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { "matches": {"data-type": "NCName"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "enum": [ { "value": "investigating", "label": "Investigating", "#text": "A possible risk adjustment is being investigated." }, { "value": "pending", "label": "Tracking", "#text": "A false positive deviation request was submitted to the AO and is pending adjudication." }, { "value": "approved", "label": "Approved", "#text": "The false positive has been approved by the AO." }, { "value": "withdrawn", "label": "Withdrawn", "#text": "The false positive was withdrawn." } ] } } }, { "id": "risk-adjustment", "extension-name": "risk-adjustment", "formal-name": "Risk Adjustment", "description": "Mitigating factors were identified or implemented, reducing the likelihood or impact of the risk.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "enum": [ { "value": "investigating", "label": "Investigating", "#text": "A possible risk adjustment is being investigated." }, { "value": "pending", "label": "Tracking", "#text": "A risk adjustment deviation request was submitted to the AO and is pending adjudication." 
}, { "value": "approved", "label": "Approved", "#text": "The risk adjustment has been approved by the AO." }, { "value": "withdrawn", "label": "Withdrawn", "#text": "The risk adjustment was withdrawn." } ] } } }, { "id": "vendor-dependency", "extension-name": "vendor-dependency", "formal-name": "Vendor Dependency", "description": "A vendor resolution is pending, but not yet available.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": 1 }, "allowed-values": { "enum": [ { "value": "investigating", "label": "Investigating", "#text": "The risk is a suspected vendor dependency, and is being investigated for verification." }, { "value": "tracking", "label": "Tracking", "#text": "The vendor has confirmed the issue and is working on a resolution." }, { "value": "resolved", "label": "Resolved", "#text": "The vendor released the fix and it has been applied." }, { "value": "withdrawn", "label": "Withdrawn", "#text": "The vendor dependency was withdrawn." } ] } } }, { "id": "assessment-type", "extension-name": "assessment-type", "formal-name": "Assessment Type", "description": "The type of assessment (e.g., initial authorization, annual assessment, assessment for a significant change, or another type of assessment).", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "authentication-method", "extension-name": "authentication-method", "formal-name": "Authentication Method", "description": "The authentication method(s) for users of a leveraged service or external interconnection. 
Refer to NIST 800-63B (https://pages.nist.gov/800-63-3/sp800-63b.html) for authentication methods.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "authorized-users", "extension-name": "authorized-users", "formal-name": "Authorized Users", "description": "The users or roles that can access the leveraged service or external interconnection.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "cryptographic-module-usage", "extension-name": "cryptographic-module-usage", "formal-name": "Cryptographic Module Usage", "description": "The cryptographic module is used for data at rest (DAT) or data in transit (DIT).", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "csp-validated", "extension-name": "csp-validated", "formal-name": "CSP Validated", "description": "The CSP ensured the independent assessor team roles are appropriately filled.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "discrepancies", "extension-name": "discrepancies", "formal-name": "Discrepancies", "description": "Any discrepancies between the inventory that was in scope for the planned assessment and the assets in the assessment results.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "discrepencies-reason", "extension-name": "discrepencies-reason", "formal-name": "Discrepancies Reason", "description": "The justification or reason for any discrepancies between the inventory that was in scope for the planned assessment and the assets in the assessment results.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "fully-operational-date", "extension-name": "fully-operational-date", "formal-name": "Fully Operational Date", "description": "The date when the security control implementations for the appropriate control baseline were completed.", "remarks": { "p": [ "Added for rev 5 templates.", "\u201cFully operational\u201d means there are no \u201cgaps\u201d in the security control baseline implementations for the system. 
The CSP attests that the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements." ] } }, { "id": "ia-manual-review", "extension-name": "ia-manual-review", "formal-name": "IA Manual Review", "description": "Confirmation that the independent assessor performed a manual review of (scan) configuration files to analyze for existing vulnerabilities. ", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "ia-validated", "extension-name": "ia-validated", "formal-name": "IA Validated", "description": "The independent assessor ensured the assessment team roles are appropriately filled.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "impact-level", "extension-name": "impact-level", "formal-name": "Impact Level", "description": "The impact level of a leveraged authorization.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-compliance", "extension-name": "interconnection-compliance", "formal-name": "Interconnection Compliance", "description": "Any (security) compliance certifications the third party external service has (e.g., PCI SOC 2, CSA STAR Level 2, etc.).", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-data-categorization", "extension-name": "interconnection-data-categorization", "formal-name": "Interconnection Data Categorization", "description": "The security impact level of the data (Low, Moderate, High), processed by or stored in the external service, in accordance with FIPS 199 & NIST 800-60 Vol. 2.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-data-type", "extension-name": "interconnection-data-type", "formal-name": "Interconnection Data Type", "description": "The type of data / information processed by or stored in the external service, in accordance with NIST 800-60 Vol. 
2.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-hosting-environment", "extension-name": "interconnection-hosting-environment", "formal-name": "Interconnection Hosting Environment", "description": "A description of the hosting environment (e.g., corporate network, IaaS, or self-hosted) for the external service.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-risk", "extension-name": "interconnection-risk", "formal-name": "Interconnection Risk", "description": "A description of the potential risks introduced by the external system/service and impact to the CSO or federal data if the confidentiality, integrity, and availability (CIA) of the system/service is compromised.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "interconnection-type", "extension-name": "interconnection-type", "formal-name": "Interconnection Type", "description": "Numeric indicator of the type of interconnection, where 1 = Non-FedRAMP Authorized Cloud Services, 2 = Corporate Shared Services, and 3 = Update Services for In-Boundary Software/Services. ", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "ipv4-address", "extension-name": "ipv4-address", "formal-name": "IPv4 Address", "description": "The IP address of a component, inventory item, or other asset.", "remarks": { "p": [ "Added for rev 5 templates.", { "#text": "Core OSCAL has an \"ipv4-address\" ", "code": "prop", "#text1": " which can be used for certain component types and for inventory items. This extension can be used instead, and is also applicable for other assemblies such as ", "code#1": "assessment-platform", "#text2": "." 
} ] } }, { "id": "ipv4-subnet", "extension-name": "ipv4-subnet", "formal-name": "IPv4 Subnet", "description": "The subnet for a component or inventory item.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "kev-catalog", "extension-name": "kev-catalog", "formal-name": "KEV Catalog", "description": "Indicates if this vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) Catalog.", "remarks": { "p": [ "Added for rev 5 templates.", "In accordance with Binding Operational Directive (BOD) 22-01, CSPs must track their vulnerabilities against the KEV catalog." ] } }, { "id": "kev-due-date", "extension-name": "kev-due-date", "formal-name": "Due Date", "description": "The KEV catalog-specified due date by which the vulnerability must be remediated.", "remarks": { "p": [ "Added for rev 5 templates.", "In accordance with Binding Operational Directive (BOD) 22-01, CSPs must track their vulnerabilities against the KEV catalog." ] } }, { "id": "label", "extension-name": "label", "formal-name": "Test ID", "description": "The test ID for the manual test method.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "leveraged-system-identifier", "extension-name": "leveraged-system-identifier", "formal-name": "leveraged-system-identifier", "description": "The identifier corresponding to the FedRAMP package ID.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "name", "extension-name": "name", "formal-name": "Tool Name", "description": "The product or tool name for a component or inventory item.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "nature-of-agreement", "extension-name": "nature-of-agreement", "formal-name": "Nature of Agreement", "description": "Any type of agreement between a CSP and the leveraged CSP vendors who support products (e.g., End User Licensing Agreement (EULA), Service-Level Agreement (SLA), App License Agreement, Contract, etc.).", "remarks": {"p": "Added for rev 5 templates."} }, { "id": 
"resolution-resource", "extension-name": "resolution-resource", "formal-name": "Resolution Resource", "description": "The back-matter resource reference used to determine which FedRAMP validation rulesets apply.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "scan-percentage", "extension-name": "scan-percentage", "formal-name": "Scan Percentage", "description": "The scan coverage percentage.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "significant-changes-scope", "extension-name": "significant-changes-scope", "formal-name": "Significant Changes Scope", "description": "The general quantity of significant change(s) in scope.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "sort-id", "extension-name": "sort-id", "formal-name": "Sort ID", "description": "Identifier for sort ordering content.", "remarks": { "p": { "#text": "Core OSCAL has a \"sort-id\" ", "code": "prop", "#text1": "; however, this \"sort-id\" extension can be applied to any assembly that provides information which may need to be rendered in a specific order. The ", "code#1": "step", "#text2": " assembly is an example of this." } } }, { "id": "still-supported", "extension-name": "still-supported", "formal-name": "Still Supported", "description": "Specify if the product / component is still supported by the vendor / manufacturer.", "remarks": {"p": "Added for rev 5 templates."} }, { "id": "type", "extension-name": "type", "formal-name": "Type", "description": "The \"type\" of back-matter resource.", "remarks": { "p": [ "Added for rev 5 templates.", "Locally defined resource types." 
] } }, { "id": "vendor-name", "extension-name": "vendor-name", "formal-name": "Vendor Name", "description": "The vendor or manufacturer of a component or inventory item.", "remarks": {"p": "Added for rev 5 templates."} } ], "constraint": [ { "name": "observation-types", "formal-name": "Observation Types", "description": "In addition to the NIST observation types, FedRAMP requires observation types to support risk deviations and vendor dependencies.", "binding": [ {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:type"}, {"pattern": "/o:assessment-results/o:result/o:observation/o:type"} ], "allowed-values": { "allow-other": "yes", "enum": [ { "value": "vendor-dependency", "label": "Vendor Dependency", "#text": "The observation provides evidence of reliance on a vendor for a pending resolution that is not yet available." }, { "value": "false-positive", "label": "False Positive", "#text": "The observation provides evidence the associated risk is a false positive finding." }, { "value": "operational-requirement", "label": "Operational Requirement", "#text": "The observation provides evidence to substantiate the assertion that remediating the risk will have an adverse impact on the system." }, { "value": "risk-adjustment", "label": "Risk Adjustment", "#text": "The observation provides evidence to justify an adjustment to the likelihood or impact values." }, { "value": "closure", "label": "Closure", "#text": "The observation provides evidence of risk closure." 
} ] } }, { "name": "sar-risk-impacted-control", "formal-name": "Impacted Control", "description": "The impacted control field is optional in the SAR, but helpful in anticipation of copying open risks to the POA&M.", "binding": {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" } }, { "name": "poam-risk-impacted-control", "formal-name": "Impacted Control", "description": "At least one impacted control field is required in the POA&M.", "binding": {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" } }, { "name": "control-origination-constraints", "formal-name": "Control Origination", "description": "The point(s) from which the control satisfaction originates.", "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='control-origination'][@ns='https://fedramp.gov/ns/oscal']/@value"}, "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "sp-corporate", "label": "SP Corporate", "#text": "Service Provider (Corporate)" }, { "value": "sp-system", "label": "SP System", "#text": "Service Provider (System Specific)" }, { "value": "customer-configured", "label": "Cust. Configured", "#text": "Configured by Customer" }, { "value": "customer-provided", "label": "Cust. 
Provided", "#text": "Provided by Customer" }, { "value": "inherited", "label": "Inherited", "#text": "Inherited" } ] } }, { "name": "control-implementation-status-constraints", "formal-name": "Control Implementation Status Constraints", "description": "Defines the data type and allowed values for the Control Implementation Status", "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal']/@value"}, "matches": {"data-type": "token"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "implemented", "label": "Implemented", "#text": "The assessor finds sufficient evidence to agree the control objective is fully implemented." }, { "value": "partial", "label": "Partial", "#text": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." }, { "value": "planned", "label": "Planned", "#text": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implementing it." }, { "value": "alternative", "label": "Alternative Implementation", "#text": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." }, { "value": "not-applicable", "label": "Not Applicable (N/A)", "#text": "The assessor finds this control objective does not apply to this system." 
} ] }, "remarks": {"p": "When an extension is a prop, the data type and allowed values must be defined in a separate constraint."} }, { "formal-name": "Control Implementation Status Constraints", "description": "Remarks are required for certain Control Implementation Status values.", "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement"}, "matches": {"data-type": "NCName"}, "expect": {"test": "(o:prop[@name='planned-completion'][@ns='https://fedramp.gov/ns/oscal'])"} }, {"formal-name": "FedRAMP Facet System Constraints"}, { "name": "planned-completion-date", "formal-name": "Planned Implementation Date Exists", "description": "If the control implementation status is \"Planned\", a \"Planned Implementation Date\" must be provided.", "prop": { "name": "reference", "#text": 3.1 }, "binding": {"pattern": "/o:system-security-plan/o:control-implementation/o:implemented-requirement[o:prop[@name='implementation-status'][@value='planned']]"}, "expect": [ {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='partial']/remarks)"}, {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='planned']/remarks)"}, {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='alternative']/remarks)"}, {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='not-applicable']/remarks)"} ], "remarks": { "p": { "#text": "In the SSP, if ", "code": "implemented-requirement", "#text1": " includes ", "code#1": "prop[@name='implementation-status']", "#text2": " with ", "code#2": "value='planned'", "#text3": ", a ", "code#3": "planned-completion-date", "#text4": " extension must be provided." 
} } }, { "formal-name": "Port Class Exists", "description": "If a port number is provided as part of an interconnection, Local or Remote must be specified.", "binding": {"pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']"}, "expect": {"test": "exists(@class)"}, "remarks": { "p": [ "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.", { "#text": "When this extension is present, it must include a ", "code": "@class", "#text1": " flag with a value of either 'local' or 'remote'." } ] } }, { "formal-name": "Port Class Valid Values", "description": "If a port number is provided as part of an interconnection, Local or Remote must be specified.", "binding": {"pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']/@class"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "local", "label": "Local", "#text": "The identified port number is used by the interconnected system to communicate with this system." }, { "value": "remote", "label": "Remote", "#text": "The identified port number is used by this system to communicate with the interconnected system." } ] }, "remarks": { "p": [ "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.", { "#text": "When this extension is present, it must include a ", "code": "@class", "#text1": " flag with a value of either 'local' or 'remote'." 
} ] } }, { "formal-name": "Additional Component Types", "description": "Identifies additional component types for Assessment Assets in the SAP and SAR.", "binding": [ {"pattern": "o:assessment-plan/o:assessment-assets/o:component/@type"}, {"pattern": "o:assessment-results/o:assessment-result/o:local-definitions/o:assessment-assets/o:component/@type"} ], "allowed-values": { "allow-other": "no", "enum": { "value": "assessment-origination", "label": "Assessment Origination", "#text": "The component identifies one or more IP addresses from which assessment activities may be performed." } }, "remarks": { "p": [ "For FedRAMP, the SAP must identify the IP addresses from which scanning and penetration test activities are performed, and the SAR must identify the actual IP addresses used.", { "#text": "This requires an additional component type in the SAP's ", "code": "assessment-assets", "#text1": ", and in the SAR's ", "code#1": "result", "#text2": ", ", "code#2": "local-definitions", "#text3": ", ", "code#3": "assessment-assets", "#text4": "." 
} ] } }, { "name": "fedramp-general-role-identifiers", "formal-name": "General Role Identifiers", "description": "FedRAMP additional roles identifiers.", "binding": {"pattern": "/*/o:metadata/o:role/@id"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "fedramp-pmo", "label": "FedRAMP PMO", "#text": "The FedRAMP Program Management Office (PMO)" }, { "value": "fedramp-jab", "label": "FedRAMP JAB", "#text": "The FedRAMP Joint Authorization Board (JAB)" }, { "value": "cloud-service-provider", "label": "CSP", "#text": "Cloud Service Provider" }, { "value": "csp-operations-center", "label": "CSP Operations Center", "#text": "Cloud Service Provider Operations Center" } ] }, "remarks": {"p": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to all OSCAL-based FedRAMP content."} }, { "name": "fedramp-assessment-role-identifiers", "formal-name": "Assessment Role Identifiers", "description": "FedRAMP additional roles identifiers.", "binding": {"pattern": "/*/o:metadata/o:role/@id"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "assessor", "label": "Assessor", "#text": "Assessor" }, { "value": "assessment-team", "label": "Assessment Team", "#text": "Assessment Team" }, { "value": "assessment-lead", "label": "Assessment Lead", "#text": "Assessment Lead" }, { "value": "assessment-executive", "label": "Assessment Executive", "#text": "Assessment Executive" }, { "value": "csp-assessment-poc", "label": "CSP Assessment PoC", "#text": "Cloud Service Provider Assessment Point(s) of Contact" }, { "value": "csp-end-of-testing-poc", "label": "CSP End of Testing PoC", "#text": "Cloud Service Provider End of Testing Point(s) of Contact" }, { "value": "csp-results-poc", "label": "CSP Results PoC", "#text": "Cloud Service Provider Point(s) of Contact" }, { "value": "penetration-test-team", "label": "Penetration Test Team", "#text": "Penetration Test Team" }, { "value": "penetration-test-lead", "label": "Penetration 
Test Lead", "#text": "Penetration Test Lead" } ] }, "remarks": {"p": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to OSCAL-based FedRAMP SAP and SAR content."} }, { "name": "hash-algorithm", "extension-name": "hash-algorithm", "formal-name": "Hash Algorithm", "description": "Identifies the algorithm used to create the hash value of the attachment.", "binding": {"pattern": "o:resource/o:hash/@algorithm"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "SHA-224", "short-label": "SHA-224", "#text": "SHA-224" }, { "value": "SHA-256", "short-label": "SHA-256", "#text": "SHA-256" }, { "value": "SHA-384", "short-label": "SHA-384", "#text": "SHA-384" }, { "value": "SHA-512", "short-label": "SHA-512", "#text": "SHA-512" }, { "value": "RIPEMD-160", "short-label": "RIPEMD-160", "#text": "RIPEMD-160" } ] } }, { "name": "attachment-type", "formal-name": "Attachment/Resource Types", "description": "FedRAMP additional attachment/resource types.", "binding": {"pattern": "/*/o:back-matter/o:resource/o:prop[@name='type']"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "law", "short-label": "Law", "#text": "Law or Statute" }, { "value": "regulation", "short-label": "Regulation", "#text": "Regulation or Directive" }, { "value": "standard", "short-label": "Standard", "#text": "Industry Standard" }, { "value": "guidance", "short-label": "Guidance", "#text": "Guidance" }, { "value": "policy", "short-label": "Policy", "#text": "Policy" }, { "value": "procedure", "short-label": "Procedure", "#text": "Procedure" }, { "value": "guide", "short-label": "Guidance", "#text": "Guidance Document" }, { "value": "rules-of-behavior", "short-label": "ROB", "#text": "Rules of Behavior" }, { "value": "plan", "short-label": "Plan", "#text": "Plan" }, { "value": "system-security-plan", "short-label": "SSP", "#text": "System Security Plan" }, { "value": "artifact", "short-label": "artifact", "#text": "Artifact" }, { "value": 
"evidence", "short-label": "evidence", "#text": "Evidence" }, { "value": "screen-shot", "short-label": "screen", "#text": "Screen Shot" }, { "value": "image", "short-label": "image", "#text": "Image" }, { "value": "tool-report", "short-label": "Report", "#text": "Tool Report" }, { "value": "raw-tool-output", "short-label": "Raw", "#text": "Raw Tool Output" }, { "value": "interview-notes", "short-label": "Notes", "#text": "Interview Notes" }, { "value": "questionnaire", "short-label": "Questions", "#text": "Questions" }, { "value": "report", "short-label": "Report", "#text": "Report" }, { "value": "fedramp-citations", "short-label": "FR Citations", "#text": "FedRAMP Citations" }, { "value": "fedramp-acronyms", "short-label": "FR Acronyms", "#text": "FedRAMP Acronyms" }, { "value": "fedramp-logo", "short-label": "FR Logo", "#text": "FedRAMP Logo" }, { "value": "separation-of-duties-matrix", "short-label": "SoD Matrix", "#text": "Separation of Duties Matrix" }, { "value": "logo", "short-label": "Logo", "#text": "Logo" }, { "value": "personal-identifiable-information", "short-label": "PII", "#text": "Personal Identifiable Information (PII)" }, { "value": "agreement", "short-label": "Agreement", "#text": "Agreement" }, { "value": "isa-agreement", "short-label": "Agreement", "#text": "Interconnection Security Agreement" }, { "value": "incident-response-plan", "short-label": "IRP", "#text": "Incident Response Plan" }, { "value": "information-security-policies-and-procedures", "short-label": "ISPP", "#text": "Information Security Policies and Procedures" }, { "value": "user-guide", "short-label": "User Guide", "#text": "User Guide" }, { "value": "privacy-impact-analysis", "short-label": "PIA", "#text": "Privacy Impact Assessment" }, { "value": "information-system-contingency-plan", "short-label": "ISCP", "#text": "Information System Contingency Plan" }, { "value": "configuration-management-plan", "short-label": "CMP", "#text": "Configuration Management Plan" } ] }, "remarks": 
{"p": "These are in addition to the NIST-defined allowed values for resource types."} }, { "name": "media-type", "formal-name": "Attachment/Resource Media Types", "description": "IANA media-types supported by FedRAMP as attachment/resource types.", "binding": [ {"pattern": "o:rlink/@media-type"}, {"pattern": "o:base64/@media-type"} ], "allowed-values": { "enum": [ { "value": "application/gzip", "#text": "application/gzip" }, { "value": "application/msword", "#text": "application/msword" }, { "value": "application/octet-stream", "#text": "application/octet-stream" }, { "value": "application/pdf", "#text": "application/pdf" }, { "value": "application/vnd.ms-excel", "#text": "application/vnd.ms-excel" }, { "value": "application/vnd.ms-works", "#text": "application/vnd.ms-works" }, { "value": "application/vnd.oasis.opendocument.graphics", "#text": "application/vnd.oasis.opendocument.graphics" }, { "value": "application/vnd.oasis.opendocument.presentation", "#text": "application/vnd.oasis.opendocument.presentation" }, { "value": "application/vnd.oasis.opendocument.spreadsheet", "#text": "application/vnd.oasis.opendocument.spreadsheet" }, { "value": "application/vnd.oasis.opendocument.text", "#text": "application/vnd.oasis.opendocument.text" }, { "value": "application/vnd.openxmlformats-officedocument.presentationml.presentation", "#text": "application/vnd.openxmlformats-officedocument.presentationml.presentation" }, { "value": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "#text": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" }, { "value": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "#text": "application/vnd.openxmlformats-officedocument.wordprocessingml.document" }, { "value": "application/x-bzip", "#text": "application/x-bzip" }, { "value": "application/x-bzip2", "#text": "application/x-bzip2" }, { "value": "application/x-tar", "#text": "application/x-tar" }, { "value": "application/zip", 
"#text": "application/zip" }, { "value": "image/bmp", "#text": "image/bmp" }, { "value": "image/jpeg", "#text": "image/jpeg" }, { "value": "image/png", "#text": "image/png" }, { "value": "image/tiff", "#text": "image/tiff" }, { "value": "image/webp", "#text": "image/webp" }, { "value": "image/svg+xml", "#text": "image/svg+xml" }, { "value": "text/csv", "#text": "text/csv" }, { "value": "text/html", "#text": "text/html" }, { "value": "text/plain", "#text": "text/plain" } ] }, "remarks": {"p": "These are in addition to the NIST-defined allowed values for resource types."} }, { "name": "system-identifier-type", "formal-name": "System Identifier Type", "description": "Enables an identifier to be formally recognized as being assigned by FedRAMP.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-id/@identifier-type"}, "allowed-values": { "allow-other": "yes", "enum": [ { "value": "https://fedramp.gov", "label": "FedRAMP ID", "#text": "FedRAMP-Assigned Identifier" }, { "value": "https://ietf.org/rfc/rfc4122", "short-label": "UUIDv4", "#text": "RFC-4122 UUIDv4 Value" } ] } }, { "name": "information-type-system", "formal-name": "Information Type System", "description": "Identifies the system from which the information type was defined.", "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:information-type-id/@system"}, "allowed-values": { "allow-other": "no", "enum": { "value": "https://doi.org/10.6028/NIST.SP.800-60v2r1", "label": "SP 800-60 V2R1", "#text": "NIST SP 800-60, Volume 2, Revision 1" } }, "remarks": {"p": "FedRAMP only allows information types defined in NIST SP 800-60v2r1."} }, { "name": "security-level", "formal-name": "Security Impact Level", "description": "The security objective level as defined by NIST SP 800-60.", "binding": [ {"pattern": "security-sensitivity-level"}, {"pattern": "security-impact-level"}, {"pattern": 
"(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"}, {"pattern": "system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"} ], "allowed-values": { "allow-other": "no", "enum": [ { "value": "fips-199-low", "label": "L", "#text": "Low" }, { "value": "fips-199-moderate", "label": "M", "#text": "Moderate" }, { "value": "fips-199-high", "label": "H", "#text": "High" } ] } }, { "name": "operational-status", "formal-name": "Operational Status (system)", "description": "The operational status of the system", "binding": {"pattern": "o:status/@state"}, "allowed-values": { "allow-other": "no", "enum": [ { "value": "operational", "short-label": "Operational", "#text": "Operational" }, { "value": "under-development", "short-label": "Development", "#text": "Under Development" }, { "value": "under-major-modification", "short-label": "Major Mod.", "#text": "Major Modification" }, { "value": "disposition", "short-label": "Alternative", "#text": "Alternative Implementation" }, { "value": "other", "short-label": "Other", "#text": "Other" } ] }, "remarks": {"p": "FedRAMP limits the allowed values from a larger NIST-defined list to only those defined here."} } ], "back-matter": { "resource": { "uuid": "871713A8-5A27-4AC3-8B94-972588469C6B", "title": "OPM Position Designation", "prop": [ {"name": "type"}, { "name": "published", "#text": "2017-09-01T00:00:00Z" } ], "rlink": { "media-type": "application/pdf", "href": "https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/position-designation-system-with-glossary-2017.pdf" } } } } }