<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_ssp_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
   uuid="11111111-2222-4000-8000-000000000000">
   <metadata>
      <title>[EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP)</title>
      <!-- NOTE(review): published is later than last-modified in this example; confirm both
           timestamps before reusing the file as a template. -->
      <published>2024-12-31T23:59:59Z</published>
      <last-modified>2024-11-05T02:24:00Z</last-modified>
      <!-- NOTE(review): three OSCAL versions appear in this document: 1.1.4 in the version
           string, 1.1.3 in oscal-version and in the xml-model schema URL, and 1.1.2 in the
           fedramp-version prop further down in metadata. Confirm which one the content
           targets so the document is validated against the matching schema. -->
      <version>fedramp3.0.0-oscal1.1.4</version>
      <oscal-version>1.1.3</oscal-version>
      <revisions>
         <revision>
            <published>2023-06-30T00:00:00Z</published>
            <version>1.0</version>
            <oscal-version>1.0.4</oscal-version>
            <prop ns="http://fedramp.gov/ns/oscal" name="party-uuid"
               value="11111111-2222-4000-8000-004000000001"/>
            <remarks>
               <p>Initial publication.</p>
            </remarks>
         </revision>
         <revision>
            <published>2023-07-06T00:00:00Z</published>
            <version>1.1</version>
            <oscal-version>1.0.4</oscal-version>
            <prop ns="http://fedramp.gov/ns/oscal" name="party-uuid"
               value="11111111-2222-4000-8000-004000000001"/>
            <remarks>
               <p>Minor <code>prop</code> updates.</p>
            </remarks>
         </revision>
      </revisions>
      <prop name="marking" value="cui" class="fedramp.gov"/>
      <prop name="fedramp-version" ns="http://fedramp.gov/ns/oscal" value="fedramp-3.0.0-oscal-1.1.2" />
      <!-- The following role definitions are required by FedRAMP -->
      <!-- Do not change the IDs or titles. -->
      <role id="fedramp-pmo">
         <title>FedRAMP Program Management Office</title>
         <description>
            <p>The FedRAMP PMO resides within GSA and supports agencies and cloud service providers
               through the FedRAMP authorization process and maintains a secure repository of
               FedRAMP authorizations to enable reuse of security packages.</p>
         </description>
      </role>
      <role id="prepared-by">
         <title>Prepared By</title>
         <description>
            <p>The organization that prepared this SSP. If developed in-house, this is the CSP
               itself.</p>
         </description>
      </role>
      <role id="prepared-for">
         <title>Prepared For</title>
         <description>
            <p>The organization for which this SSP was prepared. Typically the CSP.</p>
         </description>
      </role>
      <role id="content-approver">
         <title>System Security Plan Approval</title>
         <description>
            <p>The individual or individuals accountable for the accuracy of this SSP.</p>
         </description>
      </role>
      <role id="cloud-service-provider">
         <title>Cloud Service Provider</title>
         <short-name>CSP</short-name>
      </role>
      <role id="system-owner">
         <!-- Referenced in Section 4 - System Owner -->
         <title>Information System Owner</title>
         <description>
            <p>The individual within the CSP who is ultimately accountable for everything related to
               this system.</p>
         </description>
      </role>
      <role id="authorizing-official">
         <title>Authorizing Official</title>
         <description>
            <p>The individual or individuals who must grant this system an authorization to
               operate.</p>
         </description>
      </role>
      <role id="authorizing-official-poc">
         <title>Authorizing Official's Point of Contact</title>
         <description>
            <p>The individual representing the authorizing official.</p>
         </description>
      </role>
      <role id="system-poc-management">
         <title>Information System Management Point of Contact (POC)</title>
         <description>
            <p>The highest level manager who is responsible for system operation on behalf of the
               System Owner.</p>
         </description>
      </role>
      <role id="system-poc-technical">
         <title>Information System Technical Point of Contact</title>
         <description>
            <p>The individual or individuals leading the technical operation of the system.</p>
         </description>
      </role>
      <role id="system-poc-other">
         <title>General Point of Contact (POC)</title>
         <description>
            <p>A general point of contact for the system, designated by the system owner.</p>
         </description>
      </role>
      <role id="information-system-security-officer">
         <!-- Referenced in Section 5 - Assignment of Security Responsibility -->
         <title>System Information System Security Officer (or Equivalent)</title>
         <description>
            <p>The individual accountable for the security posture of the system on behalf of the
               system owner.</p>
         </description>
      </role>
      <role id="privacy-poc">
         <title>Privacy Official's Point of Contact</title>
         <description>
            <p>The individual responsible for the privacy threshold analysis and, if necessary, the
               privacy impact assessment.</p>
         </description>
      </role>
      <role id="asset-owner">
         <title>Owner of an inventory item within the system.</title>
      </role>
      <role id="asset-administrator">
         <title>Administrative responsibility an inventory item within the system.</title>
      </role>
      <role id="isa-poc-local">
         <title>ICA POC (Local)</title>
         <description>
            <p>The point of contact for an interconnection on behalf of this system.</p>
         </description>
         <remarks>
            <p>Remove this role if there are no ICAs.</p>
         </remarks>
      </role>
      <role id="isa-poc-remote">
         <title>ICA POC (Remote)</title>
         <description>
            <p>The point of contact for an interconnection on behalf of this external system to
               which this system connects.</p>
         </description>
         <remarks>
            <p>Remove this role if there are no ICAs.</p>
         </remarks>
      </role>
      <role id="isa-authorizing-official-local">
         <title>ICA Signatory (Local)</title>
         <description>
            <p>Responsible for signing an interconnection security agreement on behalf of this
               system.</p>
         </description>
         <remarks>
            <p>Remove this role if there are no ICAs.</p>
         </remarks>
      </role>
      <role id="isa-authorizing-official-remote">
         <title>ICA Signatory (Remote)</title>
         <description>
            <p>Responsible for signing an interconnection security agreement on behalf of the
               external system to which this system connects.</p>
         </description>
         <remarks>
            <p>Remove this role if there are no ICAs.</p>
         </remarks>
      </role>
      <role id="consultant">
         <title>Consultant</title>
         <description>
            <p>Any consultants involved with developing or maintaining this content.</p>
         </description>
      </role>
      <role id="customer">
         <title>Customer</title>
         <description>
            <p>Represents any customers of this system as may be necessary for assigning customer
               responsibility.</p>
         </description>
      </role>
      <role id="provider">
         <title>Provider</title>
         <description>
            <p>The provider of a leveraged system, external service, API, CLI.</p>
         </description>
      </role>
      <role id="admin-unix">
         <title>[SAMPLE]Unix Administrator</title>
         <description>
            <p>This is a sample role.</p>
         </description>
      </role>
      <role id="admin-client">
         <title>[SAMPLE]Client Administrator</title>
         <description>
            <p>This is a sample role.</p>
         </description>
      </role>
      <role id="external-system-owner">
         <title>External System Owner</title>
         <description>
            <p>The owner of an external system.</p>
         </description>
      </role>
      <role id="external-system-poc-management">
         <title>External System Management Point of Contact (POC)</title>
         <description>
            <p>The highest level manager who is responsible for an external system's operation on
               behalf of the System Owner.</p>
         </description>
      </role>
      <role id="external-system-poc-technical">
         <title>External System Technical Point of Contact</title>
         <description>
            <p>The individual or individuals leading the technical operation of an external
               system.</p>
         </description>
      </role>
      <role id="approver">
         <title>Approver</title>
         <description>
            <p>An internal approving authority.</p>
         </description>
      </role>
      <location uuid="11111111-2222-4000-8000-003000000001">
         <title>CSP HQ</title>
         <address type="work">
            <addr-line>Suite 0000</addr-line>
            <addr-line>1234 Some Street</addr-line>
            <city>Haven</city>
            <state>ME</state>
            <postal-code>00000</postal-code>
         </address>
         <remarks>
            <p>There must be one location identifying the CSP's primary business address, such as
               the CSP's HQ, or the address of the system owner's primary business location.</p>
         </remarks>
      </location>
      <location uuid="11111111-2222-4000-8000-003000000002">
         <title>Primary Data Center</title>
         <address>
            <addr-line>2222 Main Street</addr-line>
            <city>Anywhere</city>
            <state>--</state>
            <postal-code>00000-0000</postal-code>
            <country>US</country>
         </address>
         <prop name="type" class="primary" value="data-center"/>
         <remarks>
            <p>There must be one location for each data center.</p>
            <p>There must be at least two data center locations.</p>
            <p>For a data center, briefly summarize the components at this location.</p>
            <p>All data centers must have a "type" property with a value of "data-center".</p>
            <p>The type property must also have a class of "primary" or "alternate".</p>
         </remarks>
      </location>
      <location uuid="11111111-2222-4000-8000-003000000003">
         <title>Secondary Data Center</title>
         <address>
            <addr-line>3333 Small Road</addr-line>
            <city>Anywhere</city>
            <state>--</state>
            <postal-code>00000-0000</postal-code>
            <country>US</country>
         </address>
         <prop name="type" class="alternate" value="data-center"/>
         <remarks>
            <p>There must be one location for each data center.</p>
            <p>There must be at least two data center locations.</p>
            <p>For a data center, briefly summarize the components at this location.</p>
            <p>All data centers must have a "type" property with a value of "data-center".</p>
            <p>The type property must also have a class of "primary" or "alternate".</p>
         </remarks>
      </location>
      <party uuid="11111111-2222-4000-8000-004000000001" type="organization">
         <!-- CSP Name - referenced in Table 3.1 -->
         <name>Cloud Service Provider (CSP) Name</name>
         <short-name>CSP Acronym/Short Name</short-name>
         <link href="#11111111-2222-4000-8000-001000000052" rel="logo"/>
         <location-uuid>11111111-2222-4000-8000-003000000001</location-uuid>
         <remarks>
            <p>Replace sample CSP information.</p>
            <p>CSP information must be present and associated with the "cloud-service-provider" role
               via <code>responsible-party</code>.</p>
         </remarks>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000002" type="organization">
         <!-- NOTE(review): no responsible-party entry in this metadata section uses role-id
              "fedramp-pmo", although the remarks below require that association. Add one or
              confirm it is intentionally omitted from this example. -->
         <name>Federal Risk and Authorization Management Program: Program Management Office</name>
         <short-name>FedRAMP PMO</short-name>
         <!-- NOTE(review): the homepage is linked over plain http; prefer the https form if
              the site serves it. -->
         <link href="http://fedramp.gov" rel="homepage"/>
         <link href="#11111111-2222-4000-8000-001000000051" rel="logo"/>
         <email-address>info@fedramp.gov</email-address>
         <address type="work">
            <addr-line>1800 F St. NW</addr-line>
            <city>Washington</city>
            <state>DC</state>
            <postal-code>20006</postal-code>
            <country>US</country>
         </address>
         <remarks>
            <p>This party entry must be present in a FedRAMP SSP.</p>
            <p>The uuid may be different; however, the uuid must be associated with the
               "fedramp-pmo" role in the responsible-party assemblies.</p>
         </remarks>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000003" type="organization">
         <!-- NOTE(review): the remarks below refer to a "fedramp-jab" role, but no role with
              that id and no responsible-party using it appears in this metadata section.
              This party is listed under "authorizing-official" instead; confirm the intended
              role so the accountability mapping is unambiguous. -->
         <name>Federal Risk and Authorization Management Program: Joint Authorization Board</name>
         <short-name>FedRAMP JAB</short-name>
         <link href="#11111111-2222-4000-8000-001000000051" rel="logo"/>
         <remarks>
            <p>This party entry must be present in a FedRAMP SSP.</p>
            <p>The uuid may be different; however, the uuid must be associated with the
               "fedramp-jab" role in the responsible-party assemblies.</p>
         </remarks>
      </party>
      <!-- The following parties are samples, and may be modified or removed -->
      <party uuid="11111111-2222-4000-8000-004000000004" type="organization">
         <name>External Organization</name>
         <short-name>External</short-name>
         <remarks>
            <p>Generic placeholder for any external organization.</p>
         </remarks>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000005" type="organization">
         <name>Agency Name</name>
         <short-name>A.N.</short-name>
         <remarks>
            <p>Generic placeholder for an authorizing agency.</p>
         </remarks>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000006" type="organization">
         <name>Name of Consulting Org</name>
         <short-name>NOCO</short-name>
         <link href="https://example.com"/>
         <link href="#11111111-2222-4000-8000-001000000053" rel="logo"/>
         <email-address>poc@example.com</email-address>
         <address type="work">
            <addr-line>3333 Corporate Way</addr-line>
            <city>Washington</city>
            <state>DC</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000007" type="organization">
         <name>[SAMPLE]Remote System Org Name</name>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000008" type="person">
         <name>[SAMPLE]ICA POC's Name</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>person@ica.example.org</email-address>
         <telephone-number>2025551212</telephone-number>
         <member-of-organization>11111111-2222-4000-8000-004000000007</member-of-organization>
      </party>
      <party uuid="22222222-2222-4000-8000-c0040000000a" type="organization">
         <name>[SAMPLE]Example IaaS Provider</name>
         <short-name>E.I.P.</short-name>
         <remarks>
            <p>Underlying service provider. Leveraged Authorization.</p>
         </remarks>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000010" type="person">
         <name>[SAMPLE]Person Name 1</name>
         <prop name="job-title" value="Individual's Title"/>
         <prop name="mail-stop" value="Mailstop A-1"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000001</telephone-number>
         <location-uuid>11111111-2222-4000-8000-003000000001</location-uuid>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000011" type="person">
         <name>[SAMPLE]Person Name 2</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000002</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000012" type="person">
         <name>[SAMPLE]Person Name 3</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000003</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000013" type="person">
         <name>[SAMPLE]Person Name 4</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000004</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000014" type="person">
         <name>[SAMPLE]Person Name 5</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000005</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000015" type="person">
         <name>[SAMPLE]Person Name 6</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000006</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000004</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000016" type="person">
         <name>[SAMPLE]Person Name 7</name>
         <prop name="job-title" value="Individual's Title"/>
         <email-address>name@example.com</email-address>
         <telephone-number>2020000007</telephone-number>
         <address type="work">
            <addr-line>Address Line</addr-line>
            <city>City</city>
            <state>ST</state>
            <postal-code>00000</postal-code>
            <country>US</country>
         </address>
         <member-of-organization>11111111-2222-4000-8000-004000000001</member-of-organization>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000017" type="organization">
         <name>[SAMPLE] IT Department</name>
      </party>
      <party uuid="11111111-2222-4000-8000-004000000018" type="organization">
         <name>[SAMPLE]Security Team</name>
      </party>
      <party uuid="11111111-2222-4000-8000-c0040000000a" type="person">
         <name>Leveraged Authorization User</name>
      </party>



      <party uuid="22222222-2222-4000-8000-004000000001" type="organization">
         <name>Name of Leveraged System A Provider</name>
      </party>
      <party uuid="33333333-2222-4000-8000-004000000001" type="organization">
         <name>Name of Leveraged System B Provider</name>
      </party>
      <party uuid="44444444-2222-4000-8000-004000000001" type="organization">
         <name>Name of Leveraged System C Provider</name>
      </party>
      <party uuid="55555555-2222-4000-8000-004000000001" type="organization">
         <name>Name of Service Provider</name>
      </party>
      <party uuid="66666666-2222-4000-8000-004000000001" type="organization">
         <name>Name of Telco Provider</name>
      </party>
      <responsible-party role-id="provider">
         <party-uuid>11111111-2222-4000-8000-004000000018</party-uuid>
      </responsible-party>
      <responsible-party role-id="cloud-service-provider">
         <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid>
         <party-uuid>22222222-2222-4000-8000-004000000001</party-uuid>
         <remarks>
            <p>Zero or more</p>
         </remarks>
      </responsible-party>
      <!-- Page 3 -->
      <responsible-party role-id="prepared-by">
         <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="prepared-for">
         <!-- Exactly one -->
         <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid>
      </responsible-party>
      <!-- Page 6 -->
      <responsible-party role-id="content-approver">
         <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
         <remarks>
            <p>One or more</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="system-owner">
         <!-- Section 4 - System Owner -->
         <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="authorizing-official">
         <party-uuid>11111111-2222-4000-8000-004000000003</party-uuid>
         <party-uuid>11111111-2222-4000-8000-004000000015</party-uuid>
         <remarks>
            <p>One or more</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="system-poc-management">
         <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="system-poc-technical">
         <party-uuid>11111111-2222-4000-8000-004000000013</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <!-- Section 5 - Assignment of Security Responsibility -->
      <responsible-party role-id="information-system-security-officer">
         <party-uuid>11111111-2222-4000-8000-004000000014</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="authorizing-official-poc">
         <party-uuid>11111111-2222-4000-8000-004000000015</party-uuid>
         <remarks>
            <p>Exactly one</p>
         </remarks>
      </responsible-party>
      <responsible-party role-id="privacy-poc">
         <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid>
         <!-- NOTE(review): the list inside the remarks below ("test", "hello") reads like
              leftover test markup rather than guidance for this role; presumably it should be
              removed before the file is used as a template. Also confirm that a p element
              nested inside li is accepted by the schema named in the xml-model instruction. -->
         <remarks>
            <p>Exactly one</p>
            <ul>
               <li>test<b>test</b><p>hello</p></li>
            </ul>
         </remarks>
      </responsible-party>


   </metadata>
   <!-- Selects the control baseline this SSP is written against. -->
   <import-profile
      href="https://raw.githubusercontent.com/GSA/fedramp-automation/refs/heads/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml">
      <!-- NOTE(review): the href resolves the baseline from refs/heads/master, a branch whose
           content can change after this SSP is authored, while the remarks below describe it
           as the FedRAMP 3.0.0 release content. Consider pointing at a release tag or commit
           and checking the resolved profile, so the control set a reviewer sees is the one
           the plan was written against. -->
      <remarks>
         <p>This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official
            FedRAMP 3.0.0 release.</p>
         <p>Must adjust accordingly for applicable baseline and revision.</p>
      </remarks>
   </import-profile>
   <system-characteristics>
      <!-- Section 3 - System Information -->
      <!-- Table 3.1 Information System Name and Title -->
      <system-id identifier-type="http://fedramp.gov">F00000000</system-id>
      <system-name>System's Full Name</system-name>
      <system-name-short>System's Short Name or Acronym</system-name-short>
      <!-- General System Description -->
      <description>
         <p>[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above]
            offering using a multi-tenant [insert based on the Deployment Model above] cloud
            computing environment. It is available to [Insert scope of customers in accordance with
            instructions above (for example, the public, federal, state, local, and tribal
            governments, as well as research institutions, federal contractors, government
            contractors etc.)].</p>
         <p>NOTE: Additional description, including the purpose and functions of this system may be
            added here. This includes any narrative text usually included in section 9.1 of the
            SSP.</p>
         <p>NOTE: The description is expected to be at least 32 words in length.</p>
      </description>
      <!-- Service & Deployment Model -->
      <prop name="cloud-service-model" value="saas">
         <remarks>
            <p>Remarks are required if service model is "other". Optional otherwise.</p>
         </remarks>
      </prop>
      <prop name="cloud-deployment-model" value="government-only-cloud">
         <!-- Rev5 update - switch to core prop -->
         <remarks>
            <p>Remarks are required if deployment model is "hybrid-cloud" or "other". Optional
               otherwise.</p>
         </remarks>
      </prop>
      <!-- Digital Identity Level (DIL) Determination -->
      <!-- 1 = low, 2= moderate, 3 = high  -->
      <prop name="identity-assurance-level" value="2"/>
      <prop name="authenticator-assurance-level" value="2"/>
      <prop name="federation-assurance-level" value="2"/>
      <!-- NOTE(review): this value does not read as a date-time: "2023-12031" has no hyphen
           between month and day, and the zone designator is a lowercase "z" where the other
           timestamps visible in this document use "Z". Presumably 2023-12-31T00:00:00Z was
           meant; confirm before relying on it. -->
      <prop ns="http://fedramp.gov/ns/oscal" name="fully-operational-date" value="2023-12031T00:00:00z"/>
      <!-- Rev5 update - new prop -->
      <!-- FedRAMP Authorization Path: fedramp-jab, fedramp-agency, or fedramp-li-saas -->
      <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency"/>
      <!-- FIPS PUB 199 Level -->
      <!-- NOTE(review): this is fips-199-high, while import-profile points at the Moderate
           baseline and security-impact-level below lists fips-199-moderate for all three
           objectives. One information-type below selects fips-199-high for availability,
           which would fit a high level. The categorization determines which control
           baseline applies, so confirm the intended level and make these places agree. -->
      <security-sensitivity-level>fips-199-high</security-sensitivity-level>
      <system-information>
         <!-- Rev5 update - PIA/PTAs are no longer required by FedRAMP -->
         <!-- Table K.1 - Use the information-type element to provide details about all information types that are stored, processed, or transmitted by the system -->
         <information-type uuid="11111111-2222-4000-8000-006000000001">
            <title>Information Type Name</title>
            <description>
               <p>A description of the information.</p>
            </description>
            <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
               <information-type-id>C.2.4.1</information-type-id>
            </categorization>
            <confidentiality-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </confidentiality-impact>
            <integrity-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-low</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </integrity-impact>
            <availability-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </availability-impact>
         </information-type>
         <information-type uuid="11111111-2222-4000-8000-006000000002">
            <title>Information Type Name</title>
            <description>
               <p>A description of the information.</p>
            </description>
            <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
               <information-type-id>C.3.5.1</information-type-id>
            </categorization>
            <confidentiality-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-low</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </confidentiality-impact>
            <integrity-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </integrity-impact>
            <availability-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-high</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </availability-impact>
         </information-type>
         <information-type uuid="11111111-2222-4000-8000-006000000003">
            <title>Information Type Name</title>
            <description>
               <p>A description of the information.</p>
            </description>
            <categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
               <information-type-id>C.3.5.8</information-type-id>
            </categorization>
            <confidentiality-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </confidentiality-impact>
            <integrity-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </integrity-impact>
            <availability-impact>
               <base>fips-199-moderate</base>
               <selected>fips-199-moderate</selected>
               <adjustment-justification>
                  <p>Required if the base and selected values do not match.</p>
               </adjustment-justification>
            </availability-impact>
         </information-type>


      </system-information>
      <!-- Security Impact Level: one FIPS 199 value per security objective for the system. -->
      <!-- NOTE(review): an information-type above sets availability-impact/selected to
           fips-199-high, while security-objective-availability below is fips-199-moderate.
           FIPS 199 categorization normally takes the highest selected value across all
           information types for each objective; confirm the intended value. -->
      <security-impact-level>
         <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
         <security-objective-integrity>fips-199-moderate</security-objective-integrity>
         <security-objective-availability>fips-199-moderate</security-objective-availability>
      </security-impact-level>

      <!-- Fully Operational as of -->
      <status state="operational">
         <remarks>
            <p>Remarks are optional if status/state is "operational".</p>
            <p>Remarks are required otherwise.</p>
         </remarks>
      </status>

      <!-- Section 8 - Illustrated Architecture and Narrative -->
      <authorization-boundary>
         <!-- Section 8.2 Narrative (boundary) -->
         <description>
            <p>A holistic, top-level explanation of the FedRAMP authorization boundary.</p>
         </description>
         <!-- Section 8.1 Illustrated Architecture (boundary diagram) -->
         <diagram uuid="11111111-2222-4000-8000-007000000001">
            <description>
               <p>A diagram-specific explanation.</p>
            </description>
            <link href="#11111111-2222-4000-8000-001000000054" rel="diagram"/>
            <caption>Authorization Boundary Diagram</caption>
         </diagram>
      </authorization-boundary>
      <network-architecture>
         <!-- Section 8.2 Narrative (network) -->
         <description>
            <p>A holistic, top-level explanation of the network architecture.</p>
         </description>
         <!-- Section 8.1 Illustrated Architecture (network diagram) -->
         <diagram uuid="11111111-2222-4000-8000-007000000002">
            <description>
               <p>A diagram-specific explanation.</p>
            </description>
            <link href="#11111111-2222-4000-8000-001000000055" rel="diagram"/>
            <caption>Network Diagram</caption>
         </diagram>
      </network-architecture>
      <data-flow>
         <!-- Section 8.2 Narrative (data flows) -->
         <description>
            <p>A holistic, top-level explanation of the system's data flows.</p>
         </description>
         <!-- Section 8.1 Illustrated Architecture (data flows) -->
         <diagram uuid="11111111-2222-4000-8000-007000000003">
            <description>
               <p>A diagram-specific explanation.</p>
            </description>
            <link href="#11111111-2222-4000-8000-001000000056" rel="diagram"/>
            <caption>Data Flow Diagram</caption>
         </diagram>
      </data-flow>
   </system-characteristics>
   <system-implementation>

      <!-- Section 6 - Leveraged Authorizations. -->
      <!--   Add one for each leveraged system -->
      <!--   There must be a corresponding  component of type "system" for each leveraged authorization. -->

      <leveraged-authorization uuid="11111111-2222-4000-8000-019000000001">
         <title>AwesomeCloud Commercial(IaaS)</title>
         <prop ns="http://fedramp.gov/ns/oscal" name="leveraged-system-identifier"
            value="F9999999999"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="authorization-type" value="fedramp-agency">
            <remarks>
               <p>For now, this is a required field. In the future we intend 
                  to pull this information directly from FedRAMP's records
                  based on the "leveraged-system-identifier" property's value.</p>
            </remarks>
         </prop>
         <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="fips-199-moderate">
            <remarks>
               <p>For now, this is a required field. In the future we intend 
                  to pull this information directly from FedRAMP's records
                  based on the "leveraged-system-identifier" property's value.</p>
            </remarks>
         </prop>

         <party-uuid>11111111-2222-4000-8000-c0040000000a</party-uuid>
         <date-authorized>2015-01-01</date-authorized>
         <remarks>
            <p>Use one leveraged-authorization assembly for each underlying authorized 
               cloud system or general support system (GSS).</p>
            <p>For each leveraged authorization there must also be a "system" component.
               The corresponding "system" component must include a
               "leveraged-authorization-uuid" property
               that links it to this leveraged authorization.</p>
         </remarks>
      </leveraged-authorization>

      <user uuid="11111111-2222-4000-8000-008000000001">
         <authorized-privilege>
            <title></title>
            <function-performed>none</function-performed>
         </authorized-privilege>
         <remarks>
            <p>The user assembly is being reviewed for continued applicability 
               under FedRAMP's adoption of Rev 5.</p>
            <p>Currently, FedRAMP will only process user content if it includes the
            FedRAMP "separation-of-duties-matrix" property/extension. All other user 
            entries will be ignored by validation rules, but may be displayed by tools. </p>
         </remarks>
      </user>
      <user uuid="11111111-2222-4000-8000-008000000002">
         <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal" />
         <authorized-privilege>
            <title>Add/Remove Admins</title>
            <function-performed>This can add and remove admins.</function-performed>
         </authorized-privilege>
      </user>
      <user uuid="11111111-2222-4000-8000-008000000003">
         <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal" />
         <authorized-privilege>
            <title></title>
            <function-performed>add/remove non-privileged admins</function-performed>
         </authorized-privilege>
      </user>
      <user uuid="11111111-2222-4000-8000-008000000004">
         <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal" />
         <authorized-privilege>
            <title></title>
            <function-performed>Manage services and components within the virtual cloud environment.</function-performed>
         </authorized-privilege>
      </user>
      <user uuid="11111111-2222-4000-8000-008000000005">
         <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal" />
         <authorized-privilege>
            <title></title>
            <function-performed>Add and remove users from the virtual cloud environment.</function-performed>
         </authorized-privilege>
      </user>

      <!-- ========= MINIMUM REQUIRED COMPONENT: THIS SYSTEM ======= -->
      <!--         There must be a "this-system" component           -->
      <component uuid="11111111-2222-4000-8000-009000000000" type="this-system">
         <title>This System</title>
         <description>
            <p>This component represents the entire authorization boundary, 
               as depicted in the system authorization boundary diagram.</p>
            <p>FedRAMP requires exactly one "this-system" component, which is used
            in control implementation responses and interconnections.</p>
         </description>
         <status state="operational"/>
         <remarks>
            <p>A FedRAMP SSP must always have exactly one "this-system" component
               that represents the whole system.</p>
            <p>It does not need system details, as those exist elsewhere in this SSP.</p>
         </remarks>
      </component>

      <!-- ============= EXTERNAL COMPONENTS ============= -->

      <!-- ==== ================================================================= ====- -->
      <!-- ====                  Table 6.1 Leveraged Authorizations               ====- -->
      <!-- ==== ================================================================= ====- -->
      
      <!-- Leveraged FedRAMP-Authorized Systems -->
      <component uuid="11111111-2222-4000-8000-009000100001" type="system">
         <title>Awesome Cloud IaaS (Leveraged Authorized System)</title>
         <description>
            <p>Briefly describe the leveraged system.</p>
         </description>
         <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
         <prop name="implementation-point" value="external"/>
         <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001" />
         <prop name="nature-of-agreement" value="sla"  ns="http://fedramp.gov/ns/oscal"/>
         <prop name="authentication-method" value="yes"  ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>If 'yes', describe the authentication method.</p>
               <p>If 'no', explain why no authentication is used.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>
         <prop name="information-type" value="C.3.5.1" class="incoming" ns="http://fedramp.gov/ns/oscal"/>
         <prop name="information-type" value="C.3.5.8" class="outgoing" ns="http://fedramp.gov/ns/oscal"/>
         <status state="operational"/>

         <responsible-role role-id="provider">
            <party-uuid>11111111-2222-4000-8000-c0040000000a</party-uuid>
            <remarks>
               <p>The "provider" role is required for the component representing
               a leveraged system. It must reference exactly one party 
               (via party-uuid), which points to a party of type "organization"
               representing the organization that owns the leveraged system.</p>
            </remarks>
         </responsible-role>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000005" ns="http://fedramp.gov/ns/oscal" />
         </responsible-role>
         <remarks>
            <p>This is a leveraged system within which this system operates.
               It is explicitly listed on the FedRAMP marketplace with a status of 
               "FedRAMP Authorized".</p>
            <h1>Requirements</h1>
            <p>Each leveraged system must be expressed as a "system" component, and must have:</p>
            <ul>
               <li>the name of the system in the title - exactly as it appears in the FedRAMP
                  Marketplace</li>
               <li>a "leveraged-authorization-uuid" core property that links this component to the
                  leveraged-authorization entry</li>
               <li>an "implementation-point" core property with a value of "external"</li>
               <li>A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is
                  "other", use the property's remarks to describe the agreement.</li>
               <li>an "authentication-method" property/extension with a value of "yes", "no" or 
                  "not-applicable" with commentary in the remarks.</li>
               <li>One or more "information-type" property/extensions, where the
                  allowed values are the 800-60
                  information type identifiers.</li>
               <li>A "provider" responsible-role with exactly one party-uuid entry
                  that indicates which organization is the provider of this leveraged system.</li>
               <li>a status with a state value of "operational"</li>
               <li>At least one responsible-role (other than "provider") that indicates any authorized
                  users. This must have one or more "privilege-uuid" property/extensions. Each references
                  a user assembly entry.</li>
            </ul>
            <p/>
            <p>Where relevant, this component should also have:</p>
            <ul>
               <li>An "inherited-uuid" property if the leveraged system's owner provides a UUID for
                  their system (such as in an OSCAL-based CRM).</li>
            </ul>
            <p/>
            <p>Links to the vendor website describing the system are encouraged, but not required.</p>
            
            <h1>Services</h1>
            <p>A service within the scope of the leveraged system's authorization boundary 
               is considered an "authorized service". Any other service offered by the 
               leveraged system is considered a "non-authorized service"</p>
            <p>Represent each authorized or non-authorized leveraged service using a
               "service" component. Both authorized and non-authorized service components
               are represented the same way in OSCAL, with the following exceptions:</p>
            <ul>
               <li>The component for an authorized service includes a
                   "leveraged-authorization-uuid" property. This 
                   property must be excluded from the component of a 
                   non-authorized leveraged service.</li>
               <li>The component for a non-authorized service must include 
                  a "still-supported" property/extension.</li>
               <li>The component for a non-authorized service must have
               a "poam-item" link that references a corresponding entry in this system's
               POA&amp;M.</li>
            </ul>
            
            <p>Both authorized and non-authorized leveraged services include:</p>
            <ul>
               <li>a "provided-by" link with a URI fragment that points
               to the "system" component representing the leveraged system. 
               (Example: <code>"#11111111-2222-4000-8000-009000100001"</code>)</li>
               <li>the name of the service in the title (for authorized services this should be
                  exactly as it appears in the FedRAMP Marketplace)</li>
               <li>an "implementation-point" core property with a value of "external"</li>
               <li>an "authentication-method" property/extension with a value of "yes", "no" or 
                  "not-applicable" with commentary in the remarks.</li>
               <li>One or more "information-type" property/extensions, where the
                  allowed values are the 800-60
                  information type identifiers.</li>
               <li>a status with a state value of "operational"</li>
               <li>At least one responsible-role (other than "provider") that indicates any authorized
                  users. This must have one or more "privilege-uuid" property/extensions. Each references
                  a user assembly entry.</li>               
            </ul>

            <p>Although SSP Table 7.1 also requires data categorization and hosting
               environment information about non-authorized leveraged services,
               these details are derived from other content in this SSP.</p>
         </remarks>
      </component>

      <!-- Authorized Service from a Leveraged FedRAMP-Authorized System -->
      <component uuid="11111111-2222-4000-8000-009000500001" type="service">
         <title>Service A</title>
         <description>
            <p>An authorized service provided by the Awesome Cloud leveraged authorization.</p>
            <p>Describe the service and what it is used for.</p>
         </description>
         <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
         <prop name="implementation-point" value="external"/>
         <!-- NOTE(review): the remarks on the leveraged "system" component say every leveraged
              service also carries an "authentication-method" property; this example sets
              connection-security but no authentication-method. Confirm whether one is needed. -->
         <prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="tls-1.3" />
         <prop ns="http://fedramp.gov/ns/oscal" class="incoming" name="information-type" value="C.3.5.1"/>
         <prop ns="http://fedramp.gov/ns/oscal" class="outgoing" name="information-type" value="C.3.5.8"/>
         <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
         <status state="operational"/>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000005" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
         </responsible-role>
         <remarks>
            <p>This is a service offered by a leveraged system and used by this system.
               It is explicitly listed on the FedRAMP marketplace as being included in the
               scope of this leveraged system's ATO, thus is considered an "Authorized Service".</p>
            <p/>
            <p>Each leveraged service must be expressed as a "service" component, and must have:</p>
            <ul>
               <li>the name of the service in the title - exactly as it appears in the FedRAMP
               Marketplace</li>
               <li>a "leveraged-authorization-uuid" property that links this component to the
               leveraged-authorization entry</li>
               <li>an "implementation-point" property with a value of "external"; and</li>
               <li>a "provided-by" link with a URI fragment that points  to the 
                  "system" component representing the leveraged system. (Example: <code>"#11111111-2222-4000-8000-009000100001"</code>)</li>
            </ul>
            <p/>
            <p>Where relevant, this component should also have:</p>
            <ul>
               <li>One or more "information-type" properties, where the allowed values are the 800-60
               information type identifiers.</li>
               <li>At least one responsible-role that indicates the authorized users, with a role-id of "leveraged-authorization-users" and
               one or more party-uuid entries that indicate which users within this system may
               interact with the leveraged system.</li>
               <li>An "inherited-uuid" property if the leveraged system's owner provides a UUID for
                  their system (such as in an OSCAL-based CRM).</li>
            </ul>
            <p>Link(s) to the vendor's web site describing the service are encouraged, but not
               required.</p>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               leveraged-authorization assembly:</p>
            <ul>
               <li>Package ID, Authorization Type, Impact Level</li>
            </ul>
            <p/>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               "system" component representing the leveraged system as a whole:</p>
            <p>- Nature of Agreement, CSP Name</p>
         </remarks>
      </component>

      <!-- ==== ================================================================= ====- -->
      <!-- ==== Table 7.1 External Services, Interconnections, and Non-Authorized ====- -->
      <!-- ==== ================================================================= ====- -->
      
      <!-- Table 7.1 Scenario 1: A non-authorized service from a FedRAMP leveraged authorization -->
      <component uuid="11111111-2222-4000-8000-009000500002" type="service">
         <title>Service B</title>
         <description>
            <p>A non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
            <p>Describe the service and what it is used for.</p>
         </description>
         <prop name="implementation-point" value="external" />
         <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />
         <prop name="still-supported" value="yes" ns="http://fedramp.gov/ns/oscal" />
         <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>If 'yes', describe the authentication method.</p>
               <p>If 'no', explain why no authentication is used.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>
         <prop name="information-type" value="C.3.5.1" class="incoming" ns="http://fedramp.gov/ns/oscal" />
         <prop name="information-type" value="C.3.5.8" class="outgoing" ns="http://fedramp.gov/ns/oscal" />
         <link  rel="provided-by" href="#11111111-2222-4000-8000-009000100001" />
         <link  rel="poam-item"   href="#11111111-2222-4000-8000-001000000048" resource-fragment="11111111-3333-4000-8000-000000000001" />
         <status state="operational" />
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>
         <remarks>
            <!-- TODO: Validate this description -->
            <p>This is a service offered by a leveraged system and used by this system.
               It is NOT explicitly listed on the FedRAMP marketplace as being included 
               in the scope of the leveraged system's ATO, thus is treated as a 
               non-authorized, leveraged service.</p>
            <p/>
            <p>Each non-authorized leveraged service must be expressed as a "service" component, and must have:</p>
            <ul>
               <li>the name of the service in the title - exactly as it appears in the FedRAMP
                  Marketplace</li>
               <li>an "implementation-point" property with a value of "external"; and</li>
               <li>One or more "information-type" property/extensions, where the allowed values are the 800-60
                  information type identifiers, and the cited types are included in the full list of system information types.</li>
               <li>exactly one "poam-item" link, with an href value that references the
                  POA&amp;M and a resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               <li>a "provided-by" link with a URI fragment that points to the 
                  "system" component representing the leveraged system. (Example: <code>"#11111111-2222-4000-8000-009000100001"</code>)</li>


            </ul>
            <p>The "leveraged-authorization-uuid" property must NOT be present, as this is how
               tools are able to distinguish between authorized and non-authorized services
               from the same leveraged provider.</p>
            <p/>
            
            <p>Where relevant, this component should also have:</p>
            <ul>
               <li>At least one responsible-role that indicates the authorized users, with a role-id of "leveraged-authorization-users" and
                  one or more party-uuid entries that indicate which users within this system may
                  interact with the leveraged system.</li>
               <li>An "inherited-uuid" property if the leveraged system's owner provides a UUID for
                  their system (such as in an OSCAL-based CRM).</li>
            </ul>
            <p>Link(s) to the vendor's web site describing the service are encouraged, but not
               required.</p>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               leveraged-authorization assembly:</p>
            <ul>
               <li>Package ID, Authorization Type, Impact Level</li>
            </ul>
            <p/>
            
            <p>- An "inherited-uuid" property if the leveraged system's owner provides a UUID for
               their system (such as in an OSCAL-based CRM).</p>
            <p>Link(s) to the vendor's web site describing the service are encouraged, but not
               required.</p>
            <p/>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               leveraged-authorization assembly:</p>
            <p>- Package ID, Authorization Type, Impact Level</p>
            <p/>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               "system" component assembly:</p>
            <p>- Nature of Agreement, CSP Name</p>
            <p/>
            <p>An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.</p>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 2: An interconnection between this system and an external system -->
      <!-- Table 7.1 Scenario 2 - Part 1: An external system with which this system has an interconnection -->
      <component uuid="11111111-2222-4000-8000-009000100002" type="system">
         <title>Other Cloud SaaS</title>
         <description>
            <p>An external system with which this system shares an interconnection.</p>
         </description>
         <!-- NOTE(review): the remarks below list an "implementation-point" property with a
              value of "external" as required for each "system" component of an
              interconnection, but none is set on this component; confirm whether it
              should be added. -->
         <prop name="asset-type" value="saas"/>
         
         <!-- NOTE(review): this inherited-uuid value is identical to the one set on the
              "Awesome Cloud IaaS" system component; presumably each external system has
              its own identifier. Verify before reusing this example. -->
         <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001" />
         
         <status state="operational"/>

         <responsible-role role-id="provider">
            <party-uuid>33333333-2222-4000-8000-004000000001</party-uuid>
         </responsible-role>         
         <responsible-role role-id="authorizing-official">
            <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
         </responsible-role>
         <responsible-role role-id="system-owner">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <responsible-role role-id="system-poc-management">
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
         </responsible-role>
         <responsible-role role-id="system-poc-technical">
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>
         <!-- Protocol entry for this external system: LDAP on TCP port 389 only. -->
         <!-- NOTE(review): TCP 389 is the default LDAP port, which carries directory traffic
              unencrypted unless StartTLS or a tunnel is used. The interconnection component
              that links to this system declares connection-security "ipsec"; the SSP should
              state which mechanism protects this port. -->
         <protocol name="ldap" uuid="11111111-2222-4000-8000-010000000002">
            <title>services</title>
            <port-range start="389" end="389" transport="TCP" />
         </protocol>
         <remarks>
            <!-- TODO: Validate this description -->
            <p>Each interconnection to one or more remote systems must have:</p>
            <ul>
               <li>a "system" component (this component)</li>
               <li>an "interconnection" component</li>
            </ul>
            <p>Each "system" component must have:</p>
            <ul>
               <li>an "asset-type" property with a value of "saas", "paas", "iaas" or "other"</li>
               <li>an "implementation-point" property with a value of "external"</li>
               <li>a "status" field with a state value of "operational"</li>
               <li>if an interconnection exists with this system and there are 
                  remote listening ports, one or more "protocol" assemblies must
                  be provided.</li>
            </ul>
            
            <p>While not required, each "system" component should have:</p>
            <ul>
               <li>an "inherited-uuid" property if the value was provided by the system owner</li>
               <li>a "compliance" property/extension if appropriate</li>
               <li>an "authorizing-official" responsible-role</li>
               <li>a "system-owner" responsible-role</li>
               <li>a "system-poc-management" responsible-role</li>
               <li>a "system-poc-technical" responsible-role</li>
            </ul>  
            <p>Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP
               properties/extensions for these roles; instead, favor the core OSCAL
               responsible-role constructs and the NIST-standard roles of
               "authorizing-official", "system-owner", "system-poc-management",
               and "system-poc-technical".</p>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 2 - Part 2: Interconnection to external system -->
      <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
         <!-- Use title element to provide System/ Service/ API/CLI Name -->
         <title>[EXAMPLE]Authorized Connection Information System Name</title>
         <description>
            <p>Describe the purpose of the external system/service; specifically, provide reasons
               for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
         </description>

         <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal" />
         <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>If 'yes', describe the authentication method in the remarks.</p>
               <p>If 'no', explain why no authentication is used in the remarks.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>
         <prop class="incoming" name="information-type" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
         <prop class="incoming" name="information-type" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
         <prop name="compliance" value="soc-2-type-1" ns="http://fedramp.gov/ns/oscal" />
         <prop name="compliance" value="pci-dss" ns="http://fedramp.gov/ns/oscal" />
         <prop name="compliance" value="iso-27001" ns="http://fedramp.gov/ns/oscal" />
         <prop name="hosting-environment" value="see-remarks" ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>Describe the hosting of the interconnection itself (NOT the hosting of the remote system).</p>
            </remarks>
         </prop>


         <prop name="ipv4-address" class="local" value="10.1.1.1"/>
         <prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/>
         <prop name="ipv4-address" class="remote" value="10.2.2.2"/>
         <prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/>

         <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />

         <!-- Link to the back-matter resource labelled ISA. -->
         <!-- NOTE(review): the remarks below require at least one "agreement" link to the
              back-matter resource holding the ISA; this link uses rel="attachment".
              Confirm which rel value validation expects. -->
         <link rel="attachment" href="#11111111-2222-4000-8000-001000000058">
            <text>ISA</text>
         </link>
         <link rel="used-by"   href="#11111111-2222-4000-8000-009000000000" >
            <text>UUID of "this system" or a component within this system's boundary</text>
         </link>
         <link rel="used-by"   href="#11111111-2222-4000-8000-009000100002" >
            <text>UUID of remote system</text>
         </link>

         <!-- NOTE(review): this poam-item href resolves to an external host at a branch
              reference (refs/heads/main), so the target can change without this SSP
              changing. The Service B component instead uses a local fragment reference
              (#uuid); consider the same pattern here so the plan of action and milestones
              reference stays pinned to reviewed content. -->
         <link rel="poam-item" href="https://raw.githubusercontent.com/usnistgov/oscal-content/refs/heads/main/examples/poam/xml/ifa_plan-of-action-and-milestones.xml" resource-fragment="11111111-3333-4000-8000-000000000001" />
         

         <status state="operational"/>
         
         <responsible-role role-id="provider">
            <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
         </responsible-role>
         <responsible-role role-id="isa-poc-remote">
            <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
         </responsible-role>
         <responsible-role role-id="isa-poc-local">
            <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
         </responsible-role>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>


         <remarks>
            <!-- TODO: Validate this description -->
            
            <p>Each interconnection to one or more remote systems must have:</p>
            <ul>
               <li>one "system" component for each remote system sharing the connection</li>
               <li>an "interconnection" component (this component)</li>
            </ul>
            <p>Each "interconnection" component must have:</p>
            <ul>
               <li>an "implementation-point" property with a value of "external"</li>
               <li>a "status" field with a state value of "operational"</li>
               <li>a "nature-of-agreement" property/extension</li>
               <li>one or more "authentication-method" properties/extensions.</li>
               <li>a "hosting-environment" property/extension</li>
               <li>at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local" </li>
               <li>at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote" </li>
               <li>at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.</li>
               <li>at least one "agreement" link with an href value that refers to a back-matter resource containing the interconnection security agreement (ISA)</li>
               <li>exactly one "used-by" link with an href value that refers to the "this-system" component.</li>
               <li>one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.</li>
               <li>exactly one "poam-item" link, with an href value that references the
                  POA&amp;M and a resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               
               <li>exactly one "provider" responsible role that references the party information for the organization that provides the connection.</li>
            </ul>
            <p>Authentication methods must address both system-authentication as well as 
               user authentication mechanisms.</p>
            <p>Describe the hosting of the interconnection itself (NOT the hosting of the remote system).</p>
            <p>If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider</p>
            <p />
            <p>While not required, each "interconnection" component should have:</p>
            <ul>
               <li>an "inherited-uuid" property if the value was provided by the system owner</li>
               <li>a "compliance" property/extension if appropriate</li>
               <li>a "system-poc-management" responsible-role</li>
               <li>a "system-poc-technical" responsible-role</li>
            </ul>  
            <p>Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP 
               properties/extensions for these roles, instead favor the core OSCAL
               responsible-roles constructs, and the NIST-standard roles of 
               "system-poc-management" and "system-poc-technical". With an interconnection, 
               the system POC roles reference parties that represent the connection provider.</p>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 3: A service from an external system other than the leveraged system -->
      <!-- Table 7.1 Scenario 3 - Part 1: An external system that offers a service used by this system -->
      <component uuid="11111111-2222-4000-8000-009000100003" type="system">
         <title>Other Cloud SaaS</title>
         <description>
            <p/>
         </description>
         <prop ns="http://fedramp.gov/ns/oscal" name="asset-type" value="saas"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="isa" /> 
         <prop name="implementation-point" value="external" />
         <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001" />
         
         <status state="operational"/>
         
         <responsible-role role-id="system-owner">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <responsible-role role-id="system-poc-management">
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
         </responsible-role>
         <responsible-role role-id="system-poc-technical">
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>
         <remarks>
            <p>For each external system with which this system connects:</p>
            <p>Must have a "system" component (this component).</p>
            <p>Must have an "interconnection" component that connects this component with the
               "this-system" component.</p>
            <p>If the leveraged system owner provides a UUID for their system (such as in an
               OSCAL-based CRM), it should be reflected in the <code>inherited-uuid</code>
               property.</p>
            <p>Must include all leveraged services and features from the leveraged authorization
               here.</p>
            <p>For an external system, the "implementation-point" property must always be present
               with a value of "external".</p>
            
            
            <p>Each interconnection must be defined with both a "system" component and an
               "interconnection" component.</p>
            <p>Must include all leveraged services and features from the leveraged authorization
               here.</p>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 3 - Part 2: An external service  -->
      <component uuid="11111111-2222-4000-8000-009000500003" type="service">
         <title>Service C</title>
         <description>
            <p>A service provided by an external system other than the leveraged system.</p>
            <p>Describe the service and what it is used for.</p>
         </description>
         <prop name="implementation-point" value="external"/>

         <prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="ipsec" />
         <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
            <remarks>
               <p>If 'yes', describe the authentication method in the remarks.</p>
               <p>If 'no', explain why no authentication is used in the remarks.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>
         <prop ns="http://fedramp.gov/ns/oscal" class="incoming" name="information-type" value="C.3.5.1"/>
         <prop ns="http://fedramp.gov/ns/oscal" class="outgoing" name="information-type" value="C.3.5.8"/>
         <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001">
            <remarks>
               <p>This can only be known if provided by the leveraged system,
                  such as via an OSCAL-based CRM, component definition,
                  or the leveraged system's OSCAL-based SSP.</p>
            </remarks>
         </prop>
         <link rel="provided-by" href="#11111111-2222-4000-8000-009000100003" />
         <!-- NOTE(review): the ".xlxs" extension below looks like a transposition of ".xlsx";
              confirm the href matches the attachment's real file name, otherwise the
              POA&M reference for this external service cannot be followed. -->
         <link  rel="poam-item"   href="./attachments/plan-of-action-and-milestones.xlxs" resource-fragment="V-1234" />
         <status state="operational"/>
         
         <responsible-role role-id="provider">
            <!-- NOTE(review): this party UUID differs in form from the other party references
                 in this component (they end in 004000000010 to 004000000012); confirm it
                 resolves to a party defined in the metadata. -->
            <party-uuid>11111111-2222-4000-8000-c0040000000a</party-uuid>
         </responsible-role>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>
         <!-- NOTE(review): name="abc" and the empty title read as placeholders. Record the
              actual protocol name and a title so the declared port (TCP 5432) can be reviewed
              against the boundary's permitted flows and the "connection-security" value
              declared earlier in this component. -->
         <protocol name="abc" uuid="11111111-2222-4000-8000-010000000003">
            <title></title>
            <port-range start="5432" end="5432" transport="TCP" />
         </protocol>
         
         <remarks>
            <!-- TODO: Revise this description -->
            
            <p>This is a service provided by an external system other than the leveraged system.</p>
            <p>As a result, the "leveraged-authorization-uuid" property is not applicable and must
               NOT be used.</p>
            <p/>
            <p>Each external service used from a leveraged authorization must have:</p>
            <ul>
               <li>a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).</li>
               <li>a "service" component (this component).</li>
            </ul>
            <p/>
            <p>This component must always have:</p>
            <ul>
               <li>The name of the service in the title - preferably exactly as it appears on the
                  vendor's web site</li>
               <li>An "implementation-point" property with a value of "external".</li>
               <li>A "provided-by" link with a URI fragment that points to the UUID of the above
                  "system" component.</li>
               <li>exactly one "poam-item" link, with an href value that references the
                  POA&amp;M and a resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               <li>a status with a state value of "operational"</li>
            </ul>
            <p/>
            <p>Where relevant, this component should also have:</p>
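            <ul>
               <!-- Information-type identifiers are the NIST SP 800-60 ones, matching the
                    "information-type" requirement stated in the remarks of the other
                    components in this file. -->
               <li>One or more "information-type" properties, where the allowed values are the 800-60
                  information type identifiers.</li>
               <li>A responsible-role with a role-id of "leveraged-authorization-users" and
                  one or more party-uuid entries that indicate which users within this system may
                  interact with the leveraged system.</li>
               <li>An "inherited-uuid" property if the leveraged system's owner provides a UUID for
                  their system (such as in an OSCAL-based CRM).</li>
               <li>Link(s) to the vendor's web site describing the service are encouraged, but not
                  required.</li>
            </ul>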
            <p/>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               leveraged-authorization assembly:</p>
            <p>- Package ID, Authorization Type, Impact Level</p>
            <p/>
            <p>The following fields from the Leveraged Authorization Table are handled in the
               "system" component assembly:</p>
            <p>- Nature of Agreement, CSP Name</p>
            <p/>
            <p>An unauthorized service from an underlying leveraged authorization 
               must NOT have the "leveraged-authorization-uuid" property. The presence 
               or absence of this property is how the authorization status of a service is indicated.</p>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 4: A service from this system offered to external systems -->
      <!-- Table 7.1 Scenario 4 - Part 1: An external API client that accesses this API service -->
      <component uuid="11111111-2222-4000-8000-009000100004" type="external-client">
         <title>Undetermined External API Clients</title>
         <description>
            <p>This component represents any of the public API clients that may
               access this system's API service.</p>
         </description>
         <prop name="asset-type" value="api-client"/>

         <prop name="implementation-point" value="external" />
         <status state="operational"/>
         <responsible-role role-id="public" />

         <remarks>
            <p>When an API service is offered to a large community, this one component
               may be used to represent the collection of API clients that may connect
               from that community. This must have:</p>
            <ul>
               <li>a component type set to "external-client"</li>
               <li>an "implementation-point" property set to "external"</li>
               <li>one or more responsible roles should be defined representing
                  the community of potential API client users. If the service
                  is open to the public, use the "public" responsible-role ID.</li>
            </ul>
         </remarks>
      </component>

      <component uuid="11111111-2222-4000-8000-009000500004" type="service">
         <title>API Service</title>
         <description>
            <p>A service offered by this system to external systems, such as an API.
            As a result, communication crosses the boundary.</p>
            <p>Describe the service and what it is used for.</p>
         </description>
         <prop name="implementation-point" value="internal"/>
         <prop name="public" value="yes"></prop>
         
         <prop name="communicates-externally" value="yes" ns="http://fedramp.gov/ns/oscal"/>
         <prop name="information-type" class="incoming-outgoing" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
         <prop name="information-type" class="outgoing"          value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
         <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal" />
         <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>If 'yes', describe the authentication method in the remarks.</p>
               <p>If 'no', explain why no authentication is used in the remarks.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>
         <prop name="nature-of-agreement" value="other" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Terms of Use</p>
            </remarks>
         </prop>          

         <prop name="allows-authenticated-scan" value="no" >
            <remarks>
               <p>Explain why authenticated scans are not possible for this component.
                  Provide evidence if available, such as scanner tool or vendor links.</p>
            </remarks>
         </prop>
         <prop name="scan-type" value="infrastructure" ns="http://fedramp.gov/ns/oscal" />

         <link rel="used-by" href="#11111111-2222-4000-8000-009000100003" /> 
         <link rel="used-by" href="#11111111-2222-4000-8000-009000100004" />
         <link rel="poam-item"   href="#11111111-2222-4000-8000-001000000048" resource-fragment="11111111-3333-4000-8000-000000000004" />
         <link rel="api" href="https://api.example.com/v1" />
         
         <status state="operational"/>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
            <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
         </responsible-role>
         <protocol name="tls" uuid="11111111-2222-4000-8000-010000000002">
            <title>API Service</title>
            <port-range start="443" end="443" transport="TCP"/>
         </protocol>
         <remarks>
            <p>This is a service provided by this system to external systems, such as an 
               offered API. The following is required:</p>
            <ul>
               <li>The "title" fields must have the name of the offered API.</li>
               <li>The "description" field must include the purpose and use of the API.</li>
               <li>The component "type" attribute must have a value of "service".</li>
               <li>The "implementation-point" property must have a value of "internal".</li>
               <li>The "communicates-externally" prop/extensions must have a value of "yes".</li>
               <li>One or more "information-type" prop/extensions must be present with 800-60 information type values.</li>
               <li>The "connection-security" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions "remarks" must provide additional content.</li>
               <li>The "nature-of-agreement" prop/extension must identify any governing terms for the connection.</li>
               <li>One or more "used-by" links must provide the component UUID of the other system.</li>
               <li>A "poam-item" link, which must have an href value that references the POA&amp;M and a
                  resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               <li>A "status" field that must have a state of "operational"</li>
               <li>One or more "responsible-role" fields with:
                  <ul>
                     <li>one or more roles by "role-id" [required]</li>
                     <li>one or more "privilege-uuid" prop/extensions [required]</li>
                     <li>one or more "party-uuid" values to identify who has these privileges. [required]</li>
                  </ul>
               </li>
               <li>One or more "protocol" fields.</li>
            </ul>
            <p />
            <p>Because this is software that exists within the boundary, it also requires the following
               in satisfaction of inventory/CM/ConMon requirements:</p>
            <ul>
               <li>An "allows-authenticated-scan" property with an appropriate value.</li>
               <li>A "scan-type" property/extension set to "infrastructure".</li>
               <li>TODO: Revisit this list when working the inventory epic</li>
            </ul>

         </remarks>
      </component>

      <!-- Table 7.1 Scenario 5: A CLI that connects to leveraged or external systems -->
      <component uuid="11111111-2222-4000-8000-009000300001" type="software">
         <title>Management CLI</title>
         <description>
            <p>A CLI tool used from within this system's boundary to manage a 
               hypervisor, service, or other system outside this system's boundary, 
               resulting in communication that crosses the boundary.</p>
         </description>
         <prop name="asset-type" value="cli"/>
         <prop name="implementation-point"                     value="internal"/>

         <prop name="communicates-externally"                  value="yes"     ns="http://fedramp.gov/ns/oscal" />
         <prop name="information-type"        class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
         <prop name="information-type"        class="outgoing" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
         <prop name="connection-security"                      value="ipsec"   ns="http://fedramp.gov/ns/oscal" />
         <prop name="authentication-method"                    value="yes"     ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>If 'yes', describe the authentication method in the remarks.</p>
               <p>If 'no', explain why no authentication is used in the remarks.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>         
         <prop name="nature-of-agreement" value="other" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Terms of Use</p>
            </remarks>
         </prop>
         <prop name="allows-authenticated-scan" value="no" >
            <remarks>
               <p>Explain why authenticated scans are not possible for this component.
                  Provide evidence if available, such as scanner tool or vendor links.</p>
            </remarks>
         </prop>
         <prop name="scan-type" value="infrastructure" ns="http://fedramp.gov/ns/oscal" />
         <link rel="communicates-with" href="#11111111-2222-4000-8000-009000100001" />
         <link  rel="poam-item"   href="#11111111-2222-4000-8000-001000000048" resource-fragment="11111111-3333-4000-8000-000000000005" />
         <status state="operational"/>
         <responsible-role role-id="administrator">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <remarks>
            <p>When an internal CLI tool communicates with a system outside the boundary, 
            such as for management of the underlying leveraged system or interaction
            with an external system, the following is required:</p>
            <ul>
               <li>The "title" fields must have the name of the CLI tool.</li>
               <li>The "description" field must include the purpose and use of the tool within this system.</li>
               <li>The component "type" attribute must have a value of "software".</li>
               <li>The "asset-type" property must have a value of "cli".</li>
               <li>The "implementation-point" property must have a value of "internal".</li>
               <li>The "communicates-externally" prop/extensions must have a value of "yes".</li>
               <li>One or more "information-type" prop/extensions must be present with 800-60 information type values.</li>
               <li>The "connection-security" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions "remarks" must provide additional content.</li>
               <li>The "nature-of-agreement" prop/extension must identify any governing terms for the connection.</li>
               <li>One or more "communicates-with" links must provide the component UUID of the other system.</li>
               <li>A "poam-item" link, which must have an href value that references the POA&amp;M and a
                  resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               <li>A "status" field that must have a state of "operational"</li>
               <li>One or more "responsible-role" fields with:
                  <ul>
                     <li>one or more roles by "role-id" [required]</li>
                     <li>one or more "privilege-uuid" prop/extensions [required]</li>
                     <li>one or more "party-uuid" values to identify who has these privileges. [required]</li>
                  </ul>
               </li>
            </ul>
            <p />
            <p>Because this is software that exists within the boundary, it also requires the following
            in satisfaction of inventory/CM/ConMon requirements:</p>
            <ul>
               <li>An "allows-authenticated-scan" property with an appropriate value.</li>
               <li>A "scan-type" property/extension set to "infrastructure".</li>
               <li>TODO: Revisit this list when working the inventory epic</li>
            </ul>
         </remarks>
      </component>

      <!-- Table 7.1 Scenario 5 variant: An external CLI that connects to this system -->
      <component uuid="11111111-2222-4000-8000-009000300003" type="software">
         <title>External Management CLI</title>
         <description>
            <p>A CLI tool used by systems outside the authorization boundary to manage
               or interact with this system.</p>
         </description>
         <prop name="asset-type" value="cli"/>
         <prop name="implementation-point" value="external"/>
         <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal" />
         <prop name="information-type" class="outgoing" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal" />
         <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal" />
         <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal" >
            <remarks>
               <p>If 'yes', describe the authentication method in the remarks.</p>
               <p>If 'no', explain why no authentication is used in the remarks.</p>
               <p>If 'not-applicable', attest and explain why authentication is not applicable in the remarks.</p>
            </remarks>
         </prop>         
         <prop name="nature-of-agreement" value="other" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Terms of Use</p>
            </remarks>
         </prop>          
         <link rel='communicates-with' href="#11111111-2222-4000-8000-009000100001" />
         <!-- NOTE(review): this resource-fragment is the same value used by the "Management CLI"
              component's poam-item link; confirm both components really track the same
              POA&M item. -->
         <link  rel="poam-item"   href="#11111111-2222-4000-8000-001000000048" resource-fragment="11111111-3333-4000-8000-000000000005" />
         <status state="operational"/>
         <!-- NOTE(review): the privilege-uuid below is the same one attached to the
              "administrator" roles of the internal components in this file. Confirm that
              external users are meant to hold that privilege set, or reference a narrower
              privilege. No party-uuid is listed; this component's remarks mark it optional
              for this scenario. -->
         <responsible-role role-id="external-users">
            <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal" />
         </responsible-role>
         <remarks>
            <p>When a CLI tool outside the system communicates with this system, 
               such as for management of the user's hypervisor in this system, the
            following is required:</p>
            <ul>
               <li>The "title" fields must have the name of the CLI tool.</li>
               <li>The "description" field must describe how the tool can influence the operation of this system.</li>
               <li>The component "type" attribute must have a value of "software".</li>
               <li>The "asset-type" property must have a value of "cli".</li>
               <li>The "implementation-point" property must have a value of "external".</li>
               <li>One or more "information-type" prop/extensions must be present with 800-60 information type values.</li>
               <li>The "connection-security" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions must be present with an appropriate value.</li>
               <li>The "authentication-method" prop/extensions "remarks" must provide additional content.</li>
               <li>The "nature-of-agreement" prop/extension must identify any governing terms for the connection.</li>
               <li>One or more "communicates-with" links must provide the component UUID of the component within this system.</li>
               <li>A "poam-item" link, which must have an href value that references the POA&amp;M and a
                  resource-fragment that represents the POA&amp;M ID (legacy/Excel POA&amp;M)
                  or poam-item UUID (OSCAL POA&amp;M)</li>
               <li>A "status" field that must have a state of "operational"</li>
               <li>One or more "responsible-role" fields with:
                  <ul>
                     <li>one or more roles by "role-id" [required]</li>
                     <li>one or more "privilege-uuid" prop/extensions [required]</li>
                     <li>one or more "party-uuid" values to identify who has these privileges. [optional]</li>
                  </ul>
               </li>
            </ul>
            <p />
            <p>As this is implemented external to the system boundary, properties such as "scan-type"
               and "allows-authenticated-scan" are not applicable and should not be present.</p>
         </remarks>
      </component>


      <!-- =============    DOCUMENTS     ============= -->

      <!-- SSP Attachments - Policies -->
      <component uuid="11111111-2222-4000-8000-009000600001" type="policy">
         <title>Access Control and Identity Management Policy</title>
         <description>
            <p>This is a corporate policy used for the system.</p>
            <p>The Access Control and Identity Management Policy governs how 
               user identities and access rights are managed.</p>
         </description>
         <prop name="implementation-point" class="corporate" value="external" />
         <link href="#11111111-2222-4000-8000-001000000005" rel="attachment"/>
         <status state="operational"/>
         <remarks>
            <p>A policy component is required for each policy that governs the system.</p>
            <p>The title, description and status fields are required by core OSCAL. 
               The title field should reflect the actual title of the policy document.</p>
            <p>For system-specific policies, the "implementation-point" property must be
               present and set to "internal".</p>
            <p>For corporate policies, the "implementation-point" property must be
               present and set to "external" with its class set to "corporate".</p>
            <p>For any policy that is neither system-specific nor corporate, the
               "implementation-point" property must be present and set to "external", 
               with a class set to anything other than "corporate" or no class 
               attribute at all.</p>
            <p>An "attachment" link field must be present that identifies the back-matter 
               resource representing the attached policy.</p>
            <p>The document version and date are represented in the linked resource. Not here.</p>
            <p>At this time FedRAMP does not _require_ policy approver or 
               audience information in the SSP; however, both may be represented here
               using the responsible-role field. If electing to include this information,
               use the "approver" role ID to represent approvers. Any other role listed
               is assumed to be audience.</p>
         </remarks>
      </component>
      <!-- Policy component for the system-specific ("internal") Awareness and Training policy;
           the attachment link points to a back-matter resource by UUID fragment. -->
      <component uuid="11111111-2222-4000-8000-009000600002" type="policy">
         <title>AT Policy</title>
         <description>
            <!-- NOTE(review): apart from the document name, this sentence is identical to the
                 "Access Control Procedure" description in this file; confirm it states what the
                 Awareness and Training Policy actually governs. -->
            <p>The Awareness and Training Policy governs how access is managed and approved.</p>
         </description>
         <prop name="implementation-point" value="internal" />
         <link href="#11111111-2222-4000-8000-001000000006" rel="attachment"/>
         <status state="operational"/>
      </component>
      
      <!-- SSP Attachments - Procedures -->
      <component uuid="11111111-2222-4000-8000-009000800001" type="process-procedure">
         <title>Access Control Procedure</title>
         <description>
            <p>The Access Control Procedure governs how access is managed and approved.</p>
         </description>
         <prop name="implementation-point" class="corporate" value="external" />
         <link href="#11111111-2222-4000-8000-001000000023" rel="attachment"/>
         <status state="operational"/>
         <responsible-role role-id="asset-owner">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <responsible-role role-id="approver">
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
         </responsible-role>
         <remarks>
            <p>A "process-procedure" component is required for each process or procedure
               that governs the system.</p>
            <p>The title, description and status fields are required by core OSCAL. 
               The title field should reflect the actual title of the document.</p>
            <p>For system-specific processes or procedures, the "implementation-point" property must be
               present and set to "internal".</p>
            <p>For corporate processes or procedures, the "implementation-point" property must be
               present and set to "external" with its class set to "corporate".</p>
            <p>For any process or procedure that is neither system-specific nor corporate, the
               "implementation-point" property must be present and set to "external",
               with a class set to anything other than "corporate" or no class
               attribute at all.</p>
            <p>An "attachment" link field must be present that identifies the back-matter
               resource representing the attached process or procedure.</p>
            <p>The document version and date are represented in the linked resource. Not here.</p>
            <p>At this time FedRAMP does not _require_ policy approver or 
               audience information in the SSP; however, both may be represented here
               using the responsible-role field. If electing to include this information,
               use the "approver" role ID to represent approvers. Any other role listed
               is assumed to be audience.</p>
         </remarks>
      </component>
      <component uuid="11111111-2222-4000-8000-009000800002" type="process-procedure">
         <title>Awareness and Training Procedure</title>
         <!-- NOTE(review): the description below repeats the access control wording
              ("how access is managed and approved") used by the Access Control Procedure
              component. Replace it with what the awareness and training procedure covers. -->
         <description>
            <p>The Awareness and Training Procedure governs how access is managed and approved.</p>
         </description>
         <!-- No class attribute and value "internal": marks this as a system-specific procedure. -->
         <prop name="implementation-point" value="internal" />
         <!-- Points at the back-matter resource that holds the procedure document itself. -->
         <link href="#11111111-2222-4000-8000-001000000024" rel="attachment"/>
         <status state="operational"/>
      </component>


      <!-- ============= INTERNAL COMPONENTS                           ============= -->

      <!-- ============= INTERNAL COMPONENTS - ENCRYPTED COMMUNICATION ============= -->
      
      <component uuid="11111111-2222-4000-8000-009001400001" type="connection">
         <title>Encrypted Communication</title>
         <description>
            <p>An encrypted communication between the web server and
            the database server for the purpose of performing SQL queries.</p>
         </description>
         <prop name="asset-type" value="encrypted" />
         <prop name="asset-id" value="ref-01" />
         <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal" />
         <link rel="used-by" href="#11111111-2222-4000-8000-009000300100" />
         <link rel="used-by" href="#11111111-2222-4000-8000-009000300200" />
         <status state="operational"></status>
         <remarks>
            <p>Any notes about this connection to appear in Table Q.</p>
         </remarks>
      </component>      
      
      <!-- Sample database software component. It is referenced by the "Encrypted Communication"
           connection (rel="used-by") and by inventory items through implemented-component. -->
      <component uuid="11111111-2222-4000-8000-009000300100" type="software">
         <title>Database Sample</title>
         <description>
            <p>None</p>
         </description>
         <prop name="asset-type" value="database"/>
         <prop name="allows-authenticated-scan" value="yes"/>
         <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal" />
         <link rel="used-by" href="#11111111-2222-4000-8000-009000500006" />
         <!-- Ties this software to the FIPS 140-2 "validation" component declared after it. -->
         <link rel="validation" href="#11111111-2222-4000-8000-009001200001" />

         <status state="operational"/>
         <!-- NOTE(review): ports and transports declared here feed boundary and firewall
              review, so list only what the service actually listens on. PostgreSQL client
              traffic is TCP; confirm whether the UDP entry for 5432 is intended. -->
         <protocol name="postgresql">
            <port-range start="5432" end="5432" transport="TCP" />
            <port-range start="5432" end="5432" transport="UDP" />
         </protocol>
      </component>

      <component uuid="11111111-2222-4000-8000-009001200001" type="validation">
         <title>Cryptographic Module Name</title>
         <description>
            <p>Provide a description and any pertinent note regarding the use of this CM.</p>
            <p>For data-at-rest modules, describe type of encryption implemented (e.g., full disk,
               file, record-level, etc.)</p>
            <p>Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS
               compliance (e.g., Module in Process).</p>
         </description>
         <prop name="asset-type" class="embedded" value="cryptographic-module" />
         <prop name="validation-type" value="fips-140-2"/>
         <prop name="validation-reference" value="3928"/>
         <prop name="vendor-name" value="CM Vendor" ns="http://fedramp.gov/ns/oscal" />
         <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Usage statement</p>
            </remarks>
         </prop>
         <link rel="proof-of-compliance"
            href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3928"/>
         <status state="operational"/>
         <remarks>
            <p>If the same FIPS-validated cryptographic module is deployed 
               in two or more different components, each deployment SHOULD
            have its own "validation" component entry, such as if the same
            module is embedded in a software product and an operating system.</p>
            <p>The "asset-type" property value is "cryptographic-module",
            and the class must be present with one of the following values:</p>
            <ul>
               <li>"embedded": Embedded CM</li>
               <li>"third-party": Third-party CM</li>
               <li>"uses-os": Uses OS CM</li>
               <li>"fips-mode": In FIPS Mode</li>
               <li>"other": Other as described in the remarks</li>
            </ul>
            <p>Note that if the value is "other", additional detail must be
               provided in the property's remarks field.</p>
         </remarks>
      </component>


      <component uuid="11111111-2222-4000-8000-009001200002" type="validation">
         <title>Cryptographic Module Name</title>
         <description>
            <p>Provide a description and any pertinent note regarding the use of this CM.</p>
            <p>For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS
               compliance (e.g., Module in Process).</p>
         </description>
         <prop name="asset-type" class="uses-os" value="cryptographic-module"/>
         <prop name="validation-type" value="fips-140-3"/>
         <prop name="validation-reference" value="3920"/>
         <prop name="vendor-name" value="CM Vendor" ns="http://fedramp.gov/ns/oscal" />
         <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Usage statement</p>
            </remarks>
         </prop>
         <link rel="proof-of-compliance"
            href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3920"/>
         <status state="operational"/>

      </component>
      
      <component uuid="11111111-2222-4000-8000-009000300200" type="software">
         <title>Web Server</title>
         <description>
            <p>This is a web server that communicates with a database via 
            an encrypted connection</p>
         </description>
         <prop name="asset-type" value="web-server"/>
         <prop name="allows-authenticated-scan" value="no" />
         <prop name="scan-type" value="web" ns="http://fedramp.gov/ns/oscal" />
         <link rel="validation" href="#11111111-2222-4000-8000-009001200002" />
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <status state="operational"/>
      </component>

      <!-- ============= INTERNAL COMPONENTS - DATA AT REST ============= -->

      <!-- NOTE(review): this uuid is identical to the one on the "Web Server" component
           declared earlier in this file. Component uuid values are expected to be unique,
           and references such as the rel="used-by" link on the "Encrypted Communication"
           component (#11111111-2222-4000-8000-009000300200) cannot tell the two components
           apart. Assign this component its own UUID and update any references meant for it. -->
      <component uuid="11111111-2222-4000-8000-009000300200" type="software">
         <title>Linux Operating System</title>
         <!-- NOTE(review): the description repeats the "Web Server" component text and does
              not describe an operating system; it looks copied. -->
         <description>
            <p>This is a web server that communicates with a database via 
               an encrypted connection</p>
         </description>
         <prop name="asset-type" value="operating-system"/>
         <prop name="allows-authenticated-scan" value="yes" />
         <!-- NOTE(review): scan-type is "web" although asset-type is "operating-system"; the
              other operating-system components in this file use "infrastructure". Confirm. -->
         <prop name="scan-type" value="web" ns="http://fedramp.gov/ns/oscal" />
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <status state="operational"/>
      </component>
      


      <!-- NOTE(review): this component repeats the uuid, title and every property of the
           "validation" component declared just before the "Web Server" component, and the
           same uuid is used again by the "Container Image" software component. With the
           uuid shared, a rel="validation" link to #11111111-2222-4000-8000-009001200002
           is ambiguous. If this entry is meant to record a second deployment of the same
           module, give it its own UUID; otherwise drop the duplicate. -->
      <component uuid="11111111-2222-4000-8000-009001200002" type="validation">
         <title>Cryptographic Module Name</title>
         <description>
            <p>Provide a description and any pertinent note regarding the use of this CM.</p>
            <p>For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS
               compliance (e.g., Module in Process).</p>
         </description>
         <!-- class "uses-os": the module is provided by the operating system. -->
         <prop name="asset-type" class="uses-os" value="cryptographic-module"/>
         <prop name="validation-type" value="fips-140-3"/>
         <!-- The reference number matches the certificate number in the proof-of-compliance link. -->
         <prop name="validation-reference" value="3920"/>
         <prop name="vendor-name" value="CM Vendor" ns="http://fedramp.gov/ns/oscal" />
         <!-- NOTE(review): this entry sits under the "DATA AT REST" banner but declares
              function "data-in-transit"; confirm which usage is intended. -->
         <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal">
            <remarks>
               <p>Usage statement</p>
            </remarks>
         </prop>
         <link rel="proof-of-compliance"
            href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3920"/>
         <status state="operational"/>
         
      </component>
      
      



      <!-- ============= INTERNAL COMPONENTS ============= -->
      <component uuid="11111111-2222-4000-8000-009000500005" type="service">
         <title>Service D</title>
         <description>
            <p>A service that exists within the authorization boundary.</p>
            <p>Describe the service and what it is used for.</p>
         </description>
         <prop name="implementation-point" value="internal"/>
         <status state="operational"/>
      </component>


      <!-- NOTE(review): this uuid is already used by the "validation" (cryptographic module)
           components earlier in this file. A rel="validation" link to
           #11111111-2222-4000-8000-009001200002 could therefore resolve to this container
           image instead of the module. Assign the image its own UUID. -->
      <component uuid="11111111-2222-4000-8000-009001200002" type="software">
         <title>Container Image</title>
         <description>
            <p>This is a container image used to create container instances within the system.</p>
         </description>
         <prop name="asset-type" value="image"/>
         <prop name="asset-id" value="image"/>
         <!-- NOTE(review): "a1b2c3" is a short sample value. A checksum only supports integrity
              verification of the image when it is the full digest and the hash algorithm is
              known; the property as written names no algorithm. Confirm how it is conveyed. -->
         <prop name="checksum" value="a1b2c3" ns="http://fedramp.gov/ns/oscal"/>
         <link href="#11111111-2222-4000-8000-001000000059" rel="attachment"/>
         <status state="operational" />
         <!-- NOTE(review): this party-uuid does not follow the 11111111-... pattern of the
              other party references in this section; confirm it resolves to a defined party. -->
         <responsible-role role-id="administrator">
            <party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
         </responsible-role>
      </component>

      <!-- Use Components to identify Security and Management Technologies (Table 8.1), -->
      <!-- including Operating Systems, IAM/Access Management, Endpoint/Antivirus (AV), -->
      <!-- File Integrity Monitoring (FIM), Code Repository, Service Desk / Ticketing,  -->
      <!-- Configuration Management, Firewall, VPN, Multifactor Authentication (MFA),   -->
      <!-- SIEM, Secrets Management, Vulnerability Scanning -->
      <component uuid="11111111-2222-4000-8000-009000300002" type="software">
         <title>[SAMPLE]Product Name</title>
         <description>
            <p>FUNCTION: Describe typical component function.</p>
         </description>
         <prop name="asset-type" value="operating-system"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <prop name="vendor-name" value="Vendor Name"/>
         <prop name="model" value="Model Number"/>
         <prop name="version" value="Version Number"/>
         <prop name="patch-level" value="Patch Level"/>
         <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
         <status state="operational"/>
         <responsible-role role-id="admin-unix">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <remarks>
            <p>COMMENTS: Provide other comments as needed.</p>
         </remarks>
      </component>

      <component uuid="11111111-2222-4000-8000-009000300004" type="software">
         <title>[SAMPLE]Product Name</title>
         <description>
            <p>FUNCTION: Describe typical component function.</p>
         </description>
         <prop name="asset-type" value="operating-system"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <prop name="vendor-name" value="Vendor Name"/>
         <prop name="model" value="Model Number"/>
         <prop name="version" value="Version Number"/>
         <prop name="patch-level" value="Patch Level"/>
         <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
         <status state="operational"/>
         <responsible-role role-id="admin-unix">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-role>
         <remarks>
            <p>COMMENTS: Provide other comments as needed.</p>
         </remarks>
      </component>

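      <!-- Sample email service used by "Service D" (rel="used-by"). -->
      <component type="service" uuid="11111111-2222-4000-8000-009000500006">
         <title>Email Service</title>
         <description>
            <p>Email Service</p>
         </description>
         <!-- Stated once per element. NOTE(review): comments on the network components in this
              file say is-scanned applies to inventory-item rather than component; confirm that
              it belongs here. -->
         <prop name="is-scanned" value="yes"/>
         <link href="#11111111-2222-4000-8000-009000500005" rel="used-by" />
         <status state="operational"/>
         <!-- SMTP relay runs over TCP port 25; port 23 is the Telnet port and would put a
              cleartext remote-login service into the declared ports and protocols. If this
              service accepts mail on a different port, declare that port instead. -->
         <protocol name="smtp">
            <port-range start="25" end="25" transport="TCP" />
         </protocol>
      </component>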
      
      <component uuid="11111111-2222-4000-8000-009000400001" type="hardware">
         <title>[SAMPLE]Product</title>
         <description>
            <p>FUNCTION: Describe typical component function.</p>
         </description>
         <prop name="asset-type" value="database"/>
         <prop name="scan-type" value="infrastructure" ns="http://fedramp.gov/ns/oscal" />
         <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal" />
         <prop name="vendor-name" value="Vendor Name"/>
         <prop name="model" value="Model Number"/>
         <prop name="version" value="Version Number"/>
         <status state="operational"/>
         <responsible-role role-id="asset-administrator">
            <party-uuid>11111111-2222-4000-8000-004000000017</party-uuid>
         </responsible-role>
         <responsible-role role-id="asset-owner">
            <party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
         </responsible-role>
         <remarks>
            <p>COMMENTS: Provide other comments as needed.</p>
         </remarks>
      </component>
      
      <component uuid="11111111-2222-4000-8000-009000300005" type="software">
         <title>OS Sample</title>
         <description>
            <p>None</p>
         </description>
         <prop name="asset-type" value="operating-system"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <prop name="allows-authenticated-scan" value="yes"/>
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <status state="operational"/>
      </component>
      
      <!-- Second sample database component; allows authenticated scans and references the
           shared baseline resource. -->
      <component uuid="11111111-2222-4000-8000-009000300006" type="software">
         <title>Database Sample</title>
         <description>
            <p>None</p>
         </description>
         <prop name="asset-type" value="database"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
         <prop name="allows-authenticated-scan" value="yes"/>
         <link href="#11111111-2222-4000-8000-009000500006" rel="used-by" />
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <status state="operational"/>
         <!-- NOTE(review): ports and transports declared here feed boundary and firewall
              review, so list only what the service actually listens on. PostgreSQL client
              traffic is TCP; confirm whether the UDP entry for 5432 is intended. -->
         <protocol name="postgresql">
            <port-range start="5432" end="5432" transport="TCP" />
            <port-range start="5432" end="5432" transport="UDP" />
         </protocol>
      </component>
      
      <component uuid="11111111-2222-4000-8000-009000300007" type="software">
         <title>Appliance Sample</title>
         <description>
            <p>None</p>
         </description>
         <prop name="asset-type" value="appliance"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="login-url"
            value="https://admin.offering.com/login"/>
         <prop name="allows-authenticated-scan" value="no">
            <remarks>
               <p>Vendor appliance. No admin-level access.</p>
            </remarks>
         </prop>
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <status state="operational"/>
      </component>

      <!-- Network Segments -->
      <component type="network" uuid="11111111-2222-4000-8000-009000000016">
         <title>IPv4 Production Subnet</title>
         <description>
            <p>IPv4 Production Subnet.</p>
         </description>
         <!-- ip-address & is-scanned props apply to inventory-item (not component) -->
         <!-- <prop name="ipv4-address" value="10.10.10.0/24"/> -->
         <!-- <prop name="is-scanned" value="yes"/> -->
         <status state="operational"/>
      </component>
      <component type="network" uuid="11111111-2222-4000-8000-009000000017">
         <title>IPv4 Management Subnet</title>
         <description>
            <p>IPv4 Management Subnet.</p>
         </description>
         <!-- ip-address & is-scanned props apply to inventory-item (not component) -->
         <!-- <prop name="ipv4-address" value="10.10.20.0/24"/> -->
         <!-- is-scanned prop applies to inventory-item (not component) -->
         <!-- <prop name="is-scanned" value="yes"/> -->
         <status state="operational"/>
      </component>
      


      <!-- ============================================================= -->
      <!--                            Inventory                          -->
      <inventory-item uuid="11111111-2222-4000-8000-011000000001">
         <description>
            <p>Legacy Example (No implemented-component).</p>
         </description>
         <!--<prop name="asset-id" value="unique-asset-ID-01"/>-->
         <prop name="ipv4-address" value="10.1.1.1"/>
         <prop name="ipv6-address" value="2001:db8:3333:4444:5555:6666:7777:8888"/>
         <prop name="virtual" value="no"/>
         <prop name="public" value="no"/>
         <prop name="fqdn" value="dns.name"/>
         <prop name="uri" value="uniform.resource.identifier"/>
         <prop name="netbios-name" value="netbios-name"/>
         <prop name="mac-address" value="00:00:00:00:00:00"/>
         <prop name="software-name" value="software-name"/>
         <prop name="asset-type" value="operating-system"/>
         <!-- <prop name="vendor-name" value="Vendor Name"/> -->
         <!-- <prop name="model" value="Model Number"/> -->
         <!-- <prop name="patch-level" value="Patch-Level"/> -->
         <prop name="serial-number" value="Serial #"/>
         <prop name="asset-tag" value="Asset Tag"/>
         <prop name="vlan-id" value="VLAN Identifier"/>
         <prop name="network-id" value="Network Identifier"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/>
         <prop name="allows-authenticated-scan" value="no">
            <remarks>
               <p>If no, explain why. If yes, omit remarks field.</p>
            </remarks>
         </prop>
         <prop name="physical-location" value="Physical location of Asset"/>
         <prop name="is-scanned" value="yes">
            <remarks>
               <p>If no, explain why. If yes, omit remarks field.</p>
            </remarks>
         </prop>
         <prop name="function" value="Required brief, text-based description.">
            <remarks>
               <p>Optional, longer, formatted description.</p>
            </remarks>
         </prop>
         <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <responsible-party role-id="asset-owner">
            <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid>
         </responsible-party>
         <responsible-party role-id="asset-administrator">
            <party-uuid>11111111-2222-4000-8000-004000000017</party-uuid>
         </responsible-party>
         <implemented-component component-uuid="11111111-2222-4000-8000-009000300100">
            <remarks>
               <p>This links to a FIPS 140-2 validated software component that is used by this
                  inventory item. This type of linkage to a validation through the component is
                  preferable to the link[rel='validation'] example above.</p>
            </remarks>
         </implemented-component>
         <remarks>
            <p>COMMENTS: Additional information about this item.</p>
         </remarks>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000002">
         <description>
            <p>Component Inventory Example</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-02"/>
         <prop name="ipv4-address" value="10.2.2.2"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a02:0202"/>
         <prop name="mac-address" value="00:00:00:00:00:00"/>
         <prop name="asset-type" value="appliance"/>
         <!-- Need to update schematron validation. appliance is a valid core OSCAL asset type -->
         <prop name="virtual" value="no"/>
         <prop name="public" value="no"/>
         <prop name="fqdn" value="dns.name"/>
         <prop name="uri" value="uniform.resource.locator"/>
         <prop name="netbios-name" value="netbios-name"/>
         <!-- patch-level applies to component, not inventory-item -->
         <!-- <prop name="patch-level" value="Patch-Level"/> -->
         <prop name="physical-location" value="Physical location of Asset"/>
         <prop name="allows-authenticated-scan" value="no">
            <remarks>
               <p>If no, explain why. If yes, omit remark.</p>
            </remarks>
         </prop>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <link rel="baseline" href="#11111111-2222-4000-8000-001000000059" />
         <responsible-party role-id="asset-owner">
            <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
         </responsible-party>
         <responsible-party role-id="asset-administrator">
            <party-uuid>11111111-2222-4000-8000-004000000017</party-uuid>
         </responsible-party>
         <implemented-component component-uuid="11111111-2222-4000-8000-009000300100">
            <prop name="asset-id" value="unique-asset-ID-3"/>
         </implemented-component>
         <remarks>
            <p>COMMENTS: If needed, provide additional information about this inventory item.</p>
         </remarks>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000003">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-03"/>
         <prop name="asset-type" value="web-server"/>
         <prop name="virtual" value="yes"/>
         <prop name="public" value="no"/>
         <prop name="ipv4-address" value="10.3.3.3"/>
         <!-- Todo: check why schematron validation is indicating that this is not a valid ipv4 value -->
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a03:0303"/>
         <prop name="is-scanned" value="yes"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001"
         > </implemented-component>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000004">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-04"/>
         <prop name="asset-type" value="appliance"/>
         <prop name="virtual" value="yes"/>
         <prop name="public" value="no"/>
         <prop name="ipv4-address" value="10.4.4.4"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a04:0404"/>
         <prop name="is-scanned" value="yes"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001" /> 
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000005">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-05"/>
         <prop name="asset-type" value="firewall"/>
         <prop name="ipv4-address" value="10.5.5.5"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a05:0505"/>
         <prop name="virtual" value="no"/>
         <prop name="public" value="yes"/>
         <prop name="is-scanned" value="yes"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001" /> 
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000006">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-06"/>
         <prop name="ipv4-address" value="10.6.6.6"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a06:0606"/>
         <prop name="asset-type" value="router"/>
         <prop name="virtual" value="no"/>
         <prop name="public" value="no"/>
         <prop name="is-scanned" value="no">
            <remarks>
               <p>Asset wasn't running at time of scan.</p>
            </remarks>
         </prop>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001"
         > </implemented-component>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000007">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-07"/>
         <prop name="asset-type" value="switch"/>
         <prop name="ipv4-address" value="10.7.7.7"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a07:0707"/>
         <prop name="virtual" value="no"/>
         <prop name="public" value="no"/>
         <prop name="is-scanned" value="yes"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001"
         > </implemented-component>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000008">
         <description>
            <p>None.</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-08"/>
         <prop name="asset-type" value="web-server"/>
         <prop name="ipv4-address" value="10.8.8.8"/>
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/>
         <prop name="virtual" value="yes"/>
         <prop name="public" value="no"/>
         <prop name="is-scanned" value="no">
            <remarks>
               <p>Asset wasn't running at time of scan.</p>
            </remarks>
         </prop>
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001"
         > </implemented-component>
      </inventory-item>
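      <!-- Inventory entry for the email server asset. -->
      <inventory-item uuid="11111111-2222-4000-8000-011000000009">
         <description>
            <p>Email-Service</p>
         </description>
         <prop name="asset-id" value="unique-asset-ID-09"/>
         <prop name="asset-type" value="email-server"/>
         <prop name="ipv4-address" value="10.10.10.100"/>
         <!-- IPv4-mapped form of 10.10.10.100, following the pattern of the other inventory
              items. The previous value repeated the address of unique-asset-ID-08, which
              made two assets share one address in the inventory. -->
         <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a0a:0a64"/>
         <prop name="virtual" value="yes"/>
         <prop name="public" value="no"/>
         <prop name="is-scanned" value="yes"/>
         <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
         <!-- NOTE(review): this points at the cryptographic module "validation" component
              (11111111-2222-4000-8000-009001200001), not at the "Email Service" component
              (11111111-2222-4000-8000-009000500006). Confirm which component this asset
              implements. -->
         <implemented-component component-uuid="11111111-2222-4000-8000-009001200001"/>
      </inventory-item>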
   </system-implementation>

   <control-implementation>
      <description>
         <p>This description field is required by OSCAL.</p>
         <p>FedRAMP does not require any specific information here.</p>
         <p />
         <p></p>
      </description>
      <implemented-requirement control-id="ac-1" uuid="11111111-2222-4000-8000-012000010000">
         <set-parameter param-id="ac-01_odp.01">
            <value>all managers, administrators and users of the system</value>
            <remarks>
               <p>[Assignment: organization-defined personnel or roles]</p>
               <p>This focuses on roles the POLICY is disseminated to.</p>
            </remarks>
         </set-parameter>
         <set-parameter param-id="ac-01_odp.02">
            <value>all managers and administrators of the system</value>
            <remarks>
               <p>[Assignment: organization-defined personnel or roles]</p>
               <p>This focuses on roles PROCEDURES are disseminated to.</p>
            </remarks>
         </set-parameter>         
         <set-parameter param-id="ac-01_odp.03">
            <value>System-level</value>
            <remarks>
               <p>[Selection (one or more): Organization-level; Mission/business process-level; System-level]</p>
               <p>This is a SELECT parameter. Use one "value" field for each selection.</p>
            </remarks>
         </set-parameter>         
         <set-parameter param-id="ac-01_odp.04">
            <value>System Architect</value>
            <remarks>
               <p>[Assignment: organization-defined official]</p>
            </remarks>
         </set-parameter>         
         <set-parameter param-id="ac-01_odp.05">
            <value>at least every 3 years</value>
            <remarks>
               <p>[Assignment: organization-defined frequency]</p>
            </remarks>
         </set-parameter>
         <set-parameter param-id="ac-01_odp.06">
            <value>change in organizational legal status or ownership</value>
            <remarks>
               <p>[Assignment: organization-defined events]</p>
            </remarks>
         </set-parameter>         
         <set-parameter param-id="ac-01_odp.07">
            <value>at least annually</value>
            <remarks>
               <p>[Assignment: organization-defined frequency]</p>
            </remarks>
         </set-parameter>
         <set-parameter param-id="ac-01_odp.08">
            <value>change in policy or a security incident involving a failure of access control mechanisms</value>
            <remarks>
               <p>[Assignment: organization-defined events]</p>
            </remarks>
         </set-parameter>         
         
         <statement statement-id="ac-1_smt.a" uuid="11111111-2222-4000-8000-012000010100">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000010101">
               <description>
                  <p>Describe how Part a is satisfied within the system as a whole.</p>
                  <p>FedRAMP prefers all policies and procedures be attached as a resource in the
                     back-matter. The link points to a resource.</p>
               </description>
               <implementation-status state="implemented" />
               <remarks>
                  <p>This is the "this-system" component, which represents the system as a whole.</p>
                  <p>There are two reasons to provide a response here:</p>
                  <ul>
                     <li>When first converting a legacy/Word-based SSP to OSCAL, the entire control
                     response may be placed here until it can be parsed out into appropriate component
                     responses.</li>
                     <li>When it is necessary to explain how two or more components work together to
                     satisfy this requirement.</li>
                  </ul>
               </remarks>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000600001"
               uuid="11111111-2222-4000-8000-012000010102">
               <!-- Control response for AC-1 part a as satisfied by the policy component. -->
               <description>
                  <p>Describe how this policy satisfies part a.</p>
               </description>
               <!-- NOTE(review): the preceding by-component in this statement uses
                    state="implemented" while this one uses state="operational". In OSCAL,
                    "operational" is a component status value; implementation-status is
                    expected to use implemented / partial / planned / alternative /
                    not-applicable. Confirm against the schema constraints; the same value
                    recurs in other by-component entries in this file. An assessor reads this
                    field as the implementation claim, so it should be unambiguous. -->
               <implementation-status state="operational"/>
               <remarks>
                  <p>This is the "policy" component, which represents the Access Control and 
                  Identity Management Policy.</p>
               </remarks>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000800001"
               uuid="11111111-2222-4000-8000-012000010103">
               <description>
                  <p>Describe how this procedure satisfies part a.</p>
               </description>
               <implementation-status state="operational"/>
               <remarks>
                  <p>This is the "process-procedure" component, which represents the Access Control Process.</p>
               </remarks>
            </by-component>
         </statement>
         <statement statement-id="ac-1_smt.b" uuid="11111111-2222-4000-8000-012000010200">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000010201">
               <description>
                  <p>Describe how Part b is satisfied within the system as a whole.</p>
               </description>
               <prop ns="http://fedramp.gov/ns/oscal" name="planned-completion-date"
                  value="2024-01-31Z"/>
               <implementation-status state="partial">
                  <remarks>
                     <p>Describe the plan to complete the implementation.</p>
                  </remarks>
               </implementation-status>
               <remarks>
                  <p>This is the "this-system" component, which represents the system as a whole.</p>
                  <p>There are two reasons to provide a response here:</p>
                  <ul>
                     <li>When first converting a legacy/Word-based SSP to OSCAL, the entire control
                        response may be placed here until it can be parsed out into appropriate component
                        responses.</li>
                     <li>When it is necessary to explain how two or more components work together to
                        satisfy this requirement.</li>
                  </ul>
               </remarks>
            </by-component>

            <by-component component-uuid="11111111-2222-4000-8000-009000000013"
               uuid="11111111-2222-4000-8000-012000010202">
               <description>
                  <p>Describe how this policy currently satisfies part b.</p>
               </description>
               <prop ns="http://fedramp.gov/ns/oscal" name="planned-completion-date"
                  value="2024-01-31Z">
                  <remarks>
                     <p>Describe the plan for addressing the missing policy elements.</p>
                  </remarks>
               </prop>
               <implementation-status state="partial">
                  <remarks>
                     <p>Identify what is currently missing from this policy.</p>
                  </remarks>
               </implementation-status>
            </by-component>
         </statement>
         <statement statement-id="ac-1_smt.c" uuid="11111111-2222-4000-8000-012000010300">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000010301">
               <description>
                  <p>Describe how Part b-1 is satisfied.</p>
               </description>
               <implementation-status state="operational"/>
            </by-component>
         </statement>
      </implemented-requirement>
      <implemented-requirement control-id="ac-2" uuid="11111111-2222-4000-8000-012000020000">
         <set-parameter param-id="ac-2_prm_1">
            <value>[SAMPLE]privileged, non-privileged</value>
         </set-parameter>
         <set-parameter param-id="ac-2_prm_2">
            <value>[SAMPLE]all</value>
         </set-parameter>
         <set-parameter param-id="ac-2_prm_3">
            <value>[SAMPLE]The Access Control Procedure</value>
         </set-parameter>
         <set-parameter param-id="ac-2_prm_4">
            <value>at least annually</value>
         </set-parameter>

         <statement statement-id="ac-2_smt.a" uuid="11111111-2222-4000-8000-012000020100">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000020101">
               <description>
                  <h1>Description for the "this-system" component.</h1>
                  <p>Describe how AC-2, part a is satisfied within this system.</p>
                  <p>This points to the "This System" component, and is used any time a more
                     specific component reference is not available.</p>
               </description>
               <export>
                  <provided uuid="11111111-2222-4000-8000-015000000001">
                     <description>
                        <p>This system's statement of capabilities which may be inherited by a
                           customer's leveraging systems toward satisfaction of AC-2, part a.</p>
                     </description>
                  </provided>
                  <responsibility uuid="11111111-2222-4000-8000-016000000001"
                     provided-uuid="11111111-2222-4000-8000-015000000001">
                     <description>
                        <p>Leveraged system's statement of a leveraging system's responsibilities in
                           satisfaction of AC-2, part a.</p>
                        <p>Not associated with inheritance, thus associated this with the
                           by-component for "this system".</p>
                     </description>
                     <responsible-role role-id="cloud-service-provider">
                        <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid>
                     </responsible-role>
                  </responsibility>
                  <remarks>
                     <p>Any content for the customer responsibility matrix must be included within <code>export</code>.</p>
                     <p><code>provided</code> is a statement about what a leveraging system may inherit from this system.</p>
                  </remarks>
               </export>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000000014"
               uuid="11111111-2222-4000-8000-012000020102">
               <description>
                  <p>For the portion of the control satisfied by the application component of this
                     system, describe <strong>how</strong> the control is met.</p>
               </description>
               <export>
                  <provided uuid="11111111-2222-4000-8000-015000000002">
                     <description>
                        <p>Consumer-appropriate description of what may be inherited from this
                           application component by a leveraging system.</p>
                        <p>In the context of the application component in satisfaction of AC-2, part
                           a.</p>
                     </description>
                     <responsible-role role-id="customer">
                        <party-uuid>11111111-2222-4000-8000-004000000005</party-uuid>
                     </responsible-role>
                  </provided>
                  <responsibility uuid="11111111-0000-4000-9009-002001002002"
                     provided-uuid="11111111-2222-4000-8000-015000000002">
                     <description>
                        <p>Leveraging system's responsibilities with respect to inheriting this
                           capability from this application.</p>
                        <p>In the context of the application component in satisfaction of AC-2, part
                           a.</p>
                     </description>
                     <responsible-role role-id="customer">
                        <party-uuid>11111111-2222-4000-8000-004000000005</party-uuid>
                     </responsible-role>
                  </responsibility>
               </export>
               <!-- NOTE(review): these remarks say the component-uuid points to the "this system"
                    component, but this by-component references ...009000000014 and its
                    description speaks of the application component; the by-component entries
                    whose remarks identify "this-system" elsewhere in this file reference
                    ...009000000000. The remarks look copied from that entry; confirm which
                    component is intended so responsibility content is attributed correctly. -->
               <remarks>
                  <p>The component-uuid above points to the "this system" component.</p>
                  <p>Any control response content that does not cleanly fit another system component
                     is placed here. This includes customer responsibility content.</p>
                  <p>This can also be used to provide a summary, such as a holistic overview of how
                     multiple components work together.</p>
                  <p>While the "this system" component is not explicitly required within every
                        <code>statement</code>, it will typically be present.</p>
               </remarks>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000000004"
               uuid="11111111-2222-4000-8000-012000020103">
               <description>
                  <p>For the portion inherited from an underlying FedRAMP-authorized provider,
                     describe <strong>what</strong> is inherited.</p>
               </description>
               <inherited provided-uuid="11111111-0000-4000-9009-002001002001"
                  uuid="11111111-2222-4000-8000-017000000001">
                  <description>
                     <p>Optional description.</p>
                     <p>Consumer-appropriate description of what may be inherited as provided by the
                        leveraged system.</p>
                     <p>In the context of this component in satisfaction of AC-2, part a.</p>
                     <p>The <code>provided-uuid</code> links this to the same statement in the
                        leveraged system's SSP.</p>
                     <p>It may be linked directly, but is more commonly provided via an OSCAL-based
                        CRM (Inheritance and Responsibility Model).</p>
                  </description>
               </inherited>
               <satisfied responsibility-uuid="11111111-0000-4000-9009-002001002002"
                  uuid="11111111-2222-4000-8000-018000000001">
                  <description>
                     <p>Description of how the responsibility was satisfied.</p>
                     <p>The <code>responsibility-uuid</code> links this to the same statement in the
                        leveraged system's SSP.</p>
                     <p>It may be linked directly, but is more commonly provided via an OSCAL-based
                        CRM (Inheritance and Responsibility Model).</p>
                     <p>Tools should use this to ensure all identified customer
                           <code>responsibility</code> statements have a corresponding
                           <code>satisfied</code> statement in the leveraging system's SSP.</p>
                     <p>Tool developers should be mindful that </p>
                  </description>
               </satisfied>
            </by-component>
         </statement>
         <!-- NOTE(review): this statement repeats the statement-id (ac-2_smt.a) and the uuid
              (...012000020100) of the statement that precedes it in this
              implemented-requirement, and its by-component repeats uuid ...012000020101.
              UUIDs are the targets of cross-references (for example provided-uuid and
              responsibility-uuid), so duplicates make those references ambiguous. Assign
              fresh UUIDs and the intended statement-id (presumably a later part of AC-2;
              confirm), or remove the repeated statement. -->
         <statement statement-id="ac-2_smt.a" uuid="11111111-2222-4000-8000-012000020100">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000020101">
               <description>
                  <p>Describe how AC-2, part a is satisfied within this system.</p>
                  <p>This points to the "This System" component, and is used any time a more
                     specific component reference is not available.</p>
               </description>
            </by-component>
         </statement>
      </implemented-requirement>
      <implemented-requirement control-id="ia-1" uuid="11111111-2222-4000-8000-012000030000">
         <prop ns="http://fedramp.gov/ns/oscal" name="control-origination" value="sp-system"/>
         <!-- Parameter values for this implemented-requirement. -->
         <!-- NOTE(review): the enclosing implemented-requirement declares control-id="ia-1",
              but every param-id here (and every statement-id that follows) uses an AC-1
              identifier. The first entry also uses the ac-1_prm_1 naming form while the
              other two use the ac-01_odp.NN form. Presumably these should be the IA-1
              identifiers from the resolved baseline; confirm, because a tool that resolves
              parameters by control would not find these under IA-1. -->
         <set-parameter param-id="ac-1_prm_1">
            <value>organization-defined personnel or roles</value>
         </set-parameter>
         <set-parameter param-id="ac-01_odp.05">
            <value>at least every 3 years</value>
         </set-parameter>
         <set-parameter param-id="ac-01_odp.07">
            <value>at least annually</value>
         </set-parameter>
         
         <statement statement-id="ac-1_smt.a" uuid="11111111-2222-4000-8000-012000030100">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000030101">
               <description>
                  <p>Describe how Part a is satisfied within the system.</p>
                  <p>Legacy approach. If no policy component is defined, describe here how the
                     policy satisfies part a.</p>
                  <p>In this case, a link must be provided to the policy.</p>
                  <p>FedRAMP prefers all policies and procedures be attached as a resource in the
                     back-matter. The link points to a resource.</p>
               </description>
               <remarks>
                  <p>The specified component is the system itself.</p>
                  <p>Any control implementation response that can not be associated with another
                     component is associated with the component representing the system.</p>
               </remarks>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000600001"
               uuid="11111111-2222-4000-8000-012000030102">
               <description>
                  <p>Describe how this policy  satisfies part a.</p>
                  <p>Component approach. This links to a component representing the Identity
                     Management and Access Control Policy.</p>
                  <p>That component contains a link to the policy, so it does not have to be linked
                     here too.</p>
               </description>
               <implementation-status state="operational"/>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000700001"
               uuid="11111111-2222-4000-8000-012000030103">
               <description>
                  <p>Describe how this procedure  satisfies part a.</p>
                  <p>Component approach. This links to a component representing the Identity
                     Management and Access Control Policy.</p>
                  <p>That component contains a link to the policy, so it does not have to be linked
                     here too.</p>
               </description>
               <implementation-status state="operational"/>
            </by-component>
         </statement>
         <statement statement-id="ac-1_smt.b" uuid="11111111-2222-4000-8000-012000030200">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-012000030201">
               <description>
                  <p>There </p>
               </description>
               <prop ns="http://fedramp.gov/ns/oscal" name="planned-completion-date"
                  value="2024-01-31Z"/>
               <implementation-status state="partial">
                  <remarks>
                     <p>Describe the plan to complete the implementation.</p>
                  </remarks>
               </implementation-status>
            </by-component>
            <by-component component-uuid="11111111-2222-4000-8000-009000000013"
               uuid="11111111-2222-4000-8000-012000030202">
               <description>
                  <p>Describe how this policy currently satisfies part b.</p>
               </description>
               <prop ns="http://fedramp.gov/ns/oscal" name="planned-completion-date"
                  value="2024-01-31Z">
                  <remarks>
                     <p>Describe the plan for addressing the missing policy elements.</p>
                  </remarks>
               </prop>
               <implementation-status state="partial">
                  <remarks>
                     <p>Identify what is currently missing from this policy.</p>
                  </remarks>
               </implementation-status>
            </by-component>
         </statement>
         <statement statement-id="ac-1_smt.c" uuid="11111111-2222-4000-8000-012000030300">
            <by-component component-uuid="11111111-2222-4000-8000-009000000000"
               uuid="11111111-2222-4000-8000-014000000005">
               <description>
                  <p>Describe how Part b-1 is satisfied.</p>
               </description>
               <implementation-status state="operational"/>
            </by-component>
         </statement>
      </implemented-requirement>



   </control-implementation>
   <!-- SSP Attachments -->
   <back-matter>
      <!-- Cloud Service Provider (CSP) Signatures -->
      <resource uuid="11111111-2222-4000-8000-001000000002">
         <title>Signed System Security Plan</title>
         <description>
            <p>SSP Signature</p>
         </description>
         <prop name="type" class="signed-ssp" value="artifact"/>
         <!-- Use rlink and/or base64 to attach the signed artifact. -->
         <!-- NOTE(review): this rlink has no hash child, so a consumer cannot check that the
              file it retrieves is the document that was signed. OSCAL allows
              <hash algorithm="SHA-256">...</hash> inside rlink; consider adding one for every
              attachment that serves as evidence. -->
         <!-- NOTE(review): the rlink names signed-ssp.pdf while the base64 filename is ssp.pdf.
              When both are present they presumably carry the same document; confirm and
              align the names. The base64 content "00000000" looks like a placeholder rather
              than an encoded PDF. -->
         <rlink href="./attachments/signed-ssp.pdf" media-type="application/pdf"/>
         <base64 filename="ssp.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in
               OSCAL, and welcomes feedback on solutions.</p>
            <p>For now, the PMO recommends one of the following:</p>
            <ul>
               <li>Render the OSCAL SSP content as a PDF that is digitally signed and attached.</li>
               <li>Render the OSCAL SSP content as a printed page that is physically signed,
                  scanned, and attached.</li>
            </ul>
            <p>If your organization prefers another approach, please seek prior approval from the
               FedRAMP PMO.</p>
         </remarks>
      </resource>
      <!-- FedRAMP Laws -->
      <resource uuid="11111111-2222-4000-8000-001000000003">
         <title>FedRAMP Applicable Laws and Regulations</title>
         <prop name="type" class="fedramp-citations" value="citation"/>
         <rlink
            href="https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx"/>
         <remarks>
            <p>Must be present in a FedRAMP SSP.</p>
         </remarks>
      </resource>

      <!-- Appendix C - Security Policy documents -->
      <resource uuid="11111111-2222-4000-8000-001000000005">
         <title>Access Control and Identity Management Policy</title>
         <description>
            <p>A single policy that addresses both the AC and IA families.</p>
         </description>
         <prop name="type" value="policy"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <prop name="version" value="1.2"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_AC_and_IA_policy.pdf"/>
         <base64 filename="sample_AC_and_IA_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Each policy must be attached as a back-matter resource, and must include:</p>
            <ul>
               <li>a title field with the attached document's published title.</li>
               <li>a "type" property with a value of "policy".</li>
               <li>a "published" property with the attached document's publication date.</li>
               <li>a "version" property with the attached document's published version.</li>
               <li>Either base64 embedded attachment or an rlink with a valid href value.</li>
               <li>both base64 and rlink require a media-type for policies</li>
            </ul>
            <p>Each policy must have a corresponding "policy" component.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000006">
         <title>Awareness and Training Policy Title</title>
         <description>
            <p>AT Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_AT_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000007">
         <title>Audit and Accountability Policy Title</title>
         <description>
            <p>AU Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_AU_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000008">
         <title>Security Assessment and Authorization Policy Title</title>
         <description>
            <p>CA Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CA_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000009">
         <title>Configuration Management Policy Title</title>
         <description>
            <p>CM Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CM_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000010">
         <title>Contingency Planning Policy Title</title>
         <description>
            <p>CP Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CP_policy.pdf"/>
         <!-- Todo: Make base64 optional -->
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000011">
         <title>Identification and Authentication Policy Title</title>
         <description>
            <p>IA Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_IA_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000012">
         <title>Incident Response Policy Title</title>
         <description>
            <p>IR Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_IR_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000013">
         <title>Maintenance Policy Title</title>
         <description>
            <p>MA Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="1.1"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_MA_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000014">
         <title>Media Protection Policy Title</title>
         <description>
            <p>MP Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_MP_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000015">
         <title>Physical and Environmental Protection Policy Title</title>
         <description>
            <p>PE Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PE_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000016">
         <title>Planning Policy Title</title>
         <description>
            <p>PL Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PL_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
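      <resource uuid="11111111-2222-4000-8000-001000000017">
         <!-- Personnel Security (PS) policy attachment, given as an external link (rlink)
              and as embedded content (base64). -->
         <title>Personnel Security Policy Title</title>
         <description>
            <p>PS Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is declared on the rlink as well as on base64: this file's policy
              attachment rules require it on both, and the other policy resources that
              declare it use application/pdf. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PS_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>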
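      <resource uuid="11111111-2222-4000-8000-001000000018">
         <!-- Risk Assessment (RA) policy attachment, given as an external link (rlink) and
              as embedded content (base64). -->
         <!-- Title corrected: RA is the Risk Assessment family in NIST SP 800-53. -->
         <title>Risk Assessment Policy Title</title>
         <description>
            <p>RA Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is declared on the rlink as well as on base64: this file's policy
              attachment rules require it on both, and the other policy resources that
              declare it use application/pdf. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_RA_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>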
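      <resource uuid="11111111-2222-4000-8000-001000000019">
         <!-- System and Service Acquisition (SA) policy attachment; title, version, href and
              base64 content are sample placeholders. -->
         <title>System and Service Acquisition Policy Title</title>
         <description>
            <p>SA Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SA_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>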
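      <resource uuid="11111111-2222-4000-8000-001000000020">
         <!-- System and Communications Protection (SC) policy attachment; title, version, href
              and base64 content are sample placeholders. -->
         <title>System and Communications Protection Policy Title</title>
         <description>
            <p>SC Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SC_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>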
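      <resource uuid="11111111-2222-4000-8000-001000000021">
         <!-- System and Information Integrity (SI) policy attachment; title, version, href and
              base64 content are sample placeholders. -->
         <title>System and Information Integrity Policy Title</title>
         <description>
            <p>SI Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SI_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>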
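      <resource uuid="11111111-2222-4000-8000-001000000022">
         <!-- Supply Chain Risk (SR) policy attachment; title, version, href and base64 content
              are sample placeholders. -->
         <title>Supply Chain Risk Policy Title</title>
         <description>
            <p>SR Policy document</p>
         </description>
         <prop name="type" value="policy" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SR_policy.pdf"/>
         <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Policy Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>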
      <!-- Appendix C - Security Procedure documents -->
      <resource uuid="11111111-2222-4000-8000-001000000023">
         <title>Access Control Procedure Title</title>
         <description>
            <p>AC Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/procedures/sample_AC_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Procedures must be attached as back-matter resources, and must include:</p>
            <ul>
               <li>a title field with the attached document's published title.</li>
               <li>a "type" property with a value of "procedure".</li>
               <li>a "published" property with the attached document's publication date.</li>
               <li>a "version" property with the attached document's published version.</li>
               <li>Either base64 embedded attachment or an rlink with a valid href value.</li>
               <li>both base64 and rlink require a media-type for policies</li>
            </ul>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000024">
         <title>Awareness and Training Procedure Title</title>
         <description>
            <p>AT Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_AT_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000025">
         <title>Audit and Accountability Procedure Title</title>
         <description>
            <p>AU Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_AU_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000026">
         <title>Security Assessment and Authorization Procedure Title</title>
         <description>
            <p>CA Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CA_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000027">
         <title>Configuration Management Procedure Title</title>
         <description>
            <p>CM Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CM_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000028">
         <title>Contingency Planning Procedure Title</title>
         <description>
            <p>CP Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_CP_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000029">
         <title>Identification and Authentication Procedure Title</title>
         <description>
            <p>IA Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_IA_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000030">
         <title>Incident Response Procedure Title</title>
         <description>
            <p>IR Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_IR_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000031">
         <title>Maintenance Procedure Title</title>
         <description>
            <p>MA Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_MA_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000032">
         <title>Media Protection Procedure Title</title>
         <description>
            <p>MP Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_MP_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000033">
         <title>Physical and Environmental Protection Procedure Title</title>
         <description>
            <p>PE Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PE_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000034">
         <title>Planning Procedure Title</title>
         <description>
            <p>PL Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PL_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
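      <resource uuid="11111111-2222-4000-8000-001000000035">
         <!-- Personnel Security (PS) procedure attachment; title, version, href and base64
              content are sample placeholders. -->
         <title>Personnel Security Procedure Title</title>
         <description>
            <p>PS Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_PS_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>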
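      <resource uuid="11111111-2222-4000-8000-001000000036">
         <!-- Risk Assessment (RA) procedure attachment; title, version, href and base64 content
              are sample placeholders. RA is the Risk Assessment control family in NIST SP 800-53. -->
         <title>Risk Assessment Procedure Title</title>
         <description>
            <p>RA Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_RA_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>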
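      <resource uuid="11111111-2222-4000-8000-001000000037">
         <!-- System and Service Acquisition (SA) procedure attachment; title, version, href and
              base64 content are sample placeholders. -->
         <title>System and Service Acquisition Procedure Title</title>
         <description>
            <p>SA Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SA_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>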
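      <resource uuid="11111111-2222-4000-8000-001000000038">
         <!-- System and Communications Protection (SC) procedure attachment; title, version,
              href and base64 content are sample placeholders. -->
         <title>System and Communications Protection Procedure Title</title>
         <description>
            <p>SC Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SC_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>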
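      <resource uuid="11111111-2222-4000-8000-001000000039">
         <!-- System and Information Integrity (SI) procedure attachment; title, version, href
              and base64 content are sample placeholders. -->
         <title>System and Information Integrity Procedure Title</title>
         <description>
            <p>SI Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SI_procedure.pdf"/>
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>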
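      <resource uuid="11111111-2222-4000-8000-001000000040">
         <!-- Supply Chain Risk (SR) procedure attachment; title, version, href and base64
              content are sample placeholders. -->
         <title>Supply Chain Risk Procedure Title</title>
         <description>
            <p>SR Procedure document</p>
         </description>
         <prop name="type" value="procedure" />
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file.
              NOTE(review): the href sits under attachments/policies although this is a procedure;
              the AC procedure uses attachments/procedures. Confirm the intended path. -->
         <rlink media-type="application/pdf" href="./attachments/policies/sample_SR_procedure.pdf"/>
         <!-- The embedded file name follows the other procedure resources (sample_procedure.pdf),
              so an extracted attachment is not labelled as a policy. -->
         <base64 filename="sample_procedure.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>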
      <!-- Appendix D - User Guide -->
      <resource uuid="11111111-2222-4000-8000-001000000041">
         <title>User's Guide</title>
         <description>
            <p>User's Guide</p>
         </description>
         <prop name="type" value="users-guide"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <rlink href="./attachments/guides/sample_guide.pdf"/>
         <!--<base64 media-type="application/pdf" filename="sample_guide.pdf">00000000</base64>-->
         <remarks>
            <p>Table 12-1 Attachments: User's Guide Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix E - Digital Identity Worksheet -->
      <!-- Note - This is specified by 3 properties (//system-security-plan/system-characteristics/prop[contains(@name,"-assurance-level")]) and does not need to be attached separately -->
      <!-- Appendix F - Rules of Behavior -->
      <resource uuid="11111111-2222-4000-8000-001000000042">
         <title>Document Title</title>
         <description>
            <p>Rules of Behavior</p>
         </description>
         <prop name="type" value="rules-of-behavior"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/rob.docx" media-type="application/msword"/>
         <base64 filename="rob.docx" media-type="application/msword">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Rules of Behavior (ROB)</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix G - Information System Contingency Plan (ISCP) -->
      <resource uuid="11111111-2222-4000-8000-001000000043">
         <title>Document Title</title>
         <description>
            <p>Contingency Plan (CP)</p>
         </description>
         <prop name="type" value="plan" class="information-system-contingency-plan"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/cp.docx" media-type="application/msword"/>
         <base64 filename="cp.docx" media-type="application/msword">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Contingency Plan (CP) Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix H - Configuration Management Plan -->
      <resource uuid="11111111-2222-4000-8000-001000000044">
         <title>Document Title</title>
         <description>
            <p>Configuration Management (CM) Plan</p>
         </description>
         <prop name="type" value="plan" class="configuration-management-plan"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/CM_Plan.docx" media-type="application/msword"/>
         <base64 filename="CM_Plan.docx" media-type="application/msword">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Configuration Management (CM) Plan Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix I - Incident Response Plan (IRP) -->
      <resource uuid="11111111-2222-4000-8000-001000000045">
         <title>Document Title</title>
         <description>
            <p>Incident Response (IR) Plan</p>
         </description>
         <prop name="type" value="plan" class="incident-response-plan"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/IR_Plan.docx" media-type="application/msword"/>
         <base64 filename="IR_Plan.docx" media-type="application/msword">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Incident Response (IR) Plan Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix J - CIS and CRM Workbook -->
      <!-- Note - This can be generated from the content in the Security Controls section and no longer needs to be maintained separately or attached. -->
      <!-- Appendix K - FIPS 199 Worksheet -->
      <!-- Note - This is specified in the document (see //system-security-plan/system-characteristics[1]/system-information[1]/information-type) and no longer needs to be maintained separately or attached -->
      <!-- Appendix L - CSP-Specific Required Laws and Regulations -->
      <resource uuid="11111111-2222-4000-8000-001000000046">
         <title>CSP-specific Law Citation</title>
         <prop name="type" value="law"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <document-id scheme="https://www.doi.org/">Identification Number</document-id>
         <rlink href="https://example.com/path/to/document.pdf"/>
         <base64 filename="document.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>A CSP-specific law citation</p>
            <p>The "type" property must be present and contain the value "law".</p>
         </remarks>
         <!-- Todo: Fix Schematron. Make base64 optional -->
      </resource>
      <!-- Appendix M - Integrated Inventory Workbook -->
      <!-- Note - This is specified in the document (see //system-security-plan/system-implementation[1]/inventory-item) and no longer needs to be maintained separately or attached -->
      <!-- Appendix N - Continuous Monitoring Plan -->
      <resource uuid="11111111-2222-4000-8000-001000000047">
         <title>Document Title</title>
         <description>
            <p>Continuous Monitoring Plan</p>
         </description>
         <prop name="type" value="plan" class="continuous-monitoring-plan"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/ConMon_Plan.docx" media-type="application/msword"/>
         <base64 filename="ConMon_Plan.docx" media-type="application/msword">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Continuous Monitoring Plan Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix O - POA&M -->
      <resource uuid="11111111-2222-4000-8000-001000000048">
         <title>Plan of Actions and Milestones (POAM)</title>
         <prop name="published" value="2023-05-31T00:00:00Z"/>
         <!-- If the "oscal-content" FRX is present, any rlink with media type of "application/xml",
              "application/json" or "application/yaml" is expected to be OSCAL XML, JSON or YAML.
              Other rlink media type values are allowed, but those rlink fields are ignored by FedRAMP.
         -->
         <prop ns="http://fedramp.gov/ns/oscal" name="type" value="fedramp-poam"/>
         <rlink media-type="application/xml;oscal-model=poam" href="fedramp-poam-example.oscal.xml" />         
         <remarks>
            <p>The POA&amp;M attachment may either be a legacy Excel workbook or OSCAL file.
            The resource must have:</p>
            <ul>
               <li>a title field with the value, "Plan of Actions and Milestones (POAM)"</li>
               <li>a "published" property with the effective date of the attached POA&amp;M.</li>
               <li>a "type" property with a value of "plan" and a class of "poam".</li>
               <li>Either base64 embedded attachment or an rlink with a valid href value.</li>
               <li>Both base64 and rlink require a media-type for policies</li>
            </ul>
            <p>A "version" property is optional.</p>
            <p>The appropriate media types for OSCAL content 
               are, "application/xml", "application/json" or "application/yaml".</p>
            <p>FedRAMP does not accept base64 POA&amp;M content at this time.</p>
         </remarks>
      </resource>
      <!-- Appendix P - Supply Chain Risk Management Plan (SCRMP) -->
      <resource uuid="11111111-2222-4000-8000-001000000049">
         <title>Supply Chain Risk Management Plan</title>
         <description>
            <p>Supply Chain Risk Management Plan</p>
         </description>
         <prop name="type" value="plan" class="supply-chain-risk-management-plan"/>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <rlink href="./attachments/plans/sample_SCRMP_procedure.pdf"/>
         <base64 filename="sample_SCRMP.pdf" media-type="application/pdf">00000000</base64>
         <remarks>
            <p>Table 12-1 Attachments: Procedure Attachment</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
         </remarks>
      </resource>
      <!-- Appendix Q - Cryptographic Modules Table -->
      <!-- Note - This is specified in the document (see //*/component[@type="cryptographic-module"]) and does not need to be maintained separately or attached -->
      <!-- Other SSP attachments / documents -->
      <resource uuid="11111111-2222-4000-8000-001000000050">
         <title>Interconnection Security Agreement</title>
         <prop name="published" value="2023-01-01T00:00:00Z"/>
         <!-- document date -->
         <prop name="version" value="Document Version"/>
         <prop name="type" value="agreement" class="interconnection-security-agreement"/>
         <rlink href="./attachments/ISAs/ISA-1.docx"/>
         <!-- Todo: Make base64 optional -->
         <base64 filename="ISA-1.docx" media-type="application/msword">00000000</base64>
      </resource>
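      <resource uuid="11111111-2222-4000-8000-001000000051">
         <!-- FedRAMP logo image; the base64 content is a sample placeholder. -->
         <title>FedRAMP Logo</title>
         <description>
            <p>FedRAMP Logo</p>
         </description>
         <prop name="type" value="logo"/>
         <!-- This rlink points at an external host. A tool that renders the SSP should prefer the
              embedded base64 copy, or check the download against a hash child of rlink, rather
              than trust whatever the URL returns. media-type is set here as well as on base64. -->
         <rlink media-type="image/png" href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
         <!-- Todo: Make base64 optional -->
         <base64 filename="logo-main-fedramp.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>Must be present in a FedRAMP SSP.</p>
         </remarks>
      </resource>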
      <resource uuid="11111111-2222-4000-8000-001000000052">
         <title>CSP Logo</title>
         <description>
            <p>CSP Logo</p>
         </description>
         <rlink href="./attachments/img/logo.png" media-type="image/png"/>
         <base64 filename="logo.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
            <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
            <p>Images must be in sufficient resolution to read all detail when rendered in a browser
               via HTML5.</p>
         </remarks>
      </resource>
      <resource uuid="11111111-2222-4000-8000-001000000053">
         <title>3PAO Logo</title>
         <description>
            <p>3PAO Logo</p>
         </description>
         <rlink href="./attachments/img/logo.png" media-type="image/png"/>
         <base64 filename="logo.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
            <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
            <p>Images must be in sufficient resolution to read all detail when rendered in a browser
               via HTML5.</p>
         </remarks>
      </resource>
      <!-- Section 8.1 - SSP Diagrams -->
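      <resource uuid="11111111-2222-4000-8000-001000000054">
         <!-- Authorization boundary diagram (Figure 8-1); href and base64 content are sample
              placeholders. -->
         <title>Boundary Diagram</title>
         <description>
            <p>The primary authorization boundary diagram.</p>
         </description>
         <prop name="type" value="image" class="authorization-boundary" />
         <!-- media-type is set on rlink as well as base64 so a consumer can check the declared
              type before opening the linked file. -->
         <rlink media-type="image/png" href="./attachments/diagrams/boundary.png"/>
         <!-- The embedded file name matches the rlink target (boundary.png), so an extracted
              copy is not mistaken for a logo image. -->
         <base64 filename="boundary.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)</p>
            <p>This should be referenced in the
               system-characteristics/authorization-boundary/diagram/link/@href flag using a value
               of "#11111111-2222-4000-8000-001000000054"</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
            <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
            <p>Images must be in sufficient resolution to read all detail when rendered in a browser
               via HTML5.</p>
         </remarks>
      </resource>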
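      <resource uuid="11111111-2222-4000-8000-001000000055">
         <title>Network Diagram</title>
         <description>
            <p>The primary network diagram.</p>
         </description>
         <prop name="type" value="image" class="network-architecture" />
         <!-- Use rlink and/or base64 -->
         <!-- media-type is declared on rlink, matching the base64 element, so a consumer does
              not have to infer the content type from the file extension. -->
         <rlink href="./attachments/diagrams/network.png" media-type="image/png"/>
         <!-- 00000000 is a placeholder for the real base64 payload. -->
         <base64 filename="network.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>Section 8.1, Figure 8-2 Network Diagram (graphic)</p>
            <p>This should be referenced in the
               system-characteristics/network-architecture/diagram/link/@href flag using a value of
               "#11111111-2222-4000-8000-001000000055"</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
            <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
            <p>Images must be in sufficient resolution to read all detail when rendered in a browser
               via HTML5.</p>
         </remarks>
      </resource>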
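      <resource uuid="11111111-2222-4000-8000-001000000056">
         <title>Data Flow Diagram</title>
         <description>
            <p>The primary data flow diagram.</p>
         </description>
         <prop name="type" value="image" class="data-flow" />
         <!-- media-type is declared on rlink, matching the base64 element, so a consumer does
              not have to infer the content type from the file extension. -->
         <rlink href="./attachments/diagrams/dataflow.png" media-type="image/png"/>
         <!-- 00000000 is a placeholder for the real base64 payload. -->
         <base64 filename="dataflow.png" media-type="image/png">00000000</base64>
         <remarks>
            <p>Section 8.1, Figure 8-3 Data Flow Diagram (graphic)</p>
            <p>This should be referenced in the system-characteristics/data-flow/diagram/link/@href
               flag using a value of "#11111111-2222-4000-8000-001000000056"</p>
            <p>May use <code>rlink</code> with a relative path, or embedded as
               <code>base64</code>.</p>
            <p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
            <p>Images must be in sufficient resolution to read all detail when rendered in a browser
               via HTML5.</p>
         </remarks>
      </resource>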
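      <resource uuid="11111111-2222-4000-8000-001000000058">
         <title>Interconnection Security Agreement (ISA)</title>
         <prop name="type" value="agreement" class="interconnection-security-agreement"/>
         <prop name="published" value="2024-01-31T00:00:00Z" />
         <prop name="version" value="2.1"/>
         <!-- The agreement is carried only as a linked file. rlink accepts a child
              <hash algorithm="SHA-256">[digest of isa.pdf]</hash>, which lets a consumer detect
              a replaced or altered attachment. No digest is recorded here. -->
         <rlink href="./attachments/isa.pdf" media-type="application/pdf" />
      </resource>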
      <resource uuid="11111111-2222-4000-8000-001000100001">
         <title>41 CFR 201</title>
         <prop name="type" class="law" value="citation"/>
         <!-- The citation text is the portable reference; the rlink below is a convenience
              pointer to an external site. -->
         <citation>
            <text><q>Federal Acquisition Supply Chain Security Act; Rule,</q> 85 Federal Register 54263 (September 1, 2020), pp 54263-54271.</text>
         </citation>
         <!-- External target: it is outside the SSP package and carries no hash, so its content
              is not pinned by this document. -->
         <rlink href="https://www.federalregister.gov/d/2020-18939"/>
         <remarks>
            <p>CSP-specific citation. Note the "type" property's class is "law"
               and the value is "citation".</p>
         </remarks>
      </resource>
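      <resource uuid="11111111-2222-4000-8000-001000100002">
         <title>CSP Acronyms</title>
         <prop name="type" class="acronyms" value="citation"/>
         <!-- media-type is declared, as on the other PDF attachments in back-matter, so a
              consumer does not have to infer the content type from the file extension. -->
         <rlink href="./attachments/acronyms.pdf" media-type="application/pdf"/>
         <remarks>
            <p>CSP-specific citation. Note the "type" property's class is "acronyms"
               and the value is "citation".</p>
         </remarks>
      </resource>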
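      <resource uuid="11111111-2222-4000-8000-001000000059">
         <title>Server Security Technical Implementation Guide (STIG)</title>
         <prop name="type" value="external-guidance" class="stig"/>
         <!-- published and version record which release of the guidance is referenced. The
              linked PDF has no hash on rlink, so the file is not tied to that release by this
              document. -->
         <prop name="published" value="2024-01-31T00:00:00Z" />
         <prop name="version" value="2.1"/>
         <rlink href="./attachments/server-stig.pdf" media-type="application/pdf" />
      </resource>
   </back-matter>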
</system-security-plan>