Working with Roles, Locations, People, and Organizations
An OSCAL file defines roles, locations, people, and organizations within the metadata as part of four separate assemblies:
-
role: A role
id
andtitle
are required. Other content, such as ashort-name
,description
, orremarks
is optional. -
location: Locations, such as corporate offices and data center addresses, are defined as
location
assemblies -
party: People and organizations are defined as
party
assemblies. An organization is any collection of people, and can represent a company, agency, department, or team. -
responsible-party: Links roles to parties. The same
role
can have more than oneparty
assigned to it. Also aparty
can be assigned to more than onerole
.
FedRAMP Defined Party Identifiers
FedRAMP has eliminated the use of FedRAMP-Defined Party Identifiers.
Working with Role Assemblies
All roles within the document are defined under the metadata element as follows:
|
|
To ensure consistent processing, FedRAMP has defined a specific set of roles that must exist with a FedRAMP SSP, SAP, SAR, or POA&M. Most are pre-populated in the OSCAL-based FedRAMP Templates. They vary by template.
OSCAL-based FedRAMP tools must ensure these roles, titles, and descriptions exist using the prescribed role IDs within an OSCAL-based FedRAMP file. Additional roles may be added, provided these roles remain.
Working with Location Assemblies
The location
assembly is intended to represent a physical address,
such as the HQ of a CSP or 3PAO, a data center, or an Agency.
Some locations are required. For example, the SSP must contain at
least one location
assembly with the primary business address of the
CSP. The SAP and SAR must contain at least one location
assembly with
the primary business address of the assessor.
OSCAL allows the location title
field to be optional. FedRAMP strongly encourages
its use. If the country
field is missing, FedRAMP tools must assume the
address is within the United States of America.
|
|
Some locations require type properties to ensure FedRAMP tools can
accurately identify required content. For example, the location assembly
for a data center must include a type
property with a value of
data-center
. The class
may be used to indicate whether the data
center is primary
or alternate
.
Working with Party Assemblies
Party assemblies may be used to represent individuals, teams, or an
entire company/agency. When representing an individual, the type
flag
must have a value of person
. When representing a team, company or
agency, the type
flag must have a value of organization
. FedRAMP
artifacts typically require an individual’s title to be identified; the
prop
name job-title
is designated for this purpose.
Contact details, such as an individual’s email address and phone
number, or a business web site may be included and are often required
within FedRAMP artifacts. A short-name
field provides an ability to
define an organization’s acronym or desired abbreviation. This is
required for the CSP, assessor, and any Agency.
|
|
Identifying Organizational Membership of Individuals
An individual may be affiliated with one or more teams/organizations. Use one member-of-organization
field for each team, and one to link the
individual to their employer.
|
|
Identifying the Address of People and Organizations
Representing the address of people or organizations (parties) may be accomplished with one of three approaches:
-
Preferred Approach: When multiple parties share the same address, such as multiple staff members at a company HQ, define the address once as a
location
assembly, then use thelocation-uuid
field within eachparty
assembly to identify the location of that individual or team. -
Alternate Approach: If the address is unique to this individual, it may be included in the
party
assembly itself. -
Hybrid Approach: It is possible to include both a
location-uuid
and anaddress
assembly within aparty
assembly. This may be used where multiple staff are in the same building, yet have different office numbers or mail stops. Use thelocation-uuid
to identify the shared building, and only include a singleaddr-line
field within the party’saddress
assembly.
A tool developer may elect to always create a location assembly, even when only used once; however, tools must recognize and handle all of the approaches above when processing OSCAL files.
|
|
Using Responsible Party Assemblies
The responsible party assembly links party assemblies (people and organizations) to defined roles. FedRAMP tools rely on these linkages to find required content.
For example, an OSCAL-based SSP must have a role defined for the System
Owner using the role ID value system-owner
. The responsible-party
assembly links this required role to the individual (party). FedRAMP
tools follow this linkage to verify that a system owner was identified
in the SSP, and to display that information to reviewers.
|
|