An official website of the United States government
Here’s how you know
Official websites use .gov A
.gov website belongs to an official government
organization in the United States.
Secure .gov websites use HTTPS A
lock (
) or https:// means you’ve safely connected to
the .gov website. Share sensitive information only on official,
secure websites.
For SAP-specific content, each page of the SAP is represented in this
section, along with OSCAL code snippets for representing the information
in OSCAL syntax. There is also XPath syntax for querying the code in an
OSCAL-based FedRAMP SAP represented in XML format.
Content that is common across OSCAL file types is described in the
FedRAMP OSCAL Documentation.
This includes the following:
It is not necessary to represent the following sections of the SAP
template in OSCAL; however, tools should present users with this content
where it is appropriate:
Any blue-text instructions found in the SAP template where the
instructions are related to the content itself.
Table of contents.
Introductory and instructive content in each section.
The Annual SAP was used, which includes all information typically found
in the Initial SAP, plus a scope section that is unique to annual
assessments. OSCAL always requires a scope. For initial assessments, the
scope is all controls. For annual assessments, it is the controls
required by FedRAMP.
NOTE: The FedRAMP SAP template screenshots in the sections that follow
vary slightly from the most current version of the FedRAMP rev 5 SAP
template.
The Background, Purpose, and Applicable Laws sections of the
FedRAMP SAP template contain references to the CSP name, the CSO name,
and the independent assessor (IA) name. The information in these
sections may be represented as a part assembly within the
terms-and-conditions element of an OSCAL SSP. This approach is optional
as the specific data items can simply be queried from an OSCAL SAP and
its associated documents.
<!-- cut --><terms-and-conditions><!-- Section 2 Background --><partns="http://fedramp.gov/ns/oscal"name="background"><title>Background</title><p>Insert text from FedRAMP template</p><p> Insert text from FedRAMP template </p><partns="http://fedramp.gov/ns/oscal"name="nist-sp800-39"><p> Insert text from FedRAMP template</p></part><!-- Section 2.1 --><partns="http://fedramp.gov/ns/oscal"name="purpose"><title>Purpose</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="001"/><p>This SAP has been developed by [IA Name] and is for [an initial assessment/an annual assessment/an annual assessment and significant change assessment/a significant change assessment] of the [CSP Name], [CSO Name]. The SAP provides the goals for the assessment and details how the assessment will be conducted.</p></part><!-- Section 2.2 --><partns="http://fedramp.gov/ns/oscal"name="laws-regulations"><title>Applicable Laws, Regulations, Standards and Guidance</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="002"/><p>The FedRAMP-applicable laws, regulations, standards and guidance are included in the [CSO Name] SSP section – System Security Plan Approvals. Additionally, in Appendix L of the SSP, the [CSP Name] has included laws, regulations, standards, and guidance that apply specifically to this system.</p></part></part><!-- cut --></terms-and-conditions>
(SAP) IA Name:
/assessment-plan/metadata/party[@uuid="uuid-of-ia"]/name
(SAP) Initial assessment, annual assessment, or significant change?
/assessment-plan/metadata/prop[@ns="http://fedramp.gov/ns/oscal" and @name="assessment-type"]/@value
(SAP) Are there no/one/many significant changes in SAP scope?
/assessment-plan/metadata/prop[@ns="http://fedramp.gov/ns/oscal" and @name="significant-changes-scope"]/@value
(SAP) CSP Name:
/assessment-plan/metadata/party[@uuid="uuid-of-csp"]/name
(SSP) CSO Name:
/system-security-plan/system-characteristics/system-name
This information should come entirely from the imported SSP. If the
OSCAL-based SSP exists and is accurate, the tool should query that file
for this information as follows:
Table 2-1
(SSP) Unique Identifier:
/*/system-characteristics/system-id[@identifier-type='http://fedramp.gov/ns/oscal']
(SSP) Information System Name:
/*/system-characteristics/system-name
(SSP) Information System Abbreviation:
/*/system-characteristics/system-name-short
If no OSCAL-based SSP exists, as described in the If No OSCAL-based SSP Exists section, the resource with the “no-oscal-ssp” type must designate the system’s identifier, name, and abbreviation.
NOTE:
The system’s authorization date, purpose, and description have not
historically been displayed in the SAP but must be present when the SAR
references this content.
The SAP references location information in the SSP using its ID and must
explicitly cite each location within the scope of the assessment. While
all is valid OSCAL syntax, FedRAMP requires locations to be explicitly
cited so that the assessor can add their own description of the
location. Also, the SSP will likely also contain locations that are not
data centers.
<assessment-subjecttype="location"><description><p>A description of the locations.</p></description><include-subjectsubject-uuid="uuid-of-location-in-SSP-metadata"type="token"><remarks><p>Briefly describe the components at this location.</p></remarks></include-subject><include-subjectsubject-uuid="uuid-of-location-in-SAP-metadata"type="token"><remarks><p>Briefly describe the components at this location.</p></remarks></include-subject></assessment-subject>
(SSP) List the Data Center UUIDs in the SSP (Primary and Alternate):
/*/metadata/location[prop[@name='type'][@value='data-center']]/@uuid
(SSP) List the Primary Data Center UUIDs in the SSP:
/*/metadata/location[prop[@name='type'][@value='data-center'][@class='primary']]/@uuid
NOTE: For just alternate data centers, replace 'primary' with 'alternate'.
(SAP) Location UUID (First Location cited in SAP):
/*/assessment-subject[@type='location']/include-subject[1]/@subject-uuid
NOTE: Replace "[1]" with "[2]", "[3]", etc.
(SSP) Data Center Site Name (Lookup in SSP, using ID cited in SAP):
/*/metadata/location[@id='location-2']/prop[@name='title'] [@ns='http://fedramp.gov/ns/oscal']
NOTE: Replace 'location-2' with the SSP location as cited in the SAP.
(SSP or SAP) Address:
/*/metadata/location[@uuid='uuid-value-from-SAP']/address/addr-line
NOTE: Replace addr-line with city, state, and postal-code as needed.
There may be more than one addr-line.
(SSP) CSP's Description of Location (from SSP):
/*/metadata/location[@uuid='uuid-value-for-location-2']/remarks
(SAP) Assessor's Description of Components at the first location:
/*/assessment-subject[@type='location']/include-subject[1]/remarks/node()
NOTE: Replace "[1]" with "[2]", "[3]", etc.
If no OSCAL-based SSP exists, or the location of components is not
accurately reflected in the SSP, this information may be added to the
SAP’s metadata section using the same syntax as the SSP. The
include-subject citations are still required as described above;
however, the IDs point to the SAP’s location data instead of the
SSP’s.
The same queries work as presented above; however, the queries are used
in the SAP instead of the SSP.
The SAP references SSP content for this information. Each subnet should
be represented in the SSP as a component with type="subnet". If the
SSP does not enumerate subnets in this way, the SAP tool should allow
the assessor to add them to the SAP’s local-definitions as components.
Beyond subnets, this section is an enumeration of the SSP’s
inventory-item assemblies, which always contain the hostname and IP
address of the item. Other details, such as the software and version
information, may be found in the inventory item itself, or the SSP
inventory item may be linked to an SSP component containing those
details, depending on whether the SSP is using the legacy (flat)
approach or the preferred component approach.
If the assessor needs to add missing component or inventory-item
entries, or if the assessor needs to correct this information, the SAP
tool must add this assessor-provided information to the SAP’s
local-definitions.
See the Guide to OSCAL-based FedRAMP System Security Plans
to learn more about legacy (flat-file) and component-based inventory
approaches. Use a combination of include-subject and exclude-subject
assemblies to specify the SSP IDs of all in-scope components and
inventory-items. Excluding items is typically used in association with
the rules of engagement.
If an inventory-item is linked to a component in the SSP, the component
is automatically within scope as this is often necessary to get the
software and version information. Tools should honor this relationship
and consider linked components to be implicitly in-scope even if the
component was not explicitly cited in the SAP.
<assessment-subjecttype="component"><description><p>A description of the included component.</p></description><include-all/><exclude-subjectsubject-uuid="uuid-of-SSP-component-to-exclude"type="token"/></assessment-subject><assessment-subjecttype="inventory-item"><description><p>Description of the included inventory.</p></description><include-all/><exclude-subjectsubject-uuid="uuid-of-SSP-inventory-item-to-exclude"type="token"/><exclude-subjectsubject-uuid="uuid-of-SSP-inventory-item-to-exclude"type="token"/></assessment-subject><!-- OR --><assessment-subjecttype="inventory-item"><description><p>Description of the included inventory.</p></description><include-subjectsubject-uuid="uuid-of-SSP-inventory-item-to-include"type="token"/><include-subjectsubject-uuid="uuid-of-SSP-inventory-item-to-include"type="token"/><include-subjectsubject-uuid="uuid-of-SSP-inventory-item-to-include"type="token"/></assessment-subject>
(SAP) Should all inventory-items be included? (true/false):
boolean(/*/assessment-subject[@type='inventory-item']/include-all)
NOTE: This means all inventory-items in the SSP's system-implementation as well as all inventory-items in the SAP's local definitions
(SAP) Get the first inventory-item UUID from the SAP:
/*/assessment-subject[@type='inventory-item']/include-subject[1]/@subject-uuid
(SSP) Get Host Name from inventory-item in the SSP:
/*/system-implementation/system-inventory/inventory-item[@uuid='uuid-value-from-above']/prop[@name='fqdn']
If no OSCAL-based SSP exists, or the inventory information is not
accurately reflected in the SSP, this information may be added to the
SAP’s local-definition section as described below. The include-subject
citations are still required as described above; however, the UUIDs
point to the SAP’s local definitions instead of the SSP’s.
<local-definitions><inventory-itemuuid="uuid-value"><description><p>A Windows laptop, not defined in the SSP inventory.</p></description><propname="ipv4-address"value="10.1.1.99"/><propname="virtual"value="no"/><propname="public"value="no"/><propname="fqdn"value="dns.name"/><propname="mac-address"value="00:00:00:00:00:00"/><propname="software-name"value="Windows 10"/><propname="version"value="V 0.0.0"/><propname="asset-type"value="os"/><!-- Use any needed prop allowed in an SSP inventory item --></inventory-item><inventory-itemuuid="uuid-value"asset-id="none"><description><p>A subnet not defined in the SSP inventory.</p></description><propname="ipv4-subnet">10.20.30.0/24</prop><!-- Use any needed prop allowed in an SSP inventory item --></inventory-item></local-definitions><assessment-subjecttype="inventory-item"><description><p>Description of the included inventory.</p></description><include-subjectsubject-uuid="uuid-of-SAP-inventory-item-to-include"type="token"/><include-subjectsubject-uuid="uuid-of-SAP-inventory-item-to-include"type="token"/></assessment-subject>
(SAP) Get the included ID the same way:
/*/assessment-subject[@type='inventory-item']/include-subject[2]/@subject-uuid
(SAP) Get Subnet from inventory-item in the SAP:
/*/local-definitions/inventory-item[@uuid='value-from-above']/prop[@name='ipv4-subnet']/@value
This typically appears in the inventory-item itself with the legacy
approach and appears in a component associated with the inventory-item
if the SSP is using the component-based approach. See the Guide to OSCAL-based System Security Plans (SSP) for details on the flat-file and component-based approaches.
FedRAMP expects the assessor to review and validate the list of
identified web applications, both initially in the SAP and as a result
of the discovery scans once the assessment begins. SAP tools should
facilitate this review and adjustment of inventory data as needed for
the assessor to properly identify all web applications for testing.
For every web interface to be tested, whether pre-identified in the SSP
inventory or identified by the assessor, there must be a task entry. If
the inventory-item already contains the login-url, the tool should
duplicate it here. If not, the tool should enable the assessor to add it
here. A SAP tool should also enable the assessor to add a login-id for
test users here. Both use FedRAMP extensions.
<local-definitions><activityuuid="uuid-of-web-application-activity"><title>Web Application Test #1</title><description><p>Describe this web application test.</p></description><propname="type"ns="http://fedramp.gov/ns/oscal"value="web-application"/></activity></local-definitions><!-- cut: terms-and-conditions, reviewed-controls, assessment-subject --><taskuuid="task-uuid-value"><title>Web Application Tests</title><taskuuid="uuid-value"><title>Web Application Test #1</title><propname="type"ns="http://fedramp.gov/ns/oscal"value="web-application"/><propname="login-url"ns="http://fedramp.gov/ns/oscal"value="https://service.offering.com/login"/><propname="login-id"ns="http://fedramp.gov/ns/oscal"value="test-user"/><associated-activityactivity-uuid="uuid-of-web-application-activity"><subjecttype="inventory-item"><include-subjectsubject-uuid="uuid-of-SSP-inventory-item"type="inventory-item"/></subject></associated-activity></task></task>
(SAP) Login URL:
(/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-url'][@ns="http://fedramp.gov/ns/oscal"]
(SAP) Login ID:
(/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/prop[@name='login-id'][@ns="http://fedramp.gov/ns/oscal"]
(SAP) Inventory-ID of host:
(/*//task[prop[@name='type'][@ns="http://fedramp.gov/ns/oscal"][@value='web-application']])[1]/ associated-activity/subject[@type='inventory-item']/include-subject/@subject-uuid
NOTE: Replace "[1]" with "[2]", "[3]", etc.
REMEMBER: The inventory-item could be in the SSP's system-implementation or the SAP's local-definitions.
This typically appears in the inventory-item itself with the legacy
(flat-file) approach and appears in a component associated with the
inventory-item if the SSP is using the component-based approach. See the
Guide to OSCAL-based System Security Plans (SSP) for details on the flat-file and component-based approaches.
FedRAMP expects the assessor to review and validate the list of
identified databases, both initially in the SAP and as a result of
discovery scans once the assessment begins. SAP tools should facilitate
this review and adjustment of inventory data as needed for the assessor
to properly identify all databases for testing.
(SSP) Host name of first database in SSP (flat file approach):
(/*/system-implementation/system-inventory/inventory-item/prop[@name='scan-type'][string()='database'])[1]/../prop[@name='fqdn']
(SSP) Host name of the first database in SSP (component approach) [xPath 2.0+ only]:
(let $key:=/*/system-implementation/component[prop [@name='scan-type'] [@ns='http://fedramp.gov/ns/oscal']='database']/@id return /*/system-implementation/system-inventory/inventory-item [implemented-component/@component-id=$key]/prop[@name='fqdn'])[1]
If no OSCAL-based SSP exists, or an item is missing completely from the
SSP inventory, it should have already been added as described in the If No OSCAL-based SSP Exists section.
If a pre-existing SSP inventory item fails to properly identify a
database, the tool should enable the assessor to add this designation
with an entry in the SAP local-definitions, except the value of database
should be used instead of web for the scan-type.
Historically, FedRAMP assessors often identified generalized roles for
testing, such as internal, external, and privileged rather
than citing the specific roles enumerated in the SSP. This is in
response to a FedRAMP requirement to test roles from each perspective.
Assessors must ensure all roles are included for testing and identify
roles excluded from testing. When processing an OSCAL SAP, SAP tools
should present assessors with the roles from the associated (import-ssp)
SSP so the assessor can select specific roles for testing. SAP tools
should allow the assessor to easily identify roles that are excluded.
The SSP - Responsible Roles and Parameter Assignments section describes personnel roles and privileges with examples illustrating how
to identify them in an OSCAL SSP. If the roles slated for testing
exist in the SSP, the SSP roles are referenced from the SAP using their
SSP IDs as defined in the SSP user assemblies in the system-implementation section of the OSCAL-based SSP file. Note that in this case, the SAP role must actually map to the uuid of the user assembly in the SSP.
Assessors should ensure the selection of at least one SSP-defined role
from each of the common generalized role categories (“internal”,
“external”, and “privileged”). If the assessor elects to reference more
generic roles, the SAP tool should enable the assessor to create these
generic roles locally in the SAP local-definitions assembly.
<local-definitions><!-- add user assembly for each role to be assessed --><useruuid=”uuid-value”><title>Assessor Specified Role</title><propname=”sensitivity”ns=”http://fedramp.gov/ns/oscal”value=”limited”/><propname=”type”value=”external”/><propname=”privilege-level”value=”no-logical-access”/><role-id>id-for-assessor-specified-role</role-id><authorized-privilege><title>Full administrative access (root)</title><function-performed>Add/remove users and hardware</function-performed><function-performed>install and configure software</function-performed><function-performed>OS updates, patches and hotfixes</function-performed><function-performed>perform backups</function-performed></authorized-privilege></user></local-definitions>
For every role to be tested, whether pre-identified in the SSP or
identified by the assessor, there must be an assessment-subject entry,
and at least one corresponding task. A SAP tool should enable the
assessor to add a test user ID here via FedRAMP extension properties.
<assessment-plan><!-- cut metadata --><!-- cut import-ssp, local-definitions, terms-and-conditions, reviewed-controls --><!-- set type to 'user' --><assessment-subjecttype="user"><description><p>A description of the included roles.</p><p>A description of an excluded role.</p></description><!-- uuid from SSP or SAP lcocal-definitions --><include-subjectsubject-uuid="user-uuid-from-SSP"type="token"/><exclude-subjectsubject-uuid="user-uuid-from-SSP"type="token"/></assessment-subject><!-- cut assessment-assets --><taskuuid="task-uuid"type="action"><title>Role-Based Tests</title><taskuuid="test1-uuid"type="action"><title>Role Based Test #1</title><propname="test-type"ns="http://fedramp.gov/ns/oscal"value="role-based"/><propname="login-id"ns="http://fedramp.gov/ns/oscal"value="test-user"/><!-- uuid from SSP or SAP lcocal-definitions --><propname="user-uuid"ns="http://fedramp.gov/ns/oscal"value="user-uuid-value"/><associated-activityactivity-uuid="uuid-of-role-testing-activity"/></task><taskuuid="test2-uuid"type="action"><title>Role Based Test #2</title><propname="test-type"ns="http://fedramp.gov/ns/oscal"value="role-based"/><propname="login-id"ns="http://fedramp.gov/ns/oscal"value="test-admin"/><!-- uuid from SSP or SAP lcocal-definitions --><propname="user-uuid"ns="http://fedramp.gov/ns/oscal"value="user-uuid-value"/><associated-activityactivity-uuid="uuid-of-role-testing-activity"/></task></task><!-- cut back-matter --></assessment-plan>
SAP Assumptions use syntax similar to OSCAL control catalog statements.
They have a sort-id, which a tool can use to ensure the intended
sequence is maintained.
The insert elements can be used by tool developers as insertion points
for data items that the tool may manage as parameters. The use of insert
within an OSCAL part is described on the NIST OSCAL Concepts page.
<terms-and-conditions><partname="assumptions"><partname="assumption"><propname="sort-id"value="001"/><p>This SAP is based on <inserttype="param"id-ref="cso_name_prm"/>...</p></part><partname="assumption"><propname="sort-id"value="002"/><p>The <inserttype="param"id-ref="csp_name_prm"/> ... </p></part><partname="assumption"><propname="sort-id"value="003"/><p>The <inserttype="param"id-ref="ia_name_prm"/> ... </p></part><partname="assumption"><propname="sort-id"value="004"/><p>The <inserttype="param"id-ref="csp_name_prm"/>... </p></part><partname="assumption"><propname="sort-id"value="005"/><p>Security controls that ... on these security controls.</p></part></part></terms-and-conditions>
(SAP) Obtain Sort IDs, for sorting by the SAP tool:
/*/terms-and-conditions/part[@name='assumptions']/ part[@name='assumption']/prop[@name='sort-id']
(SAP) The first assumption statement:
/*/terms-and-conditions/part[@name='assumptions']/ part[@name='assumption']/prop[@name='sort-id'] [.='001']/../(* except prop)
NOTE: Replace '001' with '002', '003', etc. for each sort-id based on desired order.
NOTES:
If the tool is using XPath 1.0 or 2.0, the tool must sort the
results of the sort-id list, and then obtain the assumptions in the
intended sequence. XPath 3.0 has a sort function, which can perform
the sort for the tool.
OSCAL does not support the insertion of values within Markup
Multiline at this time. The tool must either replace each "[CSP
Name]" and "[3PAO Name]" with the appropriate value or enable
the assessor to manually make those changes. This feature may be
added to a future version of OSCAL.
In general, the methodology is simply a single markup multiline field, which enables the assessor to modify the content using rich text formatting. The FedRAMP SAP template includes subsections for Control Testing, Data Gathering, Sampling, and Penetration Test. Each of these sections must be present in the FedRAMP OSCAL SAP terms-and-condition assembly as subparts within a part named “methodology”. The subparts are specifically defined for FedRAMP SAP, so they have namespace “http://fedramp.gov/ns/oscal" and attributes named “control-testing”, “data-gathering”, “sampling”, and “pen-testing”.
<terms-and-conditions><!-- Section 5 --><partname="methodology"><title>Methodology</title><!-- Section 5.1 Control Testing --><partns="http://fedramp.gov/ns/oscal"name="control-testing"><title>Control Testing</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="001"/><p>[IA Name] will ... </p></part><!-- Section 5.2 Data Gathering --><partns="http://fedramp.gov/ns/oscal"name="data-gathering"><title>Data Gathering</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="002"/><p>[IA Name] data gathering activities will ... </p></part><!-- Section 5.3 Sampling --><partns="http://fedramp.gov/ns/oscal"name="sampling"><title>Sampling</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="003"/><propns="http://fedramp.gov/ns/oscal"name="sampling"value="no"/><p>The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.</p><p>[IA Name] [will/will not] ... </p></part><!-- Section 5.4 Penetration Test --><partns="http://fedramp.gov/ns/oscal"name="pen-testing"><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="004"/><p>The Penetration Test Plan and Methodology is attached in Appendix C.</p></part></part><!-- cut --></terms-and-conditions>
FedRAMP requires the presence of the sampling property, which indicates whether sampling will be used by the
assessor for the assessment. The insert elements can be used by tool developers for insertion points for data items that the tool may manage as parameters. CSP tools must display a definitive statement based on the value of the sampling property.
<terms-and-conditions><!-- Section 5 --><partname="methodology"><title>Methodology</title><!-- Section 5.3 Sampling --><partns="http://fedramp.gov/ns/oscal"name="sampling"><title>Sampling</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="003"/><propns="http://fedramp.gov/ns/oscal"name="sampling"value="no"/><p>The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.</p><p>[IA Name] [will/will not] ... </p></part></part><!-- cut --></terms-and-conditions>
(SAP) Will the assessor use sampling?:
/*/terms-and-conditions/part[@name='methodology']/prop[@name='sampling']/@value
(SAP) Methodology Description:
/*/terms-and-conditions/part[@name='methodology']/(* except prop)
NOTES:
The SAP tool should provide the assessor with an automated way to
replace [CSP Name] and [3PAO Name] with the actual names of
those parties.
The SAP tool should allow the assessor to modify this content as
needed.
An OSCAL SAP must always explicitly select the in-scope controls from
the applicable FedRAMP Baseline/Profile. For initial assessments, this
can be as simple as specifying include-all. For annual assessments, use
include-control instead, one for each control included in the
assessment. Controls may also be explicitly excluded from the control
scope.
<!-- metadata --><reviewed-controls><control-selection><description><p>Include all controls in the baseline.</p><p>Then exclude any specific controls if necessary.</p><p>Provide rationale/justification for control exclusion here.</p></description><include-all/><exclude-controlcontrol-id="ac-1"/><!-- OR --><include-controlcontrol-id="ac-2"/><include-controlcontrol-id="ac-3"/><!-- repeat as needed for each control --></control-selection><!-- control-objectives --><!-- objectives --><control-objective-selection><!-- cut --></control-objective-selection></reviewed-controls><!-- assessment-subject -->
(SAP) Include All Controls? (true or false):
boolean(/*/objectives/controls/include-all)
(SAP) Exclude Controls Specified? (true or false):
boolean(/*/objectives/controls/exclude-control)
(SAP) Exclude Controls Total (integer):
count(/*/objectives/controls/exclude-control)
(SAP) Exclude Specific Control (string):
/*/objectives/controls/exclude-control[1]/@control-id
NOTE: Replace "exclude-control" with "include-control" above for any explicitly included controls; however, this is redundant when used with 'all'.
NOTES:
Tools should validate the control IDs for explicitly included or
excluded controls using the relevant baseline.
FedRAMP’s guidance and requirements regarding which controls are
in-scope for each assessment do not change with OSCAL.
The SAP’s metadata is used to represent
the assessor’s name address and URL. This uses the OSCAL common role,
party, and responsible-party assemblies. Some roles are specific to the
SAP. In the responsible-party assembly, the party-uuid may point to a
party in the SSP or SAP. The SAP tool must not assign a role ID or party
ID that duplicates one used in the SSP.
The SAP’s metadata is used to represent the assessment team and
assessment lead. This uses the OSCAL common role, party, and
responsible-party assemblies. Some roles are specific to the SAP. The
SAP tool must not assign a role ID or party ID that duplicates one used
in the SSP.
<metadata><!-- cut: title, published, last-modified, version, oscal-version, prop --><roleid="assessment-team"><title>Assessment Team</title><desc>The individual or individuals performing the assessment.</desc></role><partyid="sap-person-2"type="person"><person-name>[SAMPLE]Person Name 2</person-name><org-id>assessment-org</org-id><location-id>sap-location-1</location-id><email>name@org.domain</email><phone>202-000-0000</phone></party><!-- Repeat party for each person 3 - 5 --><responsible-partyrole-id="assessment-team"><party-uuid>sap-person-2</party-uuid><party-uuid>sap-person-3</party-uuid><party-uuid>sap-person-4</party-uuid><party-uuid>sap-person-5</party-uuid></responsible-party></metadata>
(SAP) Number of Assessment Team Members (integer):
count(/*/metadata/responsible-party[@role-id='assessment-team']/party-uuid)
(SAP) Name of First Assessment Team Member:
/*/metadata/party[@id=/*/metadata/responsible-party[@role-id='assessment-team'] /party-uuid[1]]/person/person-name
(SAP) Role of First Assessment Team Member:
/*/metadata/role[@id='assessment-team'][1]/title
(SAP) Contact Information of First Assessment Team Member (phone):
/*/metadata/party[@id=/*/metadata/responsible-party[@role-id='assessment-team'] /party-uuid[1]]/person/phone
NOTE: Replace 'phone' with 'email'
NOTE: Replace [1] as needed with [2], [3], etc.
The SAP’s metadata is used to represent the CSP’s points of contact.
This uses the OSCAL common role, party, and responsible-party
assemblies. In the responsible-party assembly, the party-uuid may point
to a party in the SSP or SAP. The SAP tool must not assign a role ID or
party ID that duplicates one used in the SSP. If an individual is
already identified via a party assembly in the SSP, that individual’s
information should not be duplicated in the SAP. Instead, the SAP should
reference the SSP party ID for that individual.
<metadata><roleid="csp-assessment-poc"><title>CSP POCs During Testing</title><desc>At least three CSP POCs must be identified in a FedRAMP SAP.</desc></role><!-- Only define a CSP party in the SAP when no appropriate party exists in SSP --><responsible-partyrole-id="csp-assessment-poc"><!-- At least three --><party-uuid>person-1</party-uuid><party-uuid>person-2</party-uuid><party-uuid>soc</party-uuid></responsible-party></metadata>
(SAP) Number of CSP Assessment POCs (integer):
count(/*/metadata/responsible-party[@role-id='csp-assessment-poc']/party-uuid)
(SAP) ID of the first CSP Assessment POC:
/*/metadata/responsible-party[@role-id='csp-assessment-poc']/party-uuid[1]
NOTE: Replace [1] as needed with [2], [3], etc.
(SAP) Role:
/*/metadata/role[@id='csp-assessment-poc']/title
(SSP) Name of the first person or organization:
/*/metadata/party[@id='person-1']/(./person/person-name | ./org/org-name)
(SSP) Phone for the first person or organization:
/*/metadata/party[@id='person-1']//phone
(SSP) Email for the first person or organization:
/*/metadata/party[@id='person-1']//email
NOTE: Replace 'person-1' with each party-uuid found in the responsible role.
NOTES:
IDs used for roles or parties in the SAP must not duplicate IDs used
for roles or parties in the SSP.
Only define a CSP party in the SAP when no appropriate party exists
in the SSP.
Automated tools are enumerated in the assets section of the SAP using
the tools assembly. Each tool is listed using the same component syntax
available in the SSP.
<assessment-assets><componentuuid="assessor-component1-uuid"type="software"><title>XYZ Vulnerability Scanning Tool</title><description><p>Describe the purpose of the tool here.</p></description><propname="vendor"value="Vendor Name"/><propname="name"value="Tool Name"/><propname="version"value="1.2.3"/><statusstate="operational"/></component><componentuuid="assessor-componenet2-uuid"type="software"><title>XYZ Database Scanning Tool</title><description><p>Describe the purpose of the tool here.</p></description><propname="vendor"value="Vendor Name"/><propname="name"value="Tool Name"/><propname="version"value="1.2.3"/><statusstate="operational"/><remarks><p><!-- cut --></p></remarks></component></assessment-assets ><!-- assessment-activities -->
(SAP) Number of Tools (integer):
count(/*/assessment-assets/component)
(SAP) Name of first tool:
/*/assessment-assets/component[1]/prop[@name='name']/@value
(SAP) Vendor/Organization Name of first tool:
/*/assessment-assets/component[1]/prop[@name='vendor']/@value
(SAP) Version of first tool:
/*/assessment-assets/component[1]/prop[@name='version']/@value
(SAP) Purpose of first tool:
/*/assessment-assets/component[1]/description/node()
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
OSCAL syntax requires a status field within each component assembly.
For FedRAMP, assessment tool state should typically be
operational, otherwise a remark must be provided.
<local-definitions><activityuuid="2715174e-9355-4775-bea4-4068e59e916b"><title>Title of the Manual Test</title><description><p>Description of the manual test</p></description><propname="type"value="manual"/><propname="label"value="Test ID"/><stepuuid="fb039fd7-5a2b-4c0f-867c-88cce9c3778c "><description><p>Describe test step #1</p></description><propname="sort-id"value="001"/></step><stepuuid="fb039fd7-5a2b-4c0f-867c-88cce9c3778c "><description><p>Describe test step #2</p></description><propname="sort-id"value="002"/></step><stepuuid="fb039fd7-5a2b-4c0f-867c-88cce9c3778c "><description><p>Describe test step #3</p></description><propname="sort-id">003</prop></step></activity><activityuuid="3ba68918-80ef-4846-89e0-9f1def7e5223"><title>[SAMPLE]Forceful Browsing</title><description><p>We will login as a customer ...cut... browser to various URLs</p></description><propname="type"value="manual"/><propname="label"value="Test ID"/></activity></local-definitions>
(SAP) Number of manual test methods (integer):
count(/*/local-definitions/activity[prop[@name='type'][@value='manual']])
(SAP) Test ID of first manual test method:
(/*/local-definitions/activity[prop[@name='type'][@value='manual']]) [1]/prop[@name='label']
(SAP) Test Name of first manual test method:
(/*/local-definitions/activity[prop[@name='type'][@value='manual']]) [1]/title
(SAP) Description of first manual test method:
(/*/local-definitions/activity[prop[@name='type'][@value='manual']]) [1]/description/node()
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
If a test method represents more than one test type, such as a manual
test that is also a role-based test, the test-type property should
appear twice, indicating each type.
The FedRAMP OSCAL SAP terms-and-condition assembly should contain a
part with ns="http://fedramp.gov/ns/oscal" name="manual-methods-testing" when needed to facilitate rendering of
OSCAL SAP by tools. The insert elements can be used by tool developers
as insertion points for data items such as test ID, test name, and test
description if the tool is able to manage them as parameters. The use of
insert within an OSCAL part is described on the NIST OSCAL Concepts page. The XPath queries below show how to identify manual test information within the OSCAL SAP.
<terms-and-conditions><!-- Section 6 Test Plan --><partns="http://fedramp.gov/ns/oscal"name="test-plan"><title>Test Plan</title><!-- Section 6.4 Testing performed using manual methods --><partns="http://fedramp.gov/ns/oscal"name="manual-methods-testing"><title>Testing Performed Using Manual Methods</title><propns="http://fedramp.gov/ns/oscal"name="sort-id"value="004"/><!-- Table 6-4 Describe what technical tests will be performed through manual methods without the use of automated tools. --><table><tr><th>Test ID</th><th>Test Name</th><th>Description</th></tr><tr><!-- Identifiers must be in the format MT-1, MT-2, etc., which indicates "Manual Test 1", "Manual Test 2", etc. --><td>[Insert test ID]</td><td>[Insert test name]</td><td>[Insert test description text]</td></tr></table></part></part><!-- cut --></terms-and-conditions>
(SAP) Test ID:
/assessment-plan/local-definitions[1]/activity[1]/prop[@ns="http://fedramp.gov/ns/oscal" and @name="label"]/@value
(SAP) Test Name:
/assessment-plan/local-definitions[1]/activity[1]/title
(SAP) Description:
/assessment-plan/local-definitions[1]/activity[1]/description/p
NOTE: Replace [1] as needed with [2], [3], etc.
<taskuuid="17030aaf-7712-4228-8607-a5a97a785efa"type="action"><title>Prepare Test Plan</title><description><p>optional description here</p></description><timing><within-date-rangestart="2020-06-01T00:00:00Z"end="2020-06-15T00:00:00Z"/></timing></task><taskuuid="b65e7779-bd3d-4a49-9de5-3122c290792f"type="action"><title>Meeting to Review Test Plan</title><description><p>optional description here</p></description><timing><within-date-rangestart="2020-06-01T00:00:00Z"end="2020-06-15T00:00:00Z"/></timing></task>
(SAP) Number of tasks in schedule (integer):
count(/*/task)
(SAP) Name of first task:
/*/task[1]/title
(SAP) Start date of first task:
/*/task[1]/timing/within-date-range/@start
(SAP) Finish date of first task:
/*/task[1]/timing/within-date-range/@end
(SAP) Optional Description of first task:
/*/task[1]/description/node()
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
In the OSCAL file, the start and end fields must use the OSCAL data
type
dateTime-with-timezone.
The time may be entered as all zeros.
For FedRAMP, a SAP tool should display only the date and ignore the
time. The date should be presented to the user in a more
user-friendly format.
(SAP) Count scan origination addresses (integer):
count(/*/assessment-assets/assessment-platform/prop[@name='ipv4-address'])
(SAP) First scan origination address:
/*/assessment-assets/assessment-platform/prop[@name='ipv4-address'][1]
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
A SAP tool should present the scan origination addresses using the
statement:
“All scans will originate from the following IP address(es):”,
followed by the list of addresses.
<terms-and-conditions><partname="disclosures"><partname="disclosure"><propname="sort-id"value="001"/><p>Any testing will be performed according to terms and conditions designed to minimize risk exposure that could occur during security testing.</p></part><partname="disclosure"><propname="sort-id"value="002"/><p>A disclosure statement</p></part></part></terms-and-conditions>
(SAP) Count other disclosure statements (integer):
count(/*/terms-and-conditions/part[@name='disclosures']/part[@name='disclosure'])
(SAP) Obtain Sort IDs, for sorting by the SAP tool:
/*/terms-and-conditions/part[@name='disclosures']/part[@name='disclosure']/prop[@name='sort-id']
(SAP) The first assumption statement:
/*/terms-and-conditions/part[@name='disclosures']/part[@name='disclosure']/prop[@name='sort-id'] [string()='001']/../(* except prop)
NOTE: Replace '001' with '002', '003', etc. for each sort-id based on desired order.
NOTES:
A SAP tool should present the scan origination addresses using the
statement:
“All scans will originate from the following IP address(es):”,
followed by the list of addresses.
SAP authors should describe the security testing that may be included
within the terms-and-conditions assembly, in the “included-activities”
part and its “included-activity” sub-parts.
<terms-and-conditions><partname="included-activities"><title>Included Activities</title><p>The following activities are to be included as part of the FedRAMP assessment.</p><partname="included-activity"></part><partname="included-activity"><p>Port scans and other network service interaction and queries</p></part><partname="included-activity"><p>Network sniffing, traffic monitoring, traffic analysis, and host discovery</p></part><partname="included-activity"><p>Attempted logins or other use of systems, with any account name/password</p></part><partname="included-activity"><p>Attempted structured query language (SQL) injection and other forms of input
parameter testing</p></part><!-- cut other included-activities --></part></terms-and-conditions>
(SAP) Number of Included Activities:
count(/*/terms-and-conditions/part[@name='included-activities']/part[@name='included-activity'])
(SAP) First Included Activity:
/*/terms-and-conditions/part[@name='included-activities']/part[@name='included-activity'][1]/node()
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
An assessment tool should present a list of included activities with
a preceding phrase such as, “Security testing may include the
following activities:”
SAP authors should describe exclusive disclosures within the
terms-and-conditions assembly, in the “excluded-activities” part and its
“excluded-activity” sub-parts.
<terms-and-conditions><partname="excluded-activities"><title>Excluded Activities</title><p>The following activities are explicitly excluded from the assessment.</p><partname="excluded-activity"><p>Changes to assigned user passwords</p></part><partname="excluded-activity"><p>Modification of user files or system files</p></part><partname="excluded-activity"><p>Telephone modem probes and scans (active and passive)</p></part><partname="excluded-activity"><p>Intentional viewing of [CSP Name] staff email, Internet caches, and/or personnel
cookie files</p></part><partname="excluded-activity"><p>Denial of service attacks</p></part><partname="excluded-activity"><p>Exploits that will introduce new weaknesses to the system</p></part><partname="excluded-activity"><p>Intentional introduction of malicious code (viruses, Trojans, worms, etc.)</p></part></part></terms-and-conditions>
(SAP) Number of Excluded Activities:
count(/*/terms-and-conditions/part[@name='excluded-activities']/part[@name='excluded-activity'])
(SAP) First Excluded Activity:
/*/terms-and-conditions/part[@name='excluded-activities']/part[@name='excluded-activity'][1]/node()
NOTE: Replace [1] as needed with [2], [3], etc.
NOTES:
An assessment tool should present a list of included activities with
a preceding phrase such as, “Security testing will not include any
of the following activities:”
<metadata><roleid="csp-end-of-testing-poc"><title>CSP's End of Testing Notification POC</title><desc>A role for an individual within the CSP to be notified by the assessor when testing is complete.</desc></role><!-- Only define CSP party in SAP when no appropriate party exits in SSP --><responsible-partyrole-id="csp-end-of-testing-poc"><!-- At Least one --><party-uuid>person-2</party-uuid></responsible-party></metadata>
(SAP) Number of CSP Parties to notify at EOT (integer):
count(/*/metadata/responsible-party[@role-id='csp-end-of-testing-poc']/party-uuid)
(SAP) ID of the first CSP Party to Notify:
/*/metadata/responsible-party[@role-id='csp-end-of-testing-poc']/party-uuid[1]
NOTE: Replace [1] as needed with [2], [3], etc.
(SSP) Name of the first person or team:
/*/metadata/party[@id='person-2']/(./person/person-name | ./org/org-name)
(SSP) Phone for the first person or team:
/*/metadata/party[@id='person-2']//phone
(SSP) Email for the first person or team:
/*/metadata/party[@id='person-2']//email
NOTE: Replace 'person-2' with each party-uuid found in the responsible role.
NOTES:
IDs used for roles or parties in the SAP must not duplicate IDs used
for roles or parties in the SSP.
Only define a CSP party in the SAP when no appropriate party exists
in the SSP.
<metadata><roleid="csp-results-poc"><title>CSP Results POCs</title><desc>A role for the individuals within the CSP who are to receive the assessment results.</desc></role><!-- Only define CSP party in the SAP when no appropriate party exits in SSP --><responsible-partyrole-id="csp-results-poc"><!-- One or More --><party-uuid>person-1</party-uuid><party-uuid>person-2</party-uuid></responsible-party></metadata>
(SAP) Number of CSP Test Result POCs (integer):
count(/*/metadata/responsible-party[@role-id='csp-results-poc']/party-uuid)
(SAP) ID of the first CSP Assessment POC:
/*/metadata/responsible-party[@role-id='csp-results-poc']/party-uuid[1]
NOTE: Replace [1] as needed with [2], [3], etc.
(SSP) Name of the first person or organization:
/*/metadata/party[@id='person-1']/person/person-name
(SSP) Role/Title of the first person:
/*/metadata/party[@id='person-1']/person/prop[@name='title'] [@ns='http://fedramp.gov/ns/oscal']
(SSP) Phone for the first person or organization:
/*/metadata/party[@id='person-1']//phone
(SSP) Email for the first person or organization:
/*/metadata/party[@id='person-1']//email
NOTE: Replace 'person-1' with each party-uuid found in the responsible role.
NOTES:
IDs used for roles or parties in the SAP must not duplicate IDs used
for roles or parties in the SSP.
Only define a CSP party in the SAP when no appropriate party exists
in the SSP.
The SAP muse document any limitation of liability within the terms-and-conditions assembly as a collection of liability-limitationpart assemblies, as illustrated in the OSCAL representation below.
<terms-and-conditions><partname="liability-limitations"><title>FedRAMP Required Limitation of Liability Statements</title><partname="liability-limitation"><propname="sort-id"value="001"/><p><inserttype="param"id-ref="3pao_name_prm"/>, and its stated partners, shall not be held liable to <inserttype="param"id-ref="csp_name_prm"/> for any and all liabilities, claims, or damages arising out of or relating to the security vulnerability testing portion of this agreement, howsoever caused and regardless of the legal theory asserted, including breach of contract or warranty, tort, strict liability, statutory liability, or otherwise.</p></part><partname="liability-limitation"><propname="sort-id"value="002"/><p><inserttype="param"id-ref="csp_name_prm"/> acknowledges that there are limitations inherent in the methodologies implemented, and the assessment of security and vulnerability relating to information technology is an uncertain process based on past experiences, currently available information, and the anticipation of reasonable threats at the time of the analysis. There is no assurance that an analysis of this nature will identify all vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate all exposure.</p></part></part></terms-and-conditions>
(SAP) Count individual limitations of liability statements (integer):
count(/*/terms-and-conditions/part[@name='liability-limitations']/ part[@name='liability-limitation'])
(SAP) Obtain Sort IDs, for sorting by the SAP tool:
/*/terms-and-conditions/part[@name='liability-limitations']/part[@name='liability-limitation'] /prop[@name='sort-id']
(SAP) The first liability limitation statement:
/*/terms-and-conditions/part[@name='liability-limitations']/part[@name='liability-limitation']/prop [@name='sort-id'] [string()='001']/../(* except prop)
NOTE: Replace '001' with '002', '003', etc. for each sort-id based on desired order.
Using a machine-readable format such as OSCAL for SAP content creates a
challenge in the handling of acceptance signatures. Early adopters are
encouraged to approach the FedRAMP PMO to discuss specific solutions on
a case-by-case basis. Until such time as the FedRAMP PMO and JAB have a
well-established capability for handling signatures, one of the
following approaches is encouraged:
Manual “Wet” Signature Approach (Document or Letter)
(SAP) Link to signed SAP in PDF Format:
/*/back-matter/resource/prop[@name='type'] [.='signed-sap']/../rlink/@href
(SAP) Base64-encoded signed SAP in PDF Format:
/*/back-matter/resource/prop[@name='type'] [.='signed-sap']/../base64
An OSCAL SAP must always explicitly select the in-scope controls from
the applicable FedRAMP Baseline/Profile. See the Controls Testing section for additional guidance.
The assessment objectives and actions (Examine, Interview, and Test)
from the test case workbook are now part of the OSCAL-based FedRAMP
baselines,
with the detail imported from the OSCAL-based NIST SP 800-53 Catalog via
the baseline.
To include an assessment objective and associated actions in the SAP,
its control must be designated in-scope as described in the SAP Scope section. SAP tools should support and enforce this constraint.
In most cases, a FedRAMP assessor must adopt these without change. In
this case, a SAP tool may simply specify all, to indicate that all
assessment objectives should be included for all in-scope controls. If
needed, objectives can be explicitly included or excluded as well.
(SAP) Include All Objectives for in-scope controls? (true or false):
boolean(/*/reviewed-controls/control-objective-selection/include-all)
(SAP) Exclude Controls Specified? (true or false):
boolean(/*/objectives/control-objectives/exclude-objective)
(SAP) Exclude Objectives Total (integer):
count(/*/objectives/control-objectives/exclude-objective)
(SAP) Exclude Specific Objective (string):
/*/objectives/control-objectives/exclude-objective[1]/@objective-id
NOTE: Replace "exclude-objective" with "include-objective" above for any explicitly included objective; however, this is redundant when used with 'all'.
The sampling methodology may continue to be a separate, attached
document. This should be provided as a back-matter resource, containing
a FedRAMP “type” prop with an allowed value, sampling-methodology.
<back-matter><resourceuuid="uuid"><title>Sampling Methodology</title><description><p>Embed or reference copies of the sampling methodology for security controls assessment and vulnerability scanning (if applicable).</p></description><propns="http://fedramp.gov/ns/oscal"name="type"value="sampling-methodology"/><!-- Use rlink and/or base64 --><rlinkhref="./sampling-methodology-reference-1.pdf"media-type="application/pdf"/><rlinkhref="./sampling-methodology-reference-2.docx"media-type="application/msword"/></resource><back-matter>
The penetration test plan and methodology may continue to be a separate,
attached document. This should be provided as a back-matter resource,
containing a FedRAMP “type” prop with an allowed value,
penetration-test-plan.
<back-matter><resourceuuid="uuid"><title>Penetration Testing Plan and Methodology</title><description><p> . . . /p>
<!-- update the table to reflect the attack vectors, threat models,
and attack models being assessed. --><table><tr><th>Include</th><th>Mandatory Attack Vectors</th><th>Include</th><th>Threat Models</th><th>Include</th><th>Attack Models</th></tr><tr><td>x</td><td>External to Corporate</td><td></td><td>Internet based (untrusted)</td><td></td><td>Enterprise</td></tr><tr> . . . </tr></table></description><propns="http://fedramp.gov/ns/oscal"name="type"value="penetration-test-plan"/><!-- Use rlink and/or base64 --><rlinkhref="./pen_test_plan.pdf"media-type="application/pdf"/><base64filename="pen_test_plan.pdf"media-type="application/pdf">00000000</base64></resource><back-matter>
(SAP) Link to Penetration Test Plan:
/*/back-matter/resource/prop[@name='type'] [@value='penetration-test-plan']/../rlink/@href
(SAP) Base64-encoded Penetration Test Plan:
/*/back-matter/resource/prop[@name='type'] [@value='penetration-test-plan']/../base64
The significant change documentation must be provided as a back-matter
resource, containing a FedRAMP “type” prop with an allowed value,
significant-change-request.