Generating Content from OSCAL-based SAR

The following artifacts are historically generated by hand to summarize content found in other portions of the FedRAMP SAR. When using OSCAL, these artifacts may be generated from content found elsewhere in this document. This includes the:

  • Executive Summary
  • Purpose
  • Laws, Regulations, Standards, and Guidance
  • Scope
  • Controls to be Assessed
  • System Overview
  • Assessment Methodology
  • Performed Tests
  • Assessment Deviations
  • Risk Exposure Table
  • Risks Corrected During Testing
  • Risks Known for Interconnected Systems
  • Scan Results (Infrastructure, Database, Web Application, Container, Other, and Unauthenticated)
    • Inventory of Items Scanned
    • False Positive Report
  • Document Results
  • Manual Test Results
  • Test Case Workbook’s System Tab
  • Test Case Workbook’s Control Summary Tab

If delivering SAR content in OSCAL, CSPs are no longer required to manually generate and maintain these artifacts, provided the content in their OSCAL-based FedRAMP SAR remains accurate.

Tool developers are encouraged to develop their own solutions for generating this content.

There are many ways a tool developer can generate these artifacts. FedRAMP is developing Extensible Stylesheet Language Transformation (XSLT) files to generate these artifacts. When ready, FedRAMP will make this freely available to the public here:

https://github.com/GSA/fedramp-automation/tree/master/dist/content/rev5/resources

CVSS Scoring

Common Vulnerability Scoring System (CVSS) metrics may be added to any risk assembly using facet fields.

Tools should accept either the upper-case abbreviation or the lower-case name on a field-by-field basis. For example, it should be acceptable to use "AV" for access vector, and "privileges-required" for privileges required, provided both have a system value of "http://www.first.org/cvss/v3.1".

All CVSS metrics must be in the same CVSS version, as identified by the system flag, for successful computation. Tool developers should ensure the tool performs CVSS calculations as defined by the Forum of Incident Response and Security Teams (FIRST) at https://www.first.org/cvss/.

Representation

<risk id="risk-3-1">
    <!-- title, description, statement, status -->
    <characterization>
        <origin>
            <actor type="party" 
                   actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e" />
        </origin>
        
        <!-- CVSS v3.1 metrics expressed with abbreviated names -->
        <facet name="AV" system="http://www.first.org/cvss/v3.1" value="network"/>
        <facet name="AC" system="http://www.first.org/cvss/v3.1" value="high"/>
        <facet name="PR" system="http://www.first.org/cvss/v3.1" value="low"/>
        
        <!-- CVSS v3.1 metrics expressed with full names -->
        <facet name="access-vector" system="http://www.first.org/cvss/v3.1" 
               value="network"/>
        
        <facet name="access-complexity" system="http://www.first.org/cvss/v3.1" 
               value="high"/>
        
        <facet name="privileges-required" system="http://www.first.org/cvss/v3.1" 
               value="low"/>
    </characterization>
</risk>
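As an added example (not FedRAMP's XSLT or any OSCAL tooling), the Python below applies the acceptance rules from the CVSS Scoring section to a risk like the one above: it maps either spelling of a metric to one key, rejects facets from more than one CVSS system or the same metric given twice with different values, and computes the v3.1 base score as FIRST defines it. The sample risk, the weight table, and the use of Python's standard-library XML parser are assumptions; the page's access-vector and access-complexity spellings are kept alongside the abbreviations.

```python
# Added example (not FedRAMP's or OSCAL's own code): normalize CVSS facets from an
# OSCAL <risk>, enforce a single CVSS version, and compute the v3.1 base score per FIRST.
import math
import xml.etree.ElementTree as ET
CVSS31 = "http://www.first.org/cvss/v3.1"
# Abbreviation or long name (spellings as used on this page) both map to one canonical key.
NAMES = {"AV": "AV", "access-vector": "AV", "AC": "AC", "access-complexity": "AC",
         "PR": "PR", "privileges-required": "PR", "UI": "UI", "user-interaction": "UI",
         "S": "S", "scope": "S", "C": "C", "confidentiality": "C",
         "I": "I", "integrity": "I", "A": "A", "availability": "A"}
# Metric weights from the CVSS v3.1 specification; the PR weight depends on scope.
CIA = {"high": 0.56, "low": 0.22, "none": 0.0}
W = {"AV": {"network": 0.85, "adjacent": 0.62, "local": 0.55, "physical": 0.2},
     "AC": {"low": 0.77, "high": 0.44}, "UI": {"none": 0.85, "required": 0.62},
     "C": CIA, "I": CIA, "A": CIA}
PR_W = {"unchanged": {"none": 0.85, "low": 0.62, "high": 0.27},
        "changed": {"none": 0.85, "low": 0.68, "high": 0.5}}

def roundup(x):  # CVSS v3.1 Roundup: smallest one-decimal value >= x, float-safe
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss_metrics(risk_xml):
    """Canonical metric dict; rejects mixed CVSS versions, conflicting duplicates and gaps."""
    metrics, systems = {}, set()
    for el in ET.fromstring(risk_xml).iter():  # tag check tolerates the OSCAL namespace
        if el.tag.split("}")[-1] != "facet" or not el.get("system", "").startswith("http://www.first.org/cvss/"):
            continue  # not a CVSS facet (e.g. FedRAMP likelihood/impact facets)
        systems.add(el.get("system"))
        key, value = NAMES.get(el.get("name")), el.get("value").lower()
        if key and metrics.setdefault(key, value) != value:  # same metric given under two spellings
            raise ValueError("conflicting values for CVSS metric %s" % key)
    if systems != {CVSS31}:  # this calculator implements v3.1 only, and mixing versions is invalid
        raise ValueError("all CVSS facets must use %s, got %s" % (CVSS31, sorted(systems)))
    if missing := set(NAMES.values()) - set(metrics):
        raise ValueError("base metrics missing: %s" % sorted(missing))
    return metrics

def base_score(m):
    """CVSS v3.1 base score (specification section 7.1) from a canonical metric dict."""
    changed = m["S"] == "changed"
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR_W[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

# Constructed sample: the page's three metrics (AV in both spellings) plus the remaining base metrics.
SAMPLE_RISK = '<risk id="risk-3-1"><characterization>%s</characterization></risk>' % "".join(
    '<facet name="%s" system="%s" value="%s"/>' % (n, CVSS31, v) for n, v in
    [("AV", "network"), ("access-vector", "network"), ("AC", "high"), ("privileges-required", "low"),
     ("UI", "none"), ("scope", "unchanged"), ("C", "high"), ("integrity", "high"), ("A", "none")])
```

The sample corresponds to the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N and scores 6.8; a risk carrying only the three facets shown on the page is rejected as incomplete rather than scored.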