An official website of the United States government
Here’s how you know
Official websites use .gov A
.gov website belongs to an official government
organization in the United States.
Secure .gov websites use HTTPS A
lock (
) or https:// means you’ve safely connected to
the .gov website. Share sensitive information only on official,
secure websites.
For SSP-specific content, each main section of the SSP is represented in this section, along with OSCAL code snippets for representing the information in OSCAL syntax. There is also XPath syntax for querying the code in an OSCAL-based FedRAMP SSP represented in XML format.
Content that is common across OSCAL file types is described in the FedRAMP OSCAL Documentation. This includes the following:
It is not necessary to represent the following sections of the SSP template in OSCAL; however, tools should present users with this content where it is appropriate:
Any blue-text instructions found in the SSP template where the instructions are related to the content itself
Table of contents
Introductory and instructive content in section 1, such as references to NIST SP 800-60, Guide to Mapping Types and the definitions from FIPS Pub 199
The control origination definitions are in appendix A of the SSP template; however, please note that hybrid and shared are represented in OSCAL by specifying more than one control origination.
The OSCAL syntax in this documentation may be used to represent the High, Moderate, Low and LI-SaaS FedRAMP SSP Templates. Simply ensure the correct FedRAMP baseline is referenced using the import-profile statement.
NOTE: The FedRAMP SSP template screenshots in the sections that follow vary slightly from the most current version of the FedRAMP rev 5 SSP template.
<system-security-plan><metadata><!-- CSP Name --><partyuuid=”uuid-of-csp”type=”organization”><name>Cloud Service Provider (CSP) Name</name></party></metadata></system-security-plan>
The remainder of the system information is provided in the
system-characteristics assembly.
The FedRAMP-assigned application number is the unique ID for a FedRAMP system. OSCAL supports several system identifiers, which may be assigned by different organizations.
For this reason, OSCAL requires the identifier-type flag be present and have a value that uniquely identifies the issuing organization. FedRAMP requires its value to be “https://fedramp.gov” for all FedRAMP-issued application numbers.
<system-security-plan><metadata><!-- CSP Name --><partyuuid="uuid-of-csp"type="organization"><name>Cloud Service Provider (CSP) Name</name></party></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type="http://fedramp.gov">F00000000</system-id><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
Information System Name:
/*/system-characteristics/system-name
Information System Abbreviation:
/*/system-characteristics/system-name-short
FedRAMP Unique Identifier:
/*/system-characteristics/system-id[@identifier-type="https://fedramp.gov"]
<system-security-plan><metadata><!-- CSP Name --><partyuuid="uuid-of-csp"type="organization"><name>Cloud Service Provider (CSP) Name</name></party></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type="http://fedramp.gov">F00000000</system-id><!-- Service Model --><propname="cloud-service-model"value="saas"><remarks><p>Remarks are required if service model is "other". Optional otherwise.</p></remarks></prop><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/@value
Remarks on System's Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/remarks/node()
NOTE:
A cloud service provider may define two or more cloud service models for the cloud service offering defined in the system security plan if applicable for customer use (IaaS and PaaS; IaaS and PaaS and SaaS; PaaS and SaaS). Cloud service providers may use a “cloud-service-model” prop for each applicable cloud service model.
If the service model is “other”, the remarks field is required. Otherwise, it is optional.
<system-security-plan><metadata><!-- CSP Name --><partyuuid="uuid-of-csp"type="organization"><name>Cloud Service Provider (CSP) Name</name></party></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type="http://fedramp.gov">F00000000</system-id><!-- Service Model --><propname="cloud-service-model"value="saas"><remarks><p>Remarks are required if service model is "other". Optional otherwise.</p></remarks></prop><!-- Deployment Model --><propname="cloud-deployment-model"value="public-cloud"><remarks><p>Remarks are required if deployment model is "hybrid". Optional otherwise.</p></remarks></prop><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
FedRAMP Accepted Values
name=“cloud-deployment-model”
Valid: public-cloud, private-cloud, government-only-cloud, hybrid-cloud, other
Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/@value
Remarks on System's Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/remarks/node()
NOTE:
A cloud service provider may define one and only one cloud deployment model in the system security plan for a cloud service offering.
OSCAL 1.0.0 permits a cloud-deployment-model of value community-cloud, but FedRAMP does not permit such a deployment model for cloud service offerings and is not permitted for a FedRAMP OSCAL-based system security plan.
If the deployment model is "hybrid", the remarks field is required. Otherwise, it is optional.
The digital identity level identified in the FedRAMP SSP template document, illustrated in the figure below, isexpressed through the following core OSCAL properties.
<system-security-plan><metadata><!-- cut CSP Name --></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type="http://fedramp.gov">F00000000</system-id><!-- cut Service Model --><!-- cut Deployment Model --><!-- DIL Determination --><propname="identity-assurance-level"value="1"/><propname="authenticator-assurance-level"value="1"/><propname="federation-assurance-level"value="1"/><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
OSCAL Allowed Values
Valid IAL, AAL, and FAL values (as defined by NIST SP 800-63):
The privacy system designation in in the FedRAMP SSP template document, illustrated in the figure below, is expressed through the following core OSCAL property.
<system-security-plan><metadata><!-- cut CSP Name --></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type="http://fedramp.gov">F00000000</system-id><!-- cut Service Model --><!-- cut Deployment Model --><!-- cut DIL Determination --><!-- FIPS PUB 199 Level (SSP Attachment 10) --><security-sensitivity-level>fips-199-moderate</security-sensitivity-level><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
System Sensitivity Level:
/*/system-characteristics/security-sensitivity-level
NOTES:
The identified System Sensitivity Level governs which FedRAMP baseline applies. See the Importing the FedRAMP Baseline section for more information about importing the appropriate FedRAMP baseline.
The system status in the FedRAMP SSP template document is specified in the “Fully Operational as of” table cell illustrated in the figure below. OSCAL has a status assembly that is used to describe the operational status of the system. In addition, FedRAMP has defined an extension that must be used to provide the date when the system became operational.
<system-security-plan><metadata><!-- cut CSP Name --></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type=“http://fedramp.gov/ns/oscal”>F00000000</system-id><!-- cut Service Model --><!-- cut Deployment Model --><!-- cut DIL Determination --><!-- FIPS PUB 199 Level (SSP Attachment 10) --><security-sensitivity-level>fips-199-moderate</security-sensitivity-level><!-- Fully Operational as of --><statusstate="operational"><remarks><p>If the status is “other”, the remarks field is required.</p><p>Otherwise, it is optional.</p></remarks></status><propns="https://fedramp.gov/ns/oscal"name="fully-operational-date"value="mm/dd/yyyy"/><!-- cut --></system-characteristics><!-- cut --></system-security-plan>
System's Operational Status:
/*/system-characteristics/status/@state
Remarks on System's Operational Status:
/*/system-characteristics/status/remarks/node()
Fully Operational As Of Date:
/*/system-characteristics/prop[@name="fully-operational-date"][@ns="https://fedramp.gov/ns/oscal"]/@value
NOTE:
If the status is “other”, the remarks field is required. Otherwise, it is optional.
While under-development and disposition are valid OSCAL values, systems with either of these operational status values are not eligible for a FedRAMP Authorization.
The system functionality in the FedRAMP SSP template document is specified in the “General System Description” table cell illustrated in the figure below. OSCAL has a description field within the system-characteristics assembly that is used to describe the system and its functionality.
<system-security-plan><metadata><!-- cut CSP Name --></metadata><system-characteristics><!-- System Name & Abbreviation --><system-name>System's Full Name</system-name><system-name-short>System's Short Name or Acronym</system-name-short><!-- FedRAMP Unique Identifier --><system-ididentifier-type=“http://fedramp.gov/ns/oscal”>F00000000</system-id><!-- cut Service Model --><!-- cut Deployment Model --><!-- cut DIL Determination --><!-- FIPS PUB 199 Level (SSP Attachment 10) --><security-sensitivity-level>fips-199-moderate</security-sensitivity-level><!-- cut Fully Operational as of --><!-- system functionality --><description><p>Describe the purpose and functions of this system here.</p><!-- list of services/features in scope --><!-– (use paragraph, list item, or table) --></description></system-characteristics><!-- cut --></system-security-plan>
A role with an ID value of "system-owner" is required. Use the responsible-party assembly to associate this role with the party assembly containing the System Owner’s information.
<metadata><!-- cut --><roleid="system-owner"><!-- cut --></role><locationuuid="uuid-of-hq-location"><title>CSP HQ</title><addresstype="work"><addr-line>1234 Some Street</addr-line><city>Haven</city><state>ME</state><postal-code>00000</postal-code></address></location><partyuuid="uuid-of-csp"type="organization"><name>Cloud Service Provider (CSP) Name</name></party><partyuuid="uuid-of-person-1"type="person"><name>[SAMPLE]Person Name 1</name><propname="job-title"value="Individual's Title"/><propname="mail-stop"value="A-1"/><email-address>name@example.com</email-address><telephone-number>202-000-0000</telephone-number><location-uuid>uuid-of-hq-location</location-uuid><member-of-organization>uuid-of-csp</member-of-organization></party><responsible-partyrole-id="system-owner"><party-uuid>uuid-of-person-1</party-uuid></responsible-party></metadata>
System Owner's Name:
/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="system-owner"]/party-uuid]]/name
NOTE: Replace "name" with "email-address" or "telephone-number" above as needed.
System Owner’s Address:
/*/metadata/location[@uuid=/*/metadata/party[@uuid=[/*/metadata/responsible-party [@role-id="system-owner"]/party-uuid]]/location-uuid]/address/addr-line
NOTE: Replace "addr-line" with "city", "state", or "postal-code" above as needed.
System Owner's Title:
/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="system-owner"]/party-uuid]]/prop[@name='job-title']/@value
Company/Organization:
/*/metadata/party[@uuid=/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="system-owner"]/party-uuid]]/member-of-organization]/name
NOTE:
If no country is provided, FedRAMP tools will assume a US address.
A role with an ID value of “authorizing-official” is required. Use the responsible-party assembly to associate this role with the party assembly containing the Authorizing Official’s information.
FedRAMP SSP template federal authorizing officials.
A role with an ID value of “information-system-security-officer” is
required. Use the responsible-party assembly to associate this role with the party assembly containing the Information
System Security Officer’s information.
FedRAMP SSP template security point of contact.
NOTES ON ADDRESSES
Preferred Approach: When multiple parties share the same address, such as multiple staff members at a company HQ, define the location once as a location assembly, then use the location-uuid field within each party assembly to identify the location of that individual or team.
Alternate Approach: If the address is unique to this individual, it may be included in the party assembly itself.
Hybrid Approach: It is possible to include both a location-uuid and an address assembly within a party assembly. This may be used where multiple staff are in the same building but have different office numbers or mail stops. Use the location-uuid to identify the shared building, and only include a single addr-line field within the party’s address assembly.
A tool developer may elect to always create a location assembly, even when only used once; however, tools must recognize and handle all of the approaches above when processing OSCAL files.
<metadata><!-- cut --><roleid="information-system-security-officer"><!-- cut --><title>Information System Security Officer (or Equivalent)</title></role><locationuuid="uuid-of-hq-location"><title>CSP HQ</title><addresstype="work"><addr-line>1234 Some Street</addr-line><city>Haven</city><state>ME</state><postal-code>00000</postal-code></address></location><partyuuid="uuid-of-csp"type="organization"><name>Cloud Service Provider (CSP) Name</name></party><partyuuid="uuid-of-person-10"type="person"><name>[SAMPLE]Person Name 10</name><propname="job-title"value="Individual's Title"/><email-address>name@org.domain</email-address><telephone-number>202-000-0000</telephone-number><location-uuid>uuid-of-hq-location</location-uuid><member-of-organization>uuid-of-csp</member-of-organization></party><!-- repeat party assembly for each person --><responsible-partyrole-id="system-poc-technical"><party-uuid>uuid-of-person-7</party-uuid></responsible-party></metadata>
ISSO POC Name:
/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="information-system-security-officer"]/party-uuid]]/name
NOTE: Replace "name" with "email-address" or "telephone-number" above as needed.
ISSO POC’s Address:
/*/metadata/location[@uuid=/*/metadata/party[@uuid=[/*/metadata/responsible-party [@role-id="information-system-security-officer"]/party-uuid]]/location-uuid]/address/addr-line
NOTE: Replace "addr-line" with "city", "state", or "postal-code" above as needed.
ISSO POC's Title:
/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="information-system-security-officer"]/party-uuid]]/prop[@name='job-title']
Company/Organization:
/*/metadata/party[@uuid=/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id="information-system-security-officer"]/party-uuid]]/member-of-organization]/name
If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the system-implementation assembly. There must be one leveraged-authorization assembly and one matching component assembly for each leveraged authorization.
The leveraged-authorization assembly includes the leveraged system’s name, point of contact (POC), and authorization date. The component assembly must be linked to the leveraged-authorization assembly using a property (prop) field with the name leveraged-authorization-uuid and the
UUID value of its associated leveraged-authorization assembly. The component assembly enables controls to reference it with the by-component responses described in the Control Implementation Descriptions section. The implementation-point property value must be set to “external”.
If the leveraged system owner provides a UUID for their system, such as in an OSCAL-based Inheritance and Responsibility document (similar to a CRM), it should be provided as the inherited-uuid property value.
A leveraged-system-identifier property must be provided within each leveraged-authorization field. The value of this property must be from the same Cloud Service Provider as identified in the title field.
Name of first leveraged system:
/*/system-implementation/leveraged-authorization[1]/title
Name of first leveraged system CSO service (component):
(//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/title)[1]
Description of first leveraged system CSO service (component):
(//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/description)[1]
Authorization type of first leveraged system:
/system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="authorization-type"]/@value
FedRAMP package ID# of the first leveraged system:
/system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="leveraged-system-identifier"]/@value
Nature of Agreement for first leveraged system:
(//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="https://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value)[1]
FedRAMP impact level of the first leveraged system:
/system-security-plan/system-implementation[1]/leveraged-authorization[1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="impact-level"]/@value
Data Types transmitted to, stored or processed by the first leveraged system CSO:
(//*/component/prop[@name="leveraged-authorization-uuid" and @value="uuid-of-leveraged-system"]/parent::component/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value)
Authorized Users of the first leveraged system CSO:
//system-security-plan/system-implementation/user[@uuid="uuid-of-user"]
Corresponding Access Level:
//system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@name="privilege-level"]/@value
Corresponding Authentication method:
//system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="authentication-method"]/@value
Replace XPath predicate “[1]” with “[2]”, “[3]”, etc.
FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using component assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.
FedRAMP SSP template external systems (not FedRAMP authorized).
<!-- list any external connections as components in the system-characteristics --><componentuuid="uuid-value"type="interconnection"><title>[EXAMPLE]External System / Service Name</title><description><p>Briefly describe the interconnection details.</p></description><!-- Props for table 7.1 columns --><propns="https://fedramp.gov/ns/oscal"name="service-processor"value="[SAMPLE] Telco Name"/><propns="https://fedramp.gov/ns/oscal"name="interconnection-type"value="1"/><propname="direction"value="incoming"/><propname="direction"value="outgoing"/><propns="https://fedramp.gov/ns/oscal"name="nature-of-agreement"value="contract"/><propns="https://fedramp.gov/ns/oscal"name="still-supported"value="yes"/><propns="https://fedramp.gov/ns/oscal"class="fedramp"name="interconnection-data-type"value="C.3.5.1"/><propns="https://fedramp.gov/ns/oscal"class="fedramp"name="interconnection-data-type"value="C.3.5.8"/><propns="https://fedramp.gov/ns/oscal"class="C.3.5.1"name="interconnection-data-categorization"value="low"/><propns="https://fedramp.gov/ns/oscal"class="C.3.5.8"name="interconnection-data-categorization"value="moderate"/><propns="https://fedramp.gov/ns/oscal"name="authorized-users"value="SecOps engineers"/><propns="https://fedramp.gov/ns/oscal"class="fedramp"name="interconnection-compliance"value="PCI SOC 2"/><propns="https://fedramp.gov/ns/oscal"class="fedramp"name="interconnection-compliance"value="ISO/IEC 27001"/><propns="https://fedramp.gov/ns/oscal"name="interconnection-hosting-environment"value="PaaS"/><propns="https://fedramp.gov/ns/oscal"name="interconnection-risk"value="None"/><propname="isa-title"value="system interconnection agreement"/><propname="isa-date"value="2023-01-01T00:00:00Z"/><propname="ipv4-address"class="local"value="10.1.1.1"/><propname="ipv4-address"class="remote"value="10.2.2.2"/><propname="ipv6-address"value="::ffff:10.2.2.2"/><propns="https://fedramp.gov/ns/oscal"name="information"value="Describe the information being transmitted."/><propns="https://fedramp.gov/ns/oscal"name="port"class="remote"value="80"/><propns="https://fedramp.gov/ns/oscal"name="interconnection-security"value="ipsec"><!-- cut ports, protocols --><linkhref="#uuid-of-ICA-resource-in-back-matter"rel="isa-agreement"/><!-- cut repeat responsible-party assembly for each required ICA role id --></component><!-- cut …. --><back-matter><resourceuuid="uuid-value"><title>[SAMPLE]Interconnection Security Agreement Title</title><propname="version"value="Document Version"/><rlinkhref="./documents/ISAs/ISA-1.docx"/><citation><!-- cut --></citation></resource><!-- repeat citation assembly for each ICA --></back-matter>
Refer to the XPath queries below and corresponding notes for guidance on what targets in an OSCAL SSP should be used to represent each column of the “External Systems and Services Not Having FedRAMP Authorization” table in the legacy SSP template.
Interconnection # for first external system:
/*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-type"]/@value
System/Service/API/CLI Name:
/*/system-implementation/component[@type='interconnection']/title
Connection Details:
/*/system-implementation/component[@type='interconnection'][1]/prop[@name="direction"]/@value
Nature of Agreement for first external system:
/*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value
Still Supported (Y/N):
/*/system-implementation/component[@type='interconnection'][1]/ prop[@ns="https://fedramp.gov/ns/oscal" and @name="still-supported"]/@value
Data Types:
/*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value
Data Categorization:
/*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-categorization"]/@value
Authorized Users:
//system-security-plan/system-implementation/user[@uuid="uuid-of-user"]
Corresponding Access Level:
//system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop @name="privilege-level"]/@value
Other Compliance Programs:
/*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-compliance"]/@value
Description:
/*/system-implementation/component[@type='interconnection'][1]/description
Hosting Environment:
/*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-hosting-environment"]/@value
Risk/Impact/Mitigation:
/*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-risk"]/@value
Replace XPath predicate “[1]” with “[2]”, “[3]”, etc.
The OSCAL approach to this type of diagram is to treat the image data as either a linked or base64-encoded resource in the back-matter section of the OSCAL file, then reference the diagram using the link field. The narrative describing the system architecture must be provided in the description field of the authorization-boundary assembly.
Overall Description:
/*/system-characteristics/authorization-boundary/description/node()
Count the Number of Diagrams (There should be at least 1):
count(/*/system-characteristics/authorization-boundary/diagram)
Link to First Diagram:
/*/system-characteristics/authorization-boundary/diagram[1]/link/@href
If the diagram link points to a resource within the OSCAL file:
/*/back-matter/resource[@uuid="uuid-of-boundary-diagram"]/base64
OR:
/*/back-matter/resource[@uuid="uuid-of-boundary-diagram-1"]/rlink/@href
Diagram-specific Description:
/*/system-characteristics/authorization-boundary/diagram[1]/description/node()
Replace XPath predicate “[1]” with “[2]”, “[3]”, etc.
Consistent with the Authorization Boundary guidance, the OSCAL approach to network architecture diagrams is to treat image data as either a linked or base64-encoded resource in the back-matter section of the OSCAL file, then reference the diagram using the link field. The narrative describing the network architecture must be provided in the description field of the network-architecture assembly.
Overall Description:
/*/system-characteristics/network-architecture/description/node()
Count the Number of Diagrams (There should be at least 1):
count(/*/system-characteristics/network-architecture/diagram)
Link to First Diagram:
/*/system-characteristics/network-architecture/diagram[1]/link/@href
If the diagram link points to a resource within the OSCAL file:
/*/back-matter/resource[@uuid="uuid-of-network-diagram-1"]/base64
OR:
/*/back-matter/resource[@uuid="uuid-of-network-diagram-1"]/rlink/@href
First Diagram Description:
/*/system-characteristics/network-architecture/diagram[1]/description/node()
Replace XPath predicate “[1]” with “[2]”, “[3]”, etc.
Consistent with the Authorization Boundary guidance, the OSCAL approach to data flow diagrams is to treat image data as either a linked or base64-encoded resource in the back-matter section of the OSCAL file, then reference the diagram using the link field. The narrative describing the data flows must be provided in the description field of the data-flow assembly.
Overall Description:
/*/system-characteristics/data-flow/description/node()
Count the Number of Diagrams (There should be at least 1):
count(/*/system-characteristics/data-flow/diagram)
Link to First Diagram:
/*/system-characteristics/data-flow/diagram[1]/link/@href
If the diagram link points to a resource within the OSCAL file:
/*/back-matter/resource[@uuid="uuid-of-dataflow-diagram-1"]/base64
OR:
/*/back-matter/resource[@uuid="uuid-of-dataflow-diagram-1"]/rlink/@href
First Diagram Description:
/*/system-characteristics/data-flow/diagram[1]/description/node()
Replace XPath predicate “[1]” with “[2]”, “[3]”, etc.
Entries in the ports, protocols, and services table are represented as component assemblies, with the component-type flag set to “service”. Use a protocol assembly for each protocol associated with the service. For a single port, set the port-range start flag and end flag to the same value.
FedRAMP SSP template ports, protocols, and services.
<system-implementation><!-- user --><componentuuid="uuid-of-service"type="service"><title>[SAMPLE]Service Name</title><description><p>Describe the service</p></description><purpose>Describe the purpose for which the service is needed.</purpose><linkhref="uuid-of-component-used-by"rel="used-by"/><linkhref="uuid-of-component-provided-by"rel="provided-by"/><statusstate="operational"/><protocolname="http"><port-rangestart="80"end="80"transport="TCP"/></protocol><protocolname="https"><port-rangestart="443"end="443"transport="TCP"/></protocol></component><!-- Repeat the component assembly for each row in Table 9.1 --><!-- system-inventory --></system-implementation>
OSCAL’s component model treats independent validation of products and services as if that validation were a separate component. This means when using components with FIPS 140 validated cryptographic modules, there must be two component assemblies:
The Validation Definition: A component that provides details about the validation.
The Product Definition: A component that describes the hardware or software product.
The validation definition is a component that provides details about the independent validation. Its type must have a value of “validation”. In the case of FIPS 140 validation, this must include a link field with a rel value set to “validation-details”. This link must point to the cryptographic module’s entry in the NIST Computer Security
Resource Center (CSRC) Cryptographic Module Validation Program Database.
The product definition is a product with a cryptographic module. It must contain all of the typical component information suitable for reference by inventory-items and control statements. It must also include a link field with a rel value set to “validation” and an href value containing
a URI fragment. The fragment must start with a hashtag (#) and include the UUID value of the validation component. This links the two together.
<!-- system-characteristics --><system-implementation><!-- user --><!-- Minimum Required Components --><!-- FIPS 140-2 Validation Certificate Information --><!-- Include a separate component for each relevant certificate --><componentuuid="uuid-value"type="validation"><title>Module Name</title><description><p>FIPS 140-2 Validated Module</p></description><propns="https://fedramp.gov/ns/oscal"name="asset-type"value="cryptographic-module"/><propns="https://fedramp.gov/ns/oscal"name="vendor-name"value="CM Vendor"/><propns="https://fedramp.gov/ns/oscal"name="cryptographic-module-usage"value="data-at-rest"/><propname="validation-type"value="fips-140-2"/><propname="validation-reference"value="0000"/><linkhref="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/0000"rel="validation-details"/><statusstate="operational"/></component><!-- FIPS 140-2 Validated Product --><componentuuid="uuid-value"type="software"><title>Product Name</title><description><p>A product with a cryptographic module.</p></description><linkhref="#uuid-of-validation-component"rel="validation"/><statusstate="operational"/></component><!-- service --></system-implementation><!-- control-implementation -->
<!-- system-characteristics --><system-implementation><!-- user --><!-- Minimum Required Components --><!-- FIPS 140-2 Validation Certificate Information --><!-- Include a separate component for each relevant certificate --><componentuuid="uuid-value"type="validation"><title>Module Name</title><description><p>FIPS 140-2 Validated Module</p></description><propns="https://fedramp.gov/ns/oscal"name="asset-type"value="cryptographic-module"/><propns="https://fedramp.gov/ns/oscal"name="vendor-name"value="CM Vendor"/><propns="https://fedramp.gov/ns/oscal"name="cryptographic-module-usage"value="data-in-transit"/><propname="validation-type"value="fips-140-2"/><propname="validation-reference"value="0000"/><linkhref="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/0000"rel="validation-details"/><statusstate="operational"/></component><!-- FIPS 140-2 Validated Product --><componentuuid="uuid-value"type="software"><title>Product Name</title><description><p>A product with a cryptographic module.</p></description><linkhref="#uuid-of-validation-component"rel="validation"/><statusstate="operational"/></component><!-- service --></system-implementation><!-- control-implementation -->
