Classic FedRAMP attachments include a mix of items. Some lend themselves
well to a machine-readable format, while others do not. Machine-readable
content is typically addressed within the OSCAL-based FedRAMP SSP syntax,
while policies, procedures, plans, guidance, and the rules of behavior
documents are all treated as classic attachments, as described in the
Attachments and Embedded Content section.
The resource’s title and description must be used to provide a
human-readable indicator of what attachment is being referenced;
however, OSCAL extensions must also be provided when applicable for
machine readability. The following table describes how each attachment
is handled:
The following OSCAL representation of a FedRAMP SSP attachment demonstrates the back-matter and resource approach that must be implemented for classic SSP attachments that are not machine-readable, such as policies, procedures, plans, guidance, and rules of behavior documents.
The Number of Policies Attached:
count(/*/back-matter/resource/prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][string(./@value)="policy"])
Attachment (Embedded Base64 encoded):
/*/back-matter/resource[@id="att-policy-1"]/base64
OR (Relative Link):
/*/back-matter/resource[@id="att-policy-1"]/rlink/@href
Title of First Policy Document:
/*/back-matter/resource/prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][@value="policy"][1]/../prop[@name="title"][@ns="http://fedramp.gov/ns/oscal"]
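The back-matter queries above, applied with Python's standard library, as an added example (not FedRAMP's or NIST's code): it counts resources by their FedRAMP `type` prop, lists their titles, and resolves each attachment to either its embedded base64 payload or its relative link, raising an error when a resource carries neither. The SSP below is a constructed sample; it uses the OSCAL 1.0 namespace and the resource `title` child element, and the resource identifiers are placeholders.

```python
"""Locate classic (non-machine-readable) attachments in OSCAL SSP back-matter."""
import base64
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"   # OSCAL 1.0 default namespace
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"       # namespace of the FedRAMP "type" prop
NS = {"o": OSCAL_NS}

# Constructed payload standing in for an attached PDF.
EMBEDDED = base64.b64encode(b"%PDF-1.4 constructed policy text").decode()

# Constructed sample: two policies (one embedded, one linked) and one procedure.
# Resource uuids are placeholders in the OSCAL uuid format.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}">
  <back-matter>
    <resource uuid="11111111-1111-4111-8111-111111111111">
      <title>Access Control Policy</title>
      <description><p>Organization-wide policy for the AC control family.</p></description>
      <prop name="type" ns="{FEDRAMP_NS}" value="policy"/>
      <base64 filename="ac-policy.pdf" media-type="application/pdf">{EMBEDDED}</base64>
    </resource>
    <resource uuid="22222222-2222-4222-8222-222222222222">
      <title>Incident Response Policy</title>
      <prop name="type" ns="{FEDRAMP_NS}" value="policy"/>
      <rlink href="./attachments/ir-policy.pdf" media-type="application/pdf"/>
    </resource>
    <resource uuid="33333333-3333-4333-8333-333333333333">
      <title>Configuration Management Procedure</title>
      <prop name="type" ns="{FEDRAMP_NS}" value="procedure"/>
      <rlink href="./attachments/cm-procedure.pdf"/>
    </resource>
  </back-matter>
</system-security-plan>"""


def resources(xml_text):
    """All back-matter resources of an SSP document."""
    return ET.fromstring(xml_text).findall("o:back-matter/o:resource", NS)


def fedramp_type(resource):
    """Value of the FedRAMP-namespaced 'type' prop, or None when absent."""
    for p in resource.findall("o:prop", NS):
        if p.get("name") == "type" and p.get("ns") == FEDRAMP_NS:
            return p.get("value")
    return None


def count_by_type(xml_text, kind):
    """Equivalent of the count() query above for the given attachment type."""
    return sum(1 for r in resources(xml_text) if fedramp_type(r) == kind)


def titles_by_type(xml_text, kind):
    """Human-readable titles of every resource of the given attachment type."""
    return [r.findtext("o:title", namespaces=NS)
            for r in resources(xml_text) if fedramp_type(r) == kind]


def attachment_of(xml_text, uuid):
    """Resolve one resource to ("base64", decoded bytes) or ("rlink", href).

    A resource that has neither is an unusable attachment, so that is an error
    rather than a silent None.
    """
    for r in resources(xml_text):
        if r.get("uuid") != uuid:
            continue
        b64 = r.find("o:base64", NS)
        if b64 is not None and b64.text and b64.text.strip():
            return ("base64", base64.b64decode(b64.text.strip(), validate=True))
        rlink = r.find("o:rlink", NS)
        if rlink is not None and rlink.get("href"):
            return ("rlink", rlink.get("href"))
        raise ValueError(f"resource {uuid} carries neither base64 nor rlink")
    raise KeyError(uuid)
```

`attachment_of` prefers the embedded payload when both forms are present, mirroring the "Embedded OR Relative Link" ordering of the queries above; a reviewer tool would then verify that a relative link actually resolves inside the submitted package rather than to an arbitrary location.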
OSCAL makes two approaches available for depicting the system inventory:
Flat-File Approach: Similar to today’s FedRAMP Integrated inventory workbook where all of the information on a spreadsheet row is captured in a single assembly.
Component-Based Approach: A component is defined once with as much known detail as possible, and inventory-items point to components for common information.
FedRAMP prefers the component-based approach but accepts the flat-file approach to aid CSPs who are converting their existing MS Excel-based FedRAMP Integrated Inventory Workbook to OSCAL. FedRAMP SSP tools must support both approaches.
With the flat-file approach, all content on a spreadsheet row appears in a single OSCAL inventory-item assembly. This results in a great deal of redundant information but is a simple transition from the current spreadsheet approach.
With the component-based approach, common information is captured once in a component assembly. Each instance of that component has its own inventory-item assembly, which cites the relevant component and only includes information unique to that instance.
For example, if the same Linux operating system is used as the platform for all database and web servers, most of the details about the Linux operating system can be captured once as a component. This includes information such as vendor name, version number, and patch level. If four Linux instances are used, each instance is an inventory item with a unique IP address and MAC address. Only those unique pieces are captured at the inventory level. All four inventory-items point back to the component for vendor name, version number, and patch level.
<!-- cut -->
<system-implementation>
  <!-- interconnection -->
  <system-inventory>
    <inventory-item uuid="uuid-value" asset-id="unique-asset-id">
      <description><p>Flat-File Example (No implemented-component).</p></description>
      <prop name="ipv4-address" value="0.0.0.0"/>
      <prop name="ipv6-address" value="0000:0000:0000:0000"/>
      <prop name="virtual" value="no"/>
      <prop name="public" value="no"/>
      <prop name="fqdn" value="example.com"/>
      <prop name="uri" value="https://example/query?key=value#anchor"/>
      <prop name="netbios-name" value="netbios-name"/>
      <prop name="mac-address" value="00:00:00:00:00:00"/>
      <prop name="software-name" value="software-name"/>
      <prop name="version" value="V 0.0.0"/>
      <prop name="asset-type" value="os"/>
      <prop name="vendor-name" value="Vendor Name"/>
      <prop name="model" value="Model Number"/>
      <prop name="patch-level" value="Patch-Level"/>
      <prop name="serial-number" value="Serial #"/>
      <prop name="asset-tag" value="Asset Tag"/>
      <prop name="vlan-id" value="VLAN Identifier"/>
      <prop name="network-id" value="Network Identifier"/>
      <prop name="scan-type" ns="http://fedramp.gov/ns/oscal" value="infrastructure"/>
      <prop name="allows-authenticated-scan" value="no">
        <remarks><p>If no, explain why. If yes, omit remarks field.</p></remarks>
      </prop>
      <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
      <prop name="physical-location" value="Physical location of Asset"/>
      <prop name="is-scanned" value="yes"/>
      <prop name="function" value="Required brief, text-based description."/>
      <link rel="validation" href="#uuid-of-validation-component"/>
      <status state="operational"/>
      <responsible-party role-id="asset-owner"><party-id>person-7</party-id></responsible-party>
      <responsible-party role-id="asset-administrator"><party-id>it-dept</party-id></responsible-party>
      <implemented-component component-uuid="component-uuid-value"/>
      <remarks><p>COMMENTS: Additional information about this item.</p></remarks>
    </inventory-item>
    <!-- Repeat the inventory-item assembly for each item in the inventory -->
  </system-inventory>
  <!-- system-implementation remarks -->
</system-implementation>
Notes:
The value of asset-type determines whether the identified
asset-administrator is managing a system or an application. Currently, every FedRAMP-defined asset-type implies the management of a system, and the asset is therefore to be scanned as infrastructure.
<!-- cut -->
<system-implementation>
  <component uuid="uuid-value" type="software">
    <prop name="virtual" value="no"/>
    <prop name="software-name" value="software-name"/>
    <prop name="version" value="V 0.0.0"/>
    <prop name="asset-type" value="operating-system"/>
    <prop name="vendor-name" value="Vendor Name"/>
    <prop name="model" value="Model Number"/>
    <prop name="patch-level" value="Patch-Level"/>
    <prop name="scan-type" ns="http://fedramp.gov/ns/oscal" value="infrastructure"/>
    <prop name="allows-authenticated-scan" value="no">
      <remarks><p>If no, explain why. If yes, omit remarks field.</p></remarks>
    </prop>
    <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
    <prop name="function" value="Required brief, text-based description.">
      <remarks><p>Optional, longer, formatted description.</p></remarks>
    </prop>
    <link rel="validation" href="#uuid-of-validation-component"/>
    <status state="operational"/>
    <responsible-party role-id="asset-owner"><party-id>person-7</party-id></responsible-party>
    <responsible-party role-id="asset-administrator"><party-id>it-dept</party-id></responsible-party>
  </component>
  <!-- service, interconnection -->
  <system-inventory>
    <inventory-item uuid="uuid-value" asset-id="unique-asset-id">
      <description><p>If needed, describe this instance.</p></description>
      <prop name="ipv4-address" value="0.0.0.0"/>
      <prop name="public" value="no"/>
      <prop name="fqdn" value="example.com"/>
      <prop name="uri" value="https://example/query?key=value#anchor"/>
      <prop name="mac-address" value="00:00:00:00:00:00"/>
      <prop name="serial-number" value="Serial #"/>
      <prop name="vlan-id" value="VLAN Identifier"/>
      <prop name="network-id" value="Network Identifier"/>
      <prop name="is-scanned" value="yes"/>
      <implemented-component component-uuid="component-uuid-value"/>
      <remarks><p>COMMENTS: Additional information about this item.</p></remarks>
    </inventory-item>
    <!-- Repeat the inventory-item assembly for each use of the above component -->
  </system-inventory>
  <!-- system-implementation remarks -->
</system-implementation>
Notes:
If component-sample is an image of a Linux virtual machine (VM), and 10 instances of that VM are in use, there would be one (1) component assembly and ten (10) inventory-item assemblies, all referencing the same component.
Number of Inventory Items:
count(/*/system-implementation/system-inventory/inventory-item)
Number of Hardware Components:
count(/*/system-implementation/component[@type="hardware"])
Number of Software Components:
count(/*/system-implementation/component[@type="software"])
In Latest Scan?:
/*/system-implementation/system-inventory/inventory-item[1]/prop[@name="is-scanned"]/@value
List Inventory Items Not Scanned:
/*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/../prop[@name='ipv4-address']
List of Reasons Inventory Items Were Not Scanned:
/*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/remarks/node()
Unlike most XPath 2.0 queries in this
document, the following queries cannot be easily converted to XPath 1.0.
If working with XPath 1.0, it may be necessary to perform each search
with two separate queries. These queries will list all the IPv4
addresses for each scan type (infrastructure, web, and database),
whether using the flat-file inventory approach or the component-based
approach.
IPv4 Address of All Inventory Items Identified for Infrastructure Scanning:
distinct-values((let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@uuid return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@value))
IPv4 Address of All Inventory Items Identified for Web Scanning:
distinct-values((let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@uuid return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@value))
IPv4 Address of All Inventory Items Identified for Database Scanning:
distinct-values((let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@uuid return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value) | (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@value))
IPv4 Address of All Items Where an Authenticated Scan is Possible:
distinct-values((/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='yes']]/@value) | (let $key := /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='yes']]/@uuid return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value))
IPv4 Address of All Items Where an Authenticated Scan is Not Possible:
distinct-values((/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='no']]/@value) | (let $key := /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='no']]/@uuid return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value))
Authenticated Scan Justification (if Authenticated Scan is "no"):
/*/system-implementation/system-inventory/inventory-item/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()
OR
/*/system-implementation/component/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()
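The scan-type, not-scanned and authenticated-scan queries above, carried out in Python's standard library, as an added example (not FedRAMP's or NIST's code). It follows the "two separate queries" route the text describes for XPath 1.0 environments: it first reads the property from the inventory item itself (flat-file approach) and, when the item does not carry it, follows `implemented-component` to the component (component-based approach). The SSP below is a constructed sample with both approaches mixed; the component and item identifiers are placeholders (a real OSCAL document requires UUIDs), and the IP addresses and remarks are made up.

```python
"""Inventory scan-coverage questions over an OSCAL SSP, for both inventory approaches."""
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"  # OSCAL 1.0 default namespace
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"      # namespace of FedRAMP extension props
NS = {"o": OSCAL_NS}

# Constructed sample: a Linux component with two instances, a flat-file load
# balancer item with its own scan-type, and a database component with one instance.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}">
  <system-implementation>
    <component uuid="c-linux" type="software">
      <prop name="scan-type" ns="{FEDRAMP_NS}" value="infrastructure"/>
      <prop name="allows-authenticated-scan" value="yes"/>
    </component>
    <component uuid="c-db" type="software">
      <prop name="scan-type" ns="{FEDRAMP_NS}" value="database"/>
      <prop name="allows-authenticated-scan" value="no">
        <remarks><p>Vendor appliance; no local scan credentials can be issued.</p></remarks>
      </prop>
    </component>
    <system-inventory>
      <inventory-item uuid="i-1" asset-id="web-01">
        <prop name="ipv4-address" value="10.0.0.1"/>
        <prop name="is-scanned" value="yes"/>
        <implemented-component component-uuid="c-linux"/>
      </inventory-item>
      <inventory-item uuid="i-2" asset-id="web-02">
        <prop name="ipv4-address" value="10.0.0.2"/>
        <prop name="is-scanned" value="no">
          <remarks><p>Decommissioned; removal scheduled.</p></remarks>
        </prop>
        <implemented-component component-uuid="c-linux"/>
      </inventory-item>
      <inventory-item uuid="i-3" asset-id="lb-01">
        <prop name="ipv4-address" value="10.0.0.3"/>
        <prop name="scan-type" ns="{FEDRAMP_NS}" value="web"/>
        <prop name="allows-authenticated-scan" value="no">
          <remarks><p>Managed load balancer; external scan only.</p></remarks>
        </prop>
        <prop name="is-scanned" value="yes"/>
      </inventory-item>
      <inventory-item uuid="i-4" asset-id="db-01">
        <prop name="ipv4-address" value="10.0.0.4"/>
        <prop name="is-scanned" value="yes"/>
        <implemented-component component-uuid="c-db"/>
      </inventory-item>
    </system-inventory>
  </system-implementation>
</system-security-plan>"""


def prop_value(elem, name, ns=None):
    """@value of the first prop with this name (and ns, when given), else None."""
    for p in elem.findall("o:prop", NS):
        if p.get("name") == name and (ns is None or p.get("ns") == ns):
            return p.get("value")
    return None


def prop_remarks(elem, name):
    """Text of the remarks under the named prop (the justification), else None."""
    for p in elem.findall("o:prop", NS):
        if p.get("name") == name:
            r = p.find("o:remarks", NS)
            return "".join(r.itertext()).strip() if r is not None else None
    return None


def load(xml_text):
    """Components keyed by uuid, plus the list of inventory items."""
    impl = ET.fromstring(xml_text).find("o:system-implementation", NS)
    components = {c.get("uuid"): c for c in impl.findall("o:component", NS)}
    return components, impl.findall("o:system-inventory/o:inventory-item", NS)


def effective_prop(item, components, name, ns=None):
    """First query: the item's own prop (flat-file). Second query: the prop of the
    component the item implements (component-based). Returns (value, holder)."""
    value = prop_value(item, name, ns)
    if value is not None:
        return value, item
    ref = item.find("o:implemented-component", NS)
    comp = components.get(ref.get("component-uuid")) if ref is not None else None
    return (prop_value(comp, name, ns), comp) if comp is not None else (None, None)


def ipv4_for_scan_type(xml_text, scan_type):
    """Distinct IPv4 addresses of items in scope for one scan type."""
    components, items = load(xml_text)
    return sorted({prop_value(i, "ipv4-address") for i in items
                   if effective_prop(i, components, "scan-type", FEDRAMP_NS)[0] == scan_type})


def ipv4_by_authenticated_scan(xml_text, allowed):
    """Distinct IPv4 addresses where allows-authenticated-scan equals 'yes' or 'no'."""
    components, items = load(xml_text)
    return sorted({prop_value(i, "ipv4-address") for i in items
                   if effective_prop(i, components, "allows-authenticated-scan")[0] == allowed})


def not_scanned(xml_text):
    """(ipv4, reason) for every item whose is-scanned is 'no'."""
    _, items = load(xml_text)
    return [(prop_value(i, "ipv4-address"), prop_remarks(i, "is-scanned"))
            for i in items if prop_value(i, "is-scanned") == "no"]


def authenticated_scan_justifications(xml_text):
    """ipv4 -> justification remarks for items where an authenticated scan is not possible."""
    components, items = load(xml_text)
    out = {}
    for i in items:
        value, holder = effective_prop(i, components, "allows-authenticated-scan")
        if value == "no":
            out[prop_value(i, "ipv4-address")] = prop_remarks(holder, "allows-authenticated-scan")
    return out
```

Calling `ipv4_for_scan_type(SAMPLE_SSP, "infrastructure")` joins the two Linux instances to their component, while `"web"` is satisfied by the load balancer's item-level prop alone; `not_scanned` and `authenticated_scan_justifications` surface the remarks a reviewer needs to see for every gap in scan coverage, which is the check that matters when the inventory is used to scope vulnerability scanning.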