Generating Content from OSCAL-based SSP
The following artifacts are historically generated by hand to summarize content found in other portions of the FedRAMP SSP. When using OSCAL, these artifacts can be generated from content found elsewhere in this document. This includes the:
- Control Information Summary (CIS)
- Customer Responsibility Matrix (CRM)
If delivering SSP content in OSCAL, CSPs are no longer required to manually generate and maintain these artifacts, provided that the content in their OSCAL-based FedRAMP SSP remains accurate.
Tool developers are encouraged to develop their own solutions to generating this content.
Generating the Control Information Summary (CIS)
There are many ways a tool developer can generate the CIS. FedRAMP is developing an Extensible Stylesheet Language Transformation (XSLT) file to generate the FedRAMP CIS. When ready, FedRAMP will make this freely available to the public here:
https://github.com/GSA/fedramp-automation/tree/master/dist/content/rev5/resources
Generating the Customer Responsibility Matrix (CRM)
There are many ways a tool developer can generate the CRM. FedRAMP plans to develop open-source tooling to generate the FedRAMP CRM. When ready, FedRAMP will make this freely available to the public on the FedRAMP Automation GitHub repository.
Useful CRM XPath Queries
|
|
Working with Components
OSCAL is designed such that a system architect can express all aspects of the system as components. A component is anything that can satisfy a control requirement. This includes hardware, software, services, and underlying service providers, as well as policies, plans, and procedures. There are several ways to use components in an OSCAL-based SSP. The following defines FedRAMP’s minimum initial use.
This section will likely be updated as OSCAL continues to evolve its approach to components, and as FedRAMP receives feedback from stakeholders.
FedRAMP-defined component identifiers are cited in relevant portions of this documentation and summarized in the FedRAMP OSCAL Registry.
Minimum Required Components
There must be a component that represents the entire system itself. It should be the only component with the component-type set to “this-system”.
The following is an example of a defined component.
Minimum Required Component Representation
|
|
Common Additional Components
For each FIPS 140 validated module, there must be a component
that represents the service (e.g., cryptographic module, service, software, hardware, etc) that is validated, and another component
of type validation
that represents the validation certificate itself. A reference link
with rel
set to “validation” and href
set to the UUID of the validation component must be used to specify the validation for the component.
Common Additional Component Representation
|
|
Components as a Basis for System Inventory
OSCAL’s approach to component-based system modeling is to reduce redundancy of information and increase flexibility. OSCAL accomplishes this with separate component and inventory item modeling.
This is a one-to-many relationship: one component to many inventory item instances.
For example, if an open-source operating system (OS) is used in many places throughout the system, it is defined once as a component. All information about the product, vendor, and support are modeled within the component detail. If the OS is used four times within the system, each use is an inventory item, with the details pertain to each individual use, such as IP address.
FedRAMP requires a component
assembly for each model of infrastructure device used, and each version of software and database used within the system. FedRAMP is not asking for more detail than provided in the legacy inventory workbook, only that the information is organized differently.
As OSCAL continues to evolve its component approach, FedRAMP will re-evaluate its approach to system inventory representation.
Converting a Legacy SSP to OSCAL
OSCAL is designed such that a system architect can express all aspects of the system as components. A component is anything that can satisfy a control requirement. This includes hardware, software, services, and underlying service providers, as well as policies, plans, and procedures.
OSCAL is also designed to support legacy conversion of SSPs without individual components defined and enables an SSP author to migrate to the component approach gradually over time. In this instance, only a single component
is initially required, representing the system as a whole and designated with the special component type, “this-system”. The following provides an example of FedRAMP’s minimum required component approach:
Example control for legacy SSP conversion
|
|