System Roles

There are several roles that must have individuals named in the SSP. Documenting each of these roles in OSCAL follows the same pattern as Prepared By/For.

Use the following values for role-id in roles and responsible-roles:

  • authorizing-official: The authorizing official for this system.
  • authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
  • system-owner: The executive ultimately accountable for the system.
  • system-poc-management: The primary management-level point of contact (POC) for the system.
  • system-poc-technical: The primary technical point of contact (POC) for the system.
  • system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
  • information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
  • privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.

Representation

  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: Anthony Official
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003

XPath Queries

  • Authorizing Official Details: /*/metadata/party[@uuid=/*/metadata/responsible-party[@role-id='authorizing-official']/party-uuid]/name

NOTE: Replace "name" with "address/addr-line", "address/city", "address/state", or "address/zip" as needed. There may be more than one addr-line.
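The representation and the XPath query above describe one lookup: follow responsible-parties for a role-id to its party-uuids, then to the matching party and its name. The following Python is an added example, not code from the FedRAMP or OSCAL documentation; it performs that same lookup over the parsed JSON/YAML object model and, going one step beyond the page, checks that every required role is declared and assigned to at least one party of type individual, and that no responsible-party points at a uuid that does not exist. SAMPLE_METADATA is a constructed copy of the page's representation; the function names and complete_metadata() are assumptions made for the example.

```python
# Added example (not from the FedRAMP/OSCAL documentation): resolves and checks
# system roles in the JSON/YAML form of OSCAL SSP metadata. SAMPLE_METADATA is a
# constructed copy of the page's representation; the helper names are assumptions.

# The eight role-ids the page says must each name an individual in the SSP.
REQUIRED_ROLE_IDS = frozenset({
    "authorizing-official",
    "authorizing-official-poc",
    "system-owner",
    "system-poc-management",
    "system-poc-technical",
    "system-poc-other",
    "information-system-security-officer",
    "privacy-poc",
})

# Constructed sample mirroring the page's YAML, as the parsed object model.
SAMPLE_METADATA = {
    "roles": [
        {"id": "system-owner", "title": "System Owner"},
        {"id": "authorizing-official", "title": "Authorizing Official"},
    ],
    "parties": [
        {"uuid": "11111111-2222-4000-8000-004000000003",
         "type": "individual", "name": "Anthony Official"},
    ],
    "responsible-parties": [
        {"role-id": "authorizing-official",
         "party-uuids": ["11111111-2222-4000-8000-004000000003"]},
    ],
}


def party_names_for_role(metadata, role_id):
    """Object-model equivalent of the page's XPath: responsible-parties[role-id]
    -> party-uuids -> parties[uuid] -> name. Raises on a dangling uuid."""
    parties = {p["uuid"]: p for p in metadata.get("parties", [])}
    names = []
    for rp in metadata.get("responsible-parties", []):
        if rp.get("role-id") != role_id:
            continue
        for uuid in rp.get("party-uuids", []):
            if uuid not in parties:
                raise ValueError(f"role {role_id!r} references unknown party {uuid}")
            names.append(parties[uuid]["name"])
    return names


def check_system_roles(metadata):
    """Return a sorted list of findings; an empty list means every required role
    is declared in metadata/roles and assigned to at least one 'individual'."""
    findings = []
    declared = {r["id"] for r in metadata.get("roles", [])}
    parties = {p["uuid"]: p for p in metadata.get("parties", [])}
    assigned = set()
    for rp in metadata.get("responsible-parties", []):
        rid = rp.get("role-id")
        if rid not in declared:
            findings.append(f"responsible-party uses undeclared role-id {rid!r}")
        if not rp.get("party-uuids"):
            findings.append(f"responsible-party for {rid!r} lists no party-uuids")
        for uuid in rp.get("party-uuids", []):
            party = parties.get(uuid)
            if party is None:
                findings.append(f"role {rid!r} references unknown party uuid {uuid}")
            elif party.get("type") != "individual":
                findings.append(f"role {rid!r} is assigned to {uuid}, which is not an individual")
            else:
                assigned.add(rid)
    for rid in REQUIRED_ROLE_IDS - declared:
        findings.append(f"required role {rid!r} is not declared in metadata/roles")
    for rid in REQUIRED_ROLE_IDS - assigned:
        findings.append(f"required role {rid!r} has no individual named")
    return sorted(findings)


def complete_metadata():
    """Constructed metadata with every required role declared and assigned to
    one individual, used to show the checker passing."""
    uuid = "11111111-2222-4000-8000-004000000099"  # constructed value
    return {
        "roles": [{"id": rid, "title": rid} for rid in sorted(REQUIRED_ROLE_IDS)],
        "parties": [{"uuid": uuid, "type": "individual", "name": "Example Person"}],
        "responsible-parties": [
            {"role-id": rid, "party-uuids": [uuid]} for rid in sorted(REQUIRED_ROLE_IDS)
        ],
    }


if __name__ == "__main__":
    print(party_names_for_role(SAMPLE_METADATA, "authorizing-official"))
    for finding in check_system_roles(SAMPLE_METADATA):
        print("FINDING:", finding)
```

Run against the page's sample, the lookup returns Anthony Official for authorizing-official, while the checker reports that system-owner is declared but has nobody assigned and that the other six required roles are neither declared nor assigned. Keeping the dangling-uuid case an error rather than a silent empty result matters because the XPath form of the query would just return nothing for a broken reference.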