Skip to main content

Roles

FedRAMP documentation has several well defined roles where the responsible party must be identifyied. These are each represented the same way in OSCAL metadata.

  • A roles entry must exist that includes:
    • id with an allowed value
    • title with a human-readable name for the role
  • One or more parties entries must exist that includes:
    • uuid with a unique value
    • type with a value of individual or organization
    • name with the name of the person, team or organization.
    • other fields as needed, such as email-addresses, telephone numbers or addresses. (See below)
  • A responsible-parties entry must exist that includes:
    • role-id with the same value as in roles/id above.
    • party-uuids array with one or more UUIDs that reference parties entries above.
Representation
  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: Anthony Official
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003

The following values are canonical for roles and must be used for id in roles and role-id in responsible-parties to ensure consistent tool processing:

  • authorizing-official: The authorizing official for this system.
  • authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
  • system-owner: The executive ultimately accountable for the system.
  • system-poc-management: The primary management-level point of contact (POC) for the system.
  • system-poc-technical: The primary technical point of contact (POC) for the system.
  • system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
  • information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
  • privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.

Where use cases require roles that have no canonical value, other values may be used; however, we encourage engagement with the OSCAL Foundation on additional role values to increase consistency of role values across tools.

XPath Queries
  • Authorizing Official Details: /*/metadata/party[@id=[/*/metadata/responsible-party[@role-id='authorizing-official']/party-id]]/name

NOTE: Replace "name" with "address/addr-line", "address/city", "address/state", or "address/zip" as needed. There may be more than one addr-line.

Back to top