Skip to main content

Roles

ThereFedRAMP documentation has several well defined roles where the responsible party must be identifyied. These are severaleach roles that must have individuals named inrepresented the SSP.same Documenting each of these rolesway in OSCAL followsmetadata.

  • A roles entry must exist that includes:
    • id with an allowed value
    • title with a human-readable name for the role
  • One or more parties entries must exist that includes:
    • uuid with a unique value
    • type with a value of individual or organization
    • name with the name of the person, team or organization.
    • other fields as needed, such as email-addresses, telephone numbers or addresses. (See below)
  • A responsible-parties entry must exist that includes:
    • role-id with the same patternvalue as Pareparedin By/For.

      roles/id above.
    • party-uuids array with one or more UUIDs that reference parties entries above.
Representation
  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: Anthony Official
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003

Use theThe following values are canonical for roles and must be used for role-id in roles and role-id in responsible-rolesparties: to ensure consistent tool processing:

  • authorizing-official: The authorizing official for this system.
  • authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
  • system-owner: The executive ultimately accountable for the system.
  • system-poc-management: The primary management-level point of contact (POC) for the system.
  • system-poc-technical: The primary technical point of contact (POC) for the system.
  • system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
  • information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
  • privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.

Where use cases require roles that have no canonical value, other values may be used; however, we encourage engagement with the OSCAL Foundation on additional role values to increase consistency of role values across tools.

Representation
  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: Anthony Official
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003
XPath Queries
  • Authorizing Official Details: /*/metadata/party[@id=[/*/metadata/responsible-party[@role-id='authorizing-official']/party-id]]/name

NOTE: Replace "name" with "address/addr-line", "address/city", "address/state", or "address/zip" as needed. There may be more than one addr-line.

Back to top