Roles

FedRAMP established several specific roles for every assessment package where the party (individual, team or organization) must be identified.

Representing this information in OSCAL requires four important elements:

  • Define roles
  • Define parties (individuals, teams, organizations)
  • Link roles to parties using responsible-parties
  • Use canonical role ID values for FedRAMP required roles

This is represented in OSCAL metadata.

  • A roles entry must exist that includes:
    • id with an allowed value
    • title with a human-readable name for the role
  • One or more parties entries must exist that include:
    • uuid with a unique value
    • type with a value of individual or organization
    • name with the name of the person, team or organization.
    • other fields as needed, such as email-addresses, telephone numbers or addresses. (See below)
  • A responsible-parties entry must exist that includes:
    • role-id with the same value as in roles/id above.
    • party-uuids array with one or more UUIDs that reference parties entries above.
  • Optional locations entries that can be linked from party entries

Representation
  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official

    locations:
    - uuid: 11111111-2222-4000-8000-003000000001
      title: CSP HQ
      address:
        type: work
        addr-lines:
        - Suite 0000
        - 1234 Some Street
        city: Haven
        state: ME
        postal-code: '00000'
        
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: A. Person
      email-addresses:
      - a.person@example.com
      location-uuids:
      - 11111111-2222-4000-8000-003000000001
    
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003

Canonical Role ID Values

The following values are canonical for roles and must be used for id in roles and role-id in responsible-parties to ensure consistent tool processing:

Roles for All FedRAMP Artifacts

| This role ID | identifies |
| --- | --- |
| prepared-by | who prepared the FedRAMP artifact |
| prepared-for | for whom the artifact was prepared |

Roles for System Security Plan (SSP)

| This role ID | identifies |
| --- | --- |
| cloud-service-provider | the Cloud Service Provider's organization |
| system-owner | the CSP officer legally responsible for the system |
| system-poc-management | the system's primary management contact |
| system-poc-technical | the system's primary technical contact |
| authorizing-official | an Agency's authorizing official (AO) |
| authorizing-official-poc | an Agency's primary point of contact on behalf of the AO |
| system-poc-other | additional points of contact for the system |
| information-system-security-officer | the individual responsible for the secure operation of the system |
| privacy-poc | the individual responsible for ensuring appropriate protection of privacy information within the system |
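As an added example, not part of the FedRAMP OSCAL guidance itself, the following Python check applies the rules above to a metadata block: role ids must come from the canonical set listed on this page (all-artifact and SSP roles only, since the POA&M, SAP and SAR tables are not reproduced here), party type must be individual or organization, and every role-id, party-uuid and location-uuid used in a link must resolve to a declared entry. The sample metadata is constructed from the Representation block above; check_metadata and CANONICAL_ROLE_IDS are names chosen here.

```python
from typing import Dict, List
# Canonical FedRAMP role IDs from the tables on this page (all-artifact and SSP roles).
CANONICAL_ROLE_IDS = {
    "prepared-by", "prepared-for", "cloud-service-provider", "system-owner",
    "system-poc-management", "system-poc-technical", "authorizing-official",
    "authorizing-official-poc", "system-poc-other",
    "information-system-security-officer", "privacy-poc",
}
PARTY_TYPES = {"individual", "organization"}

def check_metadata(metadata: Dict) -> List[str]:
    """Return findings for an OSCAL metadata dict; an empty list means it passes."""
    findings: List[str] = []
    role_ids = {r.get("id") for r in metadata.get("roles", [])}
    party_uuids = {p.get("uuid") for p in metadata.get("parties", [])}
    location_uuids = {loc.get("uuid") for loc in metadata.get("locations", [])}
    for role in metadata.get("roles", []):  # roles: canonical id plus a title
        if role.get("id") not in CANONICAL_ROLE_IDS:
            findings.append(f"roles/id {role.get('id')!r} is not a canonical FedRAMP role ID")
        if not role.get("title"):
            findings.append(f"role {role.get('id')!r} has no title")
    for party in metadata.get("parties", []):  # parties: type, name, resolvable locations
        if party.get("type") not in PARTY_TYPES:
            findings.append(f"party {party.get('uuid')!r} has type {party.get('type')!r}")
        if not party.get("name"):
            findings.append(f"party {party.get('uuid')!r} has no name")
        for loc in party.get("location-uuids", []):
            if loc not in location_uuids:
                findings.append(f"party {party.get('uuid')!r} references unknown location {loc!r}")
    for rp in metadata.get("responsible-parties", []):  # links must resolve to declared entries
        if rp.get("role-id") not in role_ids:
            findings.append(f"responsible-party role-id {rp.get('role-id')!r} is not in roles")
        if not rp.get("party-uuids"):
            findings.append(f"responsible-party {rp.get('role-id')!r} lists no party-uuids")
        for uuid in rp.get("party-uuids", []):
            if uuid not in party_uuids:
                findings.append(f"responsible-party {rp.get('role-id')!r} references unknown party {uuid!r}")
    return findings

# Constructed sample mirroring the Representation block above (not a real package).
SAMPLE_METADATA = {
    "roles": [{"id": "system-owner", "title": "System Owner"},
              {"id": "authorizing-official", "title": "Authorizing Official"}],
    "locations": [{"uuid": "11111111-2222-4000-8000-003000000001", "title": "CSP HQ"}],
    "parties": [{"uuid": "11111111-2222-4000-8000-004000000003", "type": "individual",
                 "name": "A. Person", "location-uuids": ["11111111-2222-4000-8000-003000000001"]}],
    "responsible-parties": [{"role-id": "authorizing-official",
                             "party-uuids": ["11111111-2222-4000-8000-004000000003"]}],
}
```

Feed it the metadata object loaded from an SSP's YAML or JSON; a non-empty return value lists every link that would not resolve or every id outside the canonical set.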
Roles for Plan of Action and Milestones (POA&M)

Roles for Security Assessment Plan (SAP)

Roles for Security Assessment Report (SAR)