Roles
FedRAMP documentation has established several specific, well-defined roles for every assessment package, and the responsible party (individual, team or organization) for each role must be identified.
Representing this information in OSCAL requires four elements:
- Define roles
- Define parties (individuals, teams, organizations)
- Link roles to parties using responsible-parties
- Use canonical role ID values for FedRAMP required roles
This is represented in OSCAL metadata as follows:
- A roles entry must exist that includes:
  - id with an allowed value
  - title with a human-readable name for the role
- One or more parties entries must exist that include:
  - uuid with a unique value
  - type with a value of individual or organization
  - name with the name of the person, team or organization
  - other fields as needed, such as email-addresses, telephone-numbers or addresses (see below)
- A responsible-parties entry must exist that includes:
  - role-id with the same value as in roles/id above
  - party-uuids, an array with one or more UUIDs that reference parties entries above
- Optional locations entries that can be linked from party entries via location-uuids
Representation
metadata:
  roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official
  locations:
    - uuid: 11111111-2222-4000-8000-003000000001
      title: CSP HQ
      address:
        type: work
        addr-lines:
          - Suite 0000
          - 1234 Some Street
        city: Haven
        state: ME
        postal-code: '00000'
  parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: A. Person
      email-addresses:
        - a.person@example.com
      location-uuids:
        - 11111111-2222-4000-8000-003000000001
  responsible-parties:
    - role-id: authorizing-official
      party-uuids:
        - 11111111-2222-4000-8000-004000000003
Canonical Role ID Values
The following values are canonical for roles and must be used for id in roles and for role-id in responsible-parties to ensure consistent tool processing:

Roles for All FedRAMP Artifacts
- prepared-by: The party who prepared the FedRAMP artifact.
- prepared-for: The party for whom the artifact was prepared.

Roles for System Security Plan (SSP)
- cloud-service-provider: The Cloud Service Provider's organization.
- authorizing-official: The Agency's authorizing official (AO) for this system.
- authorizing-official-poc: The authorizing official's designated primary point of contact (POC) for this system.
- system-owner: The executive ultimately accountable for the system (the CSP officer legally responsible for the system).
- system-poc-management: The primary management-level point of contact (POC) for the system.
- system-poc-technical: The primary technical point of contact (POC) for the system.
- system-poc-other: Additional points of contact (POC) for the system that are not the management or technical POC.
- information-system-security-officer: The primary individual responsible for the secure operation of the system.
- privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system and ensuring its protection if present.

Roles for Plan of Action and Milestones (POA&M)
Where use cases require roles that have no canonical value, other values may be used; however, we encourage engagement with the OSCAL Foundation on additional role values to increase consistency of role values across tools.
Roles for Security Assessment Plan (SAP)
Roles for Security Assessment Report (SAR)

XPath Queries
Authorizing Official Details: /*/metadata/party[@uuid=/*/metadata/responsible-party[@role-id='authorizing-official']/party-uuid]/name
NOTE: Replace "name" with "address/addr-line", "address/city", "address/state", or "address/postal-code" as needed. There may be more than one addr-line.
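The linkage rules above (role-id must match a roles/id, every party-uuid must match a parties/uuid, every location-uuid must match a locations/uuid, FedRAMP roles use canonical ids) and the XPath lookup can be checked programmatically. The following is an added example, not code from the FedRAMP or OSCAL projects; the METADATA dict is a constructed input mirroring the YAML representation on this page, and CANONICAL_ROLE_IDS is the list given above.

```python
# Added example, not from the FedRAMP/OSCAL docs: check the role -> party -> location links
# in an OSCAL metadata block and resolve a role to its parties (the XPath query above, in Python).
CANONICAL_ROLE_IDS = {
    "prepared-by", "prepared-for", "cloud-service-provider", "system-owner",
    "authorizing-official", "authorizing-official-poc", "system-poc-management",
    "system-poc-technical", "system-poc-other", "information-system-security-officer",
    "privacy-poc",
}
# Constructed input mirroring the YAML representation on this page.
METADATA = {
    "roles": [{"id": "system-owner", "title": "System Owner"},
              {"id": "authorizing-official", "title": "Authorizing Official"}],
    "locations": [{"uuid": "11111111-2222-4000-8000-003000000001", "title": "CSP HQ",
                   "address": {"type": "work", "addr-lines": ["Suite 0000", "1234 Some Street"],
                               "city": "Haven", "state": "ME", "postal-code": "00000"}}],
    "parties": [{"uuid": "11111111-2222-4000-8000-004000000003", "type": "individual",
                 "name": "A. Person", "email-addresses": ["a.person@example.com"],
                 "location-uuids": ["11111111-2222-4000-8000-003000000001"]}],
    "responsible-parties": [{"role-id": "authorizing-official",
                             "party-uuids": ["11111111-2222-4000-8000-004000000003"]}],
}

def check_links(metadata):
    """Return the linkage problems found (an empty list means the metadata is consistent)."""
    problems = []
    role_ids = {r["id"] for r in metadata.get("roles", [])}
    party_uuids = {p["uuid"] for p in metadata.get("parties", [])}
    location_uuids = {loc["uuid"] for loc in metadata.get("locations", [])}
    for rp in metadata.get("responsible-parties", []):
        if rp["role-id"] not in role_ids:  # role-id must match a roles/id entry
            problems.append(f"undefined role {rp['role-id']}")
        if rp["role-id"] not in CANONICAL_ROLE_IDS:  # FedRAMP-required roles use canonical ids
            problems.append(f"non-canonical role {rp['role-id']}")
        for uuid in rp.get("party-uuids", []):  # each party-uuid must match a parties/uuid
            if uuid not in party_uuids:
                problems.append(f"undefined party {uuid}")
    for p in metadata.get("parties", []):
        for uuid in p.get("location-uuids", []):  # each location-uuid must match a locations/uuid
            if uuid not in location_uuids:
                problems.append(f"undefined location {uuid}")
    return problems

def parties_for_role(metadata, role_id):
    """Resolve role_id to the party dicts it names, following responsible-parties."""
    by_uuid = {p["uuid"]: p for p in metadata.get("parties", [])}
    return [by_uuid[u] for rp in metadata.get("responsible-parties", [])
            if rp["role-id"] == role_id for u in rp.get("party-uuids", []) if u in by_uuid]
```

Running check_links before handing a package to a tool catches dangling references that would otherwise make the XPath query above silently return nothing.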