Roles

Every FedRAMP assessment package must identify the party (individual, team or organization) responsible for pre-defined roles, such as system owner and information system security officer (ISSO).

Representing this information in OSCAL requires four important elements:

  • roles to define the roles
  • parties to represent individuals, teams or organizations
  • responsible-parties to link roles to parties
  • canonical role ID values for the required roles, so that tools can process packages consistently

This is represented in OSCAL metadata.

  • A roles entry must exist that includes:
    • id with a canonical role ID value
    • title with a human-readable name for the role as it appears in the FedRAMP authorization package
  • One or more parties entries must exist that include:
    • uuid with a unique value
    • type with a value of individual for people or organization for teams and organizations
    • name with the name of the person, team or organization
    • other fields as needed, such as email-addresses, telephone-numbers, addresses or location-uuids
  • A responsible-parties entry must exist that includes:
    • role-id with the same value as in roles/id above
    • party-uuids array with one or more UUIDs that reference the parties entries above
  • Optional locations entries that can be linked from parties entries via location-uuids

Representation

  metadata:
    roles:
    - id: system-owner
      title: System Owner
    - id: authorizing-official
      title: Authorizing Official

    locations:
    - uuid: 11111111-2222-4000-8000-003000000001
      title: CSP HQ
      address:
        type: work
        addr-lines:
        - Suite 0000
        - 1234 Some Street
        city: Haven
        state: ME
        postal-code: '00000'
        
    parties:
    - uuid: 11111111-2222-4000-8000-004000000003
      type: individual
      name: A. Person
      email-addresses:
      - a.person@example.com
      location-uuids:
      - 11111111-2222-4000-8000-003000000001
    
    responsible-parties:
    - role-id: authorizing-official
      party-uuids:
      - 11111111-2222-4000-8000-004000000003
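The linkage rules above (role-id must match a roles/id, party-uuids and location-uuids must resolve, roles/id must be canonical, party type must be individual or organization) are exactly what a package-validation tool checks before accepting a FedRAMP package. The following is an added example, not code from FedRAMP or the OSCAL project: it loads the page's metadata in OSCAL's JSON form (a constructed sample, with one extra responsible-parties entry that points at a party UUID that does not exist) and reports every broken link.

```python
import json

# Canonical FedRAMP role IDs (all artifacts plus SSP), as listed on this page.
CANONICAL_ROLE_IDS = {
    "prepared-by", "prepared-for", "cloud-service-provider", "system-owner",
    "system-poc-management", "system-poc-technical", "authorizing-official",
    "authorizing-official-poc", "system-poc-other", "privacy-poc",
    "information-system-security-officer"}

# Constructed sample in OSCAL's JSON form: the page's example, plus a second
# responsible-parties entry that points at a party UUID that does not exist.
SAMPLE_METADATA = json.loads("""{
  "roles": [{"id": "system-owner", "title": "System Owner"},
            {"id": "authorizing-official", "title": "Authorizing Official"}],
  "locations": [{"uuid": "11111111-2222-4000-8000-003000000001", "title": "CSP HQ"}],
  "parties": [{"uuid": "11111111-2222-4000-8000-004000000003", "type": "individual",
               "name": "A. Person",
               "location-uuids": ["11111111-2222-4000-8000-003000000001"]}],
  "responsible-parties": [
    {"role-id": "authorizing-official",
     "party-uuids": ["11111111-2222-4000-8000-004000000003"]},
    {"role-id": "system-owner",
     "party-uuids": ["11111111-2222-4000-8000-004000000099"]}]
}""")

def check_responsible_parties(metadata):
    """Return the linkage problems found in an OSCAL metadata object ([] if consistent)."""
    problems = []
    role_ids = {r["id"] for r in metadata.get("roles", [])}
    party_uuids = {p["uuid"] for p in metadata.get("parties", [])}
    location_uuids = {loc["uuid"] for loc in metadata.get("locations", [])}
    # roles/id must be a canonical value so tools can recognise the role
    for role_id in sorted(role_ids - CANONICAL_ROLE_IDS):
        problems.append(f"role '{role_id}' is not a canonical FedRAMP role ID")
    # parties need a valid type, and any location-uuids must resolve
    for party in metadata.get("parties", []):
        if party.get("type") not in ("individual", "organization"):
            problems.append(f"party {party['uuid']} has invalid type {party.get('type')!r}")
        for loc in party.get("location-uuids", []):
            if loc not in location_uuids:
                problems.append(f"party {party['uuid']} references unknown location {loc}")
    # responsible-parties must reference a defined role and existing parties
    for rp in metadata.get("responsible-parties", []):
        if rp["role-id"] not in role_ids:
            problems.append(f"responsible-party role '{rp['role-id']}' is not in roles")
        for uuid in rp.get("party-uuids", []):
            if uuid not in party_uuids:
                problems.append(f"role '{rp['role-id']}' references unknown party {uuid}")
    return problems
```

Run against the sample, the only finding is the dangling system-owner party reference; a package with a non-canonical role id would additionally be flagged even though its internal links resolve.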

Canonical Role ID Values

The following values are canonical for roles and must be used for id in roles and role-id in responsible-parties to ensure consistent tool processing:

Roles for All FedRAMP Artifacts

| This role ID | identifies |
| --- | --- |
| prepared-by | who prepared the FedRAMP artifact |
| prepared-for | for whom the artifact was prepared |

Roles for System Security Plan (SSP)

| This role ID | identifies |
| --- | --- |
| cloud-service-provider | the Cloud Service Provider's organization |
| system-owner | the CSP officer legally responsible for the system |
| system-poc-management | the system's primary management contact |
| system-poc-technical | the system's primary technical contact |
| authorizing-official | an Agency's authorizing official (AO) |
| authorizing-official-poc | an Agency's primary point of contact on behalf of the AO |
| system-poc-other | additional points of contact for the system |
| information-system-security-officer | the individual responsible for the secure operation of the system |
| privacy-poc | the individual responsible for ensuring appropriate protection of privacy information within the system |

Roles for Plan of Action and Milestones (POA&M)

To be added in Phase 2

Roles for Security Assessment Plan (SAP)

To be added in Phase 3

Roles for Security Assessment Report (SAR)

To be added in Phase 3