System Information
System Information
Cloud Service Provider (CSP) Name
The cloud service provider (CSP) must be provided as one of the party assemblies within the metadata.
OSCAL Representation
<system-security-plan>plan:
<metadata>uuid: <!-11111111-2222-4000-8000-000000000000
metadata:
- CSPuuid: Name11111111-2222-4000-8000-004000000001
-->type: <partyorganization
uuid=”uuid-of-csp”name: type=”organization”>
<name>Cloud Service Provider (CSP) Name</name>
</party>short-name: </metadata>CSP </system-security-plan>Acronym/Short Name
XPath Queries
Cloud Service Provider (CSP) Name:
/*/metadata/party[@uuid='uuid-of-csp']/name
System Name, Abbreviation, and FedRAMP Unique Identifier
The remainder of the system information is provided in the system-characteristics assembly.
The FedRAMP-assigned application number is the unique ID for a FedRAMP system. OSCAL supports several system identifiers, which may be assigned by different organizations.
For this reason, OSCAL requires the identifier-type flag be present and have a value that uniquely identifies the issuing organization. FedRAMP requires its value to be "https://fedramp.gov" for all FedRAMP-issued application numbers.
This assembly defines the full name of the system and its short name. A FedRAMP OSCAL SSP must define the system name and its short name.
OSCAL Representation
<
system-security-plan>plan:
<metadata>system-characteristics:
<!--system-name: CSP Name -->
<party uuid="uuid-of-csp" type="organization">
<name>Cloud Service Provider (CSP) Name</name>
</party>
</metadata>
<system-characteristics>
<!-- System Name & Abbreviation -->
<system-name>System's Full Name</system-name>
<system-name-short>short: System's Short Name or Acronym</
system-name-short>ids:
<!-- FedRAMPidentifier-type: Unique Identifier -->
<system-id identifier-type="http://fedramp.gov">gov/ns/oscal
id: F00000000</system-id>
<!-- cut -->
</system-characteristics>
<!-- cut -->
</system-security-plan>
FedRAMP Allowed Value
Required Identifier Type:
- identifier-type="https://fedramp.gov"
XPath Queries
Information System Name:
/*/system-characteristics/system-name
Information System Abbreviation:
/*/system-characteristics/system-name-short
FedRAMP Unique Identifier:
/*/system-characteristics/system-id[@identifier-type="https://fedramp.gov"]
Service Model
The core-OSCAL system-characteristics assembly has a property for the cloud service model.
OSCAL Representation
<
system-security-plan>plan:
<metadata>system-characteristics:
<!-props:
- CSPname: Name -->
<party uuid="uuid-of-csp" type="organization">
<name>Cloud Service Provider (CSP) Name</name>
</party>
</metadata>
<system-characteristics>
<!-- System Name & Abbreviation -->
<system-name>System's Full Name</system-name>
<system-name-short>System's Short Name or Acronym</system-name-short>
<!-- FedRAMP Unique Identifier -->
<system-id identifier-type="http://fedramp.gov">F00000000</system-id>
<!-- Service Model -->
<prop name="cloud-service-model"model
value="saas">value: <remarks>saas
<p>remarks: Remarks are required if service model is "other". Optional otherwise.</p>
</remarks>
</prop>
<!-- cut -->
</system-characteristics>
<!-- cut -->
</system-security-plan>
OSCAL Allowed Values
Valid Service Model values:
- saas
- paas
- iaas
- other
XPath Queries
Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/@value
Remarks on System's Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/remarks/node()
NOTE:
- A cloud service provider may define two or more cloud service models for the cloud service offering defined in the system security plan if applicable for customer use (IaaS and PaaS; IaaS and PaaS and SaaS; PaaS and SaaS). Cloud service providers may use a "cloud-service-model" prop for each applicable cloud service model.
- If the service model is "other", the remarks field is required. Otherwise, it is optional.
Deployment Model
The core-OSCAL system-characteristics assembly has a property for the cloud deployment model.
OSCAL Representation
<system-security-plan>plan:
<metadata>system-characteristics:
<!-props:
- CSPname: Name -->
<party uuid="uuid-of-csp" type="organization">
<name>Cloud Service Provider (CSP) Name</name>
</party>
</metadata>
<system-characteristics>
<!-- System Name & Abbreviation -->
<system-name>System's Full Name</system-name>
<system-name-short>System's Short Name or Acronym</system-name-short>
<!-- FedRAMP Unique Identifier -->
<system-id identifier-type="http://fedramp.gov">F00000000</system-id>
<!-- Service Model -->
<prop name="cloud-service-model" value="saas">
<remarks>
<p>Remarks are required if service deployment-model
isvalue: "other".government-only-cloud
Optionalremarks: otherwise.</p>
</remarks>
</prop>
<!-- Deployment Model -->
<prop name="cloud-deployment-model" value="public-cloud">
<remarks>
<p>Remarks are required if deployment model is "hybrid"hybrid-cloud" or "other". Optional otherwise.</p>
</remarks>
</prop>
<!-- cut -->
</system-characteristics>
<!-- cut -->
</system-security-plan>
FedRAMP Accepted Values
-
name="cloud-deployment-model"
Valid: public-cloud, private-cloud, government-only-cloud, hybrid-cloud, other
XPath Queries
Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/@value
Remarks on System's Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/remarks/node()
NOTE:
-
A cloud service provider may define one and only one cloud deployment model in the system security plan for a cloud service offering.
-
OSCAL 1.0.0 permits a cloud-deployment-model of value community-cloud, but FedRAMP does not permit such a deployment model for cloud service offerings and is not permitted for a FedRAMP OSCAL-based system security plan.
-
If the deployment model is "hybrid", the remarks field is required. Otherwise, it is optional.
System Status
The system status in the FedRAMP SSP template document is specified in the "Fully Operational as of" table cell illustrated in the figure below. OSCAL has a status assembly that is used to describe the operational status of the system. In addition, FedRAMP has defined an extension that must be used to provide the date when the system became operational.
OSCAL Representation
<system-security-plan>plan:
<metadata>system-characteristics:
<!--status:
cutstate: CSPoperational
Nameremarks: -->'Remarks </metadata>are <system-characteristics>optional <!--if System Name & Abbreviation -->
<system-name>System's Full Name</system-name>
<system-name-short>System's Short Name or Acronym</system-name-short>
<!-- FedRAMP Unique Identifier -->
<system-id identifier-type=“http://fedramp.gov/ns/oscal”>F00000000</system-id>
<!-- cut Service Model -->
<!-- cut Deployment Model -->
<!-- cut DIL Determination -->
<!-- FIPS PUB 199 Level (SSP Attachment 10) -->
<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
<!-- Fully Operational as of -->
<status state="operational">
<remarks>
<p>If the statusstatus/state is “other”,"operational".
theRemarks remarksare fieldrequired is required.</p>
<p>Otherwise, it is optional.</p>
</remarks>
</status>
<prop ns="https://fedramp.gov/ns/oscal" name="fully-operational-date" value="mm/dd/yyyy"/>
<!-- cut -->
</system-characteristics>
<!-- cut -->
</system-security-plan>otherwise.'
OSCAL Allowed Values
FedRAMP only accepts those in bold:
- operational
- under-development
- under-major-modification
- disposition
- other
XPath Queries
System's Operational Status:
/*/system-characteristics/status/@state
Remarks on System's Operational Status:
/*/system-characteristics/status/remarks/node()
Fully Operational As Of Date:
/*/system-characteristics/prop[@name="fully-operational-date"][@ns="https://fedramp.gov/ns/oscal"]/@value
NOTE:
-
If the status is "other", the remarks field is required. Otherwise, it is optional.
-
While under-development and disposition are valid OSCAL values, systems with either of these operational status values are not eligible for a FedRAMP Authorization.
System Functionality
The system functionality in the FedRAMP SSP template document is specified in the “General System Description” table cell illustrated in the figure below. OSCAL has a description field within the system-characteristics assembly that is used to describe the system and its functionality.
OSCAL Representation
<system-security-plan>plan:
<metadata>system-characteristics:
<!--description: cut'\[Insert CSPCSO NameName\] -->is </metadata>delivered <system-characteristics>as <!--\[a/an\] System\[insert Namebased &on Abbreviation -->
<system-name>System's Full Name</system-name>
<system-name-short>System's Short Name or Acronym</system-name-short>
<!-- FedRAMP Unique Identifier -->
<system-id identifier-type=“http://fedramp.gov/ns/oscal”>F00000000</system-id>
<!-- cutthe Service Model -->above\] <!--offering cutusing a multi-tenant \[insert based on the Deployment Model -->above\] <!--cloud cutcomputing DILenvironment. DeterminationIt -->is <!--available FIPSto PUB\[Insert 199scope Levelof customers in accordance with instructions above (SSPfor Attachmentexample, 10)the -->public, <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>federal, <!--state, cutlocal, Fullyand Operationaltribal governments, as ofwell -->as <!--research systeminstitutions, functionalityfederal -->contractors, <description>government <p>Describecontractors the purpose and functions of this system here.</p>
<!-- list of services/features in scope -->
<!-– (use paragraph, list item, or table) -->
</description>
</system-characteristics>
<!-- cut -->
</system-security-plan>etc.)\].'
XPath Queries
System Function or Purpose: First paragraph in description
/*/system-characteristics/description/node()