System Information

CSP Name

The cloud service provider (CSP) name and abbreviation are represented in the SSP metadata.

A roles extry must exist with id = cloud-service-provider
A parties entry must exist with the CSP's name and short-name.
A responsible-parties entry must exist to link the parties UUID value to the cloud-service-provider role.

OSCAL Representation

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  metadata:
    roles:
    - id: cloud-service-provider
      title: Cloud Service Provider
      short-name: CSP

  parties:  
    - uuid: 11111111-2222-4000-8000-004000000001
      type: organization
      name: Cloud Service Provider (CSP) Name
      short-name: CSP Acronym/Short Name

  responsible-parties:
    - role-id: cloud-service-provider
      party-uuids:
      - 11111111-2222-4000-8000-004000000001

CSO Name

The CSO name and abbreviation are represented in system-characteristics.

The system-name field contains the CSO Name
The system-name-short field contains the CSO abbreviation.

OSCAL Representation


system-security-plan:
  system-characteristics:
    system-name: System's Full Name
    system-name-short: System's Short Name or Acronym
    system-ids:
    - identifier-type: http://fedramp.gov/ns/oscal
      id: F00000000

FedRAMP Package ID

The FedRAMP Package ID is represented in system-characteristics.

A system-ids entry must exist that includes:
- identifier-type set to http://fedramp.gov/ns/oscal
- id set to the FedRAMP Package ID

OSCAL Representation


system-security-plan:
  system-characteristics:
    system-ids:
    - identifier-type: http://fedramp.gov/ns/oscal
      id: F00000000

FedRAMP Allowed Value

Required Identifier Type:

identifier-type="https://fedramp.gov"

Service Model

The Service Model is represented in system-characteristics.

A system-characteristics property (prop) entry must exist that includes:
- A name set to cloud-service-model
- A value set to one of the allowed service model values below.
- If the value is set to other, remarks is used to explain.

If more than one service model type is applicable (IaaS and PaaS; IaaS and PaaS and SaaS; PaaS and SaaS), use one "cloud-service-model" prop for each applicable cloud service model.

OSCAL Representation


system-security-plan:
  system-characteristics:
    props:
    - name: cloud-service-model
      value: iaas
    - name: cloud-service-model
      value: paas
    - name: cloud-service-model
      value: other
      remarks: Remarks are required if service model is "other". Optional otherwise.

OSCAL Allowed Values

Valid cloud-service-model property values:

saas
paas
iaas
other

Digital Identity Level (DIL) Determination

See Appendix E for appropriate OSCAL representation.

FIPS PUB 199 Level

See Appendix K for appropriate OSCAL representation.

Fully Operational as of

The fully operational date is represented in system-characteristics.

A system-characteristics property (prop) entry must exist that includes:
- A name set to fully-operational-date
- A ns set to http://fedramp.gov/ns/oscal
- A value set to the operational date.

Although the value field is a string, the date should be treated as an OSCAL date-time-with-timezone data type.

OSCAL Representation

system-security-plan:
  system-characteristics:
    props:
    - name: fully-operational-date
      ns: http://fedramp.gov/ns/oscal
      value: '2023-12-31T00:00:00Z'

Deployment Model

The Deployment Model is represented in system-characteristics.

A system-characteristics property (prop) entry must exist that includes:
- A name set to deployment-model
- A value set to one of the allowed deployment model values below.
- If the value is set to other, remarks is used to explain.
Only one cloud-deployment-model property is permitted.

If the deployment model is hybrid or other, the remarks field is required. Otherwise, it is optional.

OSCAL Representation

system-security-plan:
  system-characteristics:
    props:
    - name: cloud-deployment-model
      value: hybrid-cloud
      remarks: Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

FedRAMP Accepted Values Valid cloud-deployment-model property values:

public-cloud
private-cloud
government-only-cloud
hybrid-cloud
other

Although core OSCAL also allows community-cloud, FedRAMP authorizations do not include community clouds.

Authorization Path

This is an obsolete concept and does not need to be represented in OSCAL.

General System Description

The General System Description is represented in system-characteristics.

The description field contains the general system description.
This is a markup-multiline field.

OSCAL Representation

system-security-plan:
  system-characteristics:
    description: '\[Insert CSO Name\] is delivered as \[a/an\] \[insert based on the Service Model above\] offering using a multi-tenant \[insert based on the Deployment Model above\] cloud computing environment. It is available to \[Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)\].'