System Information
Cloud Service Provider (CSP) Name
The cloud service provider (CSP) name and abbreviation are represented in the SSP metadata.
- A roles entry must exist with id=cloud-service-provider.
- A parties entry must exist with the CSP's name and short-name.
- A responsible-parties entry must exist to link the parties UUID value to the cloud-service-provider role.
OSCAL Representation
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  metadata:
    roles:
      - id: cloud-service-provider
        title: Cloud Service Provider
        short-name: CSP
    parties:
      - uuid: 11111111-2222-4000-8000-004000000001
        type: organization
        name: Cloud Service Provider (CSP) Name
        short-name: CSP Acronym/Short Name
    responsible-parties:
      - role-id: cloud-service-provider
        party-uuids:
          - 11111111-2222-4000-8000-004000000001
XPath Queries
Cloud Service Provider (CSP) Name:
/*/metadata/party[@uuid='uuid-of-csp']/name
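The three metadata rules above form a chain (role, responsible-party, party) that can break at any link. The following check is an added example, not FedRAMP's own tooling; it assumes the SSP has been loaded into a Python dict shaped like the YAML/JSON form, and the function name and sample data are constructed for illustration.

```python
import copy

CSP_ROLE = "cloud-service-provider"

def check_csp_linkage(ssp):
    """Return findings; an empty list means all three metadata rules hold."""
    meta = ssp.get("system-security-plan", {}).get("metadata", {})
    findings = []

    # Rule 1: a roles entry with id=cloud-service-provider.
    if not any(r.get("id") == CSP_ROLE for r in meta.get("roles", [])):
        findings.append("no roles entry with id cloud-service-provider")

    # Rule 3: a responsible-parties entry links party UUIDs to that role.
    linked = [u for rp in meta.get("responsible-parties", [])
              if rp.get("role-id") == CSP_ROLE
              for u in rp.get("party-uuids", [])]
    if not linked:
        findings.append("no responsible-parties entry for cloud-service-provider")

    # Rule 2: every linked UUID must resolve to a party with name and short-name.
    parties = {p.get("uuid"): p for p in meta.get("parties", [])}
    for uuid in linked:
        party = parties.get(uuid)
        if party is None:
            findings.append(f"party-uuid {uuid} matches no parties entry")
        elif not (party.get("name") and party.get("short-name")):
            findings.append(f"party {uuid} lacks name or short-name")
    return findings

# Constructed sample: the metadata from the representation above.
GOOD = {"system-security-plan": {"metadata": {
    "roles": [{"id": CSP_ROLE, "title": "Cloud Service Provider"}],
    "parties": [{"uuid": "11111111-2222-4000-8000-004000000001",
                 "type": "organization",
                 "name": "Cloud Service Provider (CSP) Name",
                 "short-name": "CSP Acronym/Short Name"}],
    "responsible-parties": [{"role-id": CSP_ROLE, "party-uuids": [
        "11111111-2222-4000-8000-004000000001"]}]}}}

# Constructed failure: the link points at a UUID that no party carries.
DANGLING = copy.deepcopy(GOOD)
DANGLING["system-security-plan"]["metadata"]["responsible-parties"][0][
    "party-uuids"] = ["11111111-2222-4000-8000-00400000ffff"]
```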
CSO Name, Abbreviation, and FedRAMP Unique Identifier
The remainder of the system information is provided in the system-characteristics assembly.
The FedRAMP-assigned application number is the unique ID for a FedRAMP system. OSCAL supports several system identifiers, which may be assigned by different organizations.
For this reason, OSCAL requires the identifier-type flag be present and have a value that uniquely identifies the issuing organization. FedRAMP requires its value to be "https://fedramp.gov" for all FedRAMP-issued application numbers.
This assembly defines the full name of the system and its short name. The CSO name and abbreviation are represented in system-characteristics.
- The system-name field contains the CSO name.
- The system-name-short field contains the CSO abbreviation.
OSCAL Representation
system-security-plan:
  system-characteristics:
    system-name: System's Full Name
    system-name-short: System's Short Name or Acronym
    system-ids:
      - identifier-type: http://fedramp.gov/ns/oscal
        id: F00000000
FedRAMP Package ID
The FedRAMP Package ID is represented in system-characteristics.
- A system-ids entry must exist that includes:
  - identifier-type set to http://fedramp.gov/ns/oscal
  - id set to the FedRAMP Package ID
OSCAL Representation
system-security-plan:
  system-characteristics:
    system-ids:
      - identifier-type: http://fedramp.gov/ns/oscal
        id: F00000000
FedRAMP Allowed Value
Required Identifier Type:
- identifier-type="https://fedramp.gov"
XPath Queries
Information System Name:
/*/system-characteristics/system-name
Information System Abbreviation:
/*/system-characteristics/system-name-short
FedRAMP Unique Identifier:
/*/system-characteristics/system-id[@identifier-type="https://fedramp.gov"]
Service Model
The Service Model is represented in system-characteristics.
- A system-characteristics property (prop) entry must exist that includes:
  - A name set to cloud-service-model
  - A value set to one of the allowed service model values below.
  - If the value is set to other, remarks is used to explain.
If more than one service model type is applicable (IaaS and PaaS; IaaS and PaaS and SaaS; PaaS and SaaS), use one "cloud-service-model" prop for each applicable cloud service model.
OSCAL Representation
system-security-plan:
  system-characteristics:
    props:
      - name: cloud-service-model
        value: iaas
      - name: cloud-service-model
        value: paas
      - name: cloud-service-model
        value: other
        remarks: Remarks are required if service model is "other". Optional otherwise.
OSCAL Allowed Values
Valid cloud-service-model property values:
- saas
- paas
- iaas
- other
XPath Queries
Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/@value
Remarks on System's Service Model:
/*/system-characteristics/prop[@name="cloud-service-model"]/remarks/node()
Digital Identity Level (DIL) Determination
See Appendix E for appropriate OSCAL representation.
FIPS PUB 199 Level
See Appendix K for appropriate OSCAL representation.
Fully Operational as of
The fully operational date is represented in system-characteristics.
- A system-characteristics property (prop) entry must exist that includes:
  - A name set to fully-operational-date
  - A ns set to http://fedramp.gov/ns/oscal
  - A value set to the operational date.
Although the value field is a string, the date should be treated as an OSCAL date-time-with-timezone data type.
OSCAL Representation
system-security-plan:
  system-characteristics:
    props:
      - name: fully-operational-date
        ns: http://fedramp.gov/ns/oscal
        value: '2023-12-31T00:00:00Z'
Deployment Model
The Deployment Model is represented in system-characteristics.
- A system-characteristics property (prop) entry must exist that includes:
  - A name set to cloud-deployment-model
  - A value set to one of the allowed deployment model values below.
  - If the value is set to other, remarks is used to explain.
- Only one cloud-deployment-model property is permitted.
If the deployment model is hybrid or other, the remarks field is required. Otherwise, it is optional.
The core-OSCAL system-characteristics assembly has a property for the cloud deployment model.
OSCAL Representation
system-security-plan:
  system-characteristics:
    props:
      - name: cloud-deployment-model
        value: hybrid-cloud
        remarks: Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.
FedRAMP Accepted Values
Valid cloud-deployment-model property values:
- public-cloud
- private-cloud
- government-only-cloud
- hybrid-cloud
- other
Although core OSCAL also allows community-cloud, FedRAMP authorizations do not include community clouds.
XPath Queries
Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/@value
Remarks on System's Deployment Model:
/*/system-characteristics/prop[@name="cloud-deployment-model"]/remarks/node()
NOTE:
- A cloud service provider may define one and only one cloud deployment model in the system security plan for a cloud service offering.
- OSCAL 1.0.0 permits a cloud-deployment-model of value community-cloud, but FedRAMP does not permit such a deployment model for cloud service offerings, and it is not permitted for a FedRAMP OSCAL-based system security plan.
- If the deployment model is "hybrid", the remarks field is required. Otherwise, it is optional.
Authorization Path
This is an obsolete concept and does not need to be represented in OSCAL.
General System Description
The General System Description is represented in system-characteristics.
System Status
The system status in the FedRAMP SSP template document is specified in the "Fully Operational as of" table cell illustrated in the figure below. OSCAL has a status assembly that is used to describe the operational status of the system. In addition, FedRAMP has defined an extension that must be used to provide the date when the system became operational.
OSCAL Representation
system-security-plan:
  system-characteristics:
    props:
      - name: fully-operational-date
        ns: http://fedramp.gov/ns/oscal
        value: '2023-12-31T00:00:00Z'
    status:
      state: operational
      remarks: 'Remarks are optional if status/state is "operational".
        Remarks are required otherwise.'
OSCAL Allowed Values
FedRAMP only accepts those in bold:
- operational
- under-development
- under-major-modification
- disposition
- other
XPath Queries
System's Operational Status:
/*/system-characteristics/status/@state
Remarks on System's Operational Status:
/*/system-characteristics/status/remarks/node()
Fully Operational As Of Date:
/*/system-characteristics/prop[@name="fully-operational-date"][@ns="https://fedramp.gov/ns/oscal"]/@value
NOTE:
- If the status is "other", the remarks field is required. Otherwise, it is optional.
- While under-development and disposition are valid OSCAL values, systems with either of these operational status values are not eligible for a FedRAMP Authorization.
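The property rules from the Service Model, Fully Operational as of, Deployment Model and System Status sections above, combined into one check. This is an added example, not FedRAMP's own tooling; it assumes system-characteristics has been loaded into a Python dict shaped like the YAML/JSON form, uses the namespace from the page's YAML, and its function name and sample data are constructed for illustration.

```python
from datetime import datetime

SERVICE_MODELS = {"saas", "paas", "iaas", "other"}
DEPLOYMENT_MODELS = {"public-cloud", "private-cloud", "government-only-cloud",
                     "hybrid-cloud", "other"}   # community-cloud is not accepted
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"      # namespace used in the page's YAML

def check_system_characteristics(sc):
    """Return findings for one system-characteristics dict (YAML/JSON form)."""
    findings = []
    def named(name):
        return [p for p in sc.get("props", []) if p.get("name") == name]

    service = named("cloud-service-model")
    if not service:
        findings.append("cloud-service-model: missing")
    for p in service:
        if p.get("value") not in SERVICE_MODELS:
            findings.append(f"cloud-service-model: invalid value {p.get('value')!r}")
        elif p["value"] == "other" and not p.get("remarks"):
            findings.append("cloud-service-model: 'other' requires remarks")

    deploy = named("cloud-deployment-model")
    if len(deploy) != 1:
        findings.append(f"cloud-deployment-model: expected 1 entry, found {len(deploy)}")
    for p in deploy:
        if p.get("value") not in DEPLOYMENT_MODELS:
            findings.append(f"cloud-deployment-model: invalid value {p.get('value')!r}")
        elif p["value"] in ("hybrid-cloud", "other") and not p.get("remarks"):
            findings.append(f"cloud-deployment-model: {p['value']!r} requires remarks")

    dates = [p for p in named("fully-operational-date") if p.get("ns") == FEDRAMP_NS]
    try:  # the string value must parse as a date-time that carries a timezone
        ts = datetime.fromisoformat(str(dates[0]["value"]).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            raise ValueError("no timezone")
    except (IndexError, KeyError, ValueError):
        findings.append("fully-operational-date: missing or not a date-time with timezone")

    state = sc.get("status", {}).get("state")
    if state in ("under-development", "disposition"):
        findings.append(f"status: {state!r} is not eligible for a FedRAMP Authorization")
    return findings

# Constructed sample: missing remarks, community-cloud, no timezone, ineligible status.
BAD = {"status": {"state": "under-development"}, "props": [
    {"name": "cloud-service-model", "value": "other"},
    {"name": "cloud-deployment-model", "value": "community-cloud"},
    {"name": "fully-operational-date", "ns": FEDRAMP_NS, "value": "2023-12-31"}]}
```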
System Functionality
The system functionality in the FedRAMP SSP template document is specified in the “General System Description” table cell illustrated in the figure below. OSCAL has a description field within the system-characteristics assembly that contains the general system description.
OSCAL Representation
system-security-plan:
  system-characteristics:
    description: '[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering using a multi-tenant [insert based on the Deployment Model above] cloud computing environment. It is available to [Insert scope of customers in accordance with instructions above (for example, the public, federal, state, local, and tribal governments, as well as research institutions, federal contractors, government contractors etc.)].'
XPath Queries
System Function or Purpose: First paragraph in description
/*/system-characteristics/description/node()
