
6. Leveraged FedRAMP-Authorized Services


The minimum required content for representing a leveraged authorization is:

  • a parties entry to indicate the organization that owns the leveraged system
  • a leveraged-authorizations entry to provide primary details about the leveraged authorization

To allocate control inheritance to a leveraged authorization, the following additional content is also required:

  • a components entry representing the leveraged system

IMPORTANT FOR LEVERAGED SYSTEMS:

While a leveraged system has no need to represent content here, its SSP must include special inheritance and responsibility information in the individual controls. See the Response: Identifying Inheritable Controls and Customer Responsibilities section for more information.

OSCAL Representation

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  metadata:
    party:
      uuid: "22222222-2222-4000-8000-c0040000000a"
      name: "Example IaaS Provider"
      short-name: "E.I.P."
  system-implementation:
    leveraged-authorization:
      uuid: "11111111-2222-4000-8000-019000000001"
      title: "Name of Underlying System"
      prop:
        - name: leveraged-system-identifier
          ns: "https://fedramp.gov/ns/oscal"
          value: "Package_ID value"
        - ns: "https://fedramp.gov/ns/oscal"
          name: authorization-type
          value: fedramp-agency
        - ns: "https://fedramp.gov/ns/oscal"
          name: impact-level
          value: fips-199-moderate
      party-uuid: "22222222-2222-4000-8000-c0040000000a"  # must match the uuid of the party defined under metadata
      date-authorized: "2015-01-01"
    component:
      uuid: "uuid-of-leveraged-system"
      type: leveraged-system
      title: "Name of Leveraged System"
      description: "Briefly describe leveraged system."
      prop:
        - name: leveraged-authorization-uuid
          value: "11111111-2222-4000-8000-019000000001"
        - name: inherited-uuid
          value: "22222222-0000-4000-9001-009000000001"
        - name: implementation-point
          value: external
      status:
        state: operational

The title field must match an existing FedRAMP authorized Cloud_Service_Provider_Package property value.

A leveraged-system-identifier property must be provided within each leveraged-authorization field. The value of this property must be from the same Cloud Service Provider as identified in the title field.

If this system runs on top of another FedRAMP-authorized cloud service offering and leverages the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the system-implementation assembly. There must be one leveraged-authorization assembly and one matching component assembly for each leveraged authorization.

The leveraged-authorization assembly includes the leveraged system's name, point of contact (POC), and authorization date. The component assembly must be linked to the leveraged-authorization assembly using a property (prop) field with the name leveraged-authorization-uuid and the UUID value of its associated leveraged-authorization assembly. The component assembly enables controls to reference it with the by-component responses described in the Control Implementation Descriptions section. The implementation-point property value must be set to "external".

If the leveraged system owner provides a UUID for their system, such as in an OSCAL-based Inheritance and Responsibility document (similar to a CRM), it should be provided as the inherited-uuid property value.
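
The linkage rules above can be checked mechanically before an SSP is submitted. The following Python sketch is an added example, not FedRAMP's or the OSCAL project's own tooling; it assumes the SSP has been loaded as a dictionary in the OSCAL JSON key layout (plural parties, leveraged-authorizations, components and props), and the function names and sample documents are constructed for illustration.

```python
import copy

def prop_values(obj, name):
    """All values of the named prop on an OSCAL object (ns is not checked)."""
    return [p.get("value") for p in obj.get("props", []) if p.get("name") == name]

def check_leveraged_authorizations(ssp):
    """Return findings; an empty list means the linkage rules hold."""
    findings = []
    parties = {p["uuid"] for p in ssp["metadata"].get("parties", [])}
    impl = ssp["system-implementation"]
    las = impl.get("leveraged-authorizations", [])
    comps = [c for c in impl.get("components", []) if c.get("type") == "leveraged-system"]
    for la in las:
        tag = "leveraged-authorization " + la["uuid"]
        if la.get("party-uuid") not in parties:
            findings.append(tag + ": party-uuid matches no metadata party")
        if not prop_values(la, "leveraged-system-identifier"):
            findings.append(tag + ": missing leveraged-system-identifier")
        linked = [c for c in comps
                  if la["uuid"] in prop_values(c, "leveraged-authorization-uuid")]
        if len(linked) != 1:
            findings.append(f"{tag}: {len(linked)} matching components, expected 1")
        for c in linked:
            if prop_values(c, "implementation-point") != ["external"]:
                findings.append(tag + ": implementation-point is not external")
    known = {la["uuid"] for la in las}
    for c in comps:  # leveraged-system components that point at no authorization
        if not known & set(prop_values(c, "leveraged-authorization-uuid")):
            findings.append("component " + c["uuid"] + ": no leveraged-authorization")
    return findings

# Constructed sample in OSCAL JSON key layout, reusing the listing's sample values.
LA = "11111111-2222-4000-8000-019000000001"
PARTY = "22222222-2222-4000-8000-c0040000000a"
GOOD = {
    "metadata": {"parties": [{"uuid": PARTY, "name": "Example IaaS Provider"}]},
    "system-implementation": {
        "leveraged-authorizations": [{
            "uuid": LA, "title": "Name of Underlying System", "party-uuid": PARTY,
            "props": [{"name": "leveraged-system-identifier", "value": "Package_ID value"}]}],
        "components": [{
            "uuid": "uuid-of-leveraged-system", "type": "leveraged-system",
            "props": [{"name": "leveraged-authorization-uuid", "value": LA},
                      {"name": "implementation-point", "value": "external"}]}]}}
# Constructed failing copy: dangling party reference, wrong implementation-point.
BAD = copy.deepcopy(GOOD)
BAD["system-implementation"]["leveraged-authorizations"][0]["party-uuid"] = "no-such-party"
BAD["system-implementation"]["components"][0]["props"][1]["value"] = "internal"
```

check_leveraged_authorizations(GOOD) returns an empty list, while the BAD copy yields one finding for the unresolved party-uuid and one for the implementation-point value.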