Skip to main content

7. External Systems and Services Not Having FedRAMP Authorization

FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using component assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.

system security plan external systems and services page image

OSCAL Representation

system-security-plan:
  system-implementation:
    component:
      uuid: 11111111-2222-4000-8000-009000200001
      type: interconnection
      title: "[EXAMPLE]External System / Service Name"
      description: "Briefly describe the interconnection details."
      prop:
        - ns: "https://fedramp.gov/ns/oscal"
          name: service-processor
          value: "[SAMPLE] Telco Name"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-type
          value: "1"
        - name: direction
          value: incoming
        - name: direction
          value: outgoing
        - ns: "https://fedramp.gov/ns/oscal"
          name: nature-of-agreement
          value: contract
        - ns: "https://fedramp.gov/ns/oscal"
          name: still-supported
          value: yes
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-data-type
          value: "C.3.5.1"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-data-type
          value: "C.3.5.8"
        - ns: "https://fedramp.gov/ns/oscal"
          class: "C.3.5.1"
          name: interconnection-data-categorization
          value: low
        - ns: "https://fedramp.gov/ns/oscal"
          class: "C.3.5.8"
          name: interconnection-data-categorization
          value: moderate
        - ns: "https://fedramp.gov/ns/oscal"
          name: authorized-users
          value: "SecOps engineers"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-compliance
          value: "PCI SOC 2"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-compliance
          value: "ISO/IEC 27001"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-hosting-environment
          value: PaaS
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-risk
          value: None
        - name: isa-title
          value: "system interconnection agreement"
        - name: isa-date
          value: "2023-01-01T00:00:00Z"
        - name: ipv4-address
          class: local
          value: "10.1.1.1"
        - name: ipv4-address
          class: remote
          value: "10.2.2.2"
        - name: ipv6-address
          value: "::ffff:10.2.2.2"
        - ns: "https://fedramp.gov/ns/oscal"
          name: information
          value: "Describe the information being transmitted."
        - ns: "https://fedramp.gov/ns/oscal"
          name: port
          class: remote
          value: "80"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-security
          value: ipsec
          link:
            - href: "#uuid-of-ICA-resource-in-back-matter"
              rel: isa-agreement
  back-matter:
    resource:
      uuid: "11111111-2222-4000-8000-001000000050"
      title: "[SAMPLE]Interconnection Security Agreement Title"
      props:
      - name: published
        value: '2023-01-01T00:00:00Z'
      - name: version
        value: Document Version
      - name: type
        value: agreement
        class: interconnection-security-agreement
      rlinks:
      - href: ./attachments/ISAs/ISA-1.docx

External System and Services

To map the legacy FedRAMP SSP table for External Systems and Services into a machine-readable OSCAL format, the data is primarily stored within the system-implementation section, specifically under component definitions where the type is set to interconnection.

The following data points are captured using various OSCAL fields and FedRAMP-specific properties (prop):

  • Identity & Nature: The system, service, or API name is defined by the component title, while the specific interconnection-type (e.g., dedicated line, VPN) and the nature-of-agreement (e.g., MOU, ISA) are captured as properties.
  • Operational Details: Connection characteristics are recorded via properties for direction (inbound/outbound), whether the service is still-supported (Y/N), and a general description of the interface.
  • Data Characteristics: The data-type and its associated data-categorization (Security Impact Level) are explicitly defined to track what information is leaving or entering the boundary.
  • User Access: Information regarding authorized-users and their specific privilege-level is linked back to the user definitions within the system implementation.
  • Compliance & Risk: Any other-compliance-programs (like SOC2 or ISO), the specific hosting-environment, and a summary of the risk-impact-mitigation strategies are all stored as specific metadata properties attached to the interconnection component.

When documenting multiple external services, each service is treated as a separate instance of an interconnection component within the OSCAL file.

Rene M. Tshiteya
Rene M. Tshiteya  commented 1 week ago
#1

Todo: Convert XPath queries to JSON Pointer

No comments to display

Back to top