# 7. External Systems and Services Not Having FedRAMP Authorization

FedRAMP authorized services should be used, whenever possible, since their risk is defined.  However, there are instances where CSOs have external systems or services that are not FedRAMP authorized.  In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.  


<img class="page-image-landscape" src="/uploads/images/gallery/2026-02/ssp-07-external-systems.png" alt="system security plan external systems and services page image" />

#### OSCAL Representation
```yaml
system-security-plan:
  system-implementation:
    component:
      uuid: 11111111-2222-4000-8000-009000200001
      type: interconnection
      title: "[EXAMPLE]External System / Service Name"
      description: "Briefly describe the interconnection details."
      prop:
        - ns: "https://fedramp.gov/ns/oscal"
          name: service-processor
          value: "[SAMPLE] Telco Name"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-type
          value: "1"
        - name: direction
          value: incoming
        - name: direction
          value: outgoing
        - ns: "https://fedramp.gov/ns/oscal"
          name: nature-of-agreement
          value: contract
        - ns: "https://fedramp.gov/ns/oscal"
          name: still-supported
          value: yes
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-data-type
          value: "C.3.5.1"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-data-type
          value: "C.3.5.8"
        - ns: "https://fedramp.gov/ns/oscal"
          class: "C.3.5.1"
          name: interconnection-data-categorization
          value: low
        - ns: "https://fedramp.gov/ns/oscal"
          class: "C.3.5.8"
          name: interconnection-data-categorization
          value: moderate
        - ns: "https://fedramp.gov/ns/oscal"
          name: authorized-users
          value: "SecOps engineers"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-compliance
          value: "PCI SOC 2"
        - ns: "https://fedramp.gov/ns/oscal"
          class: fedramp
          name: interconnection-compliance
          value: "ISO/IEC 27001"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-hosting-environment
          value: PaaS
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-risk
          value: None
        - name: isa-title
          value: "system interconnection agreement"
        - name: isa-date
          value: "2023-01-01T00:00:00Z"
        - name: ipv4-address
          class: local
          value: "10.1.1.1"
        - name: ipv4-address
          class: remote
          value: "10.2.2.2"
        - name: ipv6-address
          value: "::ffff:10.2.2.2"
        - ns: "https://fedramp.gov/ns/oscal"
          name: information
          value: "Describe the information being transmitted."
        - ns: "https://fedramp.gov/ns/oscal"
          name: port
          class: remote
          value: "80"
        - ns: "https://fedramp.gov/ns/oscal"
          name: interconnection-security
          value: ipsec
          link:
            - href: "#uuid-of-ICA-resource-in-back-matter"
              rel: isa-agreement
  back-matter:
    resource:
      uuid: "11111111-2222-4000-8000-001000000050"
      title: "[SAMPLE]Interconnection Security Agreement Title"
      props:
      - name: published
        value: '2023-01-01T00:00:00Z'
      - name: version
        value: Document Version
      - name: type
        value: agreement
        class: interconnection-security-agreement
      rlinks:
      - href: ./attachments/ISAs/ISA-1.docx
```

### External System and Services

To map the legacy FedRAMP SSP table for **External Systems and Services** into a machine-readable OSCAL format, the data is primarily stored within the `system-implementation` section, specifically under `component` definitions where the `type` is set to `interconnection`.

The following data points are captured using various OSCAL fields and FedRAMP-specific properties (`prop`):

* **Identity & Nature:** The system, service, or API name is defined by the component `title`, while the specific `interconnection-type` (e.g., dedicated line, VPN) and the `nature-of-agreement` (e.g., MOU, ISA) are captured as properties.
* **Operational Details:** Connection characteristics are recorded via properties for `direction` (inbound/outbound), whether the service is `still-supported` (Y/N), and a general `description` of the interface.
* **Data Characteristics:** The `data-type` and its associated `data-categorization` (Security Impact Level) are explicitly defined to track what information is leaving or entering the boundary.
* **User Access:** Information regarding `authorized-users` and their specific `privilege-level` is linked back to the `user` definitions within the system implementation.
* **Compliance & Risk:** Any `other-compliance-programs` (like SOC2 or ISO), the specific `hosting-environment`, and a summary of the `risk-impact-mitigation` strategies are all stored as specific metadata properties attached to the interconnection component.



When documenting multiple external services, each service is treated as a separate instance of an interconnection component within the OSCAL file.

---