7. External Systems and Services Not Having FedRAMP Authorization FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using component assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below. OSCAL Representation system-security-plan: system-implementation: component: uuid: 11111111-2222-4000-8000-009000200001 type: interconnection title: "[EXAMPLE]External System / Service Name" description: "Briefly describe the interconnection details." prop: - ns: "https://fedramp.gov/ns/oscal" name: service-processor value: "[SAMPLE] Telco Name" - ns: "https://fedramp.gov/ns/oscal" name: interconnection-type value: "1" - name: direction value: incoming - name: direction value: outgoing - ns: "https://fedramp.gov/ns/oscal" name: nature-of-agreement value: contract - ns: "https://fedramp.gov/ns/oscal" name: still-supported value: yes - ns: "https://fedramp.gov/ns/oscal" class: fedramp name: interconnection-data-type value: "C.3.5.1" - ns: "https://fedramp.gov/ns/oscal" class: fedramp name: interconnection-data-type value: "C.3.5.8" - ns: "https://fedramp.gov/ns/oscal" class: "C.3.5.1" name: interconnection-data-categorization value: low - ns: "https://fedramp.gov/ns/oscal" class: "C.3.5.8" name: interconnection-data-categorization value: moderate - ns: "https://fedramp.gov/ns/oscal" name: authorized-users value: "SecOps engineers" - ns: "https://fedramp.gov/ns/oscal" class: fedramp name: interconnection-compliance value: "PCI SOC 2" - ns: "https://fedramp.gov/ns/oscal" class: fedramp name: interconnection-compliance value: "ISO/IEC 27001" - ns: "https://fedramp.gov/ns/oscal" name: interconnection-hosting-environment value: PaaS - ns: "https://fedramp.gov/ns/oscal" name: interconnection-risk value: None - name: isa-title value: "system interconnection agreement" - name: isa-date value: "2023-01-01T00:00:00Z" - name: ipv4-address class: local value: "10.1.1.1" - name: ipv4-address class: remote value: "10.2.2.2" - name: ipv6-address value: "::ffff:10.2.2.2" - ns: "https://fedramp.gov/ns/oscal" name: information value: "Describe the information being transmitted." - ns: "https://fedramp.gov/ns/oscal" name: port class: remote value: "80" - ns: "https://fedramp.gov/ns/oscal" name: interconnection-security value: ipsec link: - href: "#uuid-of-ICA-resource-in-back-matter" rel: isa-agreement back-matter: resource: uuid: "11111111-2222-4000-8000-001000000050" title: "[SAMPLE]Interconnection Security Agreement Title" props: - name: published value: '2023-01-01T00:00:00Z' - name: version value: Document Version - name: type value: agreement class: interconnection-security-agreement rlinks: - href: ./attachments/ISAs/ISA-1.docx External System and Services To map the legacy FedRAMP SSP table for External Systems and Services into a machine-readable OSCAL format, the data is primarily stored within the system-implementation section, specifically under component definitions where the type is set to interconnection . The following data points are captured using various OSCAL fields and FedRAMP-specific properties ( prop ): Identity & Nature: The system, service, or API name is defined by the component title , while the specific interconnection-type (e.g., dedicated line, VPN) and the nature-of-agreement (e.g., MOU, ISA) are captured as properties. Operational Details: Connection characteristics are recorded via properties for direction (inbound/outbound), whether the service is still-supported (Y/N), and a general description of the interface. Data Characteristics: The data-type and its associated data-categorization (Security Impact Level) are explicitly defined to track what information is leaving or entering the boundary. User Access: Information regarding authorized-users and their specific privilege-level is linked back to the user definitions within the system implementation. Compliance & Risk: Any other-compliance-programs (like SOC2 or ISO), the specific hosting-environment , and a summary of the risk-impact-mitigation strategies are all stored as specific metadata properties attached to the interconnection component. When documenting multiple external services, each service is treated as a separate instance of an interconnection component within the OSCAL file.