
7. External Systems and Services Not Having FedRAMP Authorization

FedRAMP authorized services should be used whenever possible, since their risk is already defined. However, there are instances where cloud service offerings (CSOs) rely on external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using component assemblies with additional FedRAMP namespace and class properties, as shown in the OSCAL representation below.

[Image: the "External Systems and Services Not Having FedRAMP Authorization" table page of the legacy SSP template]

OSCAL Representation

system-security-plan:
  system-implementation:
    components:
      - uuid: 11111111-2222-4000-8000-009000200001
        type: interconnection
        title: "[EXAMPLE] External System / Service Name"
        description: "Briefly describe the interconnection details."
        props:
          # FedRAMP extension properties carry the FedRAMP ns; core OSCAL properties
          # (direction, isa-title, isa-date, ipv4-address, ipv6-address) do not.
          - ns: "https://fedramp.gov/ns/oscal"
            name: service-processor
            value: "[SAMPLE] Telco Name"
          - ns: "https://fedramp.gov/ns/oscal"
            name: interconnection-type
            value: "1"
          - name: direction
            value: incoming
          - name: direction
            value: outgoing
          - ns: "https://fedramp.gov/ns/oscal"
            name: nature-of-agreement
            value: contract
          - ns: "https://fedramp.gov/ns/oscal"
            name: still-supported
            value: "yes"   # quoted: a bare yes is parsed as a boolean by YAML 1.1 loaders
          - ns: "https://fedramp.gov/ns/oscal"
            class: fedramp
            name: interconnection-data-type
            value: "C.3.5.1"
          - ns: "https://fedramp.gov/ns/oscal"
            class: fedramp
            name: interconnection-data-type
            value: "C.3.5.8"
          # One categorization per data type; class names the data type it applies to.
          - ns: "https://fedramp.gov/ns/oscal"
            class: "C.3.5.1"
            name: interconnection-data-categorization
            value: low
          - ns: "https://fedramp.gov/ns/oscal"
            class: "C.3.5.8"
            name: interconnection-data-categorization
            value: moderate
          - ns: "https://fedramp.gov/ns/oscal"
            name: authorized-users
            value: "SecOps engineers"
          - ns: "https://fedramp.gov/ns/oscal"
            class: fedramp
            name: interconnection-compliance
            value: "PCI SOC 2"
          - ns: "https://fedramp.gov/ns/oscal"
            class: fedramp
            name: interconnection-compliance
            value: "ISO/IEC 27001"
          - ns: "https://fedramp.gov/ns/oscal"
            name: interconnection-hosting-environment
            value: PaaS
          - ns: "https://fedramp.gov/ns/oscal"
            name: interconnection-risk
            value: "None"
          - name: isa-title
            value: "system interconnection agreement"
          - name: isa-date
            value: "2023-01-01T00:00:00Z"
          - name: ipv4-address
            class: local
            value: "10.1.1.1"
          - name: ipv4-address
            class: remote
            value: "10.2.2.2"
          - name: ipv6-address
            value: "::ffff:10.2.2.2"
          - ns: "https://fedramp.gov/ns/oscal"
            name: information
            value: "Describe the information being transmitted."
          - ns: "https://fedramp.gov/ns/oscal"
            name: port
            class: remote
            value: "80"
          - ns: "https://fedramp.gov/ns/oscal"
            name: interconnection-security
            value: ipsec
        links:
          # The link belongs to the component, not to its last prop; it points at the
          # ISA resource defined in back-matter below.
          - href: "#11111111-2222-4000-8000-001000000050"
            rel: isa-agreement
  back-matter:
    resources:
      - uuid: "11111111-2222-4000-8000-001000000050"
        title: "[SAMPLE] Interconnection Security Agreement Title"
        props:
          - name: published
            value: "2023-01-01T00:00:00Z"
          - name: version
            value: Document Version
          - name: type
            value: agreement
            class: interconnection-security-agreement
        rlinks:
          - href: ./attachments/ISAs/ISA-1.docx

External Systems and Services (Queries)

Refer to the XPath queries below and the corresponding notes for guidance on which targets in an OSCAL SSP represent each column of the "External Systems and Services Not Having FedRAMP Authorization" table in the legacy SSP template. When this table is mapped into machine-readable OSCAL, the data lives primarily in the system-implementation section, under component definitions whose type is set to interconnection.

XPath Queries

Interconnection # for first external system: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-type"]/@value
System/Service/API/CLI Name: /*/system-implementation/component[@type='interconnection'][1]/title
Connection Details: /*/system-implementation/component[@type='interconnection'][1]/prop[@name="direction"]/@value
Nature of Agreement for first external system: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="nature-of-agreement"]/@value
Still Supported (Y/N): /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="still-supported"]/@value
Data Types: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-type"]/@value
Data Categorization: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-data-categorization"]/@value
Authorized Users: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]
Corresponding Access Level: //system-security-plan/system-implementation/user[@uuid="uuid-of-user"]/prop[@name="privilege-level"]/@value
Other Compliance Programs: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-compliance"]/@value
Description: /*/system-implementation/component[@type='interconnection'][1]/description
Hosting Environment: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-hosting-environment"]/@value
Risk/Impact/Mitigation: /*/system-implementation/component[@type='interconnection'][1]/prop[@ns="https://fedramp.gov/ns/oscal" and @name="interconnection-risk"]/@value

Replace the XPath predicate "[1]" with "[2]", "[3]", etc. to select the second, third and subsequent external systems.

The following data points are captured using various OSCAL fields and FedRAMP-specific properties (prop):

  • Identity & Nature: The system, service, or API name is defined by the component title, while the specific interconnection-type (e.g., dedicated line, VPN) and the nature-of-agreement (e.g., MOU, ISA) are captured as properties.
  • Operational Details: Connection characteristics are recorded via properties for direction (inbound/outbound), whether the service is still-supported, and a general description of the interface.
  • Data Characteristics: The data-type and its associated categorization (Security Impact Level) are explicitly defined to track what information is leaving or entering the boundary.
  • User Access: Information regarding authorized-users and their specific privilege-level is linked back to the user definitions within the system implementation.
  • Compliance & Risk: Any other-compliance-programs (like SOC2 or ISO), the specific hosting-environment, and a summary of the risk-impact-mitigation strategies are all stored as specific metadata properties attached to the interconnection component.

When documenting multiple external services, each service is treated as a separate instance of an interconnection component within the OSCAL file.
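To put the queries above to work, here is an added example (not FedRAMP's or NIST's tooling) that runs them with Python's xml.etree.ElementTree over a constructed OSCAL XML SSP holding two interconnection components, renders the legacy table rows and flags the points a reviewer would raise: a service no longer supported, a missing isa-agreement link, and a risk recorded as None for data above low. The sample XML, its uuids and titles are constructed for this example; ElementTree has no `and` inside predicates, so the guide's `[@ns=... and @name=...]` becomes the chained form `[@ns=...][@name=...]`.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}  # OSCAL XML namespace
FR = "https://fedramp.gov/ns/oscal"  # FedRAMP extension namespace used by the guide

# Constructed sample SSP (illustrative values, not a real system): two non-FedRAMP interconnections.
SAMPLE_SSP = f"""<system-security-plan xmlns="{NS['o']}">
<system-implementation>
 <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
  <title>[EXAMPLE] Telco MPLS circuit</title>
  <prop ns="{FR}" name="still-supported" value="yes"/>
  <prop ns="{FR}" class="C.3.5.8" name="interconnection-data-categorization" value="moderate"/>
  <prop ns="{FR}" name="interconnection-risk" value="Traffic carried over IPsec; see ISA"/>
  <link href="#11111111-2222-4000-8000-001000000050" rel="isa-agreement"/>
 </component>
 <component uuid="11111111-2222-4000-8000-009000200002" type="interconnection">
  <title>[EXAMPLE] Vendor ticketing SaaS</title>
  <prop ns="{FR}" name="still-supported" value="no"/>
  <prop ns="{FR}" class="C.3.5.1" name="interconnection-data-categorization" value="moderate"/>
  <prop ns="{FR}" name="interconnection-risk" value="None"/>
 </component>
</system-implementation>
</system-security-plan>"""

def fr_prop(comp, name):
    # prop[@ns="https://fedramp.gov/ns/oscal" and @name=...]/@value; ElementTree chains predicates instead of "and".
    return [p.get("value") for p in comp.findall(f"o:prop[@ns='{FR}'][@name='{name}']", NS)]

def table_rows(ssp_xml):
    """One row per interconnection component (iteration replaces the [1], [2], ... predicates)."""
    root = ET.fromstring(ssp_xml)
    return [{
        "name": comp.findtext("o:title", namespaces=NS),
        "still_supported": fr_prop(comp, "still-supported"),
        "categorization": fr_prop(comp, "interconnection-data-categorization"),
        "risk": fr_prop(comp, "interconnection-risk"),
        "isa": [ln.get("href") for ln in comp.findall("o:link[@rel='isa-agreement']", NS)],
    } for comp in root.findall("o:system-implementation/o:component[@type='interconnection']", NS)]

def review_findings(rows):
    """Checks a reviewer would run on each row before accepting the external service."""
    out = []
    for r in rows:
        if r["still_supported"] != ["yes"]:
            out.append(f"{r['name']}: still-supported is {r['still_supported']}, not ['yes']")
        if not r["isa"]:
            out.append(f"{r['name']}: no isa-agreement link to an ISA resource in back-matter")
        if r["risk"] == ["None"] and any(c != "low" for c in r["categorization"]):
            out.append(f"{r['name']}: interconnection-risk is None for {r['categorization']} data")
    return out
```

Running `review_findings(table_rows(SAMPLE_SSP))` returns three findings, all against the second (constructed) service; the first passes every check.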