
8. Illustrated Architecture and Narratives

The Architecture, Network and Data Flow Diagrams are each represented using the same OSCAL pattern, with only the top-level assembly name changing (authorization-boundary, network-architecture or data-flow).

Authorization Boundary

The OSCAL approach to this type of diagram is to store the image data as a resource in the back-matter section of the OSCAL file, either linked (rlink) or embedded (base64), and then reference that resource from a diagram assembly using a link whose rel is "diagram" and whose href is a URI fragment ("#" followed by the resource's UUID). The narrative describing the system architecture must be provided in the description field of the authorization-boundary assembly; each diagram assembly carries its own diagram-specific description and caption.

[Image: system security plan architecture page]

OSCAL Representation

XML:

<system-characteristics>
    <!-- leveraged-authorization -->
    <authorization-boundary>
        <!-- 8.2 Narrative (Boundary) -->
        <description>
            <p>A holistic, top-level explanation of the FedRAMP authorization boundary.</p>
        </description>
        <!-- 8.1 Illustrated Architecture (Boundary) -->
        <diagram uuid="uuid-value">
            <description><p>A diagram-specific explanation.</p></description>
            <link href="#uuid-of-boundary-diagram-1" rel="diagram" />
            <caption>Authorization Boundary Diagram</caption>
        </diagram>
        <!-- repeat diagram assembly for each additional boundary diagram -->
    </authorization-boundary>
    <!-- network-architecture -->
</system-characteristics>

<!-- cut -->

<back-matter>
    <resource uuid="uuid-of-boundary-diagram-1">
        <description><p>The primary authorization boundary diagram.</p></description>
        <base64 filename="architecture-main.png" media-type="image/png">00000000</base64>
    </resource>
</back-matter>

YAML:

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    authorization-boundary:
      description: A holistic, top-level explanation of the FedRAMP authorization boundary.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000001
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000054'
          rel: diagram
        caption: Authorization Boundary Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000054
      title: Boundary Diagram
      description: The primary authorization boundary diagram.
      props:
      - name: type
        value: image
        class: authorization-boundary
      rlinks:
      - href: ./attachments/diagrams/boundary.png

XPath Queries

Overall Description:
    /*/system-characteristics/authorization-boundary/description/node()
Count the Number of Diagrams (there should be at least 1):
    count(/*/system-characteristics/authorization-boundary/diagram)
Link to First Diagram:
    /*/system-characteristics/authorization-boundary/diagram[1]/link/@href

If the diagram link points to a resource within the OSCAL file (the href is a URI fragment, "#" followed by the resource UUID), the image is either embedded:
    /*/back-matter/resource[@uuid="uuid-of-boundary-diagram-1"]/base64
OR linked:
    /*/back-matter/resource[@uuid="uuid-of-boundary-diagram-1"]/rlink/@href
Diagram-specific Description:
    /*/system-characteristics/authorization-boundary/diagram[1]/description/node()

Replace the XPath predicate "[1]" with "[2]", "[3]", etc. to reach each additional diagram.


Network Architecture

The network architecture diagram follows the same pattern as the Authorization Boundary diagram, except the content is placed under network-architecture instead of authorization-boundary.

OSCAL Representation

XML:

<system-characteristics>
    <!-- authorization-boundary -->
    <network-architecture>
        <!-- content -->
    </network-architecture>
    <!-- data-flow -->
</system-characteristics>

YAML:

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    network-architecture:
      description: A holistic, top-level explanation of the network architecture.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000002
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000055'
          rel: diagram
        caption: Network Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000055
      title: Network Diagram
      description: The primary network diagram.
      props:
      - name: type
        value: image
        class: network-architecture
      rlinks:
      - href: ./attachments/diagrams/network.png

Data Flow

The data flow diagram follows the same pattern as the Authorization Boundary diagram, except the content is placed under data-flow instead of authorization-boundary.

OSCAL Representation

XML:

<system-characteristics>
    <!-- authorization-boundary -->
    <!-- network-architecture -->
    <data-flow>
        <!-- content -->
    </data-flow>
</system-characteristics>

YAML:

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    data-flow:
      description: A holistic, top-level explanation of the system's data flows.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000003
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000056'
          rel: diagram
        caption: Data Flow Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000056
      title: Data Flow Diagram
      description: The primary data flow diagram.
      props:
      - name: type
        value: image
        class: data-flow
      rlinks:
      - href: ./attachments/diagrams/dataflow.png
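The checks in the XPath Queries section above, applied to all three assemblies that share the pattern (authorization-boundary, network-architecture and data-flow), as an added example that is not part of the FedRAMP guide or the OSCAL project. It parses an SSP in OSCAL XML with the standard library, confirms each assembly has a narrative and at least one diagram, follows each diagram's link (rel="diagram") into back-matter, and reports whether the target is an embedded base64 image, an rlink, or a UUID that resolves to nothing. The SSP fragment, UUIDs and file names are constructed for the example; the base64 payload is just the eight-byte PNG signature.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
ASSEMBLIES = ("authorization-boundary", "network-architecture", "data-flow")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample, not from the FedRAMP guide: an embedded base64 boundary
# diagram, an rlink network diagram, and a data-flow link to an absent UUID.
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="11111111-2222-4000-8000-000000000000">
  <system-characteristics>
    <authorization-boundary>
      <description><p>A holistic, top-level explanation of the boundary.</p></description>
      <diagram uuid="11111111-2222-4000-8000-007000000001">
        <description><p>A diagram-specific explanation.</p></description>
        <link href="#11111111-2222-4000-8000-001000000054" rel="diagram"/>
        <caption>Authorization Boundary Diagram</caption>
      </diagram>
    </authorization-boundary>
    <network-architecture>
      <description><p>A holistic, top-level explanation of the network.</p></description>
      <diagram uuid="11111111-2222-4000-8000-007000000002">
        <description><p>A diagram-specific explanation.</p></description>
        <link href="#11111111-2222-4000-8000-001000000055" rel="diagram"/>
        <caption>Network Diagram</caption>
      </diagram>
    </network-architecture>
    <data-flow>
      <description><p>A holistic, top-level explanation of the data flows.</p></description>
      <diagram uuid="11111111-2222-4000-8000-007000000003">
        <description><p>A diagram-specific explanation.</p></description>
        <link href="#11111111-2222-4000-8000-001000000056" rel="diagram"/>
        <caption>Data Flow Diagram</caption>
      </diagram>
    </data-flow>
  </system-characteristics>
  <back-matter>
    <resource uuid="11111111-2222-4000-8000-001000000054"><base64 filename="boundary.png" media-type="image/png">iVBORw0KGgo=</base64></resource>
    <resource uuid="11111111-2222-4000-8000-001000000055"><rlink href="./attachments/diagrams/network.png" media-type="image/png"/></resource>
  </back-matter>
</system-security-plan>
"""


def _text(elem):
    # Flatten a markup-multiline element (description) to a single line of text.
    return " ".join("".join(elem.itertext()).split()) if elem is not None else ""


def resolve_resource(root, href):
    """Follow a diagram link into back-matter; only '#uuid' fragments are resolved."""
    if not href.startswith("#"):
        return {"kind": "external", "href": href}  # reported, never fetched
    res = root.find(f"./o:back-matter/o:resource[@uuid='{href[1:]}']", NS)
    if res is None:
        return {"kind": "missing", "href": href}
    b64 = res.find("o:base64", NS)
    if b64 is not None:
        try:
            data = base64.b64decode(b64.text or "", validate=True)
        except binascii.Error:
            return {"kind": "bad-base64", "href": href}
        return {"kind": "base64", "media_type": b64.get("media-type"),
                "size": len(data), "is_png": data.startswith(PNG_MAGIC)}
    rlink = res.find("o:rlink", NS)
    if rlink is not None:
        return {"kind": "rlink", "href": rlink.get("href"), "media_type": rlink.get("media-type")}
    return {"kind": "empty", "href": href}


def check_assembly(root, assembly):
    """The guide's checks for one assembly: narrative, at least one diagram, resolvable links."""
    node = root.find(f"./o:system-characteristics/o:{assembly}", NS)
    if node is None:
        return {"assembly": assembly, "diagrams": [], "problems": ["assembly missing"]}
    problems, diagrams = [], []
    if not _text(node.find("o:description", NS)):
        problems.append("top-level description missing")
    for i, d in enumerate(node.findall("o:diagram", NS), start=1):  # diagram[1], [2], ...
        link = d.find("o:link[@rel='diagram']", NS)
        entry = {"index": i, "uuid": d.get("uuid"),
                 "caption": d.findtext("o:caption", default="", namespaces=NS).strip(),
                 "resource": None if link is None else resolve_resource(root, link.get("href", ""))}
        if entry["resource"] is None:
            problems.append(f"diagram[{i}] has no link[@rel='diagram']")
        elif entry["resource"]["kind"] in ("missing", "empty", "bad-base64"):
            problems.append(f"diagram[{i}] -> {entry['resource']['kind']} resource")
        diagrams.append(entry)
    if not diagrams:
        problems.append("at least one diagram is required")
    return {"assembly": assembly, "diagrams": diagrams, "problems": problems}


def check_ssp(xml_text):
    """Run the checks over all three diagram assemblies of one SSP document."""
    root = ET.fromstring(xml_text)
    return {name: check_assembly(root, name) for name in ASSEMBLIES}


if __name__ == "__main__":
    for name, result in check_ssp(SAMPLE_SSP).items():
        print(name, len(result["diagrams"]), "diagram(s):", result["problems"] or "OK")
```

Only fragment hrefs are resolved; an rlink path or an absolute URL is reported back to the caller rather than opened, so a reviewer decides what to fetch from where. Swapping the assembly name is the only change needed between the three sections, which is the point the guide makes about the shared pattern.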