
9. Services, Ports and Protocols

Entries in the services, ports, and protocols table are represented as component assemblies, with the component-type flag set to "service". Use a protocol assembly for each protocol associated with the service. For a single port, set the port-range start flag and end flag to the same value.

[Image: system security plan services, ports and protocols page]

OSCAL Representation

system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000500004
      type: service
      title: API Service
      description: 'A service offered by this system to external systems, such as
        an API. As a result, communication crosses the boundary.


        Describe the service and what it is used for.'
      props:
      - name: implementation-point
        value: internal
      - name: public
        value: 'yes'
      - name: information-type
        ns: http://fedramp.gov/ns/oscal
        value: C.3.5.1
        class: incoming
      - name: information-type
        ns: http://fedramp.gov/ns/oscal
        value: C.3.5.8
        class: outgoing
      - name: connection-security
        ns: http://fedramp.gov/ns/oscal
        value: tls-1.3
      - name: authentication-method
        ns: http://fedramp.gov/ns/oscal
        value: 'yes'
      - name: nature-of-agreement
        ns: http://fedramp.gov/ns/oscal
        value: other
      - name: allows-authenticated-scan
        value: 'no'
      - name: scan-type
        ns: http://fedramp.gov/ns/oscal
        value: infrastructure
      links:
      - href: '#11111111-2222-4000-8000-009000100003'
        rel: used-by
      - href: '#11111111-2222-4000-8000-009000100004'
        rel: used-by
      - href: '#11111111-2222-4000-8000-001000000048'
        rel: poam-item
        resource-fragment: 11111111-3333-4000-8000-000000000004
      - href: https://api.example.com/v1
        rel: api
      status:
        state: operational
      responsible-roles:
      - role-id: administrator
        props:
        - name: privilege-uuid
          ns: http://fedramp.gov/ns/oscal
          value: 11111111-2222-4000-8000-008000000004
        party-uuids:
        - 11111111-2222-4000-8000-004000000010
        - 11111111-2222-4000-8000-004000000011
        - 11111111-2222-4000-8000-004000000012
      - role-id: provider
        party-uuids:
        - 11111111-2222-4000-8000-004000000001
      protocols:
      - uuid: 11111111-2222-4000-8000-010000000002
        name: tls
        title: API Service
        port-ranges:
        - start: '443'
          end: '443'
          transport: TCP

XPath Queries

To represent Network Services and Ports within an OSCAL System Security Plan, the data is organized under the system-implementation section, specifically categorized by components where the type is defined as a service.

The mapping for each service entry includes the following technical details:

  • Identity: Each entry starts with a title that identifies the specific service or application name (e.g., "HTTPS" or "SSH").
  • Protocol Configuration: The specific network protocol name (such as TCP or UDP) is identified to define how the service communicates.
  • Port Management: Detailed port information is captured within a port-range, specifying the exact start and end values. This also includes the transport layer designation to ensure the specific communication path is fully defined.
  • Functional Justification: A dedicated purpose field provides the business or technical rationale for why the service is required within the system boundary.
  • Component Relationships: The model tracks which internal system elements are utilizing the service by linking to the title of other defined components via their unique identifiers (UUIDs).

For systems with multiple services, each is documented as an individual service component, with the ability to define multiple protocols and port ranges within each entry to maintain a complete and granular inventory.

Identity (1st service): /*/system-implementation/component[@type='service'][1]/title
Ports: Start (1st service, 1st protocol, 1st port range): /*/system-implementation/component[@type='service'][1]/protocol[1]/port-range[1]/@start
Ports: End (1st service, 1st protocol, 1st port range): /*/system-implementation/component[@type='service'][1]/protocol[1]/port-range[1]/@end
Ports: Transport (1st service, 1st protocol, 1st port range): /*/system-implementation/component[@type='service'][1]/protocol[1]/port-range[1]/@transport
Protocol (1st service, 1st protocol): /*/system-implementation/component[@type='service'][1]/protocol[1]/@name
Purpose (1st service): /*/system-implementation/component[@type='service'][1]/purpose
Used By (1st service): /*/system-implementation/component[@uuid='uuid-of-component-used-by']/title

Replace XPath predicate "[1]" with "[2]", "[3]", etc.
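The service inventory the XPath queries above address can also be pulled from the JSON form of the SSP and checked for consistency. The following is an added example, not FedRAMP or OSCAL project code; it assumes a constructed JSON fragment mirroring the YAML shown, plus an assumed "Web Front End" software component so the used-by link resolves to a title.

```python
import json

# Constructed OSCAL-JSON form of the SSP fragment above (field names mirror the
# YAML shown; the "software" component is assumed, to resolve the used-by link).
SSP_JSON = json.dumps({"system-security-plan": {"system-implementation": {"components": [
    {"uuid": "11111111-2222-4000-8000-009000100003", "type": "software", "title": "Web Front End"},
    {"uuid": "11111111-2222-4000-8000-009000500004", "type": "service", "title": "API Service",
     "links": [{"href": "#11111111-2222-4000-8000-009000100003", "rel": "used-by"}],
     "protocols": [{"uuid": "11111111-2222-4000-8000-010000000002", "name": "tls",
                    "port-ranges": [{"start": 443, "end": 443, "transport": "TCP"}]}]}]}}})


def service_inventory(ssp_text):
    """One row per (service, protocol, port-range): the fields the XPath
    queries above address, resolved from the JSON form of the SSP."""
    impl = json.loads(ssp_text)["system-security-plan"]["system-implementation"]
    components = impl.get("components", [])
    titles = {c["uuid"]: c.get("title", "") for c in components}  # for used-by lookups
    rows = []
    for comp in components:
        if comp.get("type") != "service":
            continue
        # rel=used-by links name the consuming component by "#uuid" fragment
        used_by = [titles.get(l["href"].lstrip("#"), l["href"])
                   for l in comp.get("links", []) if l.get("rel") == "used-by"]
        for proto in comp.get("protocols", []):
            for pr in proto.get("port-ranges", []):
                rows.append({"service": comp.get("title"), "protocol": proto.get("name"),
                             "start": int(pr["start"]), "end": int(pr["end"]),
                             "transport": pr.get("transport"), "used_by": used_by})
    return rows


def check_inventory(rows):
    """Reviewer checks on the table: a range must be ordered and within
    1..65535, and the transport must be one of OSCAL's TCP/UDP values."""
    findings = []
    for r in rows:
        label = f"{r['service']}/{r['protocol']}"
        if not 1 <= r["start"] <= r["end"] <= 65535:
            findings.append(f"{label}: bad port range {r['start']}-{r['end']}")
        if r["transport"] not in ("TCP", "UDP"):
            findings.append(f"{label}: transport must be TCP or UDP")
    return findings
```

A single port such as 443 appears as start == end, which passes the range check; a reversed range or an unknown transport is reported as a finding.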