Inheritence and Customer Responsibilities

For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritance details as well as customer responsibilities (referred to as consumer responsibilities by NIST). OSCAL is designed to enable leveraged and leveraging system SSP details to be linked by tools for validation.

Within the appropriate by-component assembly, include an export assembly. Use provided to identify a capability that may be inherited by a leveraging system. Use responsibility to identify a customer responsibility. If a responsibility must be satisfied to achieve inheritance, add the provided-uuid flag to the responsibility field.

Representation


system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000020000
      control-id: ac-2

      statements:
      - statement-id: ac-2_smt.a
        uuid: 11111111-2222-4000-8000-012000020100
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000000000
          uuid: 11111111-2222-4000-8000-012000020102
          description: 'Confidential control response.'
          implementation-status:
            state: implemented
            
          export:
            provided:
            - uuid: 11111111-2222-4000-8000-015000000001
              description: This system's statement of capabilities which may be inherited
                by a customer's leveraging systems toward satisfaction of AC-2, part a.
                
            responsibilities:
            - uuid: 11111111-2222-4000-8000-016000000001
              provided-uuid: 11111111-2222-4000-8000-015000000001
              description: 'Leveraged system''s statement of a leveraging system''s
                responsibilities in satisfaction of AC-2, part a.'
              responsible-roles:
              - role-id: cloud-service-provider
                party-uuids:
                - 11111111-2222-4000-8000-004000000001

See the NIST OSCAL Leveraged Authorization Presentation for more information.

Leveraged Authorization Response: Inheriting Controls, Satisfying Responsibilities

When the current system is inheriting a control from or meeting customer responsibilities defined by an underlying authorization, the leveraged system must first be defined as described in the Response: Identifying Inheritable Controls and Customer Responsibilities section, and documented a component int the leveraging system SSP before it may be referenced in a control response. The by-component assembly references these components.

IMPORTANT: The leveraged system may provide a single component representing the entire leveraged system or may provide individual system components as well. In either case, the inherited-uuid property in the component must have the value flag set to the UUID of the leveraged system or component.

Representation


system-security-plan:
  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000100004
      type: system
      title: Leveraged Authorized System
      description: Briefly describe the leveraged system.
      status:
        state: operational

      
  control-implementation:
    implemented-requirements:
      statements:
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000000004
          uuid: 11111111-2222-4000-8000-012000020104
          description: For the portion inherited from an underlying FedRAMP-authorized
            provider, describe **what** is inherited.
          implementation-status:
            state: implemented
          inherited:
          - uuid: 11111111-2222-4000-8000-017000000001
            provided-uuid: 11111111-0000-4000-9009-002001002001
            description: 'Optional description.'
          satisfied:
          - uuid: 11111111-2222-4000-8000-018000000001
            responsibility-uuid: 11111111-0000-4000-9009-002001002002
            description: 'Description of how the responsibility was satisfied.'

See the NIST OSCAL Leveraged Authorization Presentation for more information.

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Inheritence and Customer Responsibilities

Representation

Leveraged Authorization Response: Inheriting Controls, Satisfying Responsibilities

Representation