
Inheritance and Customer Responsibilities

For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritance details as well as customer responsibilities (referred to as consumer responsibilities by NIST). OSCAL is designed to enable leveraged and leveraging system SSP details to be linked by tools for validation.

Within the appropriate by-component assembly, include an export assembly. Use provided to identify a capability that may be inherited by a leveraging system. Use responsibility to identify a customer responsibility. If a responsibility must be satisfied to achieve inheritance, add the provided-uuid flag to the responsibility field.

Representation
XML:

<!-- system-implementation -->
<control-implementation><!-- cut -->
    <implemented-requirement uuid="uuid-value" control-id="ac-2">
        <statement uuid="uuid-value" statement-id="ac-2_smt.a">
            <by-component uuid="uuid-value" component-uuid="uuid-of-this-system-component">
                <description>
                    <p>Describe how the system as a whole is satisfying this statement.</p>
                </description>
                <export>
                    <responsibility uuid="uuid-value">
                        <description>
                            <p>Leveraging system's responsibilities in satisfaction of AC-2.</p>
                            <p>Not linked to inheritance, so this is always required.</p>
                        </description>
                        <responsible-role role-id="customer" />
                    </responsibility>
                </export>
            </by-component>
            <by-component uuid="uuid-value" component-uuid="uuid-of-software-component">
                <description>
                    <p>Describe how the software is satisfying this statement.</p>
                </description>
                <export>
                    <provided uuid="uuid-value">
                        <description>
                            <p>Customer appropriate description of what may be inherited.</p>
                        </description>
                        <responsible-role role-id="poc-for-customers" />
                    </provided>

                    <responsibility uuid="uuid-value" provided-uuid="uuid-of-provided">
                        <description>
                            <p>Customer responsibilities if inheriting this capability.</p>
                        </description>
                        <responsible-role role-id="customer" />
                    </responsibility>
                </export>
            </by-component>
        </statement>
    </implemented-requirement>
</control-implementation>

YAML:

security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000020000
      control-id: ac-2

      statements:
      - statement-id: ac-2_smt.a
        uuid: 11111111-2222-4000-8000-012000020100
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000000000
          uuid: 11111111-2222-4000-8000-012000020102
          description: 'Confidential control response.'
          implementation-status:
            state: implemented

          export:
            provided:
            - uuid: 11111111-2222-4000-8000-015000000001
              description: This system's statement of capabilities which may be inherited
                by a customer's leveraging systems toward satisfaction of AC-2, part a.

            responsibilities:
            - uuid: 11111111-2222-4000-8000-016000000001
              provided-uuid: 11111111-2222-4000-8000-015000000001
              description: 'Leveraged system''s statement of a leveraging system''s
                responsibilities in satisfaction of AC-2, part a.'
              responsible-roles:
              - role-id: cloud-service-provider
                party-uuids:
                - 11111111-2222-4000-8000-004000000001

See the NIST OSCAL Leveraged Authorization Presentation for more information.


Leveraged Authorization Response: Inheriting Controls, Satisfying Responsibilities

When the current system is inheriting a control from, or meeting customer responsibilities defined by, an underlying authorization, the leveraged system must first be defined as described in the Response: Identifying Inheritable Controls and Customer Responsibilities section, and documented as a component in the leveraging system SSP before it may be referenced in a control response. The by-component assembly references these components.

IMPORTANT: The leveraged system may be represented by a single component for the entire leveraged system, by individual system components, or by both. In either case, the component's inherited-uuid property must have its value flag set to the UUID of the corresponding system or component in the leveraged SSP.

ssp-figure-41.png

Representation
XML:

<system-implementation>
    <component uuid="uuid-value" type="this-system"><!-- cut --></component>
    <component uuid="uuid-value" type="system">
        <title><b>LEVERAGED SYSTEM as a whole (IaaS)</b></title>
        <prop name="leveraged-authorization-uuid" value="uuid-of-LA-in-this-SSP" />
        <prop name="inherited-uuid" value="uuid-of-component-in-leveraged-SSP" />
    </component>
    <component uuid="uuid-value" type="service">
        <title>Service Provided by Leveraged Authorized System</title>
        <prop name="leveraged-authorization-uuid" value="uuid-of-LA-in-this-SSP" />
        <prop name="inherited-uuid" value="uuid-of-component-in-leveraged-SSP" />
    </component>
</system-implementation>
<control-implementation>
    <implemented-requirement uuid="uuid-value" control-id="ac-2">
        <statement uuid="uuid-value" statement-id="ac-2_smt.a">
            <by-component uuid="uuid-value" component-uuid="uuid-of-this-system-component">
                <description><p>Describe what is satisfied by this system.</p></description>
            </by-component>

            <by-component uuid="uuid-value" component-uuid="uuid-leveraged-system-component">
                <description>
                    <p>Describe what is inherited from the leveraged system in satisfaction of this control statement.</p>
                </description>
                <inherited provided-uuid="uuid-of-provided" uuid="uuid-value">
                    <description>
                        <p>Optional: Information provided by leveraged system.</p>
                    </description>
                </inherited>

                <satisfied responsibility-uuid="uuid-of-responsibility" uuid="uuid-value">
                    <description>
                        <p>Description of how the responsibility was satisfied.</p>
                    </description>
                </satisfied>
            </by-component>
        </statement>
        <!-- repeat statement assembly for statement part (b, c, etc.) as needed. -->
    </implemented-requirement>
</control-implementation>
<!-- back-matter -->

YAML:

security-plan:
  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000100004
      type: system
      title: Leveraged Authorized System
      description: Briefly describe the leveraged system.
      status:
        state: operational

  control-implementation:
    implemented-requirements:
    - statements:
      - by-components:
        - component-uuid: 11111111-2222-4000-8000-009000000004
          uuid: 11111111-2222-4000-8000-012000020104
          description: For the portion inherited from an underlying FedRAMP-authorized
            provider, describe **what** is inherited.
          implementation-status:
            state: implemented
          inherited:
          - uuid: 11111111-2222-4000-8000-017000000001
            provided-uuid: 11111111-0000-4000-9009-002001002001
            description: 'Optional description.'
          satisfied:
          - uuid: 11111111-2222-4000-8000-018000000001
            responsibility-uuid: 11111111-0000-4000-9009-002001002002
            description: 'Description of how the responsibility was satisfied.'
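The linking that the two sections above describe (a leveraged SSP's export assembly on one side, a leveraging SSP's inherited and satisfied entries on the other) can be checked by a tool, which is what the page means by validation. The script below is an added example, not FedRAMP or NIST code; it represents both excerpts as Python dicts using the YAML/JSON key names with constructed placeholder UUIDs, and reports any dangling reference and any responsibility that is owed (always required, or tied to a capability that was inherited) but has no satisfied entry.

```python
# Constructed example (not FedRAMP or NIST code): cross-check a leveraging
# SSP's 'inherited'/'satisfied' entries against the leveraged SSP's 'export'.
# The dicts use the key names of the OSCAL YAML/JSON SSP representation.

# Leveraged system's export for one by-component (constructed UUIDs).
LEVERAGED_EXPORT = {
    "provided": [
        {"uuid": "prov-0001", "description": "Capability inheritable for AC-2(a)"},
    ],
    "responsibilities": [
        # Linked to prov-0001: owed only by customers who inherit it.
        {"uuid": "resp-0001", "provided-uuid": "prov-0001",
         "description": "Customer responsibilities if inheriting"},
        # No provided-uuid: not linked to inheritance, so always required.
        {"uuid": "resp-0002", "description": "Always-required customer duty"},
    ],
}

# Leveraging system's by-component for the same statement (constructed UUIDs).
LEVERAGING_BY_COMPONENT = {
    "inherited": [{"uuid": "inh-0001", "provided-uuid": "prov-0001"}],
    "satisfied": [{"uuid": "sat-0001", "responsibility-uuid": "resp-0001"}],
}


def check_leverage(export, by_component):
    """Return findings as strings; an empty list means the SSP excerpts line up."""
    findings = []
    provided = {p["uuid"] for p in export.get("provided", [])}
    responsibilities = {r["uuid"]: r for r in export.get("responsibilities", [])}
    inherited = {i["provided-uuid"] for i in by_component.get("inherited", [])}
    satisfied = {s["responsibility-uuid"] for s in by_component.get("satisfied", [])}

    # Every inherited capability must exist as a 'provided' in the leveraged SSP.
    for uuid in sorted(inherited - provided):
        findings.append(f"inherited provided-uuid {uuid} is not exported")
    # Every satisfied responsibility must exist as a 'responsibility' there.
    for uuid in sorted(satisfied - responsibilities.keys()):
        findings.append(f"satisfied responsibility-uuid {uuid} is not exported")
    # A responsibility is owed when it has no provided-uuid (always required)
    # or when the capability it is tied to has actually been inherited.
    for uuid, resp in responsibilities.items():
        linked = resp.get("provided-uuid")
        if (linked is None or linked in inherited) and uuid not in satisfied:
            findings.append(f"responsibility {uuid} is owed but not satisfied")
    return findings


if __name__ == "__main__":
    for finding in check_leverage(LEVERAGED_EXPORT, LEVERAGING_BY_COMPONENT):
        print(finding)
```

Run as-is, the sample data yields one finding: resp-0002 has no provided-uuid, so it is required regardless of inheritance and the leveraging SSP must document a satisfied entry for it.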


See the NIST OSCAL Leveraged Authorization Presentation for more information.