Preferred Approach
Component-based Representation
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-implementation:
    components:
      - uuid: 11111111-2222-4000-8000-009000300100
        type: software
        title: Database
        description: ''
        props:
          - name: asset-type
            value: database
          - name: function
            value: see-remarks
            remarks: Briefly describe the function of the database
          - name: allows-authenticated-scan
            value: 'yes'
          - name: scan-type
            ns: http://fedramp.gov/ns/oscal
            value: database
          - name: vendor-name
            ns: http://fedramp.gov/ns/oscal
            value: Small Biz Software, LLC
        links:
          - href: '#11111111-2222-4000-8000-009000500006'
            rel: used-by
          - href: '#11111111-2222-4000-8000-009001400001'
            rel: receives
          - href: '#11111111-2222-4000-8000-009001400002'
            rel: initiates
        status:
          state: operational
        responsible-roles:
          - role-id: administrator
            party-uuids:
              - 11111111-2222-4000-8000-004000000010
    inventory-items:
      - uuid: 11111111-2222-4000-8000-011000000002
        description: Component Inventory Example
        props:
          - name: asset-id
            value: unique-asset-ID-02
          - name: ipv4-address
            value: 10.2.2.2
          - name: ipv6-address
            value: 0000:0000:0000:0000:0000:ffff:0a02:0202
          - name: mac-address
            value: 00:00:00:00:00:00
          - name: asset-type
            value: appliance
          - name: virtual
            value: 'no'
          - name: public
            value: 'no'
          - name: fqdn
            value: dns.name
          - name: uri
            value: uniform.resource.locator
          - name: netbios-name
            value: netbios-name
          - name: physical-location
            value: Physical location of Asset
          - name: allows-authenticated-scan
            value: 'no'
            remarks: If no, explain why. If yes, omit remark.
          - name: scan-type
            ns: http://fedramp.gov/ns/oscal
            value: infrastructure
        links:
          - href: '#11111111-2222-4000-8000-001000000059'
            rel: baseline
        responsible-parties:
          - role-id: asset-owner
            party-uuids:
              - 11111111-2222-4000-8000-004000000010
          - role-id: asset-administrator
            party-uuids:
              - 11111111-2222-4000-8000-004000000017
        implemented-components:
          - component-uuid: 11111111-2222-4000-8000-009000300100
            props:
              - name: asset-id
                value: unique-asset-ID-3
        remarks: 'COMMENTS: If needed, provide additional information about this inventory item.'
Notes:
- If component-sample is an image of a Linux virtual machine (VM), and 10 instances of that VM are in use, there would be one (1) component assembly and ten (10) inventory-item assemblies, all referencing the same component.
Inventory Data Locations and XPath Queries
The following queries show where each piece of information lives in the system inventory template. They are written against the XML form of the SSP: the YAML keys components and inventory-items shown above correspond to the XML elements component and system-inventory/inventory-item under system-implementation, and a YAML value: key corresponds to the XML @value attribute.
XPath Queries
Number of Inventory Items:
count(/*/system-implementation/system-inventory/inventory-item)
Number of Hardware Components:
count(/*/system-implementation/component[@type="hardware"])
Number of Software Components:
count(/*/system-implementation/component[@type="software"])
In Latest Scan?:
/*/system-implementation/system-inventory/inventory-item[1]/prop[@name="is-scanned"]/@value
List Inventory Items Not Scanned:
/*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/../prop[@name='ipv4-address']/@value
List of Reasons Inventory Items Were Not Scanned:
/*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/remarks/node()
Unlike most of the XPath 2.0 queries in this document, the following queries cannot easily be converted to XPath 1.0; with XPath 1.0 it may be necessary to run each search as two separate queries (one over the inventory item's own props, one over the props of the component it implements). Each query lists all the IPv4 addresses for one scan type (infrastructure, web, or database), whether the flat-file inventory approach or the component-based approach is used.
XPath Queries
IPv4 Address of All Inventory Items Identified for Infrastructure Scanning:
distinct-values(
  (for $key in /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@value)
)
IPv4 Address of All Inventory Items Identified for Web Scanning:
distinct-values(
  (for $key in /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@value)
)
IPv4 Address of All Inventory Items Identified for Database Scanning:
distinct-values(
  (for $key in /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@value)
)
IPv4 Address of All Items Where an Authenticated Scan is Possible:
distinct-values(
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='yes']]/@value)
  |
  (for $key in /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='yes']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
)
IPv4 Address of All Items Where an Authenticated Scan is Not Possible:
distinct-values(
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='no']]/@value)
  |
  (for $key in /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='no']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
)
Authenticated Scan Justification (if allows-authenticated-scan is "no"):
/*/system-implementation/system-inventory/inventory-item/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()
OR
/*/system-implementation/component/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()
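As an added example (not code from the FedRAMP guide or the OSCAL project), the following Python performs the same lookups as the XPath queries above over the JSON/YAML object model, including the join between an inventory item and the component it implements that the component-based representation relies on. The sample SSP is constructed inline in the shape of the example above; its UUIDs follow the guide's placeholder pattern and are not real identifiers, and the justification strings are made up. It also surfaces two conditions the queries pass over silently: an implemented-component reference whose UUID matches no component in the SSP, and an inventory item that ends up in none of the scan-type lists.

```python
"""Inventory checks over a component-based OSCAL SSP (added example, not FedRAMP's code).

The XPath queries in the text run against the XML form. These functions do the
same lookups over the JSON/YAML object model, where the join between an
inventory-item and the component it implements has to be written out.
"""

FEDRAMP_NS = "http://fedramp.gov/ns/oscal"
SCAN_TYPES = ("infrastructure", "web", "database")

# Constructed sample in the shape of the page's example. UUIDs follow the guide's
# 11111111-2222-4000-8000-... placeholder pattern and are not real identifiers.
SSP = {"system-security-plan": {
    "uuid": "11111111-2222-4000-8000-000000000000",
    "system-implementation": {
        "components": [
            {"uuid": "11111111-2222-4000-8000-009000300100", "type": "software", "title": "Database",
             "props": [{"name": "asset-type", "value": "database"},
                       {"name": "allows-authenticated-scan", "value": "yes"},
                       {"name": "scan-type", "ns": FEDRAMP_NS, "value": "database"}]},
            {"uuid": "11111111-2222-4000-8000-009000300200", "type": "hardware", "title": "Network Appliance",
             "props": [{"name": "asset-type", "value": "appliance"},
                       {"name": "allows-authenticated-scan", "value": "no",
                        "remarks": "Vendor appliance has no local account the scanner can use."}]},
        ],
        "inventory-items": [
            {"uuid": "11111111-2222-4000-8000-011000000002",
             "props": [{"name": "ipv4-address", "value": "10.2.2.2"},
                       {"name": "is-scanned", "value": "yes"},
                       {"name": "scan-type", "ns": FEDRAMP_NS, "value": "infrastructure"}],
             "implemented-components": [{"component-uuid": "11111111-2222-4000-8000-009000300100"}]},
            {"uuid": "11111111-2222-4000-8000-011000000003",
             "props": [{"name": "ipv4-address", "value": "10.2.2.3"},
                       {"name": "is-scanned", "value": "no",
                        "remarks": "Decommissioned; pending removal from the inventory."}],
             "implemented-components": [{"component-uuid": "11111111-2222-4000-8000-009000300100"}]},
            {"uuid": "11111111-2222-4000-8000-011000000004",
             "props": [{"name": "ipv4-address", "value": "10.2.2.4"},
                       {"name": "is-scanned", "value": "yes"},
                       {"name": "scan-type", "ns": FEDRAMP_NS, "value": "infrastructure"}],
             "implemented-components": [{"component-uuid": "11111111-2222-4000-8000-009000300200"}]},
            # Points at a component UUID that exists nowhere in this SSP.
            {"uuid": "11111111-2222-4000-8000-011000000005",
             "props": [{"name": "ipv4-address", "value": "10.2.2.5"},
                       {"name": "is-scanned", "value": "yes"}],
             "implemented-components": [{"component-uuid": "11111111-2222-4000-8000-009000309999"}]},
        ]}}}


def find_props(obj, name, ns=None):
    """All props on `obj` with this name (and, if given, this namespace)."""
    return [p for p in obj.get("props", [])
            if p["name"] == name and (ns is None or p.get("ns") == ns)]


def collected_props(item, name, by_uuid, ns=None):
    """Props named `name` on the inventory-item itself plus those on every
    component it implements: the union the XPath queries build with the
    `for $key in ... return ...` branch and the `../prop[...]` branch."""
    found = list(find_props(item, name, ns))
    for ref in item.get("implemented-components", []):
        comp = by_uuid.get(ref["component-uuid"])
        if comp is not None:                    # unresolved refs contribute nothing
            found.extend(find_props(comp, name, ns))
    return found


def inventory_report(ssp):
    """Answer the page's inventory questions and flag what the queries miss."""
    impl = ssp["system-security-plan"]["system-implementation"]
    components = impl.get("components", [])
    items = impl.get("inventory-items", [])
    by_uuid = {c["uuid"]: c for c in components}
    report = {
        "inventory_items": len(items),
        "hardware_components": sum(1 for c in components if c["type"] == "hardware"),
        "software_components": sum(1 for c in components if c["type"] == "software"),
        "not_scanned": {},                              # ipv4 -> justification
        "scan_targets": {t: set() for t in SCAN_TYPES},  # scan-type -> ipv4 addresses
        "authenticated_scan": {"yes": set(), "no": {}},  # "no": ipv4 -> justification
        "dangling_component_refs": set(),               # component-uuid values that resolve to nothing
        "unclassified": set(),                          # ipv4 that lands in no scan list at all
    }
    for item in items:
        ip = next((p["value"] for p in find_props(item, "ipv4-address")), None)
        for ref in item.get("implemented-components", []):
            if ref["component-uuid"] not in by_uuid:
                report["dangling_component_refs"].add(ref["component-uuid"])
        for p in find_props(item, "is-scanned"):        # inventory-item level only, as in the text
            if p["value"] == "no":
                report["not_scanned"][ip] = p.get("remarks", "(no justification recorded)")
        types_hit = set()
        for p in collected_props(item, "scan-type", by_uuid, FEDRAMP_NS):
            if p["value"] in report["scan_targets"]:
                report["scan_targets"][p["value"]].add(ip)
                types_hit.add(p["value"])
        if not types_hit:
            report["unclassified"].add(ip)
        for p in collected_props(item, "allows-authenticated-scan", by_uuid):
            if p["value"] == "yes":
                report["authenticated_scan"]["yes"].add(ip)
            elif p["value"] == "no":
                report["authenticated_scan"]["no"][ip] = p.get("remarks", "(no justification recorded)")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(inventory_report(SSP), indent=2, default=sorted))
```

Note that 10.2.2.2 appears in both the infrastructure list and the database list: it carries its own scan-type and inherits a second one from the Database component, exactly as the union in the XPath queries produces. The item whose implemented-component reference resolves to nothing (10.2.2.5) is the case worth a validation step before the inventory is handed to a scanning team, because it drops out of every scan list without any error.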