Responding By Component
Retrofit Adoption Path MVP
WithinWhen theconverting OSCAL-a Word-based FedRAMP baselines,SSP to OSCAL, move all control statementsresponses and control
objectives are tagged with a response-point FedRAMP Extension. Every
control statement with a designated response-point into the baselinethis-system component.
Every OSCAL SSP must have a statementthis-system withcomponent defined. It is the control'sonly required component.
system-security-plan:implemented-requirementassembly.system-implementation:Pleasecomponents:note-thatuuid:control11111111-2222-4000-8000-009000000000objectivetype:responsethis-systempointstitle:areThisusedSystemfordescription: 'Represents theSAPentireandauthorizationSAR.boundary'
Whenstatus:usingstate:aFedRAMP Resolved Profile Catalog, the following query will identify the response points for a given control.
Organization: Policy and Procedure Statements
For each of the -1 controls, such as AC-1, there must be exactly five statement assemblies: Part (a)(1), Part (a)(2), Part (b), Part (c)(1), and Part (c)(2).
Policy and Procedure Representation<!-- system-implementation --> <control-implementation> <!-- cut --> <implemented-requirement uuid="uuid-value" control-id="ac-1"> <statement statement-id="ac-1_smt.a.1"><!-- cut --></statement> <statement statement-id="ac-1_smt.a.2"><!-- cut --></statement> <statement statement-id="ac-1_smt.b"><!-- cut --></statement> <statement statement-id="ac-1_smt.c.1"><!-- cut --></statement> <statement statement-id="ac-1_smt.c.2"><!-- cut --></statement> </implemented-requirement> </control-implementation>operationalEvery
Organization:statementsMulti-Part/Statementsby-components
Therearraymust be one statement assembly for each lettered part, such as with AC-2, parts a, b, c, etc.
Multi-Part Statement Representation<!-- system-implementation --> <control-implementation> <!-- cut --> <implemented-requirement uuid="uuid-value" control-id="ac-2"> <statement statement-id="ac-2_smt.a"><!-- cut --></statement> <!-- repeat for b, c, d, e, f, g, h, i, j --> <statement statement-id="ac-2_smt.k"><!-- cut --></statement> </implemented-requirement> </control-implementation>
Organization: Single Statementthat
If there are no lettered parts in the control definition, such as with AC-2 (1), there must behas exactly onestatemententryassembly.
Single-Statement Representation<!-- system-implementation --> <control-implementation> <!-- cut --> <implemented-requirement control-id="ac-2.1"> <statement statement-id="ac-2.1_smt"><!-- cut --></statement> </implemented-requirement> </control-implementation>
Response: Overview
Within eachstatementassembly, all responses must be provided within one or moreby-componentassemblies. There must always be a component defined inreferences thesystem-implementationthis-systemrepresenting the system as a whole ("THIS SYSTEM"), even if individual components are defined that comprise the system.See theWorking with Componentssection for more information.
An OSCAL-based FedRAMP SSP should define individual components of the system. Components are not just hardwarecomponent andsoftware. Policies, processes, FIPS 140 validation information, interconnections, services, and underlying systems (leveraged authorizations) are all components.
With OSCAL,includes the contentinfrom thecellWord-basednext toPart amust be broken down into its individual components and responded to separately.SSP.
Eachstatementsarray entry includes:
ForaPartrequireduuidfield- a required
by-componentsarray. Each array entry includes:Componenta-requiredThiscomponent-uuidSystemfield that cites thethis-sytemcomponent from above.- a required
uuidfield - a required
descriptionfield that contains the content from the Word-based SSP control response. - a required
implementation-statuselement with:Describesahowrequiredpartstateais satisfied holistically, or where the description does not fitfield with adefinedvaluecomponent.of
Component - PlatformDescribes howpart ais satisfied by the platform.
Component - Web-ServerDescribes howpart ais satisfied by the web server.
Component - ProcessDescribes howpart ais satisfied by an identified process within this organization.
Component - InheritedDescribes what is inherited from the underlying Infrastructure as a Service (IaaS) provider to satisfypart a.
ForPart bComponent - This SystemDescribes howpart bis satisfied holistically, or where the description does not fit with a defined component.
Component - PlatformDescribes howpart bis satisfied by the platform.
Component - Web-ServerDescribes howpart bis satisfied by the web server.
Component - ProcessDescribes howpart bis satisfied by an identified process within this organization.
Component - InheritedDescribes what is inherited from the underlying Infrastructure as a Service (IaaS) provider to satisfypart bimplemented.
Thesystem-security-plan:
followingcontrol-implementation:
aredescription: examples.
Response:Native ExampleAdoption Path
WithinWhen eachcreating ofan SSP from scratch, ensure appropriate components are defined before authoring a control response. The this-system component must always be present. Other components are present baed on their use within the sytem. See Components for more information.
statementsystem-security-plan:
system-implementation:
components:
- uuid: 11111111-2222-4000-8000-009000000000
type: this-system
title: This System
description: 'Represents the entire authorization boundary'
status:
state: operational
- uuid: 11111111-2222-4000-8000-009000500001
type: service
title: Service A
description: 'An authorized service from a leveraged CSO.'
status:
state: operational
- uuid: 11111111-2222-4000-8000-009000600001
type: policy
title: Access Control and Identity Management Policy
description: 'A corporate policy used for the system.'
status:
state: operational
Every statements assemblies,/ allby-components responsesarray appear inhas one or more by-componentassemblies.that Eachreference by-componentassembly references a component defined in the system-implementation assembly.
Representation
<system-implementation>
<!-- leveraged-authorization, user -->
<component uuid="uuid-value" type="software">
<title>Component Title</title>
<description>
<p>Description of the component.</p>
</description>
<status state="operational"/>
</component>
<component uuid="uuid-value" type="process">
<title>Process Title</title>
<description>
<p>Description of the component.</p>
</description>
<status state="operational"/>
<responsible-role role-id="admin-unix">
<party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
</responsible-role>
</component>
</system-implementation>
<control-implementation>
<!-- cut -->
<implemented-requirement uuid="uuid-value" control-id="ac-2">
<statement uuid="uuid-value" statement-id="ac-2_smt.a">
<by-component uuid="uuid-value" component-uuid="uuid-of-software-component">
<description>
<p>Describedescribes how the softwarethat component is satisfying thethat control.</p>control </description>requirement </by-component>statement.
<by-component uuid="uuid-value" component-uuid="uuid-of-process-component">
<description>
<p>Describe how the process satisfies the control.</p>
</description>
</by-component>
<!-- repeat by-component assembly for each component related to part a. -->
</statement>
<!-- repeat statement assembly for statement part (b, c, etc.) as needed. -->
</implemented-requirement>
</control-implementation>
<!-- back-matter -->
NOTES:
All statement-id values must be cited as they appear in the NIST SP
800-53, Revision 4 or Revision 5 OSCAL catalogs:
https://github.com/usnistgov/oscal-content/tree/master/nist.gov/SP800-53
Response:The "This System" Component
There must always be a "This System" component in the SSP. This is used in several ways:
-
Holistic Overview: The SSP author may wish to provide a more
holistic overview of how several components work together, even if
details are provided individually in other by-component assemblies.
-
Catch-all: Any control response that does not cleanly align with
another system component may be described in the "This System"
component.
-
Legacy SSP Conversion: When converting a legacy SSP to OSCAL,
the legacy control response statements may initially be associated
with the "This System" component until the SSP author is able
to provide responses for individual components.
Representation
<system-implementation>
<!-- leveraged-authorization, user
-->
<component uuid="uuid-value" type="this-system">
<title>This System</title>
<description>
<p>Description of the component.</p>
</description>
<status state="operational"/>
</component>
</system-implementation>
<control-implementation>
<!-- cut -->
<implemented-requirement uuid="uuid-value" control-id="ac-2">
<statement uuid="uuid-value" statement-id="ac-2_smt.a">
<by-component uuid="uuid-value" component-uuid="uuid-of-this-system-component">
<description>
<p>Describe how individual components are working together.</p>
<p>Describe how the system - as a whole - is satisfying this statement.</p>
<p>This can include policy, procedures, hardware, software, etc.</p>
</description>
</by-component>
</statement>
<!-- repeat statement assembly for statement part (b, c, etc.) as needed. -->
</implemented-requirement>
</control-implementation>
<!-- back-matter -->
NOTES:
Although the name of the component is "This System",
non-technical solutions may also be discussed here, such as policies
and procedures.
Linking to Artifacts
Any time policies, procedures, plans, and similar documentation are
cited in a control response, they must be linked.
For the legacy approach, when responding within the by-component
assembly for "this system", the link must be within the same by-component assembly where the artifact is cited.
Representation: Legacy Approach Example - No Policy Component
<control-implementation>
<implemented-requirement uuid="uuid-value" control-id="ac-1">
<statement uuid="uuid-value" statement-id="ac-1_smt.a">
<by-component component-uuid="uuid-of-this-system" uuid="uuid-value">
<description>
<p>Describe how Part a is satisfied within the system.</p>
</description>
<link href="#uuid-of-policy-resource-in-back-matter" rel="policy" />
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
<!-- back-matter -->
For the component approach, use the component representing the policy.
The link should be in the component, but may be added directly to the
by-component as well.
Representation: Component Approach Example
<system-implementation>
<!-- leveraged-authorization, user -->
<component uuid="uuid-value" type="policy">
<title>Access Control and Identity Management Policy</title>
<description>
<p>An example component representing a policy.</p>
</description>
<link href="#uuid-of-policy-resource-in-back-matter" rel="policy" />
<status state="operational"/>
</component>
</system-implementation>
<control-implementation>
<implemented-requirement uuid="uuid-value" control-id="ac-1">
<statement uuid="uuid-value" statement-id="ac-1_smt.a">
<by-component component-uuid="uuid-of-policy-component" uuid="uuid-value">
<description>
<p>Describe how this policy satisfies Part a.</p>
</description>
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
<!-- back-matter -->
For either example above, the policy must be present as a resource in back-matter.
In Back Matter
<back-matter>
<resource uuid="uuid-value">
<title>Access Control and Identity Management Policy</title>
<rlink media-type="application/pdf" href="./documents/policies/sample_policy.pdf" />
<base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64>
</resource>
</back-matter>
Response: Identifying Inheritable Controls and Customer Responsibilities
For systems that may be leveraged, OSCAL enables a robust mechanism for
providing both inheritance details as well as customer responsibilities
(referred to as consumer responsibilities by NIST). OSCAL is designed to
enable leveraged and leveraging system SSP details to be linked by tools
for validation.
Within the appropriate by-component assembly, include an export
assembly. Use provided to identify a capability that may be inherited by a leveraging system. Use responsibility to identify a customer responsibility. If a responsibility must be satisfied to achieve inheritance, add the
provided-uuid flag to the responsibility field.
Representation
<!-- system-implementation -->
<control-implementation><!-- cut -->
<implemented-requirement uuid="uuid-value" control-id="ac-2">
<statement uuid="uuid-value" statement-id="ac-2_smt.a">
<by-component uuid="uuid-value" component-uuid="uuid-of-this-system-component">
<description>
<p>Describe how the system - as a whole - is satisfying this statement.</p>
</description>
<export>
<responsibility uuid="uuid-value">
<description>
<p>Leveraging system's responsibilities in satisfaction of AC-2.</p>
<p>Not linked to inheritance, so this is always required.</p>
</description>
<responsible-role role-id="customer" />
</responsibility>
</export>
</by-component>
<by-component uuid="uuid-value" component-uuid="uuid-of-software-component">
<description>
<p>Describe how the software is satisfying this statement.</p>
</description>
<export>
<provided uuid="uuid-value">
<description>
<p>Customer appropriate description of what may be inherited.</p>
</description>
<responsible-role role-id="poc-for-customers" />
</provided>
<responsibility uuid="uuid-value" provided-uuid="uuid-of-provided">
<description>
<p>Customer responsibilities if inheriting this capability.</p>
</description>
<responsible-role role-id="customer" />
</responsibility>
</export>
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
See the NIST OSCAL Leveraged Authorization Presentation for more information.
