Responsible Roles

Every control should have one or more responsible roles identified.

In OSCAL, there are three options for identifying responsible roles:

By Control: (Retrofit MVP only) assign responsible roles to the implemented-requirement for the entire control
By Component (Implied): infer responsible roles from the components cited in the by-component array
By Component (Explicit): assign responsible roles to the statement/by-component array

Retrofit Adoption Path: MVP

When initially converting a Word-based FedRAMP SSP to OSCAL, assign all roles by control to the implemented-requirements/responsible-roles array. This aligns with the FedRAMP Word-based SSP template.

As the SSP is migrated to a normalized approach using components, the assignment of roles is moved from the entire control to statement-level, component responses.

With fully normalized OSCAL content, responsible roles are inferred via the components associated with a control via statements/by-components. Each assocaited component SHOULD have owner and administrator responsible roles and linked to specific parties (teams or individuals).

If additional roles need to be cited, they are explicilty assigned to by-components/responsible-roles. If an explicitly needed role does not associate cleanly to a specific component, it is assigned to the by-components/responsible-roles entry for this system (component type=this-system).

Adoption Strategies

Retrofit Adoption Path

New Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Control Definitions

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Control Response Overview

Control Responses

Control Response: Policies and Procedures

Inheritence and Customer Responsibilities

Example

Responsible Roles

Retrofit Adoption Path: MVP

WORKING HERE

Representation