Document Approvals

[Figure: ssp_02_approvals.png]

The OSCAL syntax for document approvers is the same in the SSP, SAP, and SAR: the approver is a party assigned the content-approver role through responsible-parties in metadata. For the SSP, approvers are typically executives within the CSP. For the SAP and SAR, approvers are typically executives within the assessor's organization.

Representation
system-security-plan:
  metadata:
  
    roles:
    - id: content-approver
      title: System Security Plan Approval
      description: The individual or individuals accountable for the accuracy of this SSP.
    - id: cloud-service-provider
      title: Cloud Service Provider
      short-name: CSP

    locations:
    - uuid: 11111111-2222-4000-8000-003000000001
      title: CSP HQ
      address:
        type: work
        addr-lines:
        - Suite 0000
        - 1234 Some Street
        city: Haven
        state: ME
        postal-code: '00000'
        
    parties:
    - uuid: 11111111-2222-4000-8000-004000000001
      type: organization
      name: Cloud Service Provider (CSP) Name
      short-name: CSP Acronym/Short Name
      links:
      - href: '#11111111-2222-4000-8000-001000000052'
        rel: logo
      location-uuids:
      - 11111111-2222-4000-8000-003000000001

    - uuid: 11111111-2222-4000-8000-004000000010
      type: person
      name: '[SAMPLE]Person Name 1'
      props:
      - name: job-title
        value: Individual's Title
      - name: mail-stop
        value: Mailstop A-1
      email-addresses:
      - name@example.com
      telephone-numbers:
      - number: '2020000001'
      location-uuids:
      - 11111111-2222-4000-8000-003000000001
      member-of-organizations:
      - 11111111-2222-4000-8000-004000000001
    - uuid: 11111111-2222-4000-8000-004000000011
      type: person
      name: '[SAMPLE]Person Name 2'
      props:
      - name: job-title
        value: Individual's Title
      email-addresses:
      - name@example.com
      telephone-numbers:
      - number: '2020000002'
      addresses:
      - state: ST
        type: work
        postal-code: '00000'
        addr-lines:
        - Address Line
        country: US
        city: City
      member-of-organizations:
      - 11111111-2222-4000-8000-004000000001

    responsible-parties:
    - role-id: cloud-service-provider
      party-uuids:
      - 11111111-2222-4000-8000-004000000001
    - role-id: content-approver
      party-uuids:
      - 11111111-2222-4000-8000-004000000010
      - 11111111-2222-4000-8000-004000000011

Defined Identifiers
Required Role IDs:

  • content-approver
  • cloud-service-provider
XPath Queries
  • Approver’s Name: (/*/metadata/party[@uuid = /*/metadata/responsible-party[@role-id='content-approver']/party-uuid]/name)[1]

  • Approver’s Title: (/*/metadata/party[@uuid = /*/metadata/responsible-party[@role-id='content-approver']/party-uuid]/prop[@name='job-title'])[1]

    NOTE: For each additional approver, replace the "[1]" with "[2]", "[3]", and so on. The "=" comparison against the party-uuid node set is existential in XPath, so the predicate selects every party whose uuid matches any party-uuid listed for the role; the "[n]" then picks one in document order. The name is the party's name element and the title is its job-title prop, matching the representation above.

  • CSP Name: /*/metadata/party[@uuid = /*/metadata/responsible-party[@role-id='cloud-service-provider']/party-uuid]/name

NOTES:

The code above is an SSP example. For SAP and SAR, a similar approach is used for the assessor, using the "assessor" role ID instead of the "cloud-service-provider" role ID.
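The following script is an added example, not FedRAMP or NIST OSCAL tooling. It does in Python what the XPath queries above do in XML: follow responsible-party to party-uuid to party for a role, then read the party's name and job-title prop, and it also checks the required role IDs for an SSP, SAP, or SAR (assuming the "assessor" substitution from the note above). The sample document is a trimmed copy of the representation above, re-serialized as OSCAL JSON (same keys as the YAML) so the script needs only the standard library; a dangling party-uuid is treated as a broken document rather than an empty result.

```python
"""Resolve document approvers from OSCAL metadata (added example, not FedRAMP/NIST code)."""
import json

# Constructed sample: trimmed copy of the SSP metadata shown on this page, in OSCAL JSON form.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "metadata": {
      "roles": [
        {"id": "content-approver", "title": "System Security Plan Approval"},
        {"id": "cloud-service-provider", "title": "Cloud Service Provider", "short-name": "CSP"}
      ],
      "parties": [
        {"uuid": "11111111-2222-4000-8000-004000000001", "type": "organization",
         "name": "Cloud Service Provider (CSP) Name", "short-name": "CSP Acronym/Short Name"},
        {"uuid": "11111111-2222-4000-8000-004000000010", "type": "person",
         "name": "[SAMPLE]Person Name 1",
         "props": [{"name": "job-title", "value": "Individual's Title"},
                   {"name": "mail-stop", "value": "Mailstop A-1"}],
         "member-of-organizations": ["11111111-2222-4000-8000-004000000001"]},
        {"uuid": "11111111-2222-4000-8000-004000000011", "type": "person",
         "name": "[SAMPLE]Person Name 2",
         "props": [{"name": "job-title", "value": "Individual's Title"}],
         "member-of-organizations": ["11111111-2222-4000-8000-004000000001"]}
      ],
      "responsible-parties": [
        {"role-id": "cloud-service-provider",
         "party-uuids": ["11111111-2222-4000-8000-004000000001"]},
        {"role-id": "content-approver",
         "party-uuids": ["11111111-2222-4000-8000-004000000010",
                         "11111111-2222-4000-8000-004000000011"]}
      ]
    }
  }
}
""")

# Required role IDs per document type. SSP is from this page; SAP/SAR assume the
# "assessor" substitution described in the note above.
REQUIRED_ROLE_IDS = {
    "ssp": ("content-approver", "cloud-service-provider"),
    "sap": ("content-approver", "assessor"),
    "sar": ("content-approver", "assessor"),
}


def metadata(doc):
    """Return the metadata block regardless of the root element (SSP, SAP or SAR)."""
    (root,) = doc.values()
    return root["metadata"]


def prop_value(party, name, ns=None):
    """First matching prop value; ns=None matches props that carry no ns (the OSCAL default)."""
    for prop in party.get("props", []):
        if prop.get("name") == name and prop.get("ns") == ns:
            return prop.get("value")
    return None


def parties_for_role(doc, role_id):
    """Resolve every party assigned role_id, in responsible-party order.

    A party-uuid with no matching party is a broken document, so this raises
    instead of silently returning fewer approvers than the document claims.
    """
    md = metadata(doc)
    by_uuid = {p["uuid"]: p for p in md.get("parties", [])}
    resolved = []
    for rp in md.get("responsible-parties", []):
        if rp.get("role-id") != role_id:
            continue
        for uuid in rp.get("party-uuids", []):
            if uuid not in by_uuid:
                raise ValueError(f"role {role_id!r} references unknown party {uuid}")
            resolved.append(by_uuid[uuid])
    return resolved


def approvers(doc):
    """(name, job-title) per content-approver: the Approver's Name/Title queries for every index."""
    return [(p["name"], prop_value(p, "job-title"))
            for p in parties_for_role(doc, "content-approver")]


def org_name(doc, role_id="cloud-service-provider"):
    """The CSP Name query; pass role_id='assessor' for the SAP/SAR equivalent."""
    orgs = parties_for_role(doc, role_id)
    return orgs[0]["name"] if orgs else None


def missing_required_roles(doc, doc_type):
    """Required role IDs that are not defined under roles or have no party assigned."""
    md = metadata(doc)
    defined = {r["id"] for r in md.get("roles", [])}
    assigned = {rp["role-id"] for rp in md.get("responsible-parties", []) if rp.get("party-uuids")}
    return [r for r in REQUIRED_ROLE_IDS[doc_type] if r not in defined or r not in assigned]


if __name__ == "__main__":
    print("CSP:", org_name(SAMPLE_SSP))
    for i, (name, title) in enumerate(approvers(SAMPLE_SSP), start=1):
        print(f"Approver [{i}]: {name}, {title}")
    print("Missing required roles:", missing_required_roles(SAMPLE_SSP, "ssp"))
```

Run against a real SSP by replacing SAMPLE_SSP with json.load() of the OSCAL JSON file; for YAML input, parse with PyYAML and pass the resulting dict unchanged, since the keys are identical.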