Document Approvals
The OSCAL syntax is the same for document approvers in the SSP, SAP, and SAR. For the SSP, approvers are typically executives within the CSP. For the SAP and SAR, approvers are typically executives within the assessor's organization.
Representation
XML:

<!-- Representation -->
<metadata>
  <!-- title, published ... prop, link -->
  <role id="content-approver">
    <title>[SSP, SAP, or SAR] Approval</title>
    <desc>The executive(s) accountable for the accuracy of this content.</desc>
  </role>
  <role id="cloud-service-provider">
    <title>Cloud Service Provider</title>
    <short-name>CSP</short-name>
  </role>
  <party uuid="uuid-of-csp" type="organization">
    <name>Cloud Service Provider (CSP) Name</name>
    <short-name>CSP Acronym/Short Name</short-name>
  </party>
  <party uuid="uuid-of-person-1" type="person">
    <name>[SAMPLE]Person Name 1</name>
    <prop name="title" ns="http://fedramp.gov/ns/oscal">Individual's Title</prop>
    <member-of-organization>uuid-of-csp</member-of-organization>
  </party>
  <party uuid="uuid-of-person-2" type="person">
    <name>[SAMPLE]Person Name 2</name>
    <prop name="title" ns="http://fedramp.gov/ns/oscal">Individual's Title</prop>
    <member-of-organization>uuid-of-csp</member-of-organization>
  </party>
  <responsible-party role-id="cloud-service-provider">
    <party-uuid>uuid-of-csp</party-uuid>
  </responsible-party>
  <responsible-party role-id="content-approver">
    <party-uuid>uuid-of-person-1</party-uuid>
    <party-uuid>uuid-of-person-2</party-uuid>
  </responsible-party>
</metadata>

YAML:

system-security-plan:
  metadata:
    roles:
      - id: content-approver
        title: System Security Plan Approval
        description: The individual or individuals accountable for the accuracy of this SSP.
      - id: cloud-service-provider
        title: Cloud Service Provider
        short-name: CSP
    locations:
      - uuid: 11111111-2222-4000-8000-003000000001
        title: CSP HQ
        address:
          type: work
          addr-lines:
            - Suite 0000
            - 1234 Some Street
          city: Haven
          state: ME
          postal-code: '00000'
    parties:
      - uuid: 11111111-2222-4000-8000-004000000001
        type: organization
        name: Cloud Service Provider (CSP) Name
        short-name: CSP Acronym/Short Name
        links:
          - href: '#11111111-2222-4000-8000-001000000052'
            rel: logo
        location-uuids:
          - 11111111-2222-4000-8000-003000000001
      - uuid: 11111111-2222-4000-8000-004000000010
        type: person
        name: '[SAMPLE]Person Name 1'
        props:
          - name: job-title
            value: Individual's Title
          - name: mail-stop
            value: Mailstop A-1
        email-addresses:
          - name@example.com
        telephone-numbers:
          - number: '2020000001'
        location-uuids:
          - 11111111-2222-4000-8000-003000000001
        member-of-organizations:
          - 11111111-2222-4000-8000-004000000001
      - uuid: 11111111-2222-4000-8000-004000000011
        type: person
        name: '[SAMPLE]Person Name 2'
        props:
          - name: job-title
            value: Individual's Title
        email-addresses:
          - name@example.com
        telephone-numbers:
          - number: '2020000002'
        addresses:
          - state: ST
            type: work
            postal-code: '00000'
            addr-lines:
              - Address Line
            country: US
            city: City
        member-of-organizations:
          - 11111111-2222-4000-8000-004000000001
    responsible-parties:
      - role-id: cloud-service-provider
        party-uuids:
          - 11111111-2222-4000-8000-004000000001
      - role-id: content-approver
        party-uuids:
          - 11111111-2222-4000-8000-004000000010
          - 11111111-2222-4000-8000-004000000011
Defined Identifiers
Required Role IDs:
content-approver
cloud-service-provider
FedRAMP Extension (Person's Title)
prop (ns="http://fedramp.gov/ns/oscal"):
name="title"
XPath Queries
Approver’s Name:
(/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver']/party-uuid]]/name)[1]
Approver’s Title:
(/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver']/party-uuid]]/prop[@name='title'][@ns='http://fedramp.gov/ns/oscal'])[1]
NOTE: For each additional approver, replace the "[1]" with "[2]", "[3]", and so on.
CSP Name:
/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='cloud-service-provider']/party-uuid]]/name
NOTES:
The code above is an SSP example. For SAP and SAR, a similar approach is
used for the assessor, using the "assessor" role ID instead of the
"cloud-service-provider" role ID.

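The lookup the XPath queries perform (role ID to responsible-party to party), as an added Python example that is not part of the original guide; it also reports approval references that would make those queries return nothing. The function names and the sample document are constructed for illustration, and the sample follows the XML fragment above without an XML namespace, so a file that declares one needs namespace-qualified tag names.

```python
import xml.etree.ElementTree as ET

FEDRAMP_NS = "http://fedramp.gov/ns/oscal"
REQUIRED_ROLES = ("content-approver", "cloud-service-provider")

# Constructed sample: placeholder UUIDs; person-2 has no title, person-3 has no party.
SAMPLE = """<system-security-plan><metadata>
 <role id="content-approver"><title>SSP Approval</title></role>
 <role id="cloud-service-provider"><title>Cloud Service Provider</title></role>
 <party uuid="uuid-of-csp" type="organization"><name>CSP Name</name></party>
 <party uuid="uuid-of-person-1" type="person"><name>Person Name 1</name>
   <prop name="title" ns="http://fedramp.gov/ns/oscal">Chief Executive</prop></party>
 <party uuid="uuid-of-person-2" type="person"><name>Person Name 2</name></party>
 <responsible-party role-id="cloud-service-provider">
   <party-uuid>uuid-of-csp</party-uuid></responsible-party>
 <responsible-party role-id="content-approver">
   <party-uuid>uuid-of-person-1</party-uuid>
   <party-uuid>uuid-of-person-2</party-uuid>
   <party-uuid>uuid-of-person-3</party-uuid></responsible-party>
</metadata></system-security-plan>"""

def resolve_role(xml_text, role_id):
    """Return ([(name, title or None)], [party-uuids with no matching party])."""
    meta = ET.fromstring(xml_text).find("metadata")
    parties = {p.get("uuid"): p for p in meta.findall("party")}
    resolved, dangling = [], []
    for rp in meta.findall("responsible-party"):
        if rp.get("role-id") != role_id:
            continue
        for ref in rp.findall("party-uuid"):
            uuid = (ref.text or "").strip()
            party = parties.get(uuid)
            if party is None:
                dangling.append(uuid)  # reference resolves to no party element
                continue
            title = next((p.text for p in party.findall("prop")
                          if p.get("name") == "title" and p.get("ns") == FEDRAMP_NS), None)
            resolved.append((party.findtext("name"), title))
    return resolved, dangling

def check_approvals(xml_text):
    """List problems: undefined required roles, dangling references, untitled approvers."""
    meta = ET.fromstring(xml_text).find("metadata")
    defined = {r.get("id") for r in meta.findall("role")}
    problems = [f"role not defined: {r}" for r in REQUIRED_ROLES if r not in defined]
    approvers, dangling = resolve_role(xml_text, "content-approver")
    problems += [f"party-uuid has no matching party: {u}" for u in dangling]
    problems += [f"approver has no title prop: {n}" for n, t in approvers if t is None]
    return problems
```
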