
System Security Plan Approvals

Figure: ssp_02_approvals.png

The OSCAL syntax for document approvers is the same in the SSP, SAP, and SAR: approvers are modeled as a role in metadata, with the approving parties linked to that role through a responsible-parties entry. For the SSP, approvers are typically executives within the CSP. For the SAP and SAR, approvers are typically executives within the assessor's organization.

Representation
system-security-plan:
  metadata:
  
    roles:
    - id: content-approver
      title: System Security Plan Approval
      description: The individual or individuals accountable for the accuracy of this SSP.
    - id: cloud-service-provider
      title: Cloud Service Provider
      short-name: CSP

    locations:
    - uuid: 11111111-2222-4000-8000-003000000001
      title: CSP HQ
      address:
        type: work
        addr-lines:
        - Suite 0000
        - 1234 Some Street
        city: Haven
        state: ME
        postal-code: '00000'
        
    parties:
    - uuid: 11111111-2222-4000-8000-004000000001
      type: organization
      name: Cloud Service Provider (CSP) Name
      short-name: CSP Acronym/Short Name
      links:
      - href: '#11111111-2222-4000-8000-001000000052'
        rel: logo
      location-uuids:
      - 11111111-2222-4000-8000-003000000001

    - uuid: 11111111-2222-4000-8000-004000000010
      type: person
      name: '[SAMPLE]Person Name 1'
      props:
      - name: job-title
        value: Individual's Title
      - name: mail-stop
        value: Mailstop A-1
      email-addresses:
      - name@example.com
      telephone-numbers:
      - number: '2020000001'
      location-uuids:
      - 11111111-2222-4000-8000-003000000001
      member-of-organizations:
      - 11111111-2222-4000-8000-004000000001
    - uuid: 11111111-2222-4000-8000-004000000011
      type: person
      name: '[SAMPLE]Person Name 2'
      props:
      - name: job-title
        value: Individual's Title
      email-addresses:
      - name@example.com
      telephone-numbers:
      - number: '2020000002'
      addresses:
      - state: ST
        type: work
        postal-code: '00000'
        addr-lines:
        - Address Line
        country: US
        city: City
      member-of-organizations:
      - 11111111-2222-4000-8000-004000000001

    responsible-parties:
    - role-id: cloud-service-provider
      party-uuids:
      - 11111111-2222-4000-8000-004000000001
    - role-id: content-approver
      party-uuids:
      - 11111111-2222-4000-8000-004000000010
      - 11111111-2222-4000-8000-004000000011


Defined Identifiers
Required Role IDs:

  • content-approver
  • cloud-service-provider
XPath Queries
  • Approver's Name: (/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver']/party-uuid]]/name)[1]

  • Approver's Title: (/*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='content-approver']/party-uuid]]/prop[@name='job-title']/@value)[1]

    NOTE: For each additional approver, replace the "[1]" with "[2]", "[3]", and so on.

  • CSP Name: /*/metadata/party[@uuid=[/*/metadata/responsible-party[@role-id='cloud-service-provider']/party-uuid]]/name

NOTES:

The code above is an SSP example. For SAP and SAR, a similar approach is used for the assessor, using the "assessor" role ID instead of the "cloud-service-provider" role ID.
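The following is an added example, not code from FedRAMP or the OSCAL project. It does in Python what the XPath queries above do: starting from a role id, it follows responsible-parties to party-uuids and then to the party records, returning each approver's name and job-title. Because the role id is a parameter, the same function covers the SAP and SAR case from the note above by passing "assessor" instead of "cloud-service-provider". It also includes the consistency checks a reviewer would want before trusting an approvals block: required roles defined and assigned, and every party-uuid resolvable. The document is the JSON form of the YAML representation above (OSCAL JSON and YAML are equivalent), trimmed to the fields the lookups need; it is a constructed sample embedded inline.

```python
"""Resolve and check document approvers in OSCAL metadata (added example)."""
import json

# Constructed sample: JSON equivalent of the SSP YAML representation on this
# page, reduced to the roles, parties and responsible-parties fields.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "metadata": {
      "roles": [
        {"id": "content-approver", "title": "System Security Plan Approval"},
        {"id": "cloud-service-provider", "title": "Cloud Service Provider", "short-name": "CSP"}
      ],
      "parties": [
        {"uuid": "11111111-2222-4000-8000-004000000001", "type": "organization",
         "name": "Cloud Service Provider (CSP) Name"},
        {"uuid": "11111111-2222-4000-8000-004000000010", "type": "person",
         "name": "[SAMPLE]Person Name 1",
         "props": [{"name": "job-title", "value": "Individual's Title"}]},
        {"uuid": "11111111-2222-4000-8000-004000000011", "type": "person",
         "name": "[SAMPLE]Person Name 2",
         "props": [{"name": "job-title", "value": "Individual's Title"}]}
      ],
      "responsible-parties": [
        {"role-id": "cloud-service-provider",
         "party-uuids": ["11111111-2222-4000-8000-004000000001"]},
        {"role-id": "content-approver",
         "party-uuids": ["11111111-2222-4000-8000-004000000010",
                         "11111111-2222-4000-8000-004000000011"]}
      ]
    }
  }
}
""")

# Role ids this page lists as required for the SSP approvals block.
REQUIRED_ROLE_IDS = {"content-approver", "cloud-service-provider"}


def _metadata(doc):
    """Return the metadata object under the document's root key
    (system-security-plan, assessment-plan or assessment-results)."""
    root = next(iter(doc.values()))
    return root["metadata"]


def prop_value(party, prop_name):
    """Value of the first prop named prop_name on a party, or None."""
    for prop in party.get("props", []):
        if prop.get("name") == prop_name:
            return prop.get("value")
    return None


def parties_for_role(doc, role_id):
    """Python counterpart of the XPath queries: every party assigned to role_id.

    Returns (name, job-title) tuples in document order; job-title is None for
    organizations and for persons without that prop. Raises KeyError when a
    party-uuid does not resolve, since a dangling approver reference is an error.
    """
    md = _metadata(doc)
    by_uuid = {p["uuid"]: p for p in md.get("parties", [])}
    result = []
    for rp in md.get("responsible-parties", []):
        if rp.get("role-id") != role_id:
            continue
        for uuid in rp.get("party-uuids", []):
            party = by_uuid.get(uuid)
            if party is None:
                raise KeyError(f"party-uuid {uuid} for role {role_id} is not defined")
            result.append((party.get("name"), prop_value(party, "job-title")))
    return result


def check_approvals(doc, required=REQUIRED_ROLE_IDS):
    """List the consistency problems in the approvals block (empty list = OK)."""
    md = _metadata(doc)
    problems = []
    defined_roles = {r["id"] for r in md.get("roles", [])}
    assigned_roles = {rp.get("role-id") for rp in md.get("responsible-parties", [])}
    party_uuids = {p["uuid"] for p in md.get("parties", [])}
    for role in sorted(required - defined_roles):
        problems.append(f"required role '{role}' is not defined in metadata/roles")
    for role in sorted(required - assigned_roles):
        problems.append(f"required role '{role}' has no responsible-party entry")
    for role in sorted(assigned_roles - defined_roles):
        problems.append(f"responsible-party uses undefined role-id '{role}'")
    for rp in md.get("responsible-parties", []):
        for uuid in rp.get("party-uuids", []):
            if uuid not in party_uuids:
                problems.append(f"role '{rp.get('role-id')}' references unknown party {uuid}")
    return problems


if __name__ == "__main__":
    for name, title in parties_for_role(SAMPLE_SSP, "content-approver"):
        print(f"approver: {name} ({title})")
    print("CSP:", parties_for_role(SAMPLE_SSP, "cloud-service-provider")[0][0])
    print("problems:", check_approvals(SAMPLE_SSP) or "none")
```

For a SAP or SAR, load the assessment-plan or assessment-results document the same way and call parties_for_role(doc, "assessor") and check_approvals(doc, {"content-approver", "assessor"}); the root key changes but the metadata structure does not.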