SSP Completeness Checks: 7 External Systems and Services Not Having FedRAMP Authorization

[brian-ruf]

This is a ...

fix - something needs to be different

This relates to ...

• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

• Check for presence
• If present, check for required fields

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

• [ ] All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] all constraints associated with the review task have been converted/created
• [ ] automate.fedramp.gov content has been updated accordingly
• [ ] the metaschema help prop has an appropriate link to the constraint
• [ ] the template has an content that models the desired OSCAL presentation
• [ ] the constraint runs against the example template
• [ ] known-bad content has been created
• [ ] the constraint appropriately flags the known-bad content as invalid

Other information

No response

TASKS

• [ ] #907

[brian-ruf]

There are five scenarios that require tracking as part of External Systems and Services Not Having FedRAMP Authorization:

• Scenario 1: A non-authorized service from a FedRAMP leveraged authorization
• Scenario 2: An interconnection between this system and an external system
• Scenario 3: A service from an external system other than the leveraged system
• Scenario 4: A service from this system offered to external systems
• Scenario 5: A CLI that connects to leveraged or external systems

Scenario 1: A non-authorized service from a FedRAMP leveraged authorization

A service from an underlying leveraged system, where the underlying system is FedRAMP-authorized; however, the service is not included in the underlying system's authorization. (The service is not included in the underlying's system's FedRAMP Marketplace details.)

• Create one //component[@type='service'] for each service used
• Unlike the use of services falling under the leveraged system's authorization, the above component must NOT have prop[@name='leveraged-authorization-uuid'].
  • This would incorrectly indicate the service is covered under the authorization. It is not.
• Link the service component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/prop[@name='offered-by-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
  • Need to defer due to incorrect constraint in core OSCAL syntax.
• Include an "implementation-point" property with the value set to "external".
• Provide common external service details

Scenario 2: An interconnection between this system and an external system

FedRAMP-Authorized System connecting to an external system that may or may not be FedRAMP-authorized.

• Create one //component[@type='system'] for each external system
• Create one //component[@type='interconnection'] for each connection between this system and the external system
• Link the interconnection component to the external system using the component UUID of the external system in: //component[@type='service']/prop[@name='connected-to-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
• Link the interconnection component to this system using the component UUID of the this systemin : //component[@type='service']/prop[@name='connected-to-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
• Include an "implementation-point" property with the value set to "external".
• Provide Interconnection Security Agreement details
• Provide remote and local connection details
• Provide common external service details

Scenario 3: A service from an external system other than the leveraged system

FedRAMP-Authorized System using an API or service from an external system:

• Create one //component[@type='system'] for each external system
  • Need to defer due to incorrect constraint in core OSCAL syntax.
• Create one //component[@type='service'] for each service or API used
• Select the asset-type that best describes the function provided by the service or API.
  • Give preference to core OSCAL asset-type values, and only define/use others if none of those fit.
• Link the service component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/prop[@name='offered-by-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
  • Need to defer due to incorrect constraint in core OSCAL syntax.
• Include an "implementation-point" property with the value set to "external".
• Provide remote connection details
• Provide common external service details

Scenario 4: A service from this system offered to external systems

FedRAMP-Authorized System offering an API or service for external systems:

• Create one //component[@type='service'] for each service or API used
• Select the asset-type that best describes the function provided by the service or API.
  • Give preference to core OSCAL asset-type values, and only define/use others if none of those fit.
• Include an "implementation-point" property with the value set to "internal".
• Provide local connection details
• Provide common external service details

Scenario 5: A CLI that connects to leveraged or external systems

FedRAMP-Authorized System using an CLI to manage remote or underlying system:

• Create one //component[@type='system'] for each system where the CLI can effect change
• Create one //component[@type='software'] for each CLI used
• Specify the software component's asset type as "cli"
• Link the software component to the leveraged system using the component UUID of the leveraged system in: //component[@type='service']/prop[@name='offered-by-system-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value
• Include an "implementation-point" property with the value set to "external".
• Provide remote connection details
• Provide common external service details

[brian-ruf]

TARGET:

• //system-implementation/component[((@type=('system', 'service')) and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='software' and ./prop[@name='asset-type' and @value='cli'])]

Data	Location	UnAuth Service from LA	Intercon	External Service	External API	Offered API	Management CLI
#	n/a / Sequential Numbering	n/a	n/a	n/a	n/a	n/a	n/a	n/a
System/Service/API/CLI Name [1]	./title (required field)	Y	Y	Y	Y	Y	Y
Service Processor Name [1]	./responsible-role[@name='provider']/party-uuid		Y	Y	Y		Y
Connection Details (Direction) [1 or 2]	./prop[@name='direction']/@value	Y	Y	Y
Connection Details (Local IPv4 Address) [0+]	./prop[@name='ipv4-address' and @class='local' and @ns='http://fedramp.gov/ns/oscal']/@value		Y			Y
Connection Details (Local IPv6 Address) [0+]	./prop[@name='ipv6-address' and @class='local' and @ns='http://fedramp.gov/ns/oscal']/@value		Y			Y
Connection Details (Local Port) [0+]	./protocol[@name='local']/port-range		Y			Y
Connection Details (Remote IPv4 Address) [0+]	./prop[@name='ipv4-address' and @class='remote' and @ns='http://fedramp.gov/ns/oscal']/@value		Y	Y	Y		?
Connection Details (Remote IP6 Address) [0+]	./prop[@name='ipv6-address' and @class='remote' and @ns='http://fedramp.gov/ns/oscal']/@value		Y	Y	Y		?
Connection Details (Remote Port) [0+]	./protocol[@name='remote']/port-range		Y	Y	Y		?
Connection Details (Non-IP Based) [0 or 1]	./prop[@name='non-ip-based-connection' and @ns='http://fedramp.gov/ns/oscal']/@value		Y
Connection Details (Security) [1]	./prop[@name='' and @ns='http://fedramp.gov/ns/oscal']/@value		Y	Y	Y	Y	Y
Nature of Agreement [1]	./prop[@name='nature-of-agreement' and @ns='http://fedramp.gov/ns/oscal']/@value		Y	Y	Y
Still Supported? [1]	./prop[@name='still-supported' and @ns='http://fedramp.gov/ns/oscal']	Y		Y	Y		Y
Data Types [1+]	./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value	Y	Y	Y	Y	Y	Y
Data Categorization (Confidentiality) [1+]	//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/confidentiality-impact/selected	Y	Y	Y	Y	Y	Y
Data Categorization (Integrity) [1+]	//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/integrity-impact/selected	Y	Y	Y	Y	Y	Y
Data Categorization (Availability) [1+]	//system-characteristics/system-information/information-type[./categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id/text()=./prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']/@value]/availability-impact/selected	Y	Y	Y	Y	Y	Y
Authorized Users [0+]	./responsible-role[@role-id='authorized-users']/party-uuid	Y	Y	Y	Y		Y
User Authentication Method [0 or 1]	./prop[@name='user-authentication' and @ns='http://fedramp.gov/ns/oscal']		Y	Y	Y	Y	Y
Other Compliance Programs [0+]	./prop[@name='compliance-program' and @ns='http://fedramp.gov/ns/oscal']/@value	Y	Y	Y	Y		Y
Description [1] OSCAL	./description (Required)	Y	Y	Y	Y	Y	Y
Hosting Environment [1]	./prop[@name='hosting-environment' and @ns='http://fedramp.gov/ns/oscal']		Y	Y	Y	Y
Risk [0+]	./prop[@name='risk' and @ns='http://fedramp.gov/ns/oscal']/remarks	Y	Y	Y	Y	Y	Y
Impact [0+]	./prop[@name='impact' and @ns='http://fedramp.gov/ns/oscal']/remarks	Y	Y	Y	Y	Y	Y
Mitigation [0+]	./prop[@name='mitigation' and @ns='http://fedramp.gov/ns/oscal']/remarks	Y	Y	Y	Y	Y	Y

[brian-ruf]

STILL WORKING HERE

Constraints Needed:

• Every role defined in //component/responsible-role/@role-id exists in //metadata/role/@id index

• Every party defined in //component/responsible-role/@role-id/party-uuid references a valid party in //metadata/party/@uuid index

• The following scenarios require a "direction" property/extension:

  • unauthorized service in authorized system
  • external service
  • interconnection

• If ./prop[@name='direction' and @ns='http://fedramp.gov/ns/oscal' and @value='incoming']

  • If direction is incoming there must be at least one local ipv4 or ipv6 address.
  • count(./prop[@name=('ipv4-address', 'ipv6-address') and @class='local' and @ns='http://fedramp.gov/ns/oscal']/@value) >=1
  • If direction is incoming there must be at least one local ports entry.
  • count(./protocol[@name='local']/port-range/@start)

• If ./prop[@name='direction' and @ns='http://fedramp.gov/ns/oscal' and @value='outgoing']

  • If direction is outgoing there must be at least one remote ipv4 or ipv6 address.
  • count(./prop[@name=('ipv4-address', 'ipv6-address') and @class='remote' and @ns='http://fedramp.gov/ns/oscal']/@value) >=1
  • If direction is outgoing there must be at least one remote ports entry.
  • count(./protocol[@name='remote']/port-range/@start)

• count(./responsible-role[@name='provider']/party-uuid) = 1: Exactly one provider party

• ./responsible-role[@name='provider']/party-uuid exists in //part index