usnistgov / OSCAL-DEFINE

Develop Enhancements, Future Implementations and New Education

SAMPLE ONLY: Model needed for communicating shared responsibilities without exposing SSP in OSCAL. #1

Closed Compton-US closed 1 year ago

Compton-US commented 1 year ago

Required Information

Title: Customer Responsibility Matrix, and Shared Responsibility Model

Problem Statement

We are interested in the creation of a model that supports the ability to export content from the System Security Plan (SSP) for customers to import/reference in a separate System Security Plan. This responsibility model is used to expose only the appropriate and necessary SSP content to a leveraging system, when the leveraging system owner is not entitled to see the entire SSP of the leveraged system.

Supporting Information

GitHub Project Link - https://github.com/usnistgov/OSCAL/

GitHub Issue # -

Impact - Not sure

Scope - Not sure

Audience - All OSCAL Users

Criticality

Significant - Places burden on operational use, workflow and/or velocity.

Constraints

Requirements

Participants

Compton-US commented 1 year ago

This effort has been reviewed (multiple comments may accompany this step...but this is a sample.). It will be assigned to @Compton-NIST as lead. Effort is expected to begin 2/1/2023.

Compton-US commented 1 year ago

A commit should establish the effort in the repo with a reference to this ticket. Would make an entry here with a link to: https://github.com/usnistgov/OSCAL-Research/tree/prototype-candidate/spirals-example/2022-07-Customer-Responsibility-Model