diff --git a/dist/content/resources/json/FedRAMP_extensions.json b/dist/content/resources/json/FedRAMP_extensions.json
index 879c7d588..f92301136 100644
--- a/dist/content/resources/json/FedRAMP_extensions.json
+++ b/dist/content/resources/json/FedRAMP_extensions.json
@@ -1,2202 +1,1726 @@
 {
 "extensions": {
+ "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
+ "xmlns": "http://csrc.nist.gov/ns/oscal/1.0",
 "uuid": "BA710064-79AC-47D5-8F70-6749B359E7E2",
 "metadata": {
- "title": "[EXPERIMENTAL] FedRAMP Extensions [DRAFT]",
- "published": "2021-07-06T23:07:21Z",
- "last-modified": "2021-07-06T23:07:21Z",
- "version": "fedramp1.0.0-oscal1.0.0",
+ "title": "[EXPERIMENTAL] FedRAMP Extensions",
+ "published": "2021-08-11T23:27:44Z",
+ "last-modified": "2021-08-11T23:27:44Z",
+ "version": "fedramp1.0.2-oscal1.0.0",
 "oscal-version": "oscal-1.0.0",
- "revisions": [
- {
- "published": "2019-06-01T00:00:00.00-04:00",
- "version": "DRAFT-01",
- "props": [
- {
+ "revisions": {
+ "revision": [
+ {
+ "published": "2019-06-01T00:00:00.00-04:00",
+ "version": "DRAFT-01",
+ "prop": {
 "name": "party-uuid",
 "ns": "https://fedramp.gov/ns/oscal",
- "value": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
- }
- ],
- "remarks": "Initial draft."
- },
- {
- "published": "2020-03-03T00:00:00.00-04:00",
- "version": "DRAFT-02",
- "props": [
- {
+ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
+ },
+ "remarks": {"p": "Initial draft."}
+ },
+ {
+ "published": "2020-03-03T00:00:00.00-04:00",
+ "version": "DRAFT-02",
+ "prop": {
 "name": "party-uuid",
 "ns": "https://fedramp.gov/ns/oscal",
- "value": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
- }
- ],
- "remarks": "Partial update to include some SAP, SAR, and POA&M extensions."
- },
- {
- "published": "2021-02-09T00:00:00.00-04:00",
- "version": "DRAFT-03",
- "props": [
- {
+ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
+ },
+ "remarks": {"p": "Partial update to include some SAP, SAR, and POA&M extensions."}
+ },
+ {
+ "published": "2021-02-09T00:00:00.00-04:00",
+ "version": "DRAFT-03",
+ "prop": {
 "name": "party-uuid",
 "ns": "https://fedramp.gov/ns/oscal",
- "value": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
- }
- ],
- "remarks": "Revised draft to better align with OSCAL RC-1 SSP syntax."
- }
- ],
- "roles": [
- {
- "id": "prepared-by",
- "title": "Prepared By",
- "description": "The organization that prepared this content."
- }
- ],
- "parties": [
- {
- "uuid": "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d",
- "type": "organization",
- "name": "Federal Risk and Authorization Management Program: Program Management\n Office",
- "short-name": "FedRAMP PMO",
- "links": [
- {
- "href": "https://fedramp.gov"
- }
- ],
- "email-addresses": [
- "info@fedramp.gov"
- ],
- "addresses": [
- {
- "type": "work",
- "addr-lines": [
- "1800 F St. NW",
- ""
- ],
- "city": "Washington",
- "state": "DC",
- "postal-code": "",
- "country": "US"
- }
+ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
+ },
+ "remarks": {"p": "Revised draft to better align with OSCAL RC-1 SSP syntax."}
+ },
+ {
+ "published": "2021-08-11T23:27:44.00-00:00",
+ "version": "fedramp1.0.2-oscal1.0.0",
+ "prop": {
+ "name": "party-uuid",
+ "ns": "https://fedramp.gov/ns/oscal",
+ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
+ },
+ "remarks": {"p": "Release reviewed for updated release."}
+ }
+ ]
+ },
+ "role": {
+ "id": "prepared-by",
+ "title": "Prepared By",
+ "description": {"p": "The organization that prepared this content."}
+ },
+ "party": {
+ "uuid": "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d",
+ "type": "organization",
+ "name": "Federal Risk and Authorization Management Program: Program Management\n Office",
+ "short-name": "FedRAMP PMO",
+ "link": {"href": "https://fedramp.gov"},
+ "email-address": "info@fedramp.gov",
+ "address": {
+ "type": "work",
+ "addr-line": [
+ "1800 F St. NW",
+ ""
 ],
- "remarks": "This party entry must be present in a FedRAMP SSP.\n\nThe uuid may be different; however, the uuid must be associated with the \\\"fedramp-pmo\\\" role in the responsible-party assemblies."
- }
- ],
- "responsible-parties": {
- "prepared-by": {
- "party-uuids": [
- "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d"
+ "city": "Washington",
+ "state": "DC",
+ "postal-code": "",
+ "country": "US"
+ },
+ "remarks": {
+ "p": [
+ "This party entry must be present in a FedRAMP SSP.",
+ "The uuid may be different; however, the uuid must be associated with the\n \"fedramp-pmo\" role in the responsible-party assemblies."
 ]
 }
 },
- "remarks": "This EXPERIMENTAL and DRAFT file exteneds OSCAL to meet FedRAMP requirements.\n\nIt provides the extensions, defined identifiers, and acceptable values in a machine-readable format necssary to meet FedRAMP Authorization Package requirements."
+ "responsible-party": {
+ "role-id": "prepared-by",
+ "party-uuid": "77e0e2c8-2560-4fe9-ac78-c3ff4ffc9f6d"
+ },
+ "remarks": {
+ "p": [
+ "This EXPERIMENTAL file exteneds OSCAL to meet FedRAMP requirements.",
+ "It provides the extensions, defined identifiers, and acceptable values in a machine-readable format necssary to meet FedRAMP Authorization Package requirements."
+ ]
+ }
 },
- "indexes": [
+ "index": [
 {
 "id": "index-local-party-id",
 "target": "//o:party",
- "key-fields": {
- "target": "@uuid"
- },
- "remarks": "This document only."
+ "key-field": {"target": "@uuid"},
+ "remarks": {"p": "This document only."}
 },
 {
 "id": "index-assessment-layer-party-id",
 "target": "oscal-document-set()/(o:assessment-plan | o:assessment-results)//o:party",
- "key-fields": {
- "target": "@uuid"
- },
- "remarks": "Select documents."
+ "key-field": {"target": "@uuid"},
+ "remarks": {"p": "Select documents."}
 },
 {
 "id": "global-local-party-id",
 "target": "oscal-document-set()//o:party",
- "key-fields": {
- "target": "@uuid"
- },
- "remarks": "Entire stack."
+ "key-field": {"target": "@uuid"},
+ "remarks": {"p": "Entire stack."}
 }
 ],
- "extension-namespace": {
- "ns": "https://fedramp.gov/ns/oscal"
- },
- "extensions": {
- "response-point": {
+ "extension-namespace": {"ns": "https://fedramp.gov/ns/oscal"},
+ "extension": [
+ {
+ "id": "response-point",
 "extension-name": "response-point",
 "formal-name": "Response Point",
 "description": "A property whose presence indicates its parent part is a required point of response for FedRAMP stakeholders.",
- "bindings": [
- {
- "pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"
- },
- {
- "pattern": "/o:profile/o:modify/o:alter/o:add//o:part/o:prop"
- },
- {
- "pattern": "/o:catalog//o:control//o:part/o:prop"
- },
- {
- "pattern": "/o:assessment-plan/o:local-definitions/o:objectives-and-methods//part/o:prop"
- },
- {
- "pattern": "/o:assessment-results/o:local-definitions/o:objectives-and-methods//part/o:prop"
- }
+ "binding": [
+ {"pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"},
+ {"pattern": "/o:profile/o:modify/o:alter/o:add//o:part/o:prop"},
+ {"pattern": "/o:catalog//o:control//o:part/o:prop"},
+ {"pattern": "/o:assessment-plan/o:local-definitions/o:objectives-and-methods//part/o:prop"},
+ {"pattern": "/o:assessment-results/o:local-definitions/o:objectives-and-methods//part/o:prop"}
 ],
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 0,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 },
- "remarks": "This appears in FedRAMP profiles and resolved profile catalogs.\n\nFor control statements, it signals to the CSP which statements require a response in the SSP.\n\nFor control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook."
+ "remarks": {
+ "p": [
+ "This appears in FedRAMP profiles and resolved profile catalogs.",
+ "For control statements, it signals to the CSP which statements require a response in the SSP.",
+ "For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook."
+ ]
+ }
 },
- "revision-history-party-uuid": {
+ {
+ "id": "revision-history-party-uuid",
 "extension-name": "party-uuid",
 "formal-name": "Party Identifier",
 "description": "Identifies the party who authored this revision.",
- "bindings": [
- {
- "pattern": "/*/o:metadata/o:revisions/o:revision/o:prop"
- }
- ],
+ "binding": {"pattern": "/*/o:metadata/o:revisions/o:revision/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "uuid"
- }
- ],
+ "matches": {"data-type": "uuid"},
 "has-cardinality": {
 "min-occurs": 0,
 "max-occurs": "unbounded"
 },
- "index-has-keys": [
- {
- "name": "index-local-party-uuid",
- "target": "o:prop[@name='party-uuid']",
- "key-fields": {
- "target": "."
- },
- "remarks": "On the revision element in the revision history, the party-uuid extension must match the UUID of an existing party in the metadata."
- }
- ]
+ "index-has-key": {
+ "name": "index-local-party-uuid",
+ "target": "o:prop[@name='party-uuid']",
+ "key-field": {"target": "."},
+ "remarks": {"p": "On the revision element in the revision history, the party-uuid extension must match the UUID of an existing party in the metadata."}
+ }
 }
 },
- "iso-iec-17020-identifier": {
+ {
+ "id": "iso-iec-17020-identifier",
 "extension-name": "iso-iec-17020-identifier",
 "formal-name": "ISO/IEC 17020 Identifier",
 "description": "The ISO/IEC-17020 identifier assigned to the assessor related to their status as an A2LA Accredidted Third Party Assessment Organization.",
- "bindings": [
- {
- "pattern": "/o:assessment-plan/o:metadata/o:party/o:prop"
- },
- {
- "pattern": "/o:assessment-results/o:metadata/o:party/o:prop"
- }
+ "binding": [
+ {"pattern": "/o:assessment-plan/o:metadata/o:party/o:prop"},
+ {"pattern": "/o:assessment-results/o:metadata/o:party/o:prop"}
 ],
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 0,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 }
 },
- "CORE": {
+ {
+ "id": "CORE",
 "extension-name": "CORE",
 "formal-name": "Core Control",
 "description": "Identifies a control that must be included in every FedRAMP assessment.",
- "bindings": [
- {
- "pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"
- },
- {
- "pattern": "/o:profile/o:modify/o:alter/o:add//o:control/o:prop"
- },
- {
- "pattern": "/o:catalog//o:control/o:prop"
- }
+ "binding": [
+ {"pattern": "/o:profile/o:modify/o:alter/o:add/o:prop"},
+ {"pattern": "/o:profile/o:modify/o:alter/o:add//o:control/o:prop"},
+ {"pattern": "/o:catalog//o:control/o:prop"}
 ],
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 0,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 },
- "remarks": "Core controls must be assessed every year, and are often subject to additional scrutiny by assessors and 
adjudication reviewers."
+ "remarks": {"p": "Core controls must be assessed every year, and are often subject to additional scrutiny by assessors and adjudication reviewers."}
 },
- "security-cia-level": {
+ {
+ "id": "security-cia-level",
 "extension-name": "security-eauth-level",
 "formal-name": "eAuth Level (OVERALL)",
 "description": "The overall electronic authentication (eAuth) level applied to the system.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:prop"
- },
- {
- "pattern": "system-characteristics/o:prop[@name='authenticator-assurance-level']"
- },
- {
- "pattern": "system-characteristics/o:prop[@name='federation-assurance-level']"
- },
- {
- "pattern": "system-characteristics/o:prop[@name='identity-assurance-level']"
- }
+ "binding": [
+ {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"},
+ {"pattern": "system-characteristics/o:prop[@name='authenticator-assurance-level']"},
+ {"pattern": "system-characteristics/o:prop[@name='federation-assurance-level']"},
+ {"pattern": "system-characteristics/o:prop[@name='identity-assurance-level']"}
 ],
 "constraint": {
- "matches": [
- {
- "data-type": "integer"
- }
- ],
+ "matches": {"data-type": "integer"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "1",
- "label": "Level 1 (Low)",
- "RICHTEXT": "The overall eAuth Level is defined as Level 1 (Low)."
- },
- {
- "value": "2",
- "label": "Level 2 (Moderate)",
- "RICHTEXT": "The overall eAuth Level is defined as Level 2 (Moderate)."
- },
- {
- "value": "3",
- "label": "Level 3 (High)",
- "RICHTEXT": "The overall eAuth Level is defined as Level 3 (High)."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": 1,
+ "label": "Level 1 (Low)",
+ "#text": "The overall eAuth Level is defined as Level 1 (Low)."
+ },
+ {
+ "value": 2,
+ "label": "Level 2 (Moderate)",
+ "#text": "The overall eAuth Level is defined as Level 2 (Moderate)."
+ },
+ {
+ "value": 3,
+ "label": "Level 3 (High)",
+ "#text": "The overall eAuth Level is defined as Level 3 (High)."
+ }
+ ]
+ }
 },
- "remarks": "FedRAMP requires all Low systems to be at Level 1"
+ "remarks": {"p": "FedRAMP requires all Low systems to be at Level 1"}
 },
- "authorization-type": {
+ {
+ "id": "authorization-type",
 "extension-name": "authorization-type",
 "formal-name": "Authorization Type",
 "description": "Identifies the FedRAMP authorization type.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "fedramp-jab",
- "label": "JAB P-ATO",
- "RICHTEXT": "A FedRAMP Joint Authorization Board (JAB) Provisional-Authorization to Operate (P-ATO)."
- },
- {
- "value": "fedramp-agency",
- "label": "Agency ATO",
- "RICHTEXT": "A FedRAMP Agency Authorization to Operate (ATO)."
- },
- {
- "value": "fedramp-li-saas",
- "label": "Tailored (LI-SaaS) ATO",
- "RICHTEXT": "A FedRAMP Tailored authorization to operate (ATO) for low impact Software as a Service (LI-SaaS) systems."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "fedramp-jab",
+ "label": "JAB P-ATO",
+ "#text": "A FedRAMP Joint Authorization Board (JAB) Provisional-Authorization to Operate (P-ATO)."
+ },
+ {
+ "value": "fedramp-agency",
+ "label": "Agency ATO",
+ "#text": "A FedRAMP Agency Authorization to Operate (ATO)."
+ },
+ {
+ "value": "fedramp-li-saas",
+ "label": "Tailored (LI-SaaS) ATO",
+ "#text": "A FedRAMP Tailored authorization to operate (ATO) for low impact Software as a Service (LI-SaaS) systems."
+ }
+ ]
+ }
 }
 },
- "users-internal": {
+ {
+ "id": "users-internal",
 "extension-name": "users-internal",
 "formal-name": "Internal Users",
 "description": "The current number of users internal to the organization.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-implementation/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "integer"
- }
- ],
+ "matches": {"data-type": "integer"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 }
 },
- "users-external": {
+ {
+ "id": "users-external",
 "extension-name": "users-external",
 "formal-name": "External Users",
 "description": "The current number of users external to the organization.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "integer"
- }
- ],
+ "matches": {"data-type": "integer"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 }
 },
- "users-internal-future": {
+ {
+ "id": "users-internal-future",
 "extension-name": "users-internal-future",
 "formal-name": "Future Internal Users",
 "description": "The anticipated number of users internal to the organization in one year.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "integer"
- }
- ],
+ "matches": {"data-type": "integer"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 }
 },
- "users-external-future": 
{
+ {
+ "id": "users-external-future",
 "extension-name": "users-external-future",
 "formal-name": "Future External Users",
 "description": "The anticipated number of users external to the organization in one year.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "integer"
- }
- ],
+ "matches": {"data-type": "integer"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 }
 }
 },
- "privacy-designation": {
+ {
+ "id": "privacy-designation",
 "extension-name": "privacy-designation",
 "formal-name": "Privacy Designation",
 "description": "Indicates whether this system is privacy sensitive.",
- "bindings": [
- {
- "pattern": "system-information/o:prop[@name='privacy-sensitive']"
- }
- ],
+ "binding": {"pattern": "system-information/o:prop[@name='privacy-sensitive']"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 0,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "yes",
- "label": "Yes",
- "RICHTEXT": "Privacy Sensitive"
- },
- {
- "value": "no",
- "label": "No",
- "RICHTEXT": "Not Privacy Sensitive"
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "yes",
+ "label": "Yes",
+ "#text": "Privacy Sensitive"
+ },
+ {
+ "value": "no",
+ "label": "No",
+ "#text": "Not Privacy Sensitive"
+ }
+ ]
+ }
 }
 },
- "privacy-threshold-analysis-q1": {
+ {
+ "id": "privacy-threshold-analysis-q1",
 "extension-name": "privacy-threshold-analysis-q1",
 "formal-name": "Privacy Threshold Analysis Q1",
 "description": "Does the ISA collect, maintain, or share PII in any identifiable form?",
- "bindings": [
- {
- "pattern": 
"/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "yes",
- "label": "Yes",
- "RICHTEXT": "Yes, the ISA collects, maintains, or shares some form of PII."
- },
- {
- "value": "no",
- "label": "No",
- "RICHTEXT": "No, the ISA does not collect, maintain, or share PII in any form."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "yes",
+ "label": "Yes",
+ "#text": "Yes, the ISA collects, maintains, or shares some form of PII."
+ },
+ {
+ "value": "no",
+ "label": "No",
+ "#text": "No, the ISA does not collect, maintain, or share PII in any form."
+ }
+ ]
+ }
 }
 },
- "privacy-threshold-analysis-q2": {
+ {
+ "id": "privacy-threshold-analysis-q2",
 "extension-name": "privacy-threshold-analysis-q2",
 "formal-name": "Privacy Threshold Analysis Q2",
 "description": "Does the ISA collect, maintain, or share PII from or about the public?",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "yes",
- "label": "Yes",
- "RICHTEXT": "Yes, the ISA collects, maintains, or shares PII from or about the public."
- },
- {
- "value": "no",
- "label": "No",
- "RICHTEXT": "No, the ISA does not collect, maintain, or share PII from or about the public."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "yes",
+ "label": "Yes",
+ "#text": "Yes, the ISA collects, maintains, or shares PII from or about the public."
+ },
+ {
+ "value": "no",
+ "label": "No",
+ "#text": "No, the ISA does not collect, maintain, or share PII from or about the public."
+ }
+ ]
+ }
 }
 },
- "privacy-threshold-analysis-q3": {
+ {
+ "id": "privacy-threshold-analysis-q3",
 "extension-name": "privacy-threshold-analysis-q3",
 "formal-name": "Privacy Threshold Analysis Q3",
 "description": "Has a Privacy Impact Assessment (PIA) ever been performed for the ISA?",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "yes",
- "label": "Yes",
- "RICHTEXT": "Yes, a PIA has been performed."
- },
- {
- "value": "no",
- "label": "No",
- "RICHTEXT": "No, a PIA has not been performed.."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "yes",
+ "label": "Yes",
+ "#text": "Yes, a PIA has been performed."
+ },
+ {
+ "value": "no",
+ "label": "No",
+ "#text": "No, a PIA has not been performed.."
+ }
+ ]
+ }
 }
 },
- "privacy-threshold-analysis-q4": {
+ {
+ "id": "privacy-threshold-analysis-q4",
 "extension-name": "privacy-threshold-analysis-q4",
 "formal-name": "Privacy Threshold Analysis Q4",
 "description": "Is there a Privacy Act System of Records Notice (SORN) for this ISA system?",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "yes",
- "label": "Yes",
- "RICHTEXT": "Yes, there is a SORN ID for this system."
- },
- {
- "value": "no",
- "label": "No",
- "RICHTEXT": "No, there is not a SORN ID for this system."
- }
- ]
- }
- ]
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "yes",
+ "label": "Yes",
+ "#text": "Yes, there is a SORN ID for this system."
+ },
+ {
+ "value": "no",
+ "label": "No",
+ "#text": "No, there is not a SORN ID for this system."
+ }
+ ]
+ }
 }
 },
- "sorn-id": {
+ {
+ "id": "sorn-id",
 "extension-name": "sorn-id",
 "formal-name": "SORN ID",
 "description": "An assigned System of Records Notice (SORN) identifier for this system.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 0,
- "max-occurs": "1"
+ "max-occurs": 1
 },
- "expects": [
- {
- "test": ".[@name='pta-4'][@ns='https://fedramp.gov/ns/oscal']/@value='yes' and .[@name='sorn-id'][@ns='https://fedramp.gov/ns/oscal']"
- }
- ]
+ "expect": {"test": ".[@name='pta-4'][@ns='https://fedramp.gov/ns/oscal']/@value='yes' and .[@name='sorn-id'][@ns='https://fedramp.gov/ns/oscal']"}
 }
 },
- "user-sensitivity-level": {
+ {
+ "id": "user-sensitivity-level",
 "extension-name": "sensitivity",
 "formal-name": "User Sensitivity Level",
 "description": "Defines the sensitivity level of the identified user type.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-implementation/o:user/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:user/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
+ "matches": {"data-type": "token"},
 "has-cardinality": {
 "min-occurs": 1,
 "max-occurs": "unbounded"
 },
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "high-risk",
- "label": "High Risk",
- "RICHTEXT": "Misuse of the user's access could result in grave damage to the public's trust."
- },
- {
- "value": "severe",
- "label": "Severe",
- "RICHTEXT": "Misuse of the user's access could result in a substantial degree of harm or serious damage to the public\u2019s trust."
- },
- {
- "value": "moderate",
- "label": "Moderate",
- "RICHTEXT": "Misuse of the user's access could result in a fair amount of harm or serious damage to the public\u2019s trust."
- },
- {
- "value": "limited",
- "label": "Limited",
- "RICHTEXT": "Misuse of the user's access could result in some harm or discernible damage to the public\u2019s trust."
- },
- {
- "value": "not-applicable",
- "label": "Not Applicable",
- "RICHTEXT": "The user does not have access to the system."
- }
- ]
- }
- ]
- },
- "remarks": "Values are as required by FedRMAP for packages based on NIST 800-53, Revision 4.\n\nAuthoritative source: [OPM Position Designation (Page 18)](#871713A8-5A27-4AC3-8B94-972588469C6B)."
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "high-risk",
+ "label": "High Risk",
+ "#text": "Misuse of the user's access could result in grave damage to the public's trust."
+ },
+ {
+ "value": "severe",
+ "label": "Severe",
+ "#text": "Misuse of the user's access could result in a substantial degree of harm or serious damage to the public\u2019s trust."
+ },
+ {
+ "value": "moderate",
+ "label": "Moderate",
+ "#text": "Misuse of the user's access could result in a fair amount of harm or serious damage to the public\u2019s trust."
+ },
+ {
+ "value": "limited",
+ "label": "Limited",
+ "#text": "Misuse of the user's access could result in some harm or discernible damage to the public\u2019s trust."
+ },
+ {
+ "value": "not-applicable",
+ "label": "Not Applicable",
+ "#text": "The user does not have access to the system."
+ }
+ ]
+ }
+ },
+ "remarks": {
+ "p": [
+ "Values are as required by FedRMAP for packages based on NIST 800-53, Revision 4.",
+ {
+ "#text": "Authoritative source: ",
+ "a": {
+ "href": "#871713A8-5A27-4AC3-8B94-972588469C6B",
+ "#text": "OPM Position Designation (Page 18)"
+ },
+ "#text1": "."
+ }
+ ]
+ }
 },
- "service-processor": {
+ {
+ "id": "service-processor",
 "extension-name": "service-processor",
 "formal-name": "Service Processor",
 "description": "Name of the interconnection service processor.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 1,
 "max-occurs": "unbounded"
 }
 }
 },
- "information": {
+ {
+ "id": "information",
 "extension-name": "information",
 "formal-name": "Transmitted Information",
 "description": "Describes the information transmitted over the interconnection.",
- "bindings": [
- {
- "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"
- }
- ],
+ "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"},
 "constraint": {
- "matches": [
- {
- "data-type": "string"
- }
- ],
+ "matches": {"data-type": "string"},
 "has-cardinality": {
 "min-occurs": 1,
 "max-occurs": "unbounded"
 }
 }
 },
- "asset-type": {
+ {
+ "id": "asset-type",
 "extension-name": "asset-type",
 "formal-name": "Asset Type",
 "description": "Identifies the type of asset.",
- "bindings": [
- {
- "pattern": "component/o:prop[@name='asset-type']"
- },
- {
- "pattern": "o:inventory-item/o:prop[@name='asset-type']"
- }
+ "binding": [
+ {"pattern": "component/o:prop[@name='asset-type']"},
+ {"pattern": "o:inventory-item/o:prop[@name='asset-type']"}
 ],
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
- "allowed-values": [
- {
- "allow-other": "yes",
- "enums": [
- {
- "value": "os",
- "RICHTEXT": "Operating System"
- },
- {
- "value": "database",
- "RICHTEXT": "Database"
- },
- {
- "value": "web-server",
- 
"RICHTEXT": "Service"
- },
- {
- "value": "dns-server",
- "RICHTEXT": "Policy"
- },
- {
- "value": "email-server",
- "RICHTEXT": "Process"
- },
- {
- "value": "directory-server",
- "RICHTEXT": "Procedure"
- },
- {
- "value": "pbx",
- "RICHTEXT": "Private Branch Exchange"
- },
- {
- "value": "firewall",
- "RICHTEXT": "Firewall"
- },
- {
- "value": "router",
- "RICHTEXT": "Router"
- },
- {
- "value": "switch",
- "RICHTEXT": "Switch"
- },
- {
- "value": "storage-array",
- "RICHTEXT": "Storage Array"
- }
- ]
- }
- ]
+ "matches": {"data-type": "token"},
+ "allowed-values": {
+ "allow-other": "yes",
+ "enum": [
+ {
+ "value": "os",
+ "short-label": "OS",
+ "#text": "Operating System"
+ },
+ {
+ "value": "database",
+ "short-label": "DB",
+ "#text": "Database"
+ },
+ {
+ "value": "web-server",
+ "short-label": "Web",
+ "#text": "Service"
+ },
+ {
+ "value": "dns-server",
+ "short-label": "DNS",
+ "#text": "Policy"
+ },
+ {
+ "value": "email-server",
+ "short-label": "eMail",
+ "#text": "Process"
+ },
+ {
+ "value": "directory-server",
+ "short-label": "LDAP",
+ "#text": "Procedure"
+ },
+ {
+ "value": "pbx",
+ "short-label": "PBX",
+ "#text": "Private Branch Exchange"
+ },
+ {
+ "value": "firewall",
+ "short-label": "FW",
+ "#text": "Firewall"
+ },
+ {
+ "value": "router",
+ "short-label": "Rtr",
+ "#text": "Router"
+ },
+ {
+ "value": "switch",
+ "short-label": "Swtch",
+ "#text": "Switch"
+ },
+ {
+ "value": "storage-array",
+ "short-label": "Store",
+ "#text": "Storage Array"
+ }
+ ]
+ }
 }
 },
- "interconnection-direction": {
+ {
+ "id": "interconnection-direction",
 "extension-name": "interconnection-direction",
 "formal-name": "Interconnection Direction",
 "description": "Identifies the direction of information flow for the interconnection.",
- "bindings": [
- {
- "pattern": "o:component[@component-type='interconnection']/o:prop[@name='direction'][@ns='https://fedramp.gov/ns/oscal']"
- }
- ],
+ "binding": {"pattern": 
"o:component[@component-type='interconnection']/o:prop[@name='direction'][@ns='https://fedramp.gov/ns/oscal']"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "incoming",
- "RICHTEXT": "Incoming"
- },
- {
- "value": "outgoing",
- "RICHTEXT": "Outgoing"
- },
- {
- "value": "incoming-outgoing",
- "RICHTEXT": "Bi-Directional"
- }
- ]
- }
- ]
+ "matches": {"data-type": "token"},
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "incoming",
+ "short-label": "In",
+ "#text": "Incoming"
+ },
+ {
+ "value": "outgoing",
+ "short-label": "Out",
+ "#text": "Outgoing"
+ },
+ {
+ "value": "incoming-outgoing",
+ "short-label": "In/Out",
+ "#text": "Bi-Directional"
+ }
+ ]
+ }
 }
 },
- "interconnection-security": {
+ {
+ "id": "interconnection-security",
 "extension-name": "interconnection-security",
 "formal-name": "Interconnection Security",
 "description": "Identifies the type of security applied to the interconnection.",
- "bindings": [
- {
- "pattern": "o:component[@component-type='interconnection']/o:prop[@name='connection-security'][@ns='https://fedramp.gov/ns/oscal']/@value"
- }
- ],
+ "binding": {"pattern": "o:component[@component-type='interconnection']/o:prop[@name='connection-security'][@ns='https://fedramp.gov/ns/oscal']/@value"},
 "constraint": {
- "matches": [
- {
- "data-type": "token"
- }
- ],
- "allowed-values": [
- {
- "allow-other": "no",
- "enums": [
- {
- "value": "ipsec",
- "RICHTEXT": "IPsec"
- },
- {
- "value": "vpn",
- "RICHTEXT": "Virtual Private Network"
- },
- {
- "value": "ssl",
- "RICHTEXT": "Secure Socket Layer"
- },
- {
- "value": "certificate",
- "RICHTEXT": "Certificate"
- },
- {
- "value": "secure-file-transfer",
- "RICHTEXT": "Secure File Transfer"
- },
- {
- "value": "other",
- "RICHTEXT": "Other"
- }
- ]
- }
- ]
+ "matches": {"data-type": "token"},
+ "allowed-values": {
+ "allow-other": "no",
+ "enum": [
+ {
+ "value": "ipsec",
+ 
"short-label": "IPsec", + "#text": "IPsec" + }, + { + "value": "vpn", + "short-label": "VPN", + "#text": "Virtual Private Network" + }, + { + "value": "ssl", + "short-label": "SSL", + "#text": "Secure Socket Layer" + }, + { + "value": "certificate", + "short-label": "Cert", + "#text": "Certificate" + }, + { + "value": "secure-file-transfer", + "short-label": "SFT", + "#text": "Secure File Transfer" + }, + { + "value": "other", + "short-label": "Other", + "#text": "Other" + } + ] + } } }, - "port": { + { + "id": "port", "extension-name": "port", "formal-name": "Interconnection Port", "description": "A port used by the interconnection for the communication.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop" - } - ], + "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" }, - "expects": [ - { - "test": ".[@class]" - } - ] + "expect": {"test": ".[@class]"} } }, - "transport-type": { + { + "id": "transport-type", "extension-name": "transport-type", "formal-name": "Transport Type", "description": "The internet protocol transport type.", - "bindings": [ - { - "pattern": "o:component[@component-type='service']/o:protocol/o:port-range/@transport" - } - ], + "binding": {"pattern": "o:component[@component-type='service']/o:protocol/o:port-range/@transport"}, "constraint": { - "matches": [ - { - "data-type": "token" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "TCP", - "RICHTEXT": "TCP" - }, - { - "value": "UDP", - "RICHTEXT": "UDP" - } - ] - } - ] + "matches": {"data-type": "token"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "tcp", + "short-label": "TCP", + "#text": "TCP" + }, + { + "value": "udp", 
+ "short-label": "UDP", + "#text": "UDP" + } + ] + } } }, - "inventory-item-state": { + { + "id": "inventory-item-state", "extension-name": "inventory-item-state", "formal-name": "Different states of inventory items: public, private, et cetera.", "description": "Indicates if the asset is virtual.", - "bindings": [ - { - "pattern": "o:inventory-item/o:prop[@name='virtual']" - }, - { - "pattern": "o:component/o:prop[@name='virtual']" - }, - { - "pattern": "o:inventory-item/o:prop[@name='public']" - }, - { - "pattern": "component/o:prop[@name='public']" - }, - { - "pattern": "o:inventory-item/o:prop[@name='allows-authenticated-scan']/@value" - }, - { - "pattern": "o:component/o:prop[@name='allows-authenticated-scan']/@value" - }, - { - "pattern": "o:inventory-item/o:prop[@name='is-scanned']/@value" - }, - { - "pattern": "o:component/o:prop[@name='is-scanned']/@value" - } + "binding": [ + {"pattern": "o:inventory-item/o:prop[@name='virtual']"}, + {"pattern": "o:component/o:prop[@name='virtual']"}, + {"pattern": "o:inventory-item/o:prop[@name='public']"}, + {"pattern": "component/o:prop[@name='public']"}, + {"pattern": "o:inventory-item/o:prop[@name='allows-authenticated-scan']/@value"}, + {"pattern": "o:component/o:prop[@name='allows-authenticated-scan']/@value"}, + {"pattern": "o:inventory-item/o:prop[@name='is-scanned']/@value"}, + {"pattern": "o:component/o:prop[@name='is-scanned']/@value"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "yes", - "RICHTEXT": "Yes" - }, - { - "value": "no", - "RICHTEXT": "No" - } - ] - } - ] + "matches": {"data-type": "token"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "yes", + "short-label": "Y", + "#text": "Yes" + }, + { + "value": "no", + "short-label": "N", + "#text": "No" + } + ] + } } }, - "circuit": { + { + "id": "circuit", "extension-name": "circuit", "formal-name": "Service Processor", 
"description": "A circuit used for the communication.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop" - } - ], + "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, - "connection-security": { + { + "id": "connection-security", "extension-name": "connection-security", "formal-name": "Connection Security", "description": "Identifies the mechanisms/protocol(s) used to secure the communication.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop" - } - ], + "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='interconnection']/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "ipsec", - "label": "IPsec", - "RICHTEXT": "IPsec" - }, - { - "value": "vpn", - "label": "VPN", - "RICHTEXT": "Virtual Private Network" - }, - { - "value": "ssl", - "label": "SSL", - "RICHTEXT": "Secure Socket Layer" - }, - { - "value": "certificate", - "label": "Cert", - "RICHTEXT": "Certificate" - }, - { - "value": "secure-file-transfer", - "label": "SFT", - "RICHTEXT": "Secure File Transfer" - }, - { - "value": "other", - "label": "Other", - "RICHTEXT": "Other" - } - ] - } - ] + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "ipsec", + "label": "IPsec", + "#text": "IPsec" + }, + { + "value": "vpn", + "label": "VPN", + "#text": "Virtual Private Network" + }, + { + "value": "ssl", + "label": "SSL", + "#text": "Secure Socket Layer" + }, + { 
+ "value": "certificate", + "label": "Cert", + "#text": "Certificate" + }, + { + "value": "secure-file-transfer", + "label": "SFT", + "#text": "Secure File Transfer" + }, + { + "value": "other", + "label": "Other", + "#text": "Other" + } + ] + } } }, - "service-used-by": { + { + "id": "service-used-by", "extension-name": "used-by", "formal-name": "Service Used By", "description": "Identifies what uses the service.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='service']/o:prop" - } - ], + "binding": {"pattern": "/o:system-security-plan/o:system-implementation/o:component[@type='service']/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" } } }, - "scan-type": { + { + "id": "scan-type", "extension-name": "scan-type", "formal-name": "Scan Type", "description": "Identifies the type(s) of scans to be performed on this inventory-item or component.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-implementation/o:component/o:prop" - }, - { - "pattern": "/o:system-security-plan/o:system-implementation/o:system-inventory/o:o:inventory-item/o:prop" - }, - { - "pattern": "/o:assessment-plan/o:local-definitions/o:component/o:prop" - }, - { - "pattern": "/o:assessment-plan/o:local-definitions/o:o:inventory-item/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definitions/o:component/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definitions/o:o:inventory-item/o:prop" - } + "binding": [ + {"pattern": "/o:system-security-plan/o:system-implementation/o:component/o:prop"}, + {"pattern": "/o:system-security-plan/o:system-implementation/o:system-inventory/o:o:inventory-item/o:prop"}, + {"pattern": "/o:assessment-plan/o:local-definitions/o:component/o:prop"}, + {"pattern": 
"/o:assessment-plan/o:local-definitions/o:o:inventory-item/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definitions/o:component/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definitions/o:o:inventory-item/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "infrastructure", - "label": "Infrastructure", - "RICHTEXT": "The component or inventory item is included in operating system (OS) and/or infrastructure scans." - }, - { - "value": "database", - "label": "Database", - "RICHTEXT": "The component or inventory item is included in Database scans." - }, - { - "value": "web", - "label": "Web", - "RICHTEXT": "The component or inventory item is included in Web interface/application scans." - }, - { - "value": "other", - "label": "Other", - "RICHTEXT": "The component or inventory item is included in non-typical scans." - } - ] - } - ] + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "infrastructure", + "label": "Infrastructure", + "#text": "The component or inventory item is included in operating system (OS) and/or infrastructure scans." + }, + { + "value": "database", + "label": "Database", + "#text": "The component or inventory item is included in Database scans." + }, + { + "value": "web", + "label": "Web", + "#text": "The component or inventory item is included in Web interface/application scans." + }, + { + "value": "other", + "label": "Other", + "#text": "The component or inventory item is included in non-typical scans." + } + ] + } } }, - "planned-completion-date": { + { + "id": "planned-completion-date", "extension-name": "planned-completion-date", "formal-name": "Planned Completion Date", "description": "Provides the date the control expects to be implemented. 
Must be present when Implementation Status is \"Planned\"", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:prop" - } - ], + "binding": {"pattern": "/o:system-security-plan/o:control-implementation/o:implemented-requirement/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "date" - } - ], + "matches": {"data-type": "date"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "authorization-recommendation": { + { + "id": "authorization-recommendation", "extension-name": "authorization-recommendation", "formal-name": "Authorization Recommendation", "description": "Indicates whether the assessor recommends the system be authorized by the authorizing official.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:results/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-results/o:results/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "yes", - "label": "Yes", - "RICHTEXT": "Yes, the assessor recommends the system for authorization." - }, - { - "value": "no", - "label": "No", - "RICHTEXT": "No, the assessor does not recommend the system for authorization." - } - ] - } - ] - } - }, - "title-short": { - "extension-name": "title-short", - "formal-name": "Short Title", - "description": "The short name for the system represented in the resource.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "yes", + "label": "Yes", + "#text": "Yes, the assessor recommends the system for authorization." 
+ }, + { + "value": "no", + "label": "No", + "#text": "No, the assessor does not recommend the system for authorization." + } + ] } + } + }, + { + "id": "title-short", + "extension-name": "title-short", + "formal-name": "Short Title", + "description": "The short name for the system represented in the resource.", + "binding": [ + {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "system-id": { + { + "id": "system-id", "extension-name": "system-id", "formal-name": "System Identifier", "description": "The FedRAMP-assigned identifier for this system.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "import-profile": { + { + "id": "import-profile", "extension-name": "import-profile", "formal-name": "Profile", "description": "The baseline/profile for this sysytem based on its FIPS-199 categorization.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "uri" - 
} - ], + "matches": {"data-type": "uri"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "authorization-date": { + { + "id": "authorization-date", "extension-name": "authorization-date", "formal-name": "Authorization Date", "description": "The date the system was authorized. Omit or leave blank for an initial authorization.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "date" - } - ], + "matches": {"data-type": "date"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "purpose": { + { + "id": "purpose", "extension-name": "purpose", "formal-name": "Purpose", "description": "Explains the system's purpose.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "description": { + { + "id": "description", "extension-name": "description", "formal-name": "Description", "description": "A brief description of the system.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop" - } + "binding": [ + {"pattern": 
"/o:assessment-plan/o:back-matter/o:resource/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:back-matter/o:resource/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "sampling": { + { + "id": "sampling", "extension-name": "sampling", "formal-name": "Sampling", "description": "Indicates whether a sampling methodology was used instead of assessing the entire system.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:assessment-subject/o:prop" - }, - { - "pattern": "/o:assessment-results/o:results/o:assessment-subject/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan/o:assessment-subject/o:prop"}, + {"pattern": "/o:assessment-results/o:results/o:assessment-subject/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "yes", - "label": "Yes", - "RICHTEXT": "Yes, a sampling methodology was used." - }, - { - "value": "no", - "label": "No", - "RICHTEXT": "No, a sampling methodology was not used." - } - ] - } - ] - } - }, - "POAM-ID": { - "extension-name": "POAM-ID", - "formal-name": "POA&M ID", - "description": "A CSP-assigned POA&M identifier.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:poam-item/o:prop" - } - ], - "constraint": { - "matches": [ - { - "data-type": "string" - } - ], - "has-cardinality": { - "min-occurs": 0, - "max-occurs": "1" + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "yes", + "label": "Yes", + "#text": "Yes, a sampling methodology was used." + }, + { + "value": "no", + "label": "No", + "#text": "No, a sampling methodology was not used." 
+ } + ] } } }, - "control-objective-implementation-status": { + { + "id": "control-objective-implementation-status", "extension-name": "control-objective-implementation-status", "formal-name": "Objective Implementation Status", "description": "Indicates the implementation status of the control objective.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:results/o:finding/o:objective-status/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-results/o:results/o:finding/o:objective-status/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "implemented", - "label": "Implemented", - "RICHTEXT": "The assessor finds sufficient evidence to agree the control objective is fully implemented." - }, - { - "value": "partial", - "label": "Partial", - "RICHTEXT": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." - }, - { - "value": "planned", - "label": "Planned", - "RICHTEXT": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implemnting it." - }, - { - "value": "alternative", - "label": "Alternative Implementation", - "RICHTEXT": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." - }, - { - "value": "not-applicable", - "label": "Not Applicable (N/A)", - "RICHTEXT": "The assessor finds this control objective does not apply to this system." - } - ] - } - ] + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "implemented", + "label": "Implemented", + "#text": "The assessor finds sufficient evidence to agree the control objective is fully implemented." 
+ }, + { + "value": "partial", + "label": "Partial", + "#text": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." + }, + { + "value": "planned", + "label": "Planned", + "#text": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implemnting it." + }, + { + "value": "alternative", + "label": "Alternative Implementation", + "#text": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." + }, + { + "value": "not-applicable", + "label": "Not Applicable (N/A)", + "#text": "The assessor finds this control objective does not apply to this system." + } + ] + } } }, - "control-implementation-status": { + { + "id": "control-implementation-status", "extension-name": "implementation-status", "formal-name": "Control Implementation Status", "description": "Indicates the implementation status of the control.", - "bindings": [ - { - "pattern": "o:implemented-requirement/o:prop[@name='implementation-status']/@value" - } - ], + "binding": {"pattern": "o:implemented-requirement/o:prop[@name='implementation-status']/@value"}, "constraint": { "has-cardinality": { "min-occurs": 1, "max-occurs": "unbounded" }, - "remarks": "When an prop is defined as an extension, a separate constraint assembly is needed to specify datatype and allowed values on the `@value` flag." + "remarks": { + "p": { + "#text": "When an prop is defined as an extension, a separate constraint assembly is needed to specify datatype and allowed values on the ", + "code": "@value", + "#text1": " flag." 
+ } + } } }, - "leveraged-authorization": { + { + "id": "leveraged-authorization", "extension-name": "leveraged-authorization-uuid", "formal-name": "Leveraged Authorization", "description": "Indicates a leveraged authorization used for this control.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:results/o:finding/o:objective-status/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-results/o:results/o:finding/o:objective-status/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "uuid" - } - ], + "matches": {"data-type": "uuid"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" } }, - "remarks": "This is for legacy SSP convertion to OSCAL. The preferred approach is to specificy the leveraged system as a `component` and reference it in the control using `by-component`." + "remarks": { + "p": { + "#text": "This is for legacy SSP convertion to OSCAL. The preferred approach is to specificy the leveraged system as a ", + "code": "component", + "#text1": " and reference it in the control using ", + "code#1": "by-component", + "#text2": "." 
+ } + } }, - "control-origination": { + { + "id": "control-origination", "extension-name": "control-origination", "formal-name": "Control Origination", "description": "The point(s) from which the control satisfaction originates.", - "bindings": [ - { - "pattern": "implemented-requirement/o:prop[@name='control-origination']/@value" - } - ], + "binding": {"pattern": "implemented-requirement/o:prop[@name='control-origination']/@value"}, "constraint": { "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "sp-corporate", - "RICHTEXT": "Service Provider (Corporate)" - }, - { - "value": "sp-system", - "RICHTEXT": "Service Provider (System Specific)" - }, - { - "value": "customer-configured", - "RICHTEXT": "Configured by Customer" - }, - { - "value": "customer-provided", - "RICHTEXT": "Provided by Customer" - }, - { - "value": "inherited", - "RICHTEXT": "Inherited" - } - ] + "remarks": { + "p": { + "#text": "When an prop is defined as an extension, a separate constraint assembly is needed to specify datatype and allowed values on the ", + "code": "@value", + "#text1": " flag." } - ], - "remarks": "When an prop is defined as an extension, a separate constraint assembly is needed to specify datatype and allowed values on the `@value` flag." + }, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "sp-corporate", + "short-label": "SP Corporate", + "#text": "Service Provider (Corporate)" + }, + { + "value": "sp-system", + "short-label": "SP System", + "#text": "Service Provider (System Specific)" + }, + { + "value": "customer-configured", + "short-label": "Cust. Configured", + "#text": "Configured by Customer" + }, + { + "value": "customer-provided", + "short-label": "Cust. 
Provided", + "#text": "Provided by Customer" + }, + { + "value": "inherited", + "short-label": "Inherited", + "#text": "Inherited" + } + ] + } } }, - "no-oscal-ssp-title-short": { + { + "id": "no-oscal-ssp-title-short", "extension-name": "title-short", "formal-name": "Short System Name", "description": "The abbreviated name for the system, such as an acronym.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 } } }, - "no-oscal-ssp-system-id": { + { + "id": "no-oscal-ssp-system-id", "extension-name": "system-id", "formal-name": "Short System Name", "description": "The FedRAMP-assigned system identifier.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 } } }, - "no-oscal-ssp-import-profile": { + { + "id": "no-oscal-ssp-import-profile", "extension-name": "import-profile", "formal-name": "Relevant Baseline", "description": "Identifies the relevant OSCAL baseline.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "uri" - } - ], + "matches": 
{"data-type": "uri"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 } }, - "remarks": "As with all URIs in OSCAL, this may contain a URI fragment, which identifies the local resource containing the relevant profile." + "remarks": {"p": "As with all URIs in OSCAL, this may contain a URI fragment, which identifies the local resource containing the relevant profile."} }, - "no-oscal-ssp-purpose": { + { + "id": "no-oscal-ssp-purpose", "extension-name": "system-id", "formal-name": "Short System Name", "description": "The FedRAMP-assigned system identifier.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 } } }, - "no-oscal-ssp-authorization-date": { + { + "id": "no-oscal-ssp-authorization-date", "extension-name": "authorization-date", "formal-name": "Authorization Date", "description": "The date of the system's initial FedRAMP authorization.", - "bindings": [ - { - "pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-plan/o:back-matter/o:resource[./o:prop[@name='type'][.='no-oscal-ssp']]/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "dateTime-with-timezone" - } - ], + "matches": {"data-type": "dateTime-with-timezone"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 } } }, - "task-login-url": { + { + "id": "task-login-url", "extension-name": "logn-url", "formal-name": "Login URL", "description": "The login URL for a web application.", - "bindings": [ - { - "pattern": 
"/o:system-security-plan/o:system-implementation/o:o:inventory-item/o:prop" - }, - { - "pattern": "/o:assessment-plan//o:task/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop" - } + "binding": [ + {"pattern": "/o:system-security-plan/o:system-implementation/o:o:inventory-item/o:prop"}, + {"pattern": "/o:assessment-plan//o:task/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ] + "matches": {"data-type": "NCName"} } }, - "task-login-id": { + { + "id": "task-login-id", "extension-name": "logn-id", "formal-name": "Login ID", "description": "The login ID used to assess the web application.", - "bindings": [ - { - "pattern": "/o:assessment-plan//o:task/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan//o:task/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ] + "matches": {"data-type": "NCName"} } }, - "task-test-type": { + { + "id": "task-test-type", "extension-name": "test-type", "formal-name": "Test Type", "description": "Indicates the type of test represented by the task.", - "bindings": [ - { - "pattern": "/o:assessment-plan//o:task/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan//o:task/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ], - "allowed-values": [ - { - "enums": [ - { - "value": "web-applicaiton", - "label": "Web Application", - "RICHTEXT": "This task tests a web application." 
- } - ] + "matches": {"data-type": "NCName"}, + "allowed-values": { + "enum": { + "value": "web-applicaiton", + "label": "Web Application", + "#text": "This task tests a web application." } - ] + } } }, - "task-user-uuid": { + { + "id": "task-user-uuid", "extension-name": "user-uuid", "formal-name": "User Identifier", "description": "Cites the SSP defined user role to use for testing.", - "bindings": [ - { - "pattern": "/o:assessment-plan//o:task/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-plan//o:task/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:local-definition/o:o:inventory-item/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "uuid" - } - ] + "matches": {"data-type": "uuid"} } }, - "poam-id": { - "extension-name": "POAM-ID", - "formal-name": "CSP POA&M Identifier", - "description": "A CSP-assigned identifier for this POA&M item.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:poam-item/o:prop" - } - ], + { + "id": "poam-id", + "extension-name": "poam-id", + "formal-name": "POA&M ID", + "description": "A CSP-assigned POA&M identifier.", + "binding": {"pattern": "/o:plan-of-action-and-milestones/o:poam-item/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ] + "matches": {"data-type": "string"}, + "has-cardinality": { + "min-occurs": 0, + "max-occurs": 1 + } } }, - "poam-impacted-control": { + { + "id": "poam-impacted-control", "extension-name": "impacted-control-id", "formal-name": "Impacted Control", "description": "A control impacted by this POA&M item.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"} ], "constraint": { - "matches": 
[ - { - "data-type": "token" - } - ] + "matches": {"data-type": "token"} }, - "remarks": "Impacted control is required in the POA&M and optional in the SAR.\n\nIt is allowed in the SAR in anticipation of duplicatng open risks from the SAR to the POA&M." + "remarks": { + "p": [ + "Impacted control is required in the POA&M and optional in the SAR.", + "It is allowed in the SAR in anticipation of duplicatng open risks from the SAR to the POA&M." + ] + } }, - "sar-risk-priority": { + { + "id": "sar-risk-priority", "extension-name": "priority", "formal-name": "Risk Priority", "description": "Assessor's recommended risk priority. Lower numbers are higher priority. One (1) is highest priority.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - } + "binding": [ + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "integer" - } - ], + "matches": {"data-type": "integer"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "sar-recommend-authorization": { + { + "id": "sar-recommend-authorization", "extension-name": "recommend-authorization", "formal-name": "Assessor's Authorization Recommendation", "description": "Indicates the assessor's reommendation for initial or continued authorization.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:result/o:attestation/o:part[@name='authorization-statements']/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-results/o:result/o:attestation/o:part[@name='authorization-statements']/o:prop"}, "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ], + "matches": {"data-type": "NCName"}, "has-cardinality": { "min-occurs": 1, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "enums": [ - { - "value": "yes", - "label": "Yes", - 
"RICHTEXT": "The assessor recommends initial or continued authorization." - }, - { - "value": "no", - "label": "No", - "RICHTEXT": "The assessor does not recommend initial or continued authorization." - } - ] - } - ] + "allowed-values": { + "enum": [ + { + "value": "yes", + "label": "Yes", + "#text": "The assessor recommends initial or continued authorization." + }, + { + "value": "no", + "label": "No", + "#text": "The assessor does not recommend initial or continued authorization." + } + ] + } } }, - "likelihood": { + { + "id": "likelihood", "extension-name": "likelihood", "formal-name": "Likelihood", "description": "The likelihood of a risk.", - "bindings": [ - { - "pattern": "o:risk/o:risk-metric[@name='likelihood'][@system='https://fedramp.gov']" - } - ] + "binding": {"pattern": "o:risk/o:risk-metric[@name='likelihood'][@system='https://fedramp.gov']"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "low", + "short-label": "L", + "#text": "Low" + }, + { + "value": "moderate", + "short-label": "M", + "#text": "Moderate" + }, + { + "value": "high", + "short-label": "H", + "#text": "High" + } + ] + } }, - "vulnerability-identifier": { + { + "id": "vulnerability-identifier", "extension-name": "vulnerability-id", "formal-name": "Vulnerability Identifier", "description": "A tool assigned vulnerability ID.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - 
"max-occurs": "1" + "max-occurs": 1 } } }, - "plugin-identifier": { + { + "id": "plugin-identifier", "extension-name": "plugin-id", "formal-name": "Plugin Identifier", "description": "A tool assigned Plugin ID.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:characterization/o:origin/o:actor[@type='tool']/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "string" - } - ], + "matches": {"data-type": "string"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 } } }, - "operational-requirement": { + { + "id": "operational-requirement", "extension-name": "operational-requirement", "formal-name": "Operational Requirement", "description": "The risk cannot be remediated without impact to the system and must be accepted.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:observation/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "enums": [ - { - "value": 
"investigating", - "label": "Investigating", - "RICHTEXT": "A possible operational requirement is being investigated." - }, - { - "value": "pending", - "label": "Tracking", - "RICHTEXT": "An operational requirement deviation request was submitted to the AO and is pending adjudication." - }, - { - "value": "approved", - "label": "Approved", - "RICHTEXT": "The operational requirement has been approved by the AO." - }, - { - "value": "withdrawn", - "label": "Withdrawn", - "RICHTEXT": "The operational requirement was withdrawn." - } - ] - } - ] + "allowed-values": { + "enum": [ + { + "value": "investigating", + "label": "Investigating", + "#text": "A possible operational requirement is being investigated." + }, + { + "value": "pending", + "label": "Tracking", + "#text": "An operational requirement deviation request was submitted to the AO and is pending adjudication." + }, + { + "value": "approved", + "label": "Approved", + "#text": "The operational requirement has been approved by the AO." + }, + { + "value": "withdrawn", + "label": "Withdrawn", + "#text": "The operational requirement was withdrawn." 
+ } + ] + } } }, - "false-positive": { + { + "id": "false-positive", "extension-name": "false-positive", "formal-name": "False Positive", "description": "The risk was found to be a false positive report.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:observation/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "NCName" - } - ], + "matches": {"data-type": "NCName"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "enums": [ - { - "value": "investigating", - "label": "Investigating", - "RICHTEXT": "A possible risk adjustment is being investigated." - }, - { - "value": "pending", - "label": "Tracking", - "RICHTEXT": "A false positive deviation request was submitted to the AO and is pending adjudication." - }, - { - "value": "approved", - "label": "Approved", - "RICHTEXT": "The false positive has been approved by the AO." - }, - { - "value": "withdrawn", - "label": "Withdrawn", - "RICHTEXT": "The false positive was withdrawn." - } - ] - } - ] + "allowed-values": { + "enum": [ + { + "value": "investigating", + "label": "Investigating", + "#text": "A possible risk adjustment is being investigated." + }, + { + "value": "pending", + "label": "Tracking", + "#text": "A false positive deviation request was submitted to the AO and is pending adjudication." + }, + { + "value": "approved", + "label": "Approved", + "#text": "The false positive has been approved by the AO." 
+ }, + { + "value": "withdrawn", + "label": "Withdrawn", + "#text": "The false positive was withdrawn." + } + ] + } } }, - "risk-adjustment": { + { + "id": "risk-adjustment", "extension-name": "risk-adjustment", "formal-name": "Risk Adjustment", "description": "Mitigating factors were identified or implemented, reducing the likelihood or impact of the risk.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:observation/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" + "max-occurs": 1 }, - "allowed-values": [ - { - "enums": [ - { - "value": "investigating", - "label": "Investigating", - "RICHTEXT": "A possible risk adjustment is being investigated." - }, - { - "value": "pending", - "label": "Tracking", - "RICHTEXT": "A risk adjustment deviation request was submitted to the AO and is pending adjudication." - }, - { - "value": "approved", - "label": "Approved", - "RICHTEXT": "The risk adjustment has been approved by the AO." - }, - { - "value": "withdrawn", - "label": "Withdrawn", - "RICHTEXT": "The risk adjustment was withdrawn." - } - ] - } - ] + "allowed-values": { + "enum": [ + { + "value": "investigating", + "label": "Investigating", + "#text": "A possible risk adjustment is being investigated." 
+ }, + { + "value": "pending", + "label": "Tracking", + "#text": "A risk adjustment deviation request was submitted to the AO and is pending adjudication." + }, + { + "value": "approved", + "label": "Approved", + "#text": "The risk adjustment has been approved by the AO." + }, + { + "value": "withdrawn", + "label": "Withdrawn", + "#text": "The risk adjustment was withdrawn." + } + ] + } } }, - "vendor-dependency": { + { + "id": "vendor-dependency", "extension-name": "vendor-dependency", "formal-name": "Vendor Dependency", "description": "A vendor resolution is pending, but not yet available.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - }, - { - "pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop" - }, - { - "pattern": "/o:assessment-results/o:result/o:observation/o:prop" - } + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, + {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:prop"}, + {"pattern": "/o:assessment-results/o:result/o:observation/o:prop"} ], "constraint": { - "matches": [ - { - "data-type": "token" - } - ], + "matches": {"data-type": "token"}, "has-cardinality": { "min-occurs": 0, - "max-occurs": "1" - }, - "allowed-values": [ - { - "enums": [ - { - "value": "investigating", - "label": "Investigating", - "RICHTEXT": "The risk is a suspected vendor dependency, and is being investigated for verification." - }, - { - "value": "tracking", - "label": "Tracking", - "RICHTEXT": "The vendor has confirmed the issue and is working on a resolution." - }, - { - "value": "resolved", - "label": "Resolved", - "RICHTEXT": "The vendor released the fix and it has been applied." - }, - { - "value": "withdrawn", - "label": "Withdrawn", - "RICHTEXT": "The vendor dependency was withdrawn." 
- } - ] - } - ] - } - } - }, - "constraints": [ - { - "name": "observation-types", - "formal-name": "Observation Types", - "description": "In addition to the NIST observation types, FedRAMP requires observaton types to support risk deviations and vendor dependencies.", - "bindings": [ - { - "pattern": "/o:plan-of-action-and-milestones/o:observation/o:type" + "max-occurs": 1 }, - { - "pattern": "/o:assessment-results/o:result/o:observation/o:type" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "vendor-dependency", - "label": "Vendor Dependency", - "RICHTEXT": "The observation provides evidence of reliance on a vendor for a pending resolution that is not yet available." - }, + "allowed-values": { + "enum": [ { - "value": "false-positive", - "label": "False Positive", - "RICHTEXT": "The observation provides evidence the associated risk is a false positive finding." + "value": "investigating", + "label": "Investigating", + "#text": "The risk is a suspected vendor dependency, and is being investigated for verification." }, { - "value": "operational-requirement", - "label": "Operational Requirement", - "RICHTEXT": "The observation provides evidence to substantiate the assertion that remediating the risk will have an adverse impact on the system." + "value": "tracking", + "label": "Tracking", + "#text": "The vendor has confirmed the issue and is working on a resolution." }, { - "value": "risk-adjustment", - "label": "Risk Adjustment", - "RICHTEXT": "The observation provides evidence to justify an adjustment to the likelihood or impact values." + "value": "resolved", + "label": "Resolved", + "#text": "The vendor released the fix and it has been applied." }, { - "value": "closure", - "label": "Closure", - "RICHTEXT": "The observation provides evidence of risk closure." + "value": "withdrawn", + "label": "Withdrawn", + "#text": "The vendor dependency was withdrawn." 
} ] } - ] + } + } + ], + "constraint": [ + { + "name": "observation-types", + "formal-name": "Observation Types", + "description": "In addition to the NIST observation types, FedRAMP requires observaton types to support risk deviations and vendor dependencies.", + "binding": [ + {"pattern": "/o:plan-of-action-and-milestones/o:observation/o:type"}, + {"pattern": "/o:assessment-results/o:result/o:observation/o:type"} + ], + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "vendor-dependency", + "label": "Vendor Dependency", + "#text": "The observation provides evidence of reliance on a vendor for a pending resolution that is not yet available." + }, + { + "value": "false-positive", + "label": "False Positive", + "#text": "The observation provides evidence the associated risk is a false positive finding." + }, + { + "value": "operational-requirement", + "label": "Operational Requirement", + "#text": "The observation provides evidence to substantiate the assertion that remediating the risk will have an adverse impact on the system." + }, + { + "value": "risk-adjustment", + "label": "Risk Adjustment", + "#text": "The observation provides evidence to justify an adjustment to the likelihood or impact values." + }, + { + "value": "closure", + "label": "Closure", + "#text": "The observation provides evidence of risk closure." + } + ] + } }, { "name": "sar-risk-impacted-control", "formal-name": "Impacted Control", "description": "The impacted control field is optional in the SAR, but helpful in anticipation of copying open risks to the POA&M.", - "bindings": [ - { - "pattern": "/o:assessment-results/o:result/o:risk/o:prop" - } - ], + "binding": {"pattern": "/o:assessment-results/o:result/o:risk/o:prop"}, "has-cardinality": { "min-occurs": 0, "max-occurs": "unbounded" 
@@ -2206,11 +1730,7 @@
 "name": "poam-risk-impacted-control",
 "formal-name": "Impacted Control",
 "description": "At least one impacted control field is required in the POA&M.",
-"bindings": [
-{
-"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"
-}
-],
+"binding": {"pattern": "/o:plan-of-action-and-milestones/o:risk/o:prop"},
 "has-cardinality": {
 "min-occurs": 0,
 "max-occurs": "unbounded"
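Review bot: `"min-occurs": 0` in this constraint's `has-cardinality` block contradicts the description two lines above it, which states that at least one impacted control is required in the POA&M; a validator that honours the cardinality will treat the property as optional and accept POA&M items with no impacted control, so if the description is the intent the value should be `"min-occurs": 1` (the SAR variant, `sar-risk-impacted-control`, is documented as optional and its 0 is consistent). Separately, the commit normalizes `max-occurs` in the extension entries from the string `"1"` to the integer `1` but leaves `"max-occurs": "unbounded"` here as a string, so one key now carries two value types and every consumer must special-case the sentinel; either document that `max-occurs` is integer-or-"unbounded" or drop the key for the unbounded case before this file is relied on for validation. The enclosing constraint object starts and ends outside the hunk.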
@@ -2220,781 +1740,724 @@ "name": "control-origination-constraints", "formal-name": "Control Origination", "description": "The point(s) from which the control satisfaction originates.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='control-origination'][@ns='https://fedramp.gov/ns/oscal']/@value" - } - ], - "matches": [ - { - "data-type": "token" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "sp-corporate", - "label": "SP Corporate", - "RICHTEXT": "Service Provider (Corporate)" - }, - { - "value": "sp-system", - "label": "SP System", - "RICHTEXT": "Service Provider (System Specific)" - }, - { - "value": "customer-configured", - "label": "Cust. Configured", - "RICHTEXT": "Configured by Customer" - }, - { - "value": "customer-provided", - "label": "Cust. Provided", - "RICHTEXT": "Provided by Customer" - }, - { - "value": "inherited", - "label": "Inherited", - "RICHTEXT": "Inherited" - } - ] - } - ] + "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='control-origination'][@ns='https://fedramp.gov/ns/oscal']/@value"}, + "matches": {"data-type": "token"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "sp-corporate", + "label": "SP Corporate", + "#text": "Service Provider (Corporate)" + }, + { + "value": "sp-system", + "label": "SP System", + "#text": "Service Provider (System Specific)" + }, + { + "value": "customer-configured", + "label": "Cust. Configured", + "#text": "Configured by Customer" + }, + { + "value": "customer-provided", + "label": "Cust. 
Provided", + "#text": "Provided by Customer" + }, + { + "value": "inherited", + "label": "Inherited", + "#text": "Inherited" + } + ] + } }, { "name": "control-implementation-status-constraints", "formal-name": "Control Implementation Status Constraints", "description": "Defines the data type and allowed values for the Control Implementation Status", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal']/@value" - } - ], - "matches": [ - { - "data-type": "token" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "implemented", - "label": "Implemented", - "RICHTEXT": "The assessor finds sufficient evidence to agree the control objective is fully implemented." - }, - { - "value": "partial", - "label": "Partial", - "RICHTEXT": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." - }, - { - "value": "planned", - "label": "Planned", - "RICHTEXT": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implemnting it." - }, - { - "value": "alternative", - "label": "Alternative Implementation", - "RICHTEXT": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." - }, - { - "value": "not-applicable", - "label": "Not Applicable (N/A)", - "RICHTEXT": "The assessor finds this control objective does not apply to this system." - } - ] - } - ], - "remarks": "When an extension is an prop, the data type and allowed values must be defined in a separate constraint." 
+ "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement/o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal']/@value"}, + "matches": {"data-type": "token"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "implemented", + "label": "Implemented", + "#text": "The assessor finds sufficient evidence to agree the control objective is fully implemented." + }, + { + "value": "partial", + "label": "Partial", + "#text": "The assessor finds evidence to suggest a portion of the control objective is implemented and a portion is not." + }, + { + "value": "planned", + "label": "Planned", + "#text": "The assessor finds this control objective is not implemented, but there is evidence the system owner has a plan for implemnting it." + }, + { + "value": "alternative", + "label": "Alternative Implementation", + "#text": "The assessor finds evidence of an alternative implementation, which the assessor judges to provide protection similar enough to satisfy this control." + }, + { + "value": "not-applicable", + "label": "Not Applicable (N/A)", + "#text": "The assessor finds this control objective does not apply to this system." 
+ } + ] + }, + "remarks": {"p": "When an extension is an prop, the data type and allowed values must be defined in a separate constraint."} }, { "formal-name": "Control Implementation Status Constraints", "description": "Remarks are required for certain Control Implementation Status values.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement" - } - ], - "matches": [ - { - "data-type": "NCName" - } - ], - "expects": [ - { - "test": "(o:prop[@name='planned-completion'][@ns='https://fedramp.gov/ns/oscal'])" - } - ] - }, - { - "formal-name": "FedRAMP Facet System Constraints" + "binding": {"pattern": "/o:system-security-plan/o:control-implmentation/o:implemented-requirement"}, + "matches": {"data-type": "NCName"}, + "expect": {"test": "(o:prop[@name='planned-completion'][@ns='https://fedramp.gov/ns/oscal'])"} }, + {"formal-name": "FedRAMP Facet System Constraints"}, { "name": "planned-completion-date", "formal-name": "Planned Implementation Date Exists", "description": "If the control implementation status is \"Planned\" a \"Planned Implementation Date\" must be provided.", - "props": [ - { - "name": "reference", - "value": "3.1" - } - ], - "bindings": [ - { - "pattern": "/o:system-security-plan/o:control-implementation/o:implemented-requirement[o:prop[@name='implementation-status'][@value='planned']]" - } - ], - "expects": [ - { - "test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='partial']/remarks)" - }, - { - "test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='planned']/remarks)" - }, - { - "test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='alternative']/remarks)" - }, - { - "test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='not-applicable']/remarks)" + "prop": { + "name": "reference", + "#text": 3.1 + }, + "binding": {"pattern": 
"/o:system-security-plan/o:control-implementation/o:implemented-requirement[o:prop[@name='implementation-status'][@value='planned']]"}, + "expect": [ + {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='partial']/remarks)"}, + {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='planned']/remarks)"}, + {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='alternative']/remarks)"}, + {"test": "(o:prop[@name='implementation-status'][@ns='https://fedramp.gov/ns/oscal'][@value='not-applicable']/remarks)"} + ], + "remarks": { + "p": { + "#text": "In the SSP, if ", + "code": "implemented-requirement", + "#text1": " includes ", + "code#1": "prop[@name='implementation-status']", + "#text2": " with ", + "code#2": "value='planned'", + "#text3": ", a ", + "code#3": "planned-completion-date", + "#text4": " extension must be provided." } - ], - "remarks": "In the SSP, if `implemented-requirement` includes `prop[@name='implementation-status']` with `value='planned'`, a `planned-completion-date` extension must be provided." + } }, { "formal-name": "Port Class Exists", "description": "If a port number is provided as part of an interconnection, Local or Remote must be specified.", - "bindings": [ - { - "pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']" - } - ], - "expects": [ - { - "test": "exists(@class)" - } - ], - "remarks": "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.\n\nWhen this extension is present, it must include a `@class` flag with a value of either 'local' or 'remote'." 
+ "binding": {"pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']"}, + "expect": {"test": "exists(@class)"}, + "remarks": { + "p": [ + "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.", + { + "#text": "When this extension is present, it must include a ", + "code": "@class", + "#text1": " flag with a value of either 'local' or 'remote'." + } + ] + } }, { "formal-name": "Port Class Valid Values", "description": "If a port number is provided as part of an interconnection, Local or Remote must be specified.", - "bindings": [ - { - "pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']/@class" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "local", - "label": "Local", - "RICHTEXT": "The identified port number is used by the interconnected system to communicate with this system." - }, - { - "value": "remote", - "label": "Remote", - "RICHTEXT": "The identified poart number is used by this system to communicate with the interconnected system." - } - ] - } - ], - "remarks": "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.\n\nWhen this extension is present, it must include a `@class` flag with a value of either 'local' or 'remote'." + "binding": {"pattern": "o:system-security-plan/o:system-implementation/o:component[@component-type='interconnection']/o:prop[@name='port']/@class"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "local", + "label": "Local", + "#text": "The identified port number is used by the interconnected system to communicate with this system." + }, + { + "value": "remote", + "label": "Remote", + "#text": "The identified poart number is used by this system to communicate with the interconnected system." 
+ } + ] + }, + "remarks": { + "p": [ + "The port field is a FedRAMP extension - a property assigned to a component with a component type of 'interconnection'.", + { + "#text": "When this extension is present, it must include a ", + "code": "@class", + "#text1": " flag with a value of either 'local' or 'remote'." + } + ] + } }, { "formal-name": "Additional Component Types", "description": "Identifies additional component types for Assessment Assets in the SAP and SAR.", - "bindings": [ - { - "pattern": "o:assessment-plan/o:assessment-assets/o:component/@type" - }, - { - "pattern": "o:assessment-results/o:assessment-result/o:local-definitions/o:assessment-assets/o:component/@type" - } + "binding": [ + {"pattern": "o:assessment-plan/o:assessment-assets/o:component/@type"}, + {"pattern": "o:assessment-results/o:assessment-result/o:local-definitions/o:assessment-assets/o:component/@type"} ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "assessment-origination", - "label": "Assessment Origination", - "RICHTEXT": "The component identifies one or more IP addresses from which assessment activities may be performed." - } - ] + "allowed-values": { + "allow-other": "no", + "enum": { + "value": "assessment-origination", + "label": "Assessment Origination", + "#text": "The component identifies one or more IP addresses from which assessment activities may be performed." } - ], - "remarks": "For FedRAMP, the SAP must identify the IP addresses from which scanning and penetration test activities are performed, and the SAR must identify the actual IP addresses used.\n\nThis requires an additional component type in the SAP's `assessment-assets`, and in the SAR's `result`, `local-definitions`, `assessment-assets`." 
+ }, + "remarks": { + "p": [ + "For FedRAMP, the SAP must identify the IP addresses from which scanning and penetration test activities are performed, and the SAR must identify the actual IP addresses used.", + { + "#text": "This requires an additional component type in the SAP's ", + "code": "assessment-assets", + "#text1": ", and in the SAR's ", + "code#1": "result", + "#text2": ", ", + "code#2": "local-definitions", + "#text3": ", ", + "code#3": "assessment-assets", + "#text4": "." + } + ] + } }, { "name": "fedramp-general-role-identifiers", "formal-name": "General Role Identifiers", "description": "FedRAMP additional roles identifiers.", - "bindings": [ - { - "pattern": "/*/o:metadata/o:role/@id" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "fedramp-pmo", - "label": "FedRAMP PMO", - "RICHTEXT": "The FedRAMP Program Management Office (PMO)" - }, - { - "value": "fedramp-jab", - "label": "FedRAMP JAB", - "RICHTEXT": "The FedRAMP Joint Authorization Board (JAB)" - }, - { - "value": "cloud-service-provider", - "label": "CSP", - "RICHTEXT": "Cloud Service Provider" - }, - { - "value": "csp-operations-center", - "label": "CSP Operations Center", - "RICHTEXT": "Cloud Service Provider Operations Center" - } - ] - } - ], - "remarks": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to all OSCAL-based FedRAMP content." 
+ "binding": {"pattern": "/*/o:metadata/o:role/@id"}, + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "fedramp-pmo", + "label": "FedRAMP PMO", + "#text": "The FedRAMP Program Management Office (PMO)" + }, + { + "value": "fedramp-jab", + "label": "FedRAMP JAB", + "#text": "The FedRAMP Joint Authorization Board (JAB)" + }, + { + "value": "cloud-service-provider", + "label": "CSP", + "#text": "Cloud Service Provider" + }, + { + "value": "csp-operations-center", + "label": "CSP Operations Center", + "#text": "Cloud Service Provider Operations Center" + } + ] + }, + "remarks": {"p": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to all OSCAL-based FedRAMP content."} }, { "name": "fedramp-assessment-role-identifiers", "formal-name": "Assessment Role Identifiers", "description": "FedRAMP additional roles identifiers.", - "bindings": [ - { - "pattern": "/*/o:metadata/o:role/@id" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "assessor", - "label": "Assesor", - "RICHTEXT": "Assesor" - }, - { - "value": "assessment-team", - "label": "Assessment Team", - "RICHTEXT": "Assessment Team" - }, - { - "value": "assessment-lead", - "label": "Assessment Lead", - "RICHTEXT": "Assessment Lead" - }, - { - "value": "assessment-executive", - "label": "Assessment Executive", - "RICHTEXT": "Assessment Executive" - }, - { - "value": "csp-assessment-poc", - "label": "CSP Assessment PoC", - "RICHTEXT": "Cloud Service Provider Assessment Point(s) of Contact" - }, - { - "value": "csp-end-of-testing-poc", - "label": "CSP End of Testing PoC", - "RICHTEXT": "Cloud Service Provider End of Testing Point(s) of Contact" - }, - { - "value": "csp-results-poc", - "label": "CSP Results PoC", - "RICHTEXT": "Cloud Service Provider Point(s) of Contact" - }, - { - "value": "penetration-test-team", - "label": "Penetration Test Team", - "RICHTEXT": "Penetration Test Team" - }, - { - "value": 
"penetration-test-lead", - "label": "Penetration Test Lead", - "RICHTEXT": "Penetration Test Lead" - } - ] - } - ], - "remarks": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to OSCAL-based FedRAMP SAP and SAR content." + "binding": {"pattern": "/*/o:metadata/o:role/@id"}, + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "assessor", + "label": "Assesor", + "#text": "Assesor" + }, + { + "value": "assessment-team", + "label": "Assessment Team", + "#text": "Assessment Team" + }, + { + "value": "assessment-lead", + "label": "Assessment Lead", + "#text": "Assessment Lead" + }, + { + "value": "assessment-executive", + "label": "Assessment Executive", + "#text": "Assessment Executive" + }, + { + "value": "csp-assessment-poc", + "label": "CSP Assessment PoC", + "#text": "Cloud Service Provider Assessment Point(s) of Contact" + }, + { + "value": "csp-end-of-testing-poc", + "label": "CSP End of Testing PoC", + "#text": "Cloud Service Provider End of Testing Point(s) of Contact" + }, + { + "value": "csp-results-poc", + "label": "CSP Results PoC", + "#text": "Cloud Service Provider Point(s) of Contact" + }, + { + "value": "penetration-test-team", + "label": "Penetration Test Team", + "#text": "Penetration Test Team" + }, + { + "value": "penetration-test-lead", + "label": "Penetration Test Lead", + "#text": "Penetration Test Lead" + } + ] + }, + "remarks": {"p": "These are in addition to the NIST-defined allowed values for role identifiers, and apply to OSCAL-based FedRAMP SAP and SAR content."} }, { "name": "hash-algorithm", + "extension-name": "hash-algorithm", "formal-name": "Hash Algorithm", "description": "Identifies the algorithm used to create the hash value of the attachment.", - "bindings": [ - { - "pattern": "o:resource/o:hash/@algorithm" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "SHA-224", - "RICHTEXT": "SHA-224" - }, - { - "value": "SHA-256", - 
"RICHTEXT": "SHA-256" - }, - { - "value": "SHA-384", - "RICHTEXT": "SHA-384" - }, - { - "value": "SHA-512", - "RICHTEXT": "SHA-512" - }, - { - "value": "RIPEMD-160", - "RICHTEXT": "RIPEMD-160" - } - ] - } - ] + "binding": {"pattern": "o:resource/o:hash/@algorithm"}, + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "SHA-224", + "short-label": "SHA-224", + "#text": "SHA-224" + }, + { + "value": "SHA-256", + "short-label": "SHA-256", + "#text": "SHA-256" + }, + { + "value": "SHA-384", + "short-label": "SHA-384", + "#text": "SHA-384" + }, + { + "value": "SHA-512", + "short-label": "SHA-512", + "#text": "SHA-512" + }, + { + "value": "RIPEMD-160", + "short-label": "RIPEMD-160", + "#text": "RIPEMD-160" + } + ] + } }, { "name": "attachment-type", "formal-name": "Attachment/Resource Types", "description": "FedRAMP additional attachment/resource types.", - "bindings": [ - { - "pattern": "/*/o:back-matter/o:resource/o:prop[@name='type']" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "law", - "RICHTEXT": "Law or Statute" - }, - { - "value": "regulation", - "RICHTEXT": "Regulation or Directive" - }, - { - "value": "standard", - "RICHTEXT": "Industry Standard" - }, - { - "value": "guidance", - "RICHTEXT": "Guidance" - }, - { - "value": "pii", - "RICHTEXT": "Privacy Impact Information" - }, - { - "value": "policy", - "RICHTEXT": "Polciy" - }, - { - "value": "procedure", - "RICHTEXT": "Procedure" - }, - { - "value": "guide", - "RICHTEXT": "Guidance Document" - }, - { - "value": "pia", - "RICHTEXT": "Privacy Impact Assessment" - }, - { - "value": "rules-of-behavior", - "RICHTEXT": "Rules of Behavior" - }, - { - "value": "plan", - "RICHTEXT": "Plan" - }, - { - "value": "system-security-plan", - "RICHTEXT": "System Security Plan" - }, - { - "value": "artifact", - "RICHTEXT": "Artifact" - }, - { - "value": "evidence", - "RICHTEXT": "Evidence" - }, - { - "value": "screen-shot", - "RICHTEXT": "Screen Shot" - }, - { - 
"value": "image", - "RICHTEXT": "Image" - }, - { - "value": "tool-report", - "RICHTEXT": "Tool Report" - }, - { - "value": "raw-tool-output", - "RICHTEXT": "Raw Tool Output" - }, - { - "value": "interview-notes", - "RICHTEXT": "Interview Notes" - }, - { - "value": "questionnaire", - "RICHTEXT": "Questions" - }, - { - "value": "report", - "RICHTEXT": "Report" - }, - { - "value": "fedramp-citations", - "RICHTEXT": "FedRAMP Citations" - }, - { - "value": "fedramp-acronyms", - "RICHTEXT": "FedRAMP Acronyms" - }, - { - "value": "fedramp-logo", - "RICHTEXT": "FedRAMP Logo" - }, - { - "value": "separation-of-duties-matrix", - "RICHTEXT": "Separation of Duties Matrix" - }, - { - "value": "logo", - "RICHTEXT": "Logo" - }, - { - "value": "Personal-Identifiable-Information", - "RICHTEXT": "Personal Identifiable Information (PII)" - }, - { - "value": "agreement", - "RICHTEXT": "Agreement" - }, - { - "value": "incident-response-plan", - "RICHTEXT": "Incident Response Plan" - }, - { - "value": "information-security-policies-and-procedures", - "RICHTEXT": "Incident Security Policies and Procedures" - }, - { - "value": "user-guide", - "RICHTEXT": "User Guide" - }, - { - "value": "privacy-impact-assessment", - "RICHTEXT": "Privacy Impact Assessment" - }, - { - "value": "information-system-contingency-plan", - "RICHTEXT": "Information System Contingency Plan" - }, - { - "value": "configuration-management-plan", - "RICHTEXT": "configuration-management-plan" - } - ] - } - ], - "remarks": "These are in addition to the NIST-defined allowed values for resource types." 
+ "binding": {"pattern": "/*/o:back-matter/o:resource/o:prop[@name='type']"}, + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "law", + "short-label": "Law", + "#text": "Law or Statute" + }, + { + "value": "regulation", + "short-label": "Regulation", + "#text": "Regulation or Directive" + }, + { + "value": "standard", + "short-label": "Standard", + "#text": "Industry Standard" + }, + { + "value": "guidance", + "short-label": "Guidance", + "#text": "Guidance" + }, + { + "value": "policy", + "short-label": "Policy", + "#text": "Polciy" + }, + { + "value": "procedure", + "short-label": "Procedure", + "#text": "Procedure" + }, + { + "value": "guide", + "short-label": "Guidance", + "#text": "Guidance Document" + }, + { + "value": "rules-of-behavior", + "short-label": "ROB", + "#text": "Rules of Behavior" + }, + { + "value": "plan", + "short-label": "Plan", + "#text": "Plan" + }, + { + "value": "system-security-plan", + "short-label": "SSP", + "#text": "System Security Plan" + }, + { + "value": "artifact", + "short-label": "artifact", + "#text": "Artifact" + }, + { + "value": "evidence", + "short-label": "evidence", + "#text": "Evidence" + }, + { + "value": "screen-shot", + "short-label": "screen", + "#text": "Screen Shot" + }, + { + "value": "image", + "short-label": "image", + "#text": "Image" + }, + { + "value": "tool-report", + "short-label": "Report", + "#text": "Tool Report" + }, + { + "value": "raw-tool-output", + "short-label": "Raw", + "#text": "Raw Tool Output" + }, + { + "value": "interview-notes", + "short-label": "Notes", + "#text": "Interview Notes" + }, + { + "value": "questionnaire", + "short-label": "Questions", + "#text": "Questions" + }, + { + "value": "report", + "short-label": "Report", + "#text": "Report" + }, + { + "value": "fedramp-citations", + "short-label": "FR Citations", + "#text": "FedRAMP Citations" + }, + { + "value": "fedramp-acronyms", + "short-label": "FR Acronyms", + "#text": "FedRAMP Acronyms" + }, + { + 
"value": "fedramp-logo", + "short-label": "FR Logo", + "#text": "FedRAMP Logo" + }, + { + "value": "separation-of-duties-matrix", + "short-label": "SoD Matrix", + "#text": "Separation of Duties Matrix" + }, + { + "value": "logo", + "short-label": "Logo", + "#text": "Logo" + }, + { + "value": "personal-identifiable-information", + "short-label": "PII", + "#text": "Personal Identifiable Information (PII)" + }, + { + "value": "agreement", + "short-label": "Agreement", + "#text": "Agreement" + }, + { + "value": "incident-response-plan", + "short-label": "IRP", + "#text": "Incident Response Plan" + }, + { + "value": "information-security-policies-and-procedures", + "short-label": "ISPP", + "#text": "Incident Security Policies and Procedures" + }, + { + "value": "user-guide", + "short-label": "User Guide", + "#text": "User Guide" + }, + { + "value": "privacy-impact-analysis", + "short-label": "PIA", + "#text": "Privacy Impact Assessment" + }, + { + "value": "information-system-contingency-plan", + "short-label": "ISCP", + "#text": "Information System Contingency Plan" + }, + { + "value": "configuration-management-plan", + "short-label": "CMP", + "#text": "configuration-management-plan" + } + ] + }, + "remarks": {"p": "These are in addition to the NIST-defined allowed values for resource types."} }, { "name": "media-type", "formal-name": "Attachment/Resource Media Types", "description": "IANA media-types supported by FedRAMP as attachment/resource types.", - "bindings": [ - { - "pattern": "o:rlink/@media-type" - }, - { - "pattern": "o:base64/@media-type" - } - ], - "allowed-values": [ - { - "enums": [ - { - "value": "application/gzip", - "RICHTEXT": "application/gzip" - }, - { - "value": "application/msword", - "RICHTEXT": "application/msword" - }, - { - "value": "application/octet-stream", - "RICHTEXT": "application/octet-stream" - }, - { - "value": "application/pdf", - "RICHTEXT": "application/pdf" - }, - { - "value": "application/vnd.ms-excel", - "RICHTEXT": 
"application/vnd.ms-excel" - }, - { - "value": "application/vnd.ms-works", - "RICHTEXT": "application/vnd.ms-works" - }, - { - "value": "application/vnd.oasis.opendocument.graphics", - "RICHTEXT": "application/vnd.oasis.opendocument.graphics" - }, - { - "value": "application/vnd.oasis.opendocument.presentation", - "RICHTEXT": "application/vnd.oasis.opendocument.presentation" - }, - { - "value": "application/vnd.oasis.opendocument.spreadsheet", - "RICHTEXT": "application/vnd.oasis.opendocument.spreadsheet" - }, - { - "value": "application/vnd.oasis.opendocument.text", - "RICHTEXT": "application/vnd.oasis.opendocument.text" - }, - { - "value": "application/vnd.openxmlformats-officedocument.presentationml.presentation", - "RICHTEXT": "application/vnd.openxmlformats-officedocument.presentationml.presentation" - }, - { - "value": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", - "RICHTEXT": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" - }, - { - "value": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", - "RICHTEXT": "application/vnd.openxmlformats-officedocument.wordprocessingml.document" - }, - { - "value": "application/x-bzip", - "RICHTEXT": "application/x-bzip" - }, - { - "value": "application/x-bzip2", - "RICHTEXT": "application/x-bzip2" - }, - { - "value": "application/x-tar", - "RICHTEXT": "application/x-tar" - }, - { - "value": "application/zip", - "RICHTEXT": "application/zip" - }, - { - "value": "image/bmp", - "RICHTEXT": "image/bmp" - }, - { - "value": "image/jpeg", - "RICHTEXT": "image/jpeg" - }, - { - "value": "image/png", - "RICHTEXT": "image/png" - }, - { - "value": "image/tiff", - "RICHTEXT": "image/tiff" - }, - { - "value": "image/webp", - "RICHTEXT": "image/webp" - }, - { - "value": "image/svg+xml", - "RICHTEXT": "image/svg+xml" - }, - { - "value": "text/csv", - "RICHTEXT": "text/csv" - }, - { - "value": "text/html", - "RICHTEXT": "text/html" - }, - { - "value": "text/plain", - 
"RICHTEXT": "text/plain" - } - ] - } + "binding": [ + {"pattern": "o:rlink/@media-type"}, + {"pattern": "o:base64/@media-type"} ], - "remarks": "These are in addition to the NIST-defined allowed values for resource types." + "allowed-values": { + "enum": [ + { + "value": "application/gzip", + "#text": "application/gzip" + }, + { + "value": "application/msword", + "#text": "application/msword" + }, + { + "value": "application/octet-stream", + "#text": "application/octet-stream" + }, + { + "value": "application/pdf", + "#text": "application/pdf" + }, + { + "value": "application/vnd.ms-excel", + "#text": "application/vnd.ms-excel" + }, + { + "value": "application/vnd.ms-works", + "#text": "application/vnd.ms-works" + }, + { + "value": "application/vnd.oasis.opendocument.graphics", + "#text": "application/vnd.oasis.opendocument.graphics" + }, + { + "value": "application/vnd.oasis.opendocument.presentation", + "#text": "application/vnd.oasis.opendocument.presentation" + }, + { + "value": "application/vnd.oasis.opendocument.spreadsheet", + "#text": "application/vnd.oasis.opendocument.spreadsheet" + }, + { + "value": "application/vnd.oasis.opendocument.text", + "#text": "application/vnd.oasis.opendocument.text" + }, + { + "value": "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "#text": "application/vnd.openxmlformats-officedocument.presentationml.presentation" + }, + { + "value": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "#text": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" + }, + { + "value": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "#text": "application/vnd.openxmlformats-officedocument.wordprocessingml.document" + }, + { + "value": "application/x-bzip", + "#text": "application/x-bzip" + }, + { + "value": "application/x-bzip2", + "#text": "application/x-bzip2" + }, + { + "value": "application/x-tar", + "#text": "application/x-tar" + }, + { + "value": 
"application/zip", + "#text": "application/zip" + }, + { + "value": "image/bmp", + "#text": "image/bmp" + }, + { + "value": "image/jpeg", + "#text": "image/jpeg" + }, + { + "value": "image/png", + "#text": "image/png" + }, + { + "value": "image/tiff", + "#text": "image/tiff" + }, + { + "value": "image/webp", + "#text": "image/webp" + }, + { + "value": "image/svg+xml", + "#text": "image/svg+xml" + }, + { + "value": "text/csv", + "#text": "text/csv" + }, + { + "value": "text/html", + "#text": "text/html" + }, + { + "value": "text/plain", + "#text": "text/plain" + } + ] + }, + "remarks": {"p": "These are in addition to the NIST-defined allowed values for resource types."} }, { "name": "system-identifier-type", "formal-name": "System Identifier Type", "description": "Enables an identifier to be formally recognized as being assigned by FedRAMP.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-characteristics/o:system-id/@identifier-type" - } - ], - "allowed-values": [ - { - "allow-other": "yes", - "enums": [ - { - "value": "https://fedramp.gov", - "label": "FedRAMP ID", - "RICHTEXT": "FedRAMP-Assigned Identifier" - }, - { - "value": "https://ietf.org/rfc/rfc4122", - "RICHTEXT": "RFC-4122 UUIDv4 Value" - } - ] - } - ] + "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:system-id/@identifier-type"}, + "allowed-values": { + "allow-other": "yes", + "enum": [ + { + "value": "https://fedramp.gov", + "label": "FedRAMP ID", + "#text": "FedRAMP-Assigned Identifier" + }, + { + "value": "https://ietf.org/rfc/rfc4122", + "short-label": "UUIDv4", + "#text": "RFC-4122 UUIDv4 Value" + } + ] + } }, { "name": "information-type-system", "formal-name": "Information Type System", "description": "Identifies the system from which the information type was defined.", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:information-type-id/@system" + "binding": {"pattern": 
"/o:system-security-plan/o:system-characteristics/o:system-information/o:information-type/o:information-type-id/@system"}, + "allowed-values": { + "allow-other": "no", + "enum": { + "value": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "label": "SP 800-60 V2R1", + "#text": "NIST SP 800-60, Volume 2, Revision 1" } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "https://doi.org/10.6028/NIST.SP.800-60v2r1", - "label": "SP 800-60 V2R1", - "RICHTEXT": "NIST SP 800-60, Volume 2, Revision 1" - } - ] - } - ], - "remarks": "FedRAMP only allows information types defined in NIST SP 800-60v2r1." + }, + "remarks": {"p": "FedRAMP only allows information types defined in NIST SP 800-60v2r1."} }, { "name": "security-level", "formal-name": "Security Impact Level", "description": "The security objective level as defined by NIST SP 800-60.", - "bindings": [ - { - "pattern": "security-sensitivity-level" - }, - { - "pattern": "security-impact-level" - }, - { - "pattern": "(security-objective-confidentiality|security-objective-integrity|security-objective-availability)" - }, - { - "pattern": "system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "fips-199-low", - "label": "L", - "RICHTEXT": "Low" - }, - { - "value": "fips-199-moderate", - "label": "M", - "RICHTEXT": "Moderate" - }, - { - "value": "fips-199-high", - "label": "H", - "RICHTEXT": "High" - } - ] - } - ] + "binding": [ + {"pattern": "security-sensitivity-level"}, + {"pattern": "security-impact-level"}, + {"pattern": "(security-objective-confidentiality|security-objective-integrity|security-objective-availability)"}, + {"pattern": "system-information/information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)"} + ], + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "fips-199-low", + 
"label": "L", + "#text": "Low" + }, + { + "value": "fips-199-moderate", + "label": "M", + "#text": "Moderate" + }, + { + "value": "fips-199-high", + "label": "H", + "#text": "High" + } + ] + } }, { "name": "system-operational-status", "formal-name": "Operational Status (system)", "description": "The operational status of the system", - "bindings": [ - { - "pattern": "/o:system-security-plan/o:system-characteristics/o:status/@state" - } - ], - "allowed-values": [ - { - "allow-other": "no", - "enums": [ - { - "value": "operational", - "RICHTEXT": "Operational" - }, - { - "value": "under-development", - "RICHTEXT": "Under Development" - }, - { - "value": "disposition", - "RICHTEXT": "Alternative Implementation" - }, - { - "value": "other", - "RICHTEXT": "Other" - } - ] - } - ], - "remarks": "FedRAMP limits the allowed values from a larger NIST-defined list to only those defined here." - } - ], - "back-matter": { - "resources": [ - { - "uuid": "871713A8-5A27-4AC3-8B94-972588469C6B", - "title": "OPM Posiiton Designation", - "props": [ + "binding": {"pattern": "/o:system-security-plan/o:system-characteristics/o:status/@state"}, + "allowed-values": { + "allow-other": "no", + "enum": [ + { + "value": "operational", + "short-label": "Operational", + "#text": "Operational" + }, { - "name": "type", - "value": "" + "value": "under-development", + "short-label": "Development", + "#text": "Under Development" }, { - "name": "published", - "value": "2017-09-01T00:00:00Z" - } - ], - "rlinks": [ + "value": "disposition", + "short-label": "Alternative", + "#text": "Alternative Implementation" + }, { - "href": "https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/position-designation-system-with-glossary-2017.pdf", - "media-type": "application/pdf" + "value": "other", + "short-label": "Other", + "#text": "Other" } ] + }, + "remarks": {"p": "FedRAMP limits the allowed values from a larger NIST-defined list to only those defined here."} + } + ], + 
"back-matter": { + "resource": { + "uuid": "871713A8-5A27-4AC3-8B94-972588469C6B", + "title": "OPM Posiiton Designation", + "prop": [ + {"name": "type"}, + { + "name": "published", + "#text": "2017-09-01T00:00:00Z" + } + ], + "rlink": { + "media-type": "application/pdf", + "href": "https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/position-designation-system-with-glossary-2017.pdf" } - ] + } } } -} +} \ No newline at end of file diff --git a/dist/content/resources/json/fedramp_threats.json b/dist/content/resources/json/fedramp_threats.json index 194b327b9..23b75e0c0 100644 --- a/dist/content/resources/json/fedramp_threats.json +++ b/dist/content/resources/json/fedramp_threats.json @@ -4,8 +4,8 @@ "uuid": "7539047F-158B-4AA0-8FC5-F0530F1CC5CF", "metadata": { "title": "FedRAMP Defined Threat Table [DRAFT]", - "last-modified": "2019-12-15T00:00:00Z", - "version": "DRAFT-02", + "last-modified": "2021-08-11T23:18:00Z", + "version": "fedramp1.0.2-oscal1.0.0", "revisions": { "revision": [ { @@ -27,6 +27,16 @@ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb" }, "remarks": {"p": "Revised draft to align metadata with OSCAL syntax, and to provide a machine-readble definition for threat origination types."} + }, + { + "published": "2021-08-11T23:18:00.00-00:00", + "version": "fedramp1.0.2-oscal1.0.0", + "prop": { + "name": "party-uuid", + "ns": "https://fedramp.gov/ns/oscal", + "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb" + }, + "remarks": {"p": "Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases."} } ] }, diff --git a/dist/content/resources/json/fedramp_values.json b/dist/content/resources/json/fedramp_values.json index 3168527ab..6108fc415 100644 --- a/dist/content/resources/json/fedramp_values.json +++ b/dist/content/resources/json/fedramp_values.json 
@@ -2,17 +2,17 @@
"fedramp-values": {
"xmlns": "https://fedramp.gov/ns/oscal",
"metadata": {
- "title": "[EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values [DRAFT]",
- "title-short": "FedRAMP Data Values (DRAFT)",
- "last-modified": "2021-07-06T12:28:35Z",
- "version": "fedramp1.0.0-oscal1.0.0",
+ "title": "[EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values",
+ "title-short": "FedRAMP Data Values (Experimental)",
+ "last-modified": "2021-08-11T23:20:58Z",
+ "version": "fedramp1.0.2-oscal1.0.0",
"author": "FedRAMP PMO",
- "description": "This EXPERIMENTAL and DRAFT file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format.",
+ "description": "This EXPERIMENTAL file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format.",
"remarks": ""
},
"namespace": {
"ns": {
- "name": "FedRAMP",
+ "name": "fedramp",
"ns": "https://fedramp.gov/ns/oscal"
}
},
@@ -866,12 +866,12 @@
"allow-other": "no",
"enum": [
{
- "value": "TCP",
+ "value": "tcp",
"short-label": "TCP",
"#text": "TCP"
},
{
- "value": "UDP",
+ "value": "udp",
"short-label": "UDP",
"#text": "UDP"
}
@@ -1076,11 +1076,6 @@
"short-label": "Guidance",
"#text": "Guidance"
},
- {
- "value": "pii",
- "short-label": "P.I.I.",
- "#text": "Privacy Impact Information"
- },
{
"value": "policy",
"short-label": "Policy",
@@ -1096,14 +1091,9 @@
"short-label": "Guidance",
"#text": "Guidance Document"
},
- {
- "value": "pia",
- "short-label": "P.I.A.",
- "#text": "Privacy Impact Assessment"
- },
{
"value": "rules-of-behavior",
- "short-label": "R.O.B.",
+ "short-label": "ROB",
"#text": "Rules of Behavior"
},
{
@@ -1187,7 +1177,7 @@
"#text": "Logo"
},
{
- "value": "Personal-Identifiable-Information",
+ "value": "personally-identifiable-information",
"short-label": "PII",
"#text": "Personal Identifiable Information (PII)"
},
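Review bot: This hunk and the later ones in the same file change accepted values in place — `"name": "FedRAMP"` to `"fedramp"` here, `TCP`/`UDP` to `tcp`/`udp` at @@ -866, the `pii` and `pia` entries removed at @@ -1076 and @@ -1096, and `Personal-Identifiable-Information` renamed at @@ -1187 — yet nothing in the file records that the old spellings are no longer accepted. Any already-authored package or validation rule that matches the previous values will presumably stop matching on upgrade to fedramp1.0.2, so the break should be visible where consumers look for it. The `"remarks": ""` kept as context in this hunk is the natural place, for example `"remarks": "fedramp1.0.2: enum values are lowercase; the pii and pia entries were removed in favour of the spelled-out values."` (example wording, adjust to the actual policy).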
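Review bot: At @@ -1187 the value becomes `personally-identifiable-information` while its `#text` on the following context line still reads `Personal Identifiable Information (PII)`, so the machine value and the display text now disagree on what PII expands to. `"#text": "Personally Identifiable Information (PII)"` would bring them back in line. The corresponding entries in fedramp_values.xml and FedRAMP_extensions.xml in this commit show the same display text and would need the same fix.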
@@ -1213,7 +1203,7 @@
},
{
"value": "privacy-impact-assessment",
- "short-label": "PII",
+ "short-label": "PIA",
"#text": "Privacy Impact Assessment"
},
{
diff --git a/dist/content/resources/json/information-types.json b/dist/content/resources/json/information-types.json
index ca83af069..612547ec5 100644
--- a/dist/content/resources/json/information-types.json
+++ b/dist/content/resources/json/information-types.json
@@ -3,10 +3,10 @@
"xmlns": "https://fedramp.gov/ns/oscal",
"uuid": "157BB1F7-8BE7-4642-9D5B-60B5995684F0",
"metadata": {
- "title": "FedRAMP Acceptable Information Types [DRAFT]",
+ "title": "FedRAMP Acceptable Information Types (Experimental)",
"published": "2021-01-15T00:00:00Z",
"last-modified": "2021-01-15T00:00:00Z",
- "version": "DRAFT-02",
+ "version": "fedramp1.0.2-oscal1.0.0",
"revisions": {
"revision": [
{
@@ -28,6 +28,16 @@
"#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
},
"remarks": {"p": "Revised draft to better align with OSCAL SSP syntax."}
+ },
+ {
+ "published": "2021-08-11T23:18:00.00-00:00",
+ "version": "fedramp1.0.2-oscal1.0.0",
+ "prop": {
+ "name": "party-uuid",
+ "ns": "https://fedramp.gov/ns/oscal",
+ "#text": "6b286b5d-8f07-4fa7-8847-1dd0d88f73fb"
+ },
+ "remarks": {"p": "Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases."}
}
]
},
diff --git a/dist/content/resources/xml/FedRAMP_extensions.xml b/dist/content/resources/xml/FedRAMP_extensions.xml
index 6e5b3d6c5..f586cfeb5 100644
--- a/dist/content/resources/xml/FedRAMP_extensions.xml
+++ b/dist/content/resources/xml/FedRAMP_extensions.xml
@@ -2,10 +2,10 @@ - [EXPERIMENTAL] FedRAMP Extensions [DRAFT] - 2021-07-06T23:07:21Z - 2021-07-06T23:07:21Z - fedramp1.0.0-oscal1.0.0 + [EXPERIMENTAL] FedRAMP Extensions + 2021-08-11T23:27:44Z + 2021-08-11T23:27:44Z + fedramp1.0.2-oscal1.0.0 oscal-1.0.0
@@ -32,6 +32,14 @@
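Review bot: In the information-types.json hunk at @@ -3,10 +3,10 @@ the `last-modified` context line stays at `2021-01-15T00:00:00Z` even though this commit changes the title and version and, in the following hunk, appends a revision published on 2021-08-11, so a consumer checking freshness by `last-modified` sees a date older than the newest revision. fedramp_threats.json in the same commit bumps `last-modified` together with the version, and `"last-modified": "2021-08-11T23:18:00Z"` would follow that pattern here. Both copies of information-types.xml keep the same stale value.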

Revised draft to better align with OSCAL RC-1 SSP syntax.

+ + 2021-08-11T23:27:44.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Release reviewed for updated release.

+
+
@@ -67,7 +75,7 @@ -

This EXPERIMENTAL and DRAFT file exteneds OSCAL to meet FedRAMP requirements.

+

This EXPERIMENTAL file exteneds OSCAL to meet FedRAMP requirements.

It provides the extensions, defined identifiers, and acceptable values in a machine-readable format necssary to meet FedRAMP Authorization Package requirements.
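Review bot: The rewritten description on the new side of this hunk keeps the misspelling `exteneds` (`This EXPERIMENTAL file exteneds OSCAL to meet FedRAMP requirements.`), and the unchanged line after it has `necssary`; since the sentence is being edited anyway, `This EXPERIMENTAL file extends OSCAL to meet FedRAMP requirements.` costs nothing and the second fix is one word. The src/content copy of this file carries the identical hunk and the two paths share the same blob ids, so both copies need the correction or dist will diverge from src again.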

@@ -453,8 +461,8 @@ - TCP - UDP + TCP + UDP @@ -681,17 +689,6 @@ - - POAM-ID - POA&M ID - A CSP-assigned POA&M identifier. - - - - - - - control-objective-implementation-status Objective Implementation Status @@ -864,12 +861,13 @@ - POAM-ID - CSP POA&M Identifier - A CSP-assigned identifier for this POA&M item. - + poam-id + POA&M ID + A CSP-assigned POA&M identifier. + - + + @@ -1221,12 +1219,10 @@ Regulation or Directive Industry Standard Guidance - Privacy Impact Information Polciy Procedure Guidance Document - Privacy Impact Assessment - Rules of Behavior + Rules of Behavior Plan System Security Plan Artifact @@ -1245,12 +1241,12 @@ Logo - Personal Identifiable Information (PII) + Personal Identifiable Information (PII) Agreement Incident Response Plan Incident Security Policies and Procedures User Guide - Privacy Impact Assessment + Privacy Impact Assessment Information System Contingency Plan configuration-management-plan diff --git a/dist/content/resources/xml/fedramp_threats.xml b/dist/content/resources/xml/fedramp_threats.xml index bb26190ca..3a85abb95 100644 --- a/dist/content/resources/xml/fedramp_threats.xml +++ b/dist/content/resources/xml/fedramp_threats.xml @@ -3,8 +3,8 @@ FedRAMP Defined Threat Table [DRAFT] - 2019-12-15T00:00:00Z - DRAFT-02 + 2021-08-11T23:18:00Z + fedramp1.0.2-oscal1.0.0 2019-06-01T00:00:00.00-04:00 @@ -22,6 +22,14 @@
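Review bot: At @@ -864 the prop name changes from `POAM-ID` to `poam-id` (and the duplicate definition at @@ -681 is deleted), which alters an identifier that existing POA&M documents may already carry, and nothing visible in the hunk marks the old spelling as deprecated or still accepted; markup is stripped in this view, so an alias or remark added elsewhere cannot be ruled out. The same rename lands in the src/content copy of this file, and the documentation table at the @@ -1187,21 +1163,21 @@ hunk further down also changes this prop's type from NCName to string. A remark on the definition stating that `POAM-ID` is no longer recognized, or that both spellings are accepted for one release, would make the break discoverable.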

Revised draft to align metadata with OSCAL syntax, and to provide a machine-readble definition for threat origination types.

+ + 2021-08-11T23:18:00.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases.

+
+
@@ -377,4 +385,4 @@ Denial of Service - + \ No newline at end of file diff --git a/dist/content/resources/xml/fedramp_values.xml b/dist/content/resources/xml/fedramp_values.xml index c69783873..437e6ec8c 100644 --- a/dist/content/resources/xml/fedramp_values.xml +++ b/dist/content/resources/xml/fedramp_values.xml @@ -1,17 +1,17 @@ - [EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values [DRAFT] - FedRAMP Data Values (DRAFT) - 2021-07-06T12:28:35Z - fedramp1.0.0-oscal1.0.0 + [EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values + FedRAMP Data Values (Experimental) + 2021-08-11T23:20:58Z + fedramp1.0.2-oscal1.0.0 FedRAMP PMO - This EXPERIMENTAL and DRAFT file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format. + This EXPERIMENTAL file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format. - + @@ -357,8 +357,8 @@ The internet protocol transport type. - TCP - UDP + TCP + UDP @@ -443,12 +443,10 @@ Regulation or Directive Industry Standard Guidance - Privacy Impact Information Polciy Procedure Guidance Document - Privacy Impact Assessment - Rules of Behavior + Rules of Behavior Plan System Security Plan Artifact @@ -467,12 +465,12 @@ Logo - Personal Identifiable Information (PII) + Personal Identifiable Information (PII) Agreement Incident Response Plan Incident Security Policies and Procedures User Guide - Privacy Impact Assessment + Privacy Impact Assessment Information System Contingency Plan configuration-management-plan diff --git a/dist/content/resources/xml/information-types.xml b/dist/content/resources/xml/information-types.xml index 94d82ef35..9fa65ee27 100644 --- a/dist/content/resources/xml/information-types.xml +++ b/dist/content/resources/xml/information-types.xml 
@@ -1,10 +1,10 @@ - FedRAMP Acceptable Information Types [DRAFT] + FedRAMP Acceptable Information Types (Experimental) 2021-01-15T00:00:00Z 2021-01-15T00:00:00Z - DRAFT-02 + fedramp1.0.2-oscal1.0.0 2019-06-01T00:00:00.00-04:00 @@ -22,6 +22,14 @@

Revised draft to better align with OSCAL SSP syntax.

+ + 2021-08-11T23:18:00.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases.

+
+
Sampling x - - n/a - n/a - n/a - n/a - 0 or 1 - -

POA&M ID

-

A CSP-assigned POA&M identifier.

- - -

prop

- - -

POAM-ID

- - -

/o:plan-of-action-and-milestones/o:poam-item/o:prop

- - string -   -   - - n/a n/a @@ -1187,21 +1163,21 @@

User Identifier

n/a n/a n/a - [unspecified] + 0 or 1 -

CSP POA&M Identifier

-

A CSP-assigned identifier for this POA&M item.

+

POA&M ID

+

A CSP-assigned POA&M identifier.

prop

-

POAM-ID

+

poam-id

/o:plan-of-action-and-milestones/o:poam-item/o:prop

- NCName + string     diff --git a/src/content/resources/xml/FedRAMP_extensions.xml b/src/content/resources/xml/FedRAMP_extensions.xml index 6e5b3d6c5..f586cfeb5 100644 --- a/src/content/resources/xml/FedRAMP_extensions.xml +++ b/src/content/resources/xml/FedRAMP_extensions.xml @@ -2,10 +2,10 @@ - [EXPERIMENTAL] FedRAMP Extensions [DRAFT] - 2021-07-06T23:07:21Z - 2021-07-06T23:07:21Z - fedramp1.0.0-oscal1.0.0 + [EXPERIMENTAL] FedRAMP Extensions + 2021-08-11T23:27:44Z + 2021-08-11T23:27:44Z + fedramp1.0.2-oscal1.0.0 oscal-1.0.0 @@ -32,6 +32,14 @@
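Review bot: The datatype for the `poam-id` prop value changes from `NCName` to `string`, which drops the constraint that a CSP-assigned identifier be a name token without whitespace or punctuation; the file header for this hunk is not visible here, so this appears to be a documentation table rather than the definition itself. If tooling uses the identifier as a lookup key or cross-reference target, loosening it to free text means consumers can no longer assume a token-shaped value, and that should be stated in the description, e.g. `A CSP-assigned POA&M identifier; any string value is accepted.` The cardinality change from `[unspecified]` to `0 or 1` in the same hunk is fine provided it agrees with the definition at @@ -864 in FedRAMP_extensions.xml.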

Revised draft to better align with OSCAL RC-1 SSP syntax.

+ + 2021-08-11T23:27:44.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Release reviewed for updated release.

+
+
@@ -67,7 +75,7 @@ -

This EXPERIMENTAL and DRAFT file exteneds OSCAL to meet FedRAMP requirements.

+

This EXPERIMENTAL file exteneds OSCAL to meet FedRAMP requirements.

It provides the extensions, defined identifiers, and acceptable values in a machine-readable format necssary to meet FedRAMP Authorization Package requirements.

@@ -453,8 +461,8 @@ - TCP - UDP + TCP + UDP @@ -681,17 +689,6 @@ - - POAM-ID - POA&M ID - A CSP-assigned POA&M identifier. - - - - - - - control-objective-implementation-status Objective Implementation Status @@ -864,12 +861,13 @@ - POAM-ID - CSP POA&M Identifier - A CSP-assigned identifier for this POA&M item. - + poam-id + POA&M ID + A CSP-assigned POA&M identifier. + - + + @@ -1221,12 +1219,10 @@ Regulation or Directive Industry Standard Guidance - Privacy Impact Information Polciy Procedure Guidance Document - Privacy Impact Assessment - Rules of Behavior + Rules of Behavior Plan System Security Plan Artifact @@ -1245,12 +1241,12 @@ Logo - Personal Identifiable Information (PII) + Personal Identifiable Information (PII) Agreement Incident Response Plan Incident Security Policies and Procedures User Guide - Privacy Impact Assessment + Privacy Impact Assessment Information System Contingency Plan configuration-management-plan diff --git a/src/content/resources/xml/fedramp_threats.xml b/src/content/resources/xml/fedramp_threats.xml index f29db7f5f..3a85abb95 100644 --- a/src/content/resources/xml/fedramp_threats.xml +++ b/src/content/resources/xml/fedramp_threats.xml @@ -3,8 +3,8 @@ FedRAMP Defined Threat Table [DRAFT] - 2019-12-15T00:00:00Z - DRAFT-02 + 2021-08-11T23:18:00Z + fedramp1.0.2-oscal1.0.0 2019-06-01T00:00:00.00-04:00 @@ -22,6 +22,14 @@

Revised draft to align metadata with OSCAL syntax, and to provide a machine-readble definition for threat origination types.

+ + 2021-08-11T23:18:00.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases.

+
+
diff --git a/src/content/resources/xml/fedramp_values.xml b/src/content/resources/xml/fedramp_values.xml index c69783873..437e6ec8c 100644 --- a/src/content/resources/xml/fedramp_values.xml +++ b/src/content/resources/xml/fedramp_values.xml @@ -1,17 +1,17 @@ - [EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values [DRAFT] - FedRAMP Data Values (DRAFT) - 2021-07-06T12:28:35Z - fedramp1.0.0-oscal1.0.0 + [EXPERIMENTAL] FedRAMP Defined Identifiers and Accepted Values + FedRAMP Data Values (Experimental) + 2021-08-11T23:20:58Z + fedramp1.0.2-oscal1.0.0 FedRAMP PMO - This EXPERIMENTAL and DRAFT file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format. + This EXPERIMENTAL file provides the FedRAMP defined identifiers and acceptable values in a machine-readable format. - + @@ -357,8 +357,8 @@ The internet protocol transport type. - TCP - UDP + TCP + UDP @@ -443,12 +443,10 @@ Regulation or Directive Industry Standard Guidance - Privacy Impact Information Polciy Procedure Guidance Document - Privacy Impact Assessment - Rules of Behavior + Rules of Behavior Plan System Security Plan Artifact @@ -467,12 +465,12 @@ Logo - Personal Identifiable Information (PII) + Personal Identifiable Information (PII) Agreement Incident Response Plan Incident Security Policies and Procedures User Guide - Privacy Impact Assessment + Privacy Impact Assessment Information System Contingency Plan configuration-management-plan diff --git a/src/content/resources/xml/information-types.xml b/src/content/resources/xml/information-types.xml index 94d82ef35..9fa65ee27 100644 --- a/src/content/resources/xml/information-types.xml +++ b/src/content/resources/xml/information-types.xml @@ -1,10 +1,10 @@ - FedRAMP Acceptable Information Types [DRAFT] + FedRAMP Acceptable Information Types (Experimental) 2021-01-15T00:00:00Z 2021-01-15T00:00:00Z - DRAFT-02 + fedramp1.0.2-oscal1.0.0 2019-06-01T00:00:00.00-04:00 @@ -22,6 +22,14 @@

Revised draft to better align with OSCAL SSP syntax.

+ + 2021-08-11T23:18:00.00-00:00 + fedramp1.0.2-oscal1.0.0 + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + +

Updated version reviewed for fedramp1.0.2-oscal1.0.0 releases.

+
+