From 8d777a7a9727052e5cd77603c412aff9593fb43c Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Mon, 2 Dec 2024 10:57:04 -0500 Subject: [PATCH] Add Leveraged-Authorization Documentation (#124) * Add leveraged authorization documentation * Fix wording Co-authored-by: DimitriZhurkin * Remove "attest" Co-authored-by: DimitriZhurkin * Fix remark --------- Co-authored-by: DimitriZhurkin --- .../ssp/4-ssp-template-to-oscal-mapping.md | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 4c08d4b..01827cd 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md 
@@ -915,10 +915,10 @@ Each system must define at least two data centers. There must be exactly one pri --- ## Leveraged FedRAMP-Authorized Services -If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. +If this system is leveraging the authorization of one or more systems, such as a SaaS running on an IaaS, each leveraged system must be represented within the `system-implementation` assembly. There must be one `leveraged-authorization` assembly and one matching `component` assembly for each leveraged authorization. A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that matches or exceeds the security sensitivity level of the leveraging system. The `leveraged-authorization` assembly includes the leveraged system's name, point of contact (POC), and authorization date. The `component` assembly must be linked to the `leveraged-authorization` assembly using a property (prop) field with the name "leveraged-authorization-uuid" and the -UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". +UUID value of its associated `leveraged-authorization` assembly. The `component` assembly enables controls to reference it with the `by-component` responses described in the [*Control Implementation Descriptions*](/documentation/ssp/6-security-controls/#control-implementation-descriptions) section. The "implementation-point" property value must be set to "external". 
The component assembly must define an `authentication-method` with remarks that explain the method if authentication is used, justify the absence of authentication if not used, or provide an explanation of why authentication is not applicable. If the leveraged system owner provides a UUID for their system, such as in an OSCAL-based Inheritance and Responsibility document (similar to a CRM), it should be provided as the inherited-uuid property value. @@ -946,7 +946,10 @@ While a leveraged system has no need to represent content here, its SSP must inc E.I.P. - + + + fips-199-moderate + Name of Underlying System @@ -960,8 +963,18 @@ While a leveraged system has no need to represent content here, its SSP must inc uuid-of-leveraged-system-poc 2015-01-01 - - + + + + + + + +

This component has an authentication method which we document as required here.

+
+
+
+ Name of Leveraged System

Briefly describe leveraged system.

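Review bot: the sample `remarks` text in this hunk ("This component has an authentication method which we document as required here.") only asserts that a method is documented and does not itself show one of the three cases the prose above requires (explain the method if used, justify its absence if not used, or explain why it is not applicable). Since this XML is the template readers copy, the remark should model a concrete explanation, for example naming the mechanism used between the leveraging and leveraged system, so that each of the `yes`, `no` and `not-applicable` cases has an obvious pattern to follow. It is also worth confirming that the new `authentication-method` element in the example carries the `value` property whose allowed values are introduced in the last hunk, so the example and the allowed-values list agree.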
@@ -1020,6 +1033,11 @@ FedRAMP defines the following allowed values for the nature-of-agreement propert - other - sla +FedRAMP defines the following allowed values for an authentication-method's value property: +- yes +- no +- not-applicable + {{}} #### XPath Queries
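Review bot: in the first hunk, the new sentence "A leveraged authorization must define a FIPS-199 impact level (low, moderate, or high) that matches or exceeds the security sensitivity level of the leveraging system" states the requirement but not how it is expressed in OSCAL, while the XML example in the second hunk shows a property value of `fips-199-moderate`. The prose should name the property that carries the impact level, its expected value format, and where it lives (in the `leveraged-authorization` assembly, judging by its position next to the system name and POC), so that a reader can map the requirement to the example without guessing. Separately, the wording "matches or exceeds" should make explicit which level is compared against which: the leveraged system's authorized level must be at least the leveraging system's level, which is what the sentence intends but a reader could read the other way round.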
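Review bot: this hunk adds an allowed-values list for the `authentication-method` value property (`yes`, `no`, `not-applicable`), but no equivalent list is added for the FIPS-199 impact-level property introduced earlier in the patch, whose only documented form is the single example value `fips-199-moderate`. Since the prose says the level may be low, moderate or high, the allowed-values section should list all three accepted strings (the low and high counterparts of `fips-199-moderate`) in the same "FedRAMP defines the following allowed values" style, so validators and authors have one place to look. A short sentence tying `no` and `not-applicable` back to the remarks requirement (a justification for `no`, an explanation for `not-applicable`) would also keep this list consistent with the `authentication-method` paragraph.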