-
Notifications
You must be signed in to change notification settings - Fork 92
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2 from brianrufgsa/file-updates
WIP
- Loading branch information
Showing
5 changed files
with
9,270 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
documents/source |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
ad-hoc | ||
boolean | ||
bulleted | ||
catalog | ||
catalogs | ||
circleci | ||
CODE_OF_CONDUCT.md | ||
conformant | ||
consensus | ||
CONTRIBUTING.md | ||
datatypes | ||
deliverables | ||
duplicative | ||
e.g. | ||
fedramp | ||
fedramp.gov | ||
formatter | ||
formatters | ||
github | ||
http | ||
i.e. | ||
ISSUE_TEMPLATE | ||
json | ||
json-based | ||
jekyll | ||
LICENSE.md | ||
localhost | ||
lossless | ||
metadata | ||
metaschema | ||
metaschemas | ||
namespace | ||
namespaces | ||
ncname | ||
nist.gov | ||
pipelined | ||
quickstart | ||
repo | ||
rev4 | ||
runtime | ||
saxon | ||
saxonhe | ||
schemas | ||
schematron | ||
schematrons | ||
sexualized | ||
SP800-53 | ||
src | ||
stylesheet | ||
stylesheets | ||
subcomponent | ||
subcomponents | ||
subcontrol | ||
subcontrols | ||
sublicensable | ||
toolchain | ||
U.S. | ||
unformatted | ||
USERS.md | ||
utf-8 | ||
xml | ||
xpath | ||
xproc | ||
xq | ||
xquery | ||
xqueries | ||
xsd | ||
xsl | ||
xslt | ||
xslts | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,43 +1,44 @@ | ||
<img src='./assets/FedRAMP_LOGO.png' alt="FedRAMP" width="76" height="94"><br /> | ||
<h2>Federal Risk and Authorization Management Program (FedRAMP) Automation</h2> | ||
|
||
### November 27, 2019 | ||
|
||
FedRAMP is excited to announce that the program has reached an important milestone in automating security documentation. Since May 2018, FedRAMP has worked closely with NIST and industry to develop the Open Security Controls Assessment Language (OSCAL), a standard language and framework that can be applied to the publication, implementation, and assessment of security controls. | ||
|
||
FedRAMP expects that OSCAL will offer a number of benefits to make things easier for stakeholders. | ||
- **Cloud Service Providers (CSPs)** will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission. | ||
- **Third Party Assessment Organizations (3PAOs)** will be able to automate the planning, execution, and reporting of assessment activities. | ||
- **Leveraging Agencies** will be able to import authorization content into existing tools, rather than entering it manually. | ||
|
||
FedRAMP is building OSCAL-based tools, beginning with a tool to speed up and automate the review of SSP content submitted in an OSCAL format. | ||
|
||
NIST and FedRAMP just released [OSCAL Milestone 2](https://github.com/usnistgov/OSCAL/releases), which offers: | ||
- A new System Security Plan (SSP) model that lets organizations automate the documentation of security and privacy control implementation using OSCAL | ||
- Updated content for the four FedRAMP baselines, the three NIST baselines, and the NIST SP 800-53 revision 4 catalog in OSCAL XML, JSON, and YAML formats | ||
- Updated stable versions of the OSCAL catalog and profile models and associated XML and JSON schemas | ||
- Tools to convert the OSCAL catalog, profile, and SSP content between OSCAL, XML, and JSON | ||
- A registry of FedRAMP-specific extensions, FedRAMP-defined identifiers, and acceptable values when using OSCAL | ||
- A guidance document to aid tool developers in generating fully compliant OSCAL-based FedRAMP SSP content. | ||
- An OSCAL-based FedRAMP SSP template, available in both XML and JSON formats. | ||
|
||
**FedRAMP Wants Your Technical Feedback!**<br /> | ||
Are you well versed in XML, JSON, or YAML? If so, FedRAMP wants your feedback on the below content. For the below items, please provide comments either via email to [email protected], as a comment to an existing issue, or as a new issue via GitHub within the FedRAMP-SSP repository [add link once repo is established]. | ||
- **FedRAMP OSCAL Registry:** This will serve as the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available here[need link]. | ||
- **Guidance Document:** Modeling a FedRAMP SSP in OSCAL: This document enables tool developers to generate OSCAL-based SSP files that are fully compliant with FedRAMP’s extensions, defined identifiers, and acceptable values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/content/Modeling_a_FedRAMP-SSP_in_OSCAL.pdf). | ||
- **OSCAL-based FedRAMP SSP Template:** The template file is pre-populated with FedRAMP extensions and defined-identifiers where practical. It also includes some sample data, and is the basis for the guidance document above. The draft for public comment is available in both XML and JSON formats here[need link]. | ||
- **FedRAMP Baselines:** The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML, JSON, and YAML formats) are available here. | ||
|
||
**NIST Wants Your Feedback!**<br /> | ||
For the below items, please provide comments either via email to [email protected], as a comment to an existing issue, or as a new issue via the NIST OSCAL GitHub site. | ||
- **System Security Plan (SSP) model:** This SSP model lets organizations document the security and privacy control implementation of their systems using a rich OSCAL model. The model can represent any type of SSP, including FedRAMP SSP content. The syntax is available here. Content Converters: The converters accurately convert OSCAL catalog, profile, and SSP content from XML to JSON format and JSON to XML. | ||
# Federal Risk and Authorization Management Program (FedRAMP) Automation | ||
### Based on the Open Security Controls Assessment Language (OSCAL) | ||
|
||
|
||
## November 27, 2019 | ||
|
||
The FedRAMP Program Management Office (PMO) has drafted FedRAMP-specific extensions and guidance to ensure our stakeholders can fully express a FedRAMP System Security Plan (SSP) using NIST's [OSCAL SSP syntax](https://pages.nist.gov/OSCAL/documentation/schema/ssp/). | ||
|
||
|
||
## We Want Your Feedback! | ||
The FedRAMP PMO is releasing the following files for public review and comment: | ||
- **FedRAMP OSCAL Registry:** This registry is the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/documents/FedRAMP_OSCAL_Registry.xlsx). | ||
- **Guidance Document:** Modeling a FedRAMP SSP in OSCAL: This document enables tool developers to generate OSCAL-based SSP files that are fully compliant with FedRAMP’s extensions, defined identifiers, and acceptable values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/documents/Modeling_a_FedRAMP-SSP_in_OSCAL.pdf). | ||
- **OSCAL-based FedRAMP SSP Template:** The template file is pre-populated with FedRAMP extensions and defined-identifiers where practical. It also includes some sample data, and is the basis for the guidance document above. The draft for public comment is available in both [XML](https://github.com/GSA/fedramp-automation/raw/master/templates/FedRAMP-SSP-OSCAL-Template.xml) and [JSON](https://github.com/GSA/fedramp-automation/raw/master/templates/FedRAMP-SSP-OSCAL-Template.json) formats. | ||
- **FedRAMP Baselines:** The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML, JSON, and YAML formats) are available [here](https://github.com/usnistgov/OSCAL/tree/master/content/fedramp.gov). | ||
|
||
To provide feedback for the items above please create or add an [issue](https://github.com/GSA/fedramp-automation/issues), or send comments via email to [[email protected]](mailto:[email protected]). | ||
|
||
|
||
## Dependencies | ||
|
||
FedRAMP's work is based on NIST's [OSCAL 1.0.0-Milestone2 release](https://github.com/usnistgov/OSCAL/releases/tag/v1.0.0-milestone2), and requires an understanding of the core OSCAL syntax, as well as NIST-provided resources to functon correctly. | ||
|
||
The following NIST resources are available: | ||
- **NIST's Main OSCAL Site:** [https://pages.nist.gov/OSCAL/](https://pages.nist.gov/OSCAL/) | ||
- **NIST's OSCAL GitHub Repository:** [https://github.com/usnistgov/OSCAL](https://github.com/usnistgov/OSCAL) | ||
- **OSCAL Workshop Training Slides:** Provided at an October workshop hosted by the NIST OSCAL Team. The early portions of the deck provide an overview, with more technical details beginning on slide 52. | ||
|
||
|
||
- **Content Converters:** The converters accurately convert OSCAL catalog, profile, and SSP content from XML to JSON format and JSON to XML. | ||
|
||
- **NIST’s 800-53 & 53A Revision 4:** NIST is also providing SP 800-53 and 800-53A, Revision 4 content as well as the NIST High, Moderate, and Low baselines in OSCAL (XML, JSON, and YAML formats) here. | ||
|
||
A complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both ZIP and BZ2 formats. FedRAMP looks forward to receiving your comments and sharing additional progress. | ||
NIST offers a complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both [ZIP](https://github.com/usnistgov/OSCAL/releases/download/v1.0.0-milestone2/oscal-1.0.0-milestone2.zip) and [BZ2](https://github.com/usnistgov/OSCAL/releases/download/v1.0.0-milestone2/oscal-1.0.0-milestone2.tar.bz2) formats. | ||
|
||
Please provide questions and feedback on the above NIST dependencie either via email to [[email protected]]([email protected]), as a comment to an existing issue, or as a new issue via the [NIST OSCAL GitHub site](https://github.com/usnistgov/OSCAL/issues). | ||
|
||
|
||
### FedRAMP looks forward to receiving your comments and sharing additional progress. | ||
|
||
**Public Comment Period**<br /> | ||
We will accept feedback at any time. To ensure FedRAMP considers your feedback before the full release of these documents, please respond no later than January 31, 2020. | ||
|
||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<fedramp-values xmlns="http://csrc.nist.gov/ns/oscal/1.0"> | ||
<metadata> | ||
<title>FedRAMP Definitions and Accepted Values</title> | ||
<title-short>FedRAMP Values</title-short> | ||
<description><p>This provides the FedRAMP acceptable values in a machine-readable format.</p></description> | ||
<author>Brian J. Ruf, CISSP, CCSP, PMP</author> | ||
<last-modified>2019-11-19Z</last-modified> | ||
</metadata> | ||
|
||
<baselines> | ||
<file id="high" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml" /> | ||
<file id="moderate" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml" /> | ||
<file id="low" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml" /> | ||
</baselines> | ||
|
||
<nist name="nist-800-53r4">https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml</nist> | ||
|
||
<security-sensitivity-level> | ||
<value id="low" label="Low" label-short="L" /> | ||
<value id="moderate" label="Moderate" label-short="M" /> | ||
<value id="high" label="High" label-short="H" /> | ||
</security-sensitivity-level> | ||
|
||
<privacy-sensitive> | ||
<value id="yes" label="Privacy Sensitive" label-short="Yes" /> | ||
<value id="no" label="Not Privacy Sensitive" label-short="No" /> | ||
</privacy-sensitive> | ||
|
||
<answers> | ||
<value id="yes" label="Yes" label-short="Y" /> | ||
<value id="no" label="No" label-short="N" /> | ||
</answers> | ||
|
||
<levels> | ||
<value id="low" label="Low" label-short="L" /> | ||
<value id="moderate" label="Moderate" label-short="M" /> | ||
<value id="high" label="High" label-short="H" /> | ||
</levels> | ||
|
||
<authorization-type> | ||
<value id="fedramp-jab" label="FedRAMP JAB P-ATO" label-short="JAB" /> | ||
<value id="fedramp-agency" label="FedRAMP Agency ATO" label-short="Agency" /> | ||
<value id="fedramp-li-saas" label="FedRAMP Tailored for LI-SaaS" label-short="LI-SaaS" /> | ||
</authorization-type> | ||
|
||
<service-model> | ||
<value id="saas" label="Software as a Service" label-short="SaaS" /> | ||
<value id="paas" label="Platform as a Service" label-short="PaaS" /> | ||
<value id="iaas" label="Infrastructure as a Service" label-short="IaaS" /> | ||
<value id="other" label="Other" label-short="Other" /> | ||
</service-model> | ||
|
||
<deployment-model> | ||
<value id="public" label="Public" label-short="Public" /> | ||
<value id="private" label="Private" label-short="Private" /> | ||
<value id="community-usgov-only" label="Government Only Community" label-short="USG Community" /> | ||
<value id="hybrid" label="Hybrid" label-short="Hybrid" /> | ||
</deployment-model> | ||
|
||
<system-status> | ||
<value id="operational" label="Operational" label-short="Operational" /> | ||
<value id="under-development" label="Under Development" label-short="Development" /> | ||
<value id="under-major-modification" label="Major Modification" label-short="Major Mod." /> | ||
<value id="disposition" label="Alternative Implementation" label-short="Alternative" /> | ||
<value id="other" label="Other" label-short="Other" /> | ||
</system-status> | ||
|
||
<user-type> | ||
<value id="internal" label="Internal" label-short="I" /> | ||
<value id="external" label="External" label-short="E" /> | ||
</user-type> | ||
|
||
<privilege-type> | ||
<value id="P" label="Privileged" label-short="P" /> | ||
<value id="NP" label="Non-Privileged" label-short="NP" /> | ||
<value id="NLA" label="No Logical Access" label-short="NLA" /> | ||
</privilege-type> | ||
|
||
<user-sensitivity> | ||
<value id="high-risk" label="High Risk" label-short="High" /> | ||
<value id="severe" label="Severe" label-short="Sev." /> | ||
<value id="moderate" label="Moderate" label-short="Mod." /> | ||
<value id="limited" label="Limited" label-short="Lim." /> | ||
<value id="na" label="Not Applicable" label-short="N/A" /> | ||
</user-sensitivity> | ||
|
||
<interconnection-direction> | ||
<value id="incoming" label="Incoming" label-short="In" /> | ||
<value id="outgoing" label="Outgoing" label-short="Out" /> | ||
</interconnection-direction> | ||
|
||
<interconnection-security> | ||
<value id="ipsec" label="Incoming" label-short="In" /> | ||
<value id="vpn" label="Outgoing" label-short="Out" /> | ||
<value id="ssl" label="Outgoing" label-short="Out" /> | ||
<value id="certificate" label="Outgoing" label-short="Out" /> | ||
<value id="secure-file-transfer" label="Outgoing" label-short="Out" /> | ||
<value id="other" label="Other" label-short="Out" /> | ||
</interconnection-security> | ||
|
||
<component-type> | ||
<value id="software" label="Software" label-short="S/W" /> | ||
<value id="hardware" label="Hardware" label-short="H/W" /> | ||
<value id="service" label="Service" label-short="Svc" /> | ||
<value id="policy" label="Policy" label-short="Pol" /> | ||
<value id="process" label="Process" label-short="Pros" /> | ||
<value id="procedure" label="Procedure" label-short="Proc" /> | ||
<value id="plan" label="Plan" label-short="Plan" /> | ||
<value id="guidance" label="Guidance" label-short="Guide" /> | ||
<value id="standard" label="Standard" label-short="Std" /> | ||
<value id="validation" label="Validation" label-short="Val" /> | ||
<value id="customer" label="Customer" label-short="Cust" /> | ||
<value id="*" label="Any Other" label-short="*" /> | ||
</component-type> | ||
|
||
<asset-type> | ||
<value id="os" label="Operating System" label-short="OS" /> | ||
<value id="database" label="Database" label-short="DB" /> | ||
<value id="web-server" label="Service" label-short="Web" /> | ||
<value id="dns-server" label="Policy" label-short="DNS" /> | ||
<value id="email-server" label="Process" label-short="eMail" /> | ||
<value id="directory-server" label="Procedure" label-short="LDAP" /> | ||
<value id="pbx" label="Private Branch Exchange" label-short="PBX" /> | ||
<value id="firewall" label="Firewall" label-short="FW" /> | ||
<value id="router" label="Router" label-short="Rtr" /> | ||
<value id="switch" label="Switch" label-short="Swtch" /> | ||
<value id="storage-array" label="Storage Array" label-short="Store" /> | ||
<value id="*" label="Any Other" label-short="*" /> | ||
</asset-type> | ||
|
||
<implementation-status> | ||
<value id="implemented" label="Implemented" label-short="Implemented" /> | ||
<value id="partial" label="Partially Implemented" label-short="Partial" /> | ||
<value id="planned" label="Planned" label-short="Planned" /> | ||
<value id="alternative" label="Alternative Implementation" label-short="Alternative" /> | ||
<value id="na" label="Not Applicable" label-short="N/A" /> | ||
</implementation-status> | ||
|
||
<control-origination> | ||
<value id="sp-corporate" label="Service Provider (Corporate)" label-short="SP Corporate" /> | ||
<value id="sp-system" label="Service Provider (System Specific)" label-short="SP System" /> | ||
<value id="customer-configured" label="Configured by Customer" label-short="Cust. Configured" /> | ||
<value id="customer-provided" label="Provided by Customer" label-short="Cust. Provided" /> | ||
<value id="inherited" label="Inherited" label-short="Inherited"/> | ||
</control-origination> | ||
|
||
<citation-tye> | ||
<value id="law" label="Law or Statute" label-short="Law" /> | ||
<value id="regulation" label="Regulation or Directive" label-short="Regulation" /> | ||
<value id="standard" label="Industry Standard" label-short="Standard" /> | ||
<value id="guidance" label="Guidance" label-short="Guidance" /> | ||
<value id="pii" label="Privacy Impact Information" label-short="P.I.I."/> | ||
</citation-tye> | ||
|
||
<resource-tye> | ||
<value id="policy" label="Polciy" label-short="Policy" /> | ||
<value id="procedure" label="Procedure" label-short="Procedure" /> | ||
<value id="guide" label="Guidance Document" label-short="Guidance" /> | ||
<value id="pia" label="Privacy Impact Assessment" label-short="P.I.A." /> | ||
<value id="rob" label="Rules of Behavior" label-short="R.O.B."/> | ||
<value id="plan" label="Plan" label-short="PLan"/> | ||
</resource-tye> | ||
|
||
</fedramp-values> |
Oops, something went wrong.