SSP Completeness Checks: 6 Leveraged FedRAMP-Authorized Services #807

Open
11 of 21 tasks
Tracked by #803
brian-ruf opened this issue Oct 23, 2024 · 8 comments
brian-ruf commented Oct 23, 2024

This is a ...

fix - something needs to be different

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

  • Check for presence
  • If present, check for required fields

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • all constraints associated with the review task have been converted/created
  • automate.fedramp.gov content has been updated accordingly
  • the metaschema help prop has an appropriate link to the constraint
  • the template has an content that models the desired OSCAL presentation
  • the constraint runs against the example template
  • known-bad content has been created
  • the constraint appropriately flags the known-bad content as invalid

Other information

No response

TASKS


brian-ruf commented Nov 10, 2024

There are a few concepts to sort out, that the former FedRAMP OSCAL SSP Template and documentation conflated.

  • A leveraged system is where this system is running within an underlying system. This is typically a SaaS running inside an IaaS or PaaS. They are considered part of the same stack.
  • A leveraged service can come from:
    • within a leveraged system, thus no interconnection is used.
    • an external system other than the leveraged system, thus an interconnection is typically used.

Scenarios:
A. FedRAMP-Authorized SaaS, running within a FedRAMP-Authorized PaaS or IaaS OR a FedRAMP-authorized PaaS running within a FedRAMP-Authorized IaaS

  • Handled in Section 6 of the Word SSP Template (Leveraged FedRAMP Authorized Services)
  • Must have //leveraged-authorization entry
  • Must have //component[@type=''] entry
  • The above component must have prop[@name='leveraged-authorization-uuid'][@ns=''] with a @value set to the UUID of the above //leveraged-authorization

B. FedRAMP-Authorized System using a service from an underlying leveraged system that appears in the Leveraged Authorization Table:

  • B.1. The service is authorized as part of the leveraged system's FedRAMP authorization and listed under the leveraged system's Marketplace entry:
    • LESS GRANULAR / LEGACY WORD->OSCAL CONVERSION APPROACH:
      • Insert one property (prop[@name='leveraged'][@ns='http://fedramp.gov/ns/oscal']) per service in the appropriate Leveraged Authorization entry
      • In the property's @value indicate the service name
      • In the property's remarks indicate the service features used
    • MORE GRANULAR / PREFERRED:
      • Create one //component[@type='service'] for each service used
      • The above component must have prop[@name='leveraged-authorization-uuid'] with a @value set to the UUID of the above //leveraged-authorization
  • B.2. The service is not authorized as part of the leveraged system's FedRAMP authorization and is not listed under the leveraged system's Marketplace entry:

C. FedRAMP-Authorized System using services from a system other than the underlying leveraged system:


brian-ruf commented Nov 10, 2024

LOCATIONS:

  • //system-implementation/leveraged-authorization
  • //system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']]
    Where: //leveraged-authorization[@uuid=//component[@type='system']/prop[@name='leveraged-authorization-uuid']/@value]
| Data | Location | Documentation Notes | Example Updated |
|---|---|---|---|
| # | n/a / Sequential Numbering | n/a | n/a |
| CSP Name | //metadata/party[@uuid=//system-implementation/leveraged-authorization/party-uuid]/name (required field) | Replace with valid UUID value in OSCAL Representation | Y |
| CSO Name | //system-implementation/leveraged-authorization/title (required field) | Good | Y |
| CSO Service (Name) | //system-implementation/component[@type='service'][./prop[@name='leveraged-authorization-uuid']]/title | Add two entries to OSCAL Representation | Y |
| CSO Service (Features) | //system-implementation/leveraged-authorization/prop[@name='leveraged-service'][@ns='http://fedramp.gov/ns/oscal']/remarks/node() | Add two entries to OSCAL Representation | Y |
| Authorization Type | //system-implementation/leveraged-authorization/prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal']/@value | Good | Y |
| Package ID | //system-implementation/leveraged-authorization/prop[@name='leveraged-system-identifier'][@ns='http://fedramp.gov/ns/oscal'] | Good | Y |
| Nature of Agreement | //component[@type='system']/prop[@name='agreement-type'][@ns='http://fedramp.gov/ns/oscal']/@value | Add prop to component | Y |
| Impact Level | //system-implementation/leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal'] | Good | Y |
| Data Types | //component[@type='system'][./prop[@name='leveraged-authorization-uuid']]/prop[@name='information-type'][@ns='http://fedramp.gov/ns/oscal']/@value | Needs to be added to OSCAL Representation | Y |
| Authorized Users (REVISED) | //component[@type='system'][./prop[not(@name='provider')]]/responsible-role[@role-id='leveraged-authorization-users']/party-uuid | Missing from OSCAL Representation; correct in XPath queries | Y |
| User Authentication Method | //system-implementation/leveraged-authorization/prop[@name='user-authentication'][@ns='http://fedramp.gov/ns/oscal'] | Missing from OSCAL Representation; incorrect in XPath queries | Y |
| Date Authorized | //system-implementation/leveraged-authorization/date-authorized (required field) | Good | Y |

Constraints Needed:

  • For each //leveraged-authorization item the following constraints should produce ERROR unless otherwise noted:

    • IMPORTANT: The count functions are not written correctly below in that they are written as if there is only one LA. They should be written so that they evaluate each LA individually. Some LA entries will pass and others will fail. I do not (yet) know how to write a constraint that performs a check for each distinct item.

    • party-uuid references a valid //party: Core OSCAL does not have a constraint to ensure the party-uuid points to a valid party.

    • count(./prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal'] ) = 1: Exactly one authorization type

    • count(./prop[@name='leveraged-system-identifier'][@ns='http://fedramp.gov/ns/oscal'] ) = 1: Exactly one package identifier

    • count(./prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal'] ) = 1: Exactly one impact level

    • count(./prop[@name='authorization-type'][@ns='http://fedramp.gov/ns/oscal'] ) = 1: Exactly one authorization type

    • count(./prop[@name='service'][@ns='http://fedramp.gov/ns/oscal'] ) >= 1: 0 or more leveraged-service

    • count(./prop[@name='service'][@ns='http://fedramp.gov/ns/oscal'][@value='other']/remarks ) = 1: if service property has a value of "other", remarks must be present. (Reworking services.)

    • count(./prop[@name='user-uuid'][@ns='http://fedramp.gov/ns/oscal'] ) >= 1: 1 or more authorized users (WARN if less than 1)

    • count(//system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']][@value=./@uuid]) = 1: Must be referenced by exactly one component of type "system".

      • NOTE: The component type is important. There may be 0 or more components of type "service" that reference the leveraged authorization, but only exactly one component of type "system".
    • count(//system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']]/prop[@name='nature-of-agreement'][@ns='http://fedramp.gov/ns/oscal']) = 1: Each LA must have exactly one nature-of-agreement property in its corresponding "system" component.

    • count(//system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']]/prop[@name='user-authentication'][@ns='http://fedramp.gov/ns/oscal']/remarks ) = 1: Exactly 1 authentication

    • count(//system-implementation/component[@type='system'][./prop[not(@name='provider')]]/responsible-role[@role-id='leveraged-authorization-users']//party-uuid) >= 1: 1 or more authorized users (WARN if less than 1) ADDED.

    • count(//system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']]/prop[@name='implementation-point' and @value='external']) = 1: exactly 1 indicator this is an external system ADDED.

    • count(//system-implementation/component[@type='system'][./prop[@name='leveraged-authorization-uuid']]/prop[@name='information-type'][@ns='http://fedramp.gov/ns/oscal']) >= 1: Each LA must have at least one information-type property in its corresponding "system" component.

  • If this is a SaaS, provide a WARNING if there are no leveraged authorizations. Check that SaaS has at least one leveraged authorization #895

    • If //system-characteristics/prop[@name='cloud-service-model']/@value is saas
    • count(//leveraged-authorization) >= 1
  • Each //system-implementation/leveraged-authorization/prop[@name='user-uuid'][@ns='http://fedramp.gov/ns/oscal']/@value must reference a valid //system-implementation/user
    REMOVED This is now handled in the //component/responsible-role/party-uuid, where core OSCAL enforces presence.

  • //system-implementation/leveraged-authorization/prop[@name='user-authentication'][@ns='http://fedramp.gov/ns/oscal']/@value: Allowed values (allow others = no): Check allowed values for user authentication #891

    • yes: A user authentication mechanism exists, and is described in the remarks.
    • no: A user authentication mechanism does not exist, the reason authentication is not necessary is described in the remarks.
    • not-applicable: No user authentication is necessary, and an attestation is provided in the remarks.
  • //component/prop[@name='nature-of-agreement'][@ns='http://fedramp.gov/ns/oscal']: Allowed values (allow others = yes): Allowed Values for nature-of-agreement for leveraged authorization #889

    • contract: A contract between the CSP and the organization that owns the leveraged system.
    • mou : A memorandum of understanding between the CSP and the organization that owns the leveraged system.
    • sla : A service-level agreement between the CSP and the organization that owns the leveraged system.
    • eula : An end user license agreement between the CSP and the organization that owns the leveraged system.
    • license : An application license agreement between the CSP and the organization that owns the leveraged system.
    • other : A non-typical agreement between the CSP and the organization that owns the leveraged system. Explain in remarks.
  • //leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']: Allowed values (allow others = no): Check for impact level of leveraged authorizations in a SSP #888

    • fips-199-low : A 'low' sensitivity level as defined in FIPS-199.
    • fips-199-moderate : A 'moderate' sensitivity level as defined in FIPS-199.
    • fips-199-high : A 'high' sensitivity level as defined in FIPS-199.
  • //component/prop[@name='information-type'][@ns='http://fedramp.gov/ns/oscal']/@value: Allowed values (allow others = no): Check components have a valid 800-60 information type #892

General Documentation Changes:

https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services

Example on Page Updates:

  • Remove <link href="//path/to/leveraged_system_legacy_crm.xslt" /> (leftover from non-viable approach) Remove obsolete CRM data for #807 tasks automate.fedramp.gov#121

  • Fix: Use only valid UUID values

  • Fix: <prop name="leveraged-authorization-uuid" value="5a9c98ab-8e5e-433d-a7bd-515c07cd1497" /> (value/UUID should be the same as the leveraged-authorization entry's UUID)

  • Add: <prop ns="http://fedramp.gov/ns/oscal" name="agreement-type" value="contract"/> to component example

  • List the allowed values for agreement-type (enumerated above)

  • Updated language for "IMPORTANT FOR LEVERAGED SYSTEMS" callout box:

While a leveraged system has no need to represent content here, its OSCAL-based SSP should include special inheritance and responsibility information in the individual controls. See the Response: Identifying Inheritable Controls and Customer Responsibilities section for more information.

Rationale for changing "must" to "should":
There will be SaaS systems with an OSCAL-based SSP that are leveraging PaaS or IaaS systems that have not yet converted their SSPs to OSCAL. We cannot require the author of a leveraging SSP to do anything regarding the leveraged SSP. They have no power to compel the leveraged system owner to convert to OSCAL nor comply with FedRAMP's inheritance and customer responsibility requirements.
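A reference implementation of the per-leveraged-authorization checks listed in the comment above, added here as an example; it is not part of this issue, the FedRAMP constraint set, or any OSCAL tooling. It walks each leveraged-authorization on its own so that one entry can pass while another fails (the per-item evaluation the comment asks for), using Python's standard-library ElementTree instead of Metaschema constraints, and runs against a constructed two-entry SSP fragment. The short placeholder ids (la-good, p-iaas), the fedramp-jab authorization-type value, and the choice of agreement-type as the prop name (the constraint bullets above say nature-of-agreement, the example-page updates say agreement-type) are assumptions.

```python
import xml.etree.ElementTree as ET

OSCAL = "http://csrc.nist.gov/ns/oscal/1.0"
FEDRAMP = "http://fedramp.gov/ns/oscal"
NS = {"o": OSCAL}
IMPACT_LEVELS = {"fips-199-low", "fips-199-moderate", "fips-199-high"}
USER_AUTH_VALUES = {"yes", "no", "not-applicable"}

# Constructed sample: one complete LA and one deliberately incomplete LA.
# Short ids like "la-good" stand in for the RFC 4122 UUIDs a real SSP must use.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL}" uuid="ssp-1">
 <metadata><party uuid="p-iaas" type="organization"><name>Example IaaS Provider</name></party></metadata>
 <system-characteristics><prop name="cloud-service-model" value="saas"/></system-characteristics>
 <system-implementation>
  <leveraged-authorization uuid="la-good">
   <title>Example IaaS</title>
   <prop ns="{FEDRAMP}" name="leveraged-system-identifier" value="F0000000"/>
   <prop ns="{FEDRAMP}" name="authorization-type" value="fedramp-jab"/>
   <prop ns="{FEDRAMP}" name="impact-level" value="fips-199-moderate"/>
   <prop ns="{FEDRAMP}" name="user-authentication" value="yes"><remarks><p>SSO via the IaaS IdP</p></remarks></prop>
   <party-uuid>p-iaas</party-uuid><date-authorized>2024-01-15</date-authorized>
  </leveraged-authorization>
  <leveraged-authorization uuid="la-bad">
   <title>Another IaaS</title><prop ns="{FEDRAMP}" name="authorization-type" value="fedramp-agency"/>
   <prop ns="{FEDRAMP}" name="impact-level" value="high"/>
   <party-uuid>p-nobody</party-uuid><date-authorized>2024-01-15</date-authorized>
  </leveraged-authorization>
  <component uuid="c-iaas" type="system">
   <title>Example IaaS</title><description><p>Underlying IaaS</p></description>
   <prop name="leveraged-authorization-uuid" value="la-good"/>
   <prop name="implementation-point" value="external"/>
   <prop ns="{FEDRAMP}" name="agreement-type" value="contract"/>
   <prop ns="{FEDRAMP}" name="information-type" value="C.3.5.5"/>
   <status state="operational"/>
   <responsible-role role-id="leveraged-authorization-users"><party-uuid>p-iaas</party-uuid></responsible-role>
  </component>
 </system-implementation>
</system-security-plan>"""


def fr_props(elem, name):
    """Child props in the FedRAMP namespace with the given @name."""
    return elem.findall(f"o:prop[@ns='{FEDRAMP}'][@name='{name}']", NS)


def core_props(elem, name):
    """Child props with no @ns (core OSCAL) and the given @name."""
    return [p for p in elem.findall(f"o:prop[@name='{name}']", NS) if p.get("ns") is None]


def check_leveraged_authorizations(ssp_xml):
    """Return (level, la_uuid, message) findings; an empty list means every LA is complete."""
    root = ET.fromstring(ssp_xml)
    impl = root.find("o:system-implementation", NS)
    parties = {p.get("uuid") for p in root.findall("o:metadata/o:party", NS)}
    las = impl.findall("o:leveraged-authorization", NS)
    findings = []

    model = root.find("o:system-characteristics/o:prop[@name='cloud-service-model']", NS)
    if model is not None and model.get("value") == "saas" and not las:
        findings.append(("WARNING", None, "SaaS declares no leveraged-authorization"))

    for la in las:  # each LA is judged on its own; one may pass while another fails
        uuid = la.get("uuid")

        def flag(msg, level="ERROR"):
            findings.append((level, uuid, msg))

        if la.findtext("o:party-uuid", namespaces=NS) not in parties:
            flag("party-uuid does not resolve to a //metadata/party")
        for name in ("authorization-type", "leveraged-system-identifier", "impact-level"):
            if len(fr_props(la, name)) != 1:
                flag(f"expected exactly one prop[@name='{name}']")
        for p in fr_props(la, "impact-level"):
            if p.get("value") not in IMPACT_LEVELS:
                flag(f"impact-level {p.get('value')!r} is not a fips-199-* value")
        for p in fr_props(la, "user-authentication"):
            if p.get("value") not in USER_AUTH_VALUES:
                flag(f"user-authentication {p.get('value')!r} is not yes/no/not-applicable")
            if p.find("o:remarks", NS) is None:
                flag("user-authentication prop needs remarks")

        # Exactly one component[@type='system'] must point back at this LA (service components may too).
        owners = [c for c in impl.findall("o:component[@type='system']", NS)
                  if any(p.get("value") == uuid for p in core_props(c, "leveraged-authorization-uuid"))]
        if len(owners) != 1:
            flag(f"referenced by {len(owners)} system components, expected exactly 1")
            continue
        comp = owners[0]
        if len(fr_props(comp, "agreement-type")) != 1:
            flag("system component needs exactly one agreement-type prop")
        if not fr_props(comp, "information-type"):
            flag("system component needs at least one information-type prop")
        if sum(p.get("value") == "external" for p in core_props(comp, "implementation-point")) != 1:
            flag("system component needs exactly one implementation-point='external' prop")
        if not comp.findall("o:responsible-role[@role-id='leveraged-authorization-users']/o:party-uuid", NS):
            flag("no authorized users under responsible-role leveraged-authorization-users", "WARNING")
    return findings
```

Run against the sample, la-good produces no findings while la-bad produces four ERRORs: an unresolved party-uuid, a missing leveraged-system-identifier, an impact-level outside the FIPS-199 set, and no owning system component. A Metaschema constraint gets the same per-item behaviour by setting its context to the leveraged-authorization node so that every expect is evaluated once per entry rather than once per document.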


brian-ruf commented Nov 11, 2024

Use the following allowed values for the //component/prop[@name='information-type'][@ns='http://fedramp.gov/ns/oscal']/@value flag:

<enum value='C.2.1.1'>Controls and Oversight / Corrective Action Information Type as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.1.2'>Controls and Oversight / Program Evaluation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.1.3'>Controls and Oversight / Program Monitoring as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.2.1'>Regulatory Development / Policy and Guidance Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.2.2'>Regulatory Development / Public Comment Tracking as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.2.3'>Regulatory Development / Regulatory Creation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.2.4'>Regulatory Development / Rule Publication as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.1'>Planning and Budgeting / Budget Formulation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.2'>Planning and Budget / Capital Planning as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.3'>Planning and Budget / Enterprise Architecture as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.4'>Planning and Budget / Strategic Planning as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.5'>Planning and Budget / Budget Execution as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.6'>Planning and Budget / Workforce Planning as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.7'>Planning and Budget / Management Improvement as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.8'>Planning and Budget / Budget and Performance Integration as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.3.9'>Planning and Budget / Tax and Fiscal Policy as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.4.1'>Internal Risk Management and Mitigation / Contingency Planning as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.4.2'>Internal Risk Management and Mitigation / Continuity of Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.4.3'>Internal Risk Management and Mitigation / Service Recovery as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.5.1'>Revenue Collection / Debt Collection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.5.2'>Revenue Collection / User Fee Collection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.5.3'>Revenue Collection / Federal Asset Sales as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.6.1'>Public Affairs / Customer Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.6.2'>Public Affairs / Official Information Dissemination as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.6.3'>Public Affairs / Product Outreach as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.6.4'>Public Affairs / Public Relations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.7.1'>Legislative Relations / Legislation Tracking as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.7.2'>Legislative Relations / Legislative Testimony as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.7.3'>Legislative Relations / Proposal Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.7.4'>Legislative Relations / Congressional Liaison Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.1'>General Government / Central Fiscal Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.2'>General Government / Legislative Functions as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.3'>General Government / Executive Functions as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.4'>General Government / Central Property Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.5'>General Government / Central Personnel Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.6'>General Government / Taxation Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.7'>General Government / Central Records and Statistics Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.8'>General Government / Income Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.9'>General Government / Personal Identity and Authentication Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.10'>General Government / Entitlement Event Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.11'>General Government / Representative Payee Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.2.8.12'>General Government / General Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.1.1'>Administrative Management / Facilities, Fleet, and Equipment Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.1.2'>Administrative Management / Help Desk Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.1.3'>Administrative Management / Security Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.1.4'>Administrative Management / Travel Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.1.5'>Administrative Management / Workplace Policy Development and Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.1'>Financial Management / Assets and Liability Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.2'>Financial Management / Reporting and Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.3'>Financial Management / Funds Control as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.4'>Financial Management / Accounting as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.5'>Financial Management / Payments as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.6'>Financial Management / Collections and Receivables as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.2.7'>Financial Management / Cost Accounting/ Performance Measurement as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.1'>Human Resource Management / HR Strategy as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.2'>Human Resource Management / Staff Acquisition as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.3'>Human Resource Management / Organization & Position Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.4'>Human Resource Management / Compensation Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.5'>Human Resource Management / Benefits Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.6'>Human Resource Management / Employee Performance Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.7'>Human Resource Management / Employee Relations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.8'>Human Resource Management / Labor Relations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.9'>Human Resource Management / Separation Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.3.10'>Human Resource Management / Human Resources Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.4.1'>Supply Chain Management / Goods Acquisition as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.4.2'>Supply Chain Management / Inventory Control as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.4.3'>Supply Chain Management / Logistics Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.4.4'>Supply Chain Management / Services Acquisition as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.1'>Information and Technology Management / System Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.2'>Information and Technology Management / Lifecycle/Change Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.3'>Information and Technology Management / System Maintenance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.4'>Information and Technology Management / IT Infrastructure Maintenance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.5'>Information and Technology Management / Information Security as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.6'>Information and Technology Management / Record Retention as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.7'>Information and Technology Management / Information Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.8'>Information and Technology Management / System and Network Monitoring as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='C.3.5.9'>Information and Technology Management / Information Sharing as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.2.1'>Homeland Security / Border and Transportation Security as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.2.2'>Homeland Security / Key Asset and Critical Infrastructure Protection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.2.3'>Homeland Security / Catastrophic Defense as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.2.4'>Homeland Security / Executive Functions of the Executive Office of the President as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.3.1'>Intelligence Operations / Domestic Intelligence as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.4.1'>Disaster Management / Disaster Monitoring and Prediction as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.4.2'>Disaster Management / Disaster Preparedness and Planning as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.4.3'>Disaster Management / Disaster Repair and Restoration as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.4.4'>Disaster Management / Emergency Response as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.5.1'>International Affairs and Commerce / Foreign Affairs as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.5.2'>International Affairs and Commerce / International Development and Humanitarian Aid as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.5.3'>International Affairs and Commerce / Global Trade as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.6.1'>Natural Resources / Water Resource Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.6.2'>Natural Resources / Conservation, Marine and Land Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.6.3'>Natural Resources / Recreational Resource Management and Tourism as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.6.4'>Natural Resources / Agricultural Innovation and Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.7.1'>Energy / Energy Supply as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.7.2'>Energy / Energy Conservation and Preparedness as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.7.3'>Energy / Energy Resource Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.7.4'>Energy / Energy Production as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.8.1'>Environmental Management / Environmental Monitoring and Forecasting as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.8.2'>Environmental Management / Environmental Remediation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.9.1'>Economic Development / Business and Industry Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.9.2'>Economic Development / Intellectual Property Protection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.9.3'>Economic Development / Financial Sector Oversight as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.9.4'>Economic Development / Industry Sector Income Stabilization as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.10.1'>Community and Social Services / Home-ownership Promotion as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.10.2'>Community and Social Services / Community and Regional Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.10.3'>Community and Social Services / Social Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.10.4'>Community and Social Services / Postal Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.11.1'>Transportation / Ground Transportation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.11.2'>Transportation / Water Transportation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.11.3'>Transportation / Air Transportation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.11.4'>Transportation / Space Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.12.1'>Education / Elementary, Secondary, and Vocational Education as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.12.2'>Education / Higher Education as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.12.3'>Education / Cultural and Historic Preservation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.12.4'>Education / Cultural and Historic Exhibition as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.13.1'>Workforce Management / Training and Employment as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.13.2'>Workforce Management / Labor Rights Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.13.3'>Workforce Management / Worker Safety as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.14.1'>Health / Access to Care as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.14.2'>Health / Population Health Management and Consumer Safety as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.14.3'>Health / Health Care Administration as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.14.4'>Health / Health Care Delivery Services as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.14.5'>Health / Health Care Research and Practitioner Education as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.15.1'>Income Security / General Retirement and Disability as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.15.2'>Income Security / Unemployment Compensation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.15.3'>Income Security / Housing Assistance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.15.4'>Income Security / Food and Nutrition Assistance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.15.5'>Income Security / Survivor Compensation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.1'>Law Enforcement / Criminal Apprehension as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.2'>Law Enforcement / Criminal Investigation and Surveillance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.3'>Law Enforcement / Citizen Protection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.4'>Law Enforcement / Leadership Protection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.5'>Law Enforcement / Property Protection as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.6'>Law Enforcement / Substance Control as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.7'>Law Enforcement / Crime Prevention as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.16.8'>Law Enforcement / Trade Law Enforcement as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.17.1'>Litigation and Judicial Activities / Judicial Hearings as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.17.2'>Litigation and Judicial Activities / Legal Defense as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.17.3'>Litigation and Judicial Activities / Legal Investigation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.17.4'>Litigation and Judicial Activities / Legal Prosecution and Litigation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.17.5'>Litigation and Judicial Activities / Resolution Facilitation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.18.1'>Federal Correctional Activities / Criminal Incarceration as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.18.2'>Federal Correctional Activities / Criminal Rehabilitation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.19.1'>General Sciences and Innovation / Scientific and Technological Research and Innovation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.19.2'>General Science and Innovation / Space Exploration and Innovation as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.20.1'>Knowledge Creation and Management / Research and Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.20.2'>Knowledge Creation and Management / General Purpose Data and Statistics as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.20.3'>Knowledge Creation and Management / Advising and Consulting as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.20.4'>Knowledge Creation and Management / Knowledge Dissemination as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.21.1'>Regulatory Compliance and Enforcement / Inspections and Auditing as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.21.2'>Regulatory Compliance and Enforcement / Standards Setting/Reporting Guideline Development as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.21.3'>Regulatory Compliance and Enforcement / Permits and Licensing as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.22.1'>Public Goods Creation and Management / Manufacturing as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.22.2'>Public Goods Creation and Management / Construction as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.22.3'>Public Goods Creation and Management / Public Resources, Facility and Infrastructure Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.22.4'>Public Goods Creation and Management / Information Infrastructure Management as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.23.1'>Federal Financial Assistance / Federal Grants (Non-State) as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.23.2'>Federal Financial Assistance / Direct Transfers to Individuals as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.23.3'>Federal Financial Assistance / Subsidies Information as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.23.4'>Federal Financial Assistance / Tax Credits as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.24.1'>Credit and Insurance / Direct Loans as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.24.2'>Credit and Insurance / Loan Guarantees as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.24.3'>Credit and Insurance / General Insurance as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.25.1'>Transfers to Local/State Government / Formula Grants as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.25.2'>Transfers to Local/State Government / Project/Competitive Grants as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.25.3'>Transfers to Local/State Governments / Earmarked Grants as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.25.4'>Transfers to Local/State Governments / State Loans as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.26.1'>Direct Services for Citizens / Military Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>
<enum value='D.26.2'>Direct Services for Citizens / Civilian Operations as defined by <a href='https://doi.org/10.6028/NIST.SP.800-60v2r1'>NIST.SP.800-60v2r1</a></enum>

@brian-ruf
Collaborator Author

brian-ruf commented Nov 12, 2024

While likely outside the ability of constraints, it would be very helpful to have a mechanism that uses the FedRAMP Marketplace JSON data to validate that:

  • Each leveraged authorization entry in the LA table includes a valid package ID as it appears in the FedRAMP Marketplace
  • The referenced package ID has a FedRAMP authorization
  • The referenced package ID's impact level is the same or higher than the leveraging system
  • Any service listed in the LA table is included in the list of authorized services for the leveraged system

Relevant SSP Paths:

  • Package ID: //system-implementation/leveraged-authorization/prop[@name='leveraged-system-identifier'][@ns='http://fedramp.gov/ns/oscal']/@value
  • Leveraged Services: //system-implementation/leveraged-authorization/prop[@name='leveraged-service'][@ns='http://fedramp.gov/ns/oscal']/@value

Marketplace JSON Data:

  • //*[Package_ID=[Package ID Value]]//Original_Authorization_Date
  • //*[Package_ID='F1607067912']//Impact_Level

NOTE: Although CSPs like AWS have a Marketplace listing that includes their list of "Other Services", this information does not appear in the above-mentioned JSON data file.
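One way to implement the Marketplace cross-check described in this comment, as an added example that is not part of the original issue or the fedramp-automation project: it reads the two FedRAMP-namespaced props named above from a constructed SSP fragment and compares them with constructed Marketplace records. The flat list-of-records layout, any field beyond Package_ID, Impact_Level and Original_Authorization_Date, and the separate authorized-services map are assumptions (the comment notes that service lists are not in the JSON export).

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"
NS = {"o": OSCAL_NS}
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}   # higher number = higher impact

# Constructed SSP fragment: la-1 exists in the Marketplace data, la-2 uses a placeholder ID.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}"><system-implementation>
  <leveraged-authorization uuid="la-1">
    <prop name="leveraged-system-identifier" ns="{FEDRAMP_NS}" value="F1607067912"/>
    <prop name="leveraged-service" ns="{FEDRAMP_NS}" value="Object Storage"/>
    <prop name="leveraged-service" ns="{FEDRAMP_NS}" value="Quantum Widgets"/>
  </leveraged-authorization>
  <leveraged-authorization uuid="la-2">
    <prop name="leveraged-system-identifier" ns="{FEDRAMP_NS}" value="F0000000000"/>
  </leveraged-authorization>
</system-implementation></system-security-plan>"""

# Constructed Marketplace records (layout and date value are assumptions, not the real export).
SAMPLE_MARKETPLACE = [{"Package_ID": "F1607067912", "Impact_Level": "Moderate",
                       "Original_Authorization_Date": "2016-07-06"}]
# Authorized services are not in the Marketplace JSON, so they come from a separate map.
SAMPLE_SERVICES = {"F1607067912": {"Object Storage", "Compute"}}


def fr_prop_values(elem, name):
    """Values of FedRAMP-namespaced props with the given name (mirrors the XPath above)."""
    return [p.get("value") for p in elem.findall("o:prop", NS)
            if p.get("name") == name and p.get("ns") == FEDRAMP_NS]


def check_leveraged_authorizations(ssp_xml, marketplace, system_level, services_by_package):
    """Return (leveraged-authorization uuid, message) tuples for every failed check."""
    by_id = {rec["Package_ID"]: rec for rec in marketplace}
    findings = []
    root = ET.fromstring(ssp_xml)
    for la in root.findall("o:system-implementation/o:leveraged-authorization", NS):
        uuid = la.get("uuid")
        pid = next(iter(fr_prop_values(la, "leveraged-system-identifier")), None)
        rec = by_id.get(pid)
        if rec is None:   # covers both a missing prop and an ID unknown to the Marketplace
            findings.append((uuid, f"package {pid!r} not found in Marketplace data"))
            continue
        if not rec.get("Original_Authorization_Date"):
            findings.append((uuid, f"package {pid} has no FedRAMP authorization date"))
        if LEVELS.get(rec.get("Impact_Level"), 0) < LEVELS[system_level]:
            findings.append((uuid, f"package {pid} impact level below {system_level}"))
        for svc in fr_prop_values(la, "leveraged-service"):
            if svc not in services_by_package.get(pid, ()):
                findings.append((uuid, f"service '{svc}' not authorized for {pid}"))
    return findings
```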

@brian-ruf
Collaborator Author

brian-ruf commented Nov 12, 2024

Examples Needed

  • Leveraged Authorization without the use of underlying services
  • Leveraged Authorization using authorized services
  • Leveraged Authorization using unauthorized services

@brian-ruf
Collaborator Author

brian-ruf commented Nov 12, 2024

Changes from Prior Guides / Examples

  • Changed property name from interconnection-data-type to information-type:
    • FROM: //component[@type='system']/prop[@name='interconnection-data-type'][@ns='http://fedramp.gov/ns/oscal']
    • TO: //component[@type='system']/prop[@name='information-type'][@ns='http://fedramp.gov/ns/oscal']
    • Rationale: Previously, this property only applied to interconnection components. Now the Leveraged FedRAMP Authorization table in the Rev 5 SSP template requires system components to include this detail as well.
  • Allowed values may conflict for //component/prop[@name='nature-of-agreement'][@ns='http://fedramp.gov/ns/oscal']
    • Previously, no allowed values were defined
    • Previously, at least one example used capital letters for sla. This is inconsistent with the use of all lower-case for most OSCAL and FedRAMP allowed values.
    • Defining an allowed values list may cause some previously unreviewed values to become invalid.
  • Changed component type leveraged-system to system.
    • FedRAMP Examples incorrectly used a leveraged-system component type.
    • While core OSCAL syntax allows for other component type values, it also explicitly provides system for leveraged authorizations.
      • The OSCAL syntax explicitly states the following for the system component type:
        • system: An external system, which may be a leveraged system or the other side of an interconnection.
  • Nothing was defined to capture user-authentication content. This has now been modeled.
  • While the XPath Queries included reference to Authorized Users in //system-implementation/user assembly, no mechanism was provided for linking these users to the leveraged authorization. This has now been modeled.

NOTE: Modeled content available as part of THIS FILE.

@brian-ruf brian-ruf self-assigned this Nov 12, 2024
@brian-ruf brian-ruf moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Nov 12, 2024
@brian-ruf
Collaborator Author

Documentation should reflect that optional use of //component[@type='system' and ./prop[@name='leveraged-authorization-uuid']]/prop[@name='inherited-uuid']/@value, which includes the UUID of the service component from the SSP of the system that provides that service. This is only available to SSP authors if they have direct access to the providing system's SSP, or if it was exposed by the providing system via an OSCAL-based customer responsibility matrix, component definition or similar file.

@brian-ruf
Collaborator Author

NOTE: Moving user-authentication property from leveraged-authorization to component for consistency with external systems and services, and to keep the authentication information with the authorized user information.
