WIP #2

Merged
merged 1 commit into from
Nov 26, 2019
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
documents/source
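Review bot: `documents/source` is ignored with no comment saying what lives there. The README in this same change links to `documents/Modeling_a_FedRAMP-SSP_in_OSCAL.pdf` and `documents/FedRAMP_OSCAL_Registry.xlsx`; if `documents/source` holds the editable originals those binaries are produced from, ignoring it means reviewers can only diff the PDF/XLSX outputs and nobody can rebuild them from the repository. Either commit the sources or add a one-line comment above the entry explaining why they are deliberately kept out of version control.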
71 changes: 71 additions & 0 deletions .spelling
@@ -0,0 +1,71 @@
ad-hoc
boolean
bulleted
catalog
catalogs
circleci
CODE_OF_CONDUCT.md
conformant
consensus
CONTRIBUTING.md
datatypes
deliverables
duplicative
e.g.
fedramp
fedramp.gov
formatter
formatters
github
http
i.e.
ISSUE_TEMPLATE
json
json-based
jekyll
LICENSE.md
localhost
lossless
metadata
metaschema
metaschemas
namespace
namespaces
ncname
nist.gov
pipelined
quickstart
repo
rev4
runtime
saxon
saxonhe
schemas
schematron
schematrons
sexualized
SP800-53
src
stylesheet
stylesheets
subcomponent
subcomponents
subcontrol
subcontrols
sublicensable
toolchain
U.S.
unformatted
USERS.md
utf-8
xml
xpath
xproc
xq
xquery
xqueries
xsd
xsl
xslt
xslts
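Review bot: the word list is alphabetical except for `jekyll` (placed after `json-based`) and `xqueries` (placed after `xquery`); keep it strictly sorted so later additions merge cleanly and duplicates are easy to spot. Terms such as `xml`, `json`, `fedramp` and `github` appear in lowercase only, while the README uses `XML`, `JSON` and `FedRAMP`; confirm the checker folds case, otherwise add the capitalised forms too. Nothing in this diff wires the file to a checker (no CI config or script is added, although `circleci` is in the list), so note in the README or a config file which tool consumes `.spelling` and where it runs.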

71 changes: 36 additions & 35 deletions README.md
@@ -1,43 +1,44 @@
<img src='./assets/FedRAMP_LOGO.png' alt="FedRAMP" width="76" height="94"><br />
<h2>Federal Risk and Authorization Management Program (FedRAMP) Automation</h2>

### November 27, 2019

FedRAMP is excited to announce that the program has reached an important milestone in automating security documentation. Since May 2018, FedRAMP has worked closely with NIST and industry to develop the Open Security Controls Assessment Language (OSCAL), a standard language and framework that can be applied to the publication, implementation, and assessment of security controls.

FedRAMP expects that OSCAL will offer a number of benefits to make things easier for stakeholders.
- **Cloud Service Providers (CSPs)** will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission.
- **Third Party Assessment Organizations (3PAOs)** will be able to automate the planning, execution, and reporting of assessment activities.
- **Leveraging Agencies** will be able to import authorization content into existing tools, rather than entering it manually.

FedRAMP is building OSCAL-based tools, beginning with a tool to speed up and automate the review of SSP content submitted in an OSCAL format.

NIST and FedRAMP just released [OSCAL Milestone 2](https://github.com/usnistgov/OSCAL/releases), which offers:
- A new System Security Plan (SSP) model that lets organizations automate the documentation of security and privacy control implementation using OSCAL
- Updated content for the four FedRAMP baselines, the three NIST baselines, and the NIST SP 800-53 revision 4 catalog in OSCAL XML, JSON, and YAML formats
- Updated stable versions of the OSCAL catalog and profile models and associated XML and JSON schemas
- Tools to convert the OSCAL catalog, profile, and SSP content between OSCAL, XML, and JSON
- A registry of FedRAMP-specific extensions, FedRAMP-defined identifiers, and acceptable values when using OSCAL
- A guidance document to aid tool developers in generating fully compliant OSCAL-based FedRAMP SSP content.
- An OSCAL-based FedRAMP SSP template, available in both XML and JSON formats.

**FedRAMP Wants Your Technical Feedback!**<br />
Are you well versed in XML, JSON, or YAML? If so, FedRAMP wants your feedback on the below content. For the below items, please provide comments either via email to [email protected], as a comment to an existing issue, or as a new issue via GitHub within the FedRAMP-SSP repository [add link once repo is established].
- **FedRAMP OSCAL Registry:** This will serve as the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available here[need link].
- **Guidance Document:** Modeling a FedRAMP SSP in OSCAL: This document enables tool developers to generate OSCAL-based SSP files that are fully compliant with FedRAMP’s extensions, defined identifiers, and acceptable values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/content/Modeling_a_FedRAMP-SSP_in_OSCAL.pdf).
- **OSCAL-based FedRAMP SSP Template:** The template file is pre-populated with FedRAMP extensions and defined-identifiers where practical. It also includes some sample data, and is the basis for the guidance document above. The draft for public comment is available in both XML and JSON formats here[need link].
- **FedRAMP Baselines:** The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML, JSON, and YAML formats) are available here.

**NIST Wants Your Feedback!**<br />
For the below items, please provide comments either via email to [email protected], as a comment to an existing issue, or as a new issue via the NIST OSCAL GitHub site.
- **System Security Plan (SSP) model:** This SSP model lets organizations document the security and privacy control implementation of their systems using a rich OSCAL model. The model can represent any type of SSP, including FedRAMP SSP content. The syntax is available here. Content Converters: The converters accurately convert OSCAL catalog, profile, and SSP content from XML to JSON format and JSON to XML.
# Federal Risk and Authorization Management Program (FedRAMP) Automation
### Based on the Open Security Controls Assessment Language (OSCAL)


## November 27, 2019

The FedRAMP Program Management Office (PMO) has drafted FedRAMP-specific extensions and guidance to ensure our stakeholders can fully express a FedRAMP System Security Plan (SSP) using NIST's [OSCAL SSP syntax](https://pages.nist.gov/OSCAL/documentation/schema/ssp/).


## We Want Your Feedback!
The FedRAMP PMO is releasing the following files for public review and comment:
- **FedRAMP OSCAL Registry:** This registry is the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/documents/FedRAMP_OSCAL_Registry.xlsx).
- **Guidance Document:** Modeling a FedRAMP SSP in OSCAL: This document enables tool developers to generate OSCAL-based SSP files that are fully compliant with FedRAMP’s extensions, defined identifiers, and acceptable values. The draft for public comment is available [here](https://github.com/GSA/fedramp-automation/raw/master/documents/Modeling_a_FedRAMP-SSP_in_OSCAL.pdf).
- **OSCAL-based FedRAMP SSP Template:** The template file is pre-populated with FedRAMP extensions and defined-identifiers where practical. It also includes some sample data, and is the basis for the guidance document above. The draft for public comment is available in both [XML](https://github.com/GSA/fedramp-automation/raw/master/templates/FedRAMP-SSP-OSCAL-Template.xml) and [JSON](https://github.com/GSA/fedramp-automation/raw/master/templates/FedRAMP-SSP-OSCAL-Template.json) formats.
- **FedRAMP Baselines:** The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML, JSON, and YAML formats) are available [here](https://github.com/usnistgov/OSCAL/tree/master/content/fedramp.gov).

To provide feedback for the items above please create or add an [issue](https://github.com/GSA/fedramp-automation/issues), or send comments via email to [[email protected]](mailto:[email protected]).


## Dependencies

FedRAMP's work is based on NIST's [OSCAL 1.0.0-Milestone2 release](https://github.com/usnistgov/OSCAL/releases/tag/v1.0.0-milestone2), and requires an understanding of the core OSCAL syntax, as well as NIST-provided resources to functon correctly.

The following NIST resources are available:
- **NIST's Main OSCAL Site:** [https://pages.nist.gov/OSCAL/](https://pages.nist.gov/OSCAL/)
- **NIST's OSCAL GitHub Repository:** [https://github.com/usnistgov/OSCAL](https://github.com/usnistgov/OSCAL)
- **OSCAL Workshop Training Slides:** Provided at an October workshop hosted by the NIST OSCAL Team. The early portions of the deck provide an overview, with more technical details beginning on slide 52.


- **Content Converters:** The converters accurately convert OSCAL catalog, profile, and SSP content from XML to JSON format and JSON to XML.

- **NIST’s 800-53 & 53A Revision 4:** NIST is also providing SP 800-53 and 800-53A, Revision 4 content as well as the NIST High, Moderate, and Low baselines in OSCAL (XML, JSON, and YAML formats) here.

A complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both ZIP and BZ2 formats. FedRAMP looks forward to receiving your comments and sharing additional progress.
NIST offers a complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both [ZIP](https://github.com/usnistgov/OSCAL/releases/download/v1.0.0-milestone2/oscal-1.0.0-milestone2.zip) and [BZ2](https://github.com/usnistgov/OSCAL/releases/download/v1.0.0-milestone2/oscal-1.0.0-milestone2.tar.bz2) formats.

Please provide questions and feedback on the above NIST dependencie either via email to [[email protected]]([email protected]), as a comment to an existing issue, or as a new issue via the [NIST OSCAL GitHub site](https://github.com/usnistgov/OSCAL/issues).


### FedRAMP looks forward to receiving your comments and sharing additional progress.

**Public Comment Period**<br />
We will accept feedback at any time. To ensure FedRAMP considers your feedback before the full release of these documents, please respond no later than January 31, 2020.



165 changes: 165 additions & 0 deletions resources/fedramp_values.xml
@@ -0,0 +1,165 @@
<?xml version="1.0" encoding="UTF-8"?>
<fedramp-values xmlns="http://csrc.nist.gov/ns/oscal/1.0">
<metadata>
<title>FedRAMP Definitions and Accepted Values</title>
<title-short>FedRAMP Values</title-short>
<description><p>This provides the FedRAMP acceptable values in a machine-readable format.</p></description>
<author>Brian J. Ruf, CISSP, CCSP, PMP</author>
<last-modified>2019-11-19Z</last-modified>
</metadata>

<baselines>
<file id="high" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml" />
<file id="moderate" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml" />
<file id="low" href="https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml" />
</baselines>

<nist name="nist-800-53r4">https://raw.githubusercontent.com/usnistgov/OSCAL/master/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml</nist>

<security-sensitivity-level>
<value id="low" label="Low" label-short="L" />
<value id="moderate" label="Moderate" label-short="M" />
<value id="high" label="High" label-short="H" />
</security-sensitivity-level>

<privacy-sensitive>
<value id="yes" label="Privacy Sensitive" label-short="Yes" />
<value id="no" label="Not Privacy Sensitive" label-short="No" />
</privacy-sensitive>

<answers>
<value id="yes" label="Yes" label-short="Y" />
<value id="no" label="No" label-short="N" />
</answers>

<levels>
<value id="low" label="Low" label-short="L" />
<value id="moderate" label="Moderate" label-short="M" />
<value id="high" label="High" label-short="H" />
</levels>

<authorization-type>
<value id="fedramp-jab" label="FedRAMP JAB P-ATO" label-short="JAB" />
<value id="fedramp-agency" label="FedRAMP Agency ATO" label-short="Agency" />
<value id="fedramp-li-saas" label="FedRAMP Tailored for LI-SaaS" label-short="LI-SaaS" />
</authorization-type>

<service-model>
<value id="saas" label="Software as a Service" label-short="SaaS" />
<value id="paas" label="Platform as a Service" label-short="PaaS" />
<value id="iaas" label="Infrastructure as a Service" label-short="IaaS" />
<value id="other" label="Other" label-short="Other" />
</service-model>

<deployment-model>
<value id="public" label="Public" label-short="Public" />
<value id="private" label="Private" label-short="Private" />
<value id="community-usgov-only" label="Government Only Community" label-short="USG Community" />
<value id="hybrid" label="Hybrid" label-short="Hybrid" />
</deployment-model>

<system-status>
<value id="operational" label="Operational" label-short="Operational" />
<value id="under-development" label="Under Development" label-short="Development" />
<value id="under-major-modification" label="Major Modification" label-short="Major Mod." />
<value id="disposition" label="Alternative Implementation" label-short="Alternative" />
<value id="other" label="Other" label-short="Other" />
</system-status>

<user-type>
<value id="internal" label="Internal" label-short="I" />
<value id="external" label="External" label-short="E" />
</user-type>

<privilege-type>
<value id="P" label="Privileged" label-short="P" />
<value id="NP" label="Non-Privileged" label-short="NP" />
<value id="NLA" label="No Logical Access" label-short="NLA" />
</privilege-type>

<user-sensitivity>
<value id="high-risk" label="High Risk" label-short="High" />
<value id="severe" label="Severe" label-short="Sev." />
<value id="moderate" label="Moderate" label-short="Mod." />
<value id="limited" label="Limited" label-short="Lim." />
<value id="na" label="Not Applicable" label-short="N/A" />
</user-sensitivity>

<interconnection-direction>
<value id="incoming" label="Incoming" label-short="In" />
<value id="outgoing" label="Outgoing" label-short="Out" />
</interconnection-direction>

<interconnection-security>
<value id="ipsec" label="Incoming" label-short="In" />
<value id="vpn" label="Outgoing" label-short="Out" />
<value id="ssl" label="Outgoing" label-short="Out" />
<value id="certificate" label="Outgoing" label-short="Out" />
<value id="secure-file-transfer" label="Outgoing" label-short="Out" />
<value id="other" label="Other" label-short="Out" />
</interconnection-security>

<component-type>
<value id="software" label="Software" label-short="S/W" />
<value id="hardware" label="Hardware" label-short="H/W" />
<value id="service" label="Service" label-short="Svc" />
<value id="policy" label="Policy" label-short="Pol" />
<value id="process" label="Process" label-short="Pros" />
<value id="procedure" label="Procedure" label-short="Proc" />
<value id="plan" label="Plan" label-short="Plan" />
<value id="guidance" label="Guidance" label-short="Guide" />
<value id="standard" label="Standard" label-short="Std" />
<value id="validation" label="Validation" label-short="Val" />
<value id="customer" label="Customer" label-short="Cust" />
<value id="*" label="Any Other" label-short="*" />
</component-type>

<asset-type>
<value id="os" label="Operating System" label-short="OS" />
<value id="database" label="Database" label-short="DB" />
<value id="web-server" label="Service" label-short="Web" />
<value id="dns-server" label="Policy" label-short="DNS" />
<value id="email-server" label="Process" label-short="eMail" />
<value id="directory-server" label="Procedure" label-short="LDAP" />
<value id="pbx" label="Private Branch Exchange" label-short="PBX" />
<value id="firewall" label="Firewall" label-short="FW" />
<value id="router" label="Router" label-short="Rtr" />
<value id="switch" label="Switch" label-short="Swtch" />
<value id="storage-array" label="Storage Array" label-short="Store" />
<value id="*" label="Any Other" label-short="*" />
</asset-type>

<implementation-status>
<value id="implemented" label="Implemented" label-short="Implemented" />
<value id="partial" label="Partially Implemented" label-short="Partial" />
<value id="planned" label="Planned" label-short="Planned" />
<value id="alternative" label="Alternative Implementation" label-short="Alternative" />
<value id="na" label="Not Applicable" label-short="N/A" />
</implementation-status>

<control-origination>
<value id="sp-corporate" label="Service Provider (Corporate)" label-short="SP Corporate" />
<value id="sp-system" label="Service Provider (System Specific)" label-short="SP System" />
<value id="customer-configured" label="Configured by Customer" label-short="Cust. Configured" />
<value id="customer-provided" label="Provided by Customer" label-short="Cust. Provided" />
<value id="inherited" label="Inherited" label-short="Inherited"/>
</control-origination>

<citation-tye>
<value id="law" label="Law or Statute" label-short="Law" />
<value id="regulation" label="Regulation or Directive" label-short="Regulation" />
<value id="standard" label="Industry Standard" label-short="Standard" />
<value id="guidance" label="Guidance" label-short="Guidance" />
<value id="pii" label="Privacy Impact Information" label-short="P.I.I."/>
</citation-tye>

<resource-tye>
<value id="policy" label="Polciy" label-short="Policy" />
<value id="procedure" label="Procedure" label-short="Procedure" />
<value id="guide" label="Guidance Document" label-short="Guidance" />
<value id="pia" label="Privacy Impact Assessment" label-short="P.I.A." />
<value id="rob" label="Rules of Behavior" label-short="R.O.B."/>
<value id="plan" label="Plan" label-short="PLan"/>
</resource-tye>

</fedramp-values>
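Review bot: several value lists carry copy-pasted labels that do not match their ids, and any tool that renders labels from this file will display the wrong text. In `<interconnection-security>`, `ipsec` is labelled "Incoming"/"In" and `vpn`, `ssl`, `certificate` and `secure-file-transfer` are all labelled "Outgoing"/"Out" (and `other` gets `label-short="Out"`); these were lifted from `<interconnection-direction>`. In `<asset-type>`, `web-server`, `dns-server`, `email-server` and `directory-server` are labelled "Service", "Policy", "Process" and "Procedure", lifted from `<component-type>`. In `<system-status>`, `disposition` is labelled "Alternative Implementation", lifted from `<implementation-status>`. Element names `<citation-tye>` and `<resource-tye>` should read `-type`, and "Polciy" and "PLan" are typos. Structurally, the root element is placed in the OSCAL namespace `http://csrc.nist.gov/ns/oscal/1.0` even though `fedramp-values` is not an OSCAL element; an OSCAL-aware validator will reject the document and tools may mis-detect it, so use a FedRAMP-owned namespace. The baseline and catalog URLs point at `master` on raw.githubusercontent.com rather than the `v1.0.0-milestone2` tag the README pins to, so the referenced content can change underneath consumers with no change in this file; pin to the tag or a commit. `<baselines>` has no entry for the LI-SaaS baseline the README lists as a fourth baseline. `<privilege-type>` uses uppercase ids (`P`, `NP`, `NLA`) while every other list uses lowercase, which matters for case-sensitive matching; and `<nist>` carries its URL as element text while `<baselines>/<file>` uses an `href` attribute, so pick one convention.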