fedramp-automation
Guidance Request for Reference # in Ports, Protocols, Services table
This is a ...
- [ ] concern - I think something needs to be different.
- [x] question - I didn't understand something.
- [ ] kudos - I found something helpful and want to encourage it in future FedRAMP publications.
- [ ] request - I would like to see something additional provided.
This relates to ...
- [ ] the FedRAMP OSCAL Registry (Excel File)
- [ ] the Guide to OSCAL-based FedRAMP Content (PDF)
- [x] the Guide to OSCAL-based FedRAMP System Security Plans (SSP) (PDF)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP) (PDF)
- [ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR) (PDF)
- [ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M) (PDF)
- [ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
- [ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
- [ ] General/Overall
- [ ] Other
NOTE: For feedback related to the OSCAL syntax itself, please create or add to an issue in the NIST OSCAL Repository.
Where, exactly?
- For the registry, please indicate the tab and cell, or other clear identifier
- For the guide, please indicate the section number and printed page number (lower right corner)
- For the OSCAL XML or JSON files, please indicate XML or JSON; and indicate the line number, field id, or other clear location identifier
Section 4.9, page 33

What is your feedback?
There is no field shown in the example that displays what OSCAL data should fill out the Reference # column. If the guidance could be updated to explicitly state what should go in this column and where in the OSCAL that data can be found, that would be helpful.
Is this report specifically related to the Word or Excel files from fedramp.gov? If so, please do not open an issue here. Follow the guidance in this repository's README and contact [email protected].
Yes
What version of OSCAL are you using? (Check our info on supported OSCAL versions)
1.0.4
What action would you like to see from the FedRAMP PMO?
Clarification on the field in question.
Other information (e.g. detailed explanation, related issues, suggestions how to fix, links for us to have context, e.g. slack, gitter, etc.)
The Reference # column in Table 9.1 is intended to refer to one of the cryptographic modules in Appendix Q.
This concept in OSCAL is achieved by:
- having a software or hardware `component` for each cryptographic module (see section 4.10 on page 34)
- for each service, having a service `component` that references the appropriate cryptographic module component via a `link`.
For example:
```xml
<system-implementation>
  <!-- user assemblies precede the components -->
  <component uuid="uuid-of-service" type="service">
    <title>[SAMPLE] Service Name</title>
    <description><p>Describe the service</p></description>
    <purpose>Describe why the service is needed.</purpose>
    <!-- same-document references use the fragment form "#uuid" -->
    <link href="#uuid-of-component-used-by" rel="used-by" />
    <link href="#uuid-of-component-provided-by" rel="provided-by" />
    <!-- REFERENCE #: the cryptographic module component from section 4.10 -->
    <link href="#uuid-of-cryptographic-module-component" rel="depends-on" />
    <status state="operational" />
    <protocol name="http">
      <port-range start="80" end="80" transport="TCP"/>
    </protocol>
    <protocol name="https">
      <port-range start="443" end="443" transport="TCP"/>
    </protocol>
  </component>
  <!-- Repeat the component assembly for each row in Table 9.1 -->
  <!-- inventory-item assemblies follow the components -->
</system-implementation>
```
The following changes will be made:
- OSCAL SSP Guide -- Update section 4.9 ensuring that all of the columns in the Table 9.1 screenshot are clearly explained and represented in the sample OSCAL code snippet.
- OSCAL SSP Guide (web version) -- For planned Markdown version of the SSP Guide, also update Attachments section table by adding hyperlinks to the appropriate section / example for the appendices that can be represented in OSCAL machine-readable format.
- OSCAL SSP Template -- Fix example to match updated SSP guide
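The mapping described above, as an added example in Python (not code from the fedramp-automation repository or from the issue itself): it parses a constructed SSP fragment, builds the Table 9.1 rows from the service components, and fills the Reference # column by resolving each `depends-on` link to the title of the hardware or software component it points at. A second service whose link targets a UUID that exists nowhere in the document shows the check a reviewer would run before trusting the table. Every UUID and component name below is a placeholder; only the OSCAL 1.0 namespace is real.

```python
"""Resolve the Table 9.1 "Reference #" column from OSCAL SSP XML.
Added example, not fedramp-automation code. SAMPLE_SSP is constructed
with placeholder UUIDs; the namespace is the real OSCAL 1.0 one."""
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

SAMPLE_SSP = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="8f3c1e44-1a2b-4c3d-8e9f-000000000001">
  <system-implementation>
    <!-- Appendix Q cryptographic module (section 4.10) -->
    <component uuid="4d2a9e10-5b6c-4d7e-8f90-000000000010" type="software">
      <title>[SAMPLE] FIPS 140-2 Validated TLS Module</title>
      <description><p>Cryptographic module terminating HTTPS.</p></description>
      <status state="operational"/>
    </component>
    <!-- Table 9.1 row whose Reference # resolves -->
    <component uuid="9b8a7c60-1d2e-4f30-a1b2-000000000020" type="service">
      <title>[SAMPLE] Customer Web Portal</title>
      <description><p>HTTPS front end.</p></description>
      <purpose>Serves the customer user interface.</purpose>
      <link href="#4d2a9e10-5b6c-4d7e-8f90-000000000010" rel="depends-on"/>
      <status state="operational"/>
      <protocol name="https">
        <port-range start="443" end="443" transport="TCP"/>
      </protocol>
    </component>
    <!-- Table 9.1 row whose Reference # points at a UUID that does not exist -->
    <component uuid="c1d2e3f4-0a1b-4c2d-9e8f-000000000030" type="service">
      <title>[SAMPLE] DNS Resolver</title>
      <description><p>Internal name resolution.</p></description>
      <purpose>Resolves internal hostnames.</purpose>
      <link href="#00000000-0000-4000-8000-00000000dead" rel="depends-on"/>
      <status state="operational"/>
      <protocol name="dns">
        <port-range start="53" end="53" transport="UDP"/>
        <port-range start="53" end="53" transport="TCP"/>
      </protocol>
    </component>
  </system-implementation>
</system-security-plan>
"""


def _components(root):
    """Map every system-implementation component UUID to its element."""
    return {c.get("uuid"): c
            for c in root.findall(".//o:system-implementation/o:component", NS)}


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _target_uuid(href):
    """A same-document link is '#<uuid>'; any other href is not a component ref."""
    return href[1:] if href.startswith("#") else None


def table_9_1_rows(ssp_xml):
    """One dict per service component, mirroring the Table 9.1 columns."""
    root = ET.fromstring(ssp_xml)
    comps = _components(root)
    rows = []
    for comp in comps.values():
        if comp.get("type") != "service":
            continue
        refs = []
        for link in comp.findall("o:link[@rel='depends-on']", NS):
            target = comps.get(_target_uuid(link.get("href", "")))
            # Only hardware/software targets are cryptographic modules;
            # a depends-on pointing at another service is not a Reference #.
            if target is not None and target.get("type") in ("software", "hardware"):
                refs.append(_text(target, "o:title"))
        rows.append({
            "service": _text(comp, "o:title"),
            "protocols": [p.get("name") for p in comp.findall("o:protocol", NS)],
            "ports": [(pr.get("start"), pr.get("end"), pr.get("transport"))
                      for pr in comp.findall("o:protocol/o:port-range", NS)],
            "purpose": _text(comp, "o:purpose"),
            "reference": refs,
        })
    return rows


def dangling_references(ssp_xml):
    """(service title, href) for depends-on links that resolve to no component."""
    root = ET.fromstring(ssp_xml)
    comps = _components(root)
    return [(_text(comp, "o:title"), link.get("href", ""))
            for comp in comps.values() if comp.get("type") == "service"
            for link in comp.findall("o:link[@rel='depends-on']", NS)
            if _target_uuid(link.get("href", "")) not in comps]


if __name__ == "__main__":
    for row in table_9_1_rows(SAMPLE_SSP):
        print(row)
    for service, href in dangling_references(SAMPLE_SSP):
        print(f"unresolved Reference # in {service!r}: {href}")
```

Run it against a real SSP by replacing `SAMPLE_SSP` with the file contents; a non-empty result from `dangling_references` means a Table 9.1 row would render with an empty Reference # even though the author intended one, which is exactly the gap the issue asks the guide to close.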