From 6bc3c7fbcac3f3e6333d096723cd8b5c9a039173 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Fri, 29 Nov 2024 13:54:07 -0500 Subject: [PATCH 1/2] Document connection-security prop for #931 --- content/documentation/ssp/4-ssp-template-to-oscal-mapping.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 4c08d4b..07e89e9 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md @@ -1481,6 +1481,8 @@ Replace XPath predicate "[1]" with "[2]", "[3]", etc. Entries in the ports, protocols, and services table are represented as component assemblies, with the component-type flag set to "service". Use a protocol assembly for each protocol associated with the service. For a single port, set the port-range start flag and end flag to the same value. +For components that describe [external systems and services that are not FedRAMP authorized and not part of a leveraged authorization](#ports-protocols-and-services), the component must identify the kind of connection security in use to protect data in transit (e.g. IPSec VPN). + {{< figure src="/img/ssp-figure-20.png" title="FedRAMP SSP template ports, protocols, and services." alt="Screenshot of the ports, protocols, and services information in the FedRAMP SSP template." >}} #### OSCAL Representation @@ -1491,6 +1493,7 @@ Entries in the ports, protocols, and services table are represented as component [SAMPLE]Service Name

Describe the service

Describe the purpose for which the service is needed. + From 779caebe55f1729ce7d1fc1fdb2c5abc9f7cc468 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Fri, 29 Nov 2024 14:03:15 -0500 Subject: [PATCH 2/2] Correct external service prop docs for #931 --- .../documentation/ssp/4-ssp-template-to-oscal-mapping.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md index 07e89e9..3f536a4 100644 --- a/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md +++ b/content/documentation/ssp/4-ssp-template-to-oscal-mapping.md @@ -1154,6 +1154,8 @@ count(/*/system-implementation/user[1]/authorized-privilege[1]/function-performe FedRAMP authorized services should be used, whenever possible, since their risk is defined. However, there are instances where CSOs have external systems or services that are not FedRAMP authorized. In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below. +For components that describe external systems and services that are not FedRAMP-authorized and not part of a leveraged authorization, the component must identify the kind of connection security in use to protect data in transit (e.g. IPSec VPN). + The nature-of-agreement property identifies acceptable agreement types. {{< figure src="/img/ssp-figure-17.png" title="FedRAMP SSP template external systems (not FedRAMP authorized)." alt="Screenshot of the external system information for non-FedRAMP authorized services in the FedRAMP SSP template." >}} @@ -1161,7 +1163,7 @@ The nature-of-agreement property identifies acceptable agreement types. #### OSCAL Representation {{< highlight xml "linenos=table" >}} - + [EXAMPLE]External System / Service Name

Briefly describe the interconnection details.

@@ -1200,7 +1202,7 @@ The nature-of-agreement property identifies acceptable agreement types. -
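Review bot: In patch 1/2, hunk at line 1481, the new link "[external systems and services that are not FedRAMP authorized and not part of a leveraged authorization](#ports-protocols-and-services)" uses a fragment that appears to be the heading of the ports, protocols, and services section the sentence already sits in, judging by the surrounding context and the figure title. As written, it does not take the reader to the external systems guidance that the link text names. Point the fragment at the external systems (not FedRAMP authorized) section that patch 2/2 edits, or drop the link and keep the plain sentence.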
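Review bot: In patch 2/2, hunk at line 1154, the added sentence says the component "must identify the kind of connection security in use" but never names the property that carries it, while the very next line names its counterpart outright ("The nature-of-agreement property identifies acceptable agreement types."). Name the connection-security prop from the subject of patch 1/2 in this sentence and state which values are accepted, since "e.g. IPSec VPN" gives only one example. The sentence also now exists in two sections with different spellings, "FedRAMP-authorized" here and "FedRAMP authorized" in patch 1/2. Pick one; the unchanged context in this hunk uses "not FedRAMP authorized".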