Document connection security

content/documentation/ssp/4-ssp-template-to-oscal-mapping.md

@@ -1154,14 +1154,16 @@ count(/*/system-implementation/user[1]/authorized-privilege[1]/function-performe
 
 FedRAMP authorized services should be used, whenever possible, since their risk is defined.  However, there are instances where CSOs have external systems or services that are not FedRAMP authorized.  In OSCAL, these external systems and services must be identified using `component` assemblies with additional FedRAMP namespace and class properties as shown in the OSCAL representation below.
 
+For components that describe external systems and services that are not FedRAMP-authorized and not part of a leveraged authorization, the component must identify the kind of connection security in use to protect data in transit (e.g. IPSec VPN).
+
 The nature-of-agreement property identifies acceptable agreement types.
 
 {{< figure src="/img/ssp-figure-17.png" title="FedRAMP SSP template external systems (not FedRAMP authorized)." alt="Screenshot of the external system information for non-FedRAMP authorized services in the FedRAMP SSP template." >}}
 
 #### OSCAL Representation
 {{< highlight xml "linenos=table" >}}
 <!-- list any external connections as components in the system-characteristics -->
-<component uuid="uuid-value" type="system">
+<component uuid="uuid-value" type="service">
     <title>[EXAMPLE]External System / Service Name</title>
     <description>
         <p>Briefly describe the interconnection details.</p>
@@ -1200,7 +1202,7 @@ The nature-of-agreement property identifies acceptable agreement types.
         <prop ns="https://fedramp.gov/ns/oscal" name="information" 
             value="Describe the information being transmitted."/>
         <prop ns="https://fedramp.gov/ns/oscal" name="port" class="remote" value="80"/>
-        <prop ns="https://fedramp.gov/ns/oscal" name="interconnection-security" 
+        <prop ns="https://fedramp.gov/ns/oscal" name="connection-security" 
             value="ipsec">
         <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
                 <!-- cut ports, protocols -->
@@ -1481,6 +1483,8 @@ Replace XPath predicate "[1]" with "[2]", "[3]", etc.
 
 Entries in the ports, protocols, and services table are represented as component assemblies, with the component-type flag set to "service". Use a protocol assembly for each protocol associated with the service. For a single port, set the port-range start flag and end flag to the same value.
 
+For components that describe [external systems and services that are not FedRAMP authorized and not part of a leveraged authorization](#ports-protocols-and-services), the component must identify the kind of connection security in use to protect data in transit (e.g. IPSec VPN).
+
 {{< figure src="/img/ssp-figure-20.png" title="FedRAMP SSP template ports, protocols, and services." alt="Screenshot of the ports, protocols, and services information in the FedRAMP SSP template." >}}
 
 #### OSCAL Representation
@@ -1491,6 +1495,7 @@ Entries in the ports, protocols, and services table are represented as component
         <title>[SAMPLE]Service Name</title>
         <description><p>Describe the service</p></description>
         <purpose>Describe the purpose for which the service is needed.</purpose>
+        <prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="ipsec" />
         <link href="uuid-of-component-used-by" rel="used-by" />
         <link href="uuid-of-component-provided-by" rel="provided-by" />
         <status state="operational" />