Example SSP Reflecting Latest FedRAMP OSCAL Modeling #925

Open: wants to merge 53 commits into base: develop

53 commits
a5ae413
example-ssp WIP
brian-ruf Nov 8, 2024
31e979e
Example UUID Legend Creation
brian-ruf Nov 8, 2024
dfb251c
WIP
brian-ruf Nov 9, 2024
0a3a6e1
oscal-cli validation cleanup
brian-ruf Nov 9, 2024
bc4b2cd
Leveraged Authorization revisions
brian-ruf Nov 11, 2024
24a7caf
WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid
brian-ruf Nov 14, 2024
7bdcf52
Component WIP
brian-ruf Nov 15, 2024
7c93843
Ch 7 External WIP
brian-ruf Nov 15, 2024
d5f4594
External system/service WIP
brian-ruf Nov 15, 2024
a13306d
Table 7.1 WIP
brian-ruf Nov 15, 2024
a53d3b7
Table 7.1 examples WIP
brian-ruf Nov 19, 2024
d7743f0
Tables 6.1 and 7.1 WIP
brian-ruf Nov 21, 2024
8522fbe
Table 6.1 and 7.1 WIP
Nov 21, 2024
0f59992
example-ssp WIP
brian-ruf Nov 8, 2024
939402b
Example UUID Legend Creation
brian-ruf Nov 8, 2024
20c578e
WIP
brian-ruf Nov 9, 2024
9111641
oscal-cli validation cleanup
brian-ruf Nov 9, 2024
e17dae5
Leveraged Authorization revisions
brian-ruf Nov 11, 2024
155a97d
WIP SSP Example, Made AwesomeCloudSSP2.xml XML Schema valid
brian-ruf Nov 14, 2024
21582e3
Component WIP
brian-ruf Nov 15, 2024
ccf4923
Ch 7 External WIP
brian-ruf Nov 15, 2024
bfbc6b9
External system/service WIP
brian-ruf Nov 15, 2024
e071643
Table 7.1 WIP
brian-ruf Nov 15, 2024
adbf9dc
Table 7.1 examples WIP
brian-ruf Nov 19, 2024
18fef78
Tables 6.1 and 7.1 WIP
brian-ruf Nov 21, 2024
60c2913
Table 6.1 and 7.1 WIP
Nov 21, 2024
18bd9f2
added example ssp to fedramp_extensions.feature
Nov 21, 2024
50c771b
Merge branch 'example-ssp' of github.com:brian-ruf/fedramp-automation…
Nov 21, 2024
53da905
WIP
Nov 21, 2024
51dfea8
fixed import URL
Nov 21, 2024
1c341d7
fixed party-uuids in component
Nov 21, 2024
a18b110
removed zone identifier file
Nov 21, 2024
8915671
interconnection updates WIP
brian-ruf Nov 22, 2024
5d8d510
leveraged authorizations and interconnections
brian-ruf Nov 23, 2024
f6eb3d6
LA and External/Intercon cleanup
brian-ruf Nov 26, 2024
75f273f
fixing validation errors
brian-ruf Nov 26, 2024
ef659d8
more cleanup
brian-ruf Nov 26, 2024
445e036
more cleanup
brian-ruf Nov 26, 2024
78336ae
attachment cleanup
brian-ruf Nov 27, 2024
4109c76
revised resources to omit defunct FedRAMP acronyms attachment, plus a…
brian-ruf Dec 3, 2024
3d8fcde
attachment modeling WIP
brian-ruf Dec 4, 2024
d8beca6
attachment modeling WIP
brian-ruf Dec 4, 2024
9605ba8
SSP component cleanup, UUID planning for implemented controls
brian-ruf Dec 4, 2024
6161401
attachments WIP
brian-ruf Dec 6, 2024
55fe3e4
syntax cleanup
brian-ruf Dec 6, 2024
b0d42a0
additional table 6-1, 7-1 revisions
brian-ruf Dec 9, 2024
b94a79b
enumerating all controls WIP
brian-ruf Dec 11, 2024
adfea54
documents and other component work
brian-ruf Dec 17, 2024
24cd966
Crypto WIP
brian-ruf Dec 24, 2024
4b7fbf8
cryptographic modules WIP
brian-ruf Dec 24, 2024
51e68e9
all inventory-items now point to valid components
brian-ruf Dec 30, 2024
0f1bd9d
moved from 'baseline-configuration-name' prop to 'baseline' link
brian-ruf Dec 31, 2024
dd4871a
WIP
brian-ruf Jan 7, 2025
2 changes: 2 additions & 0 deletions features/fedramp_extensions.feature
@@ -12,6 +12,8 @@ Examples:
| ssp-all-VALID.xml |
# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml |
# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml |
| ../../../content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml |


@full-coverage
Scenario: Preparing constraint coverage analysis
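Review bot: the two AwesomeCloud rows directly above the new `../../../content/rev5/examples/ssp/xml/FedRAMP-SSP-Example.OSCAL.xml` row stay commented out, so this scenario now validates only `ssp-all-VALID.xml` and the new example while `AwesomeCloudSSP1.xml` and `AwesomeCloudSSP2.xml` silently drop out of coverage; add a short comment in the table stating why they are excluded (or re-enable them once AwesomeCloudSSP2.xml validates), so a reader of the feature file can tell whether the `#` is intentional rather than leftover debugging.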
44 changes: 33 additions & 11 deletions src/content/awesome-cloud/xml/AwesomeCloudSSP2.xml
@@ -146,25 +146,37 @@
</security-impact-level>
<status state="operational"/>
<authorization-boundary>
<description/>
<description>
<p></p>
</description>
<diagram uuid="16ebbf5d-b2ca-4447-9ea0-da9ef5a9a1a1">
<description/>
<description>
<p></p>
</description>
<link href="#51cbc2c8-7eb8-4ab1-a9fc-5a742508c968" rel="diagram"/>
<caption/>
</diagram>
</authorization-boundary>
<network-architecture>
<description/>
<description>
<p></p>
</description>
<diagram uuid="5d35e4e0-2dc3-4871-a0aa-c65039a62c1b">
<description/>
<description>
<p></p>
</description>
<link href="#2de57f8e-9611-47f6-a124-a2095265627a" rel="diagram"></link>
<caption/>
</diagram>
</network-architecture>
<data-flow>
<description/>
<description>
<p></p>
</description>
<diagram uuid="8ecdf38a-f2c9-4e3a-a597-e7335769b537">
<description/>
<description>
<p></p>
</description>
<link href="#5ed3e8a9-3fdd-49e6-a4a3-a1485a496e07" rel="diagram"></link>
<caption/>
</diagram>
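Review bot: replacing `<description/>` with `<description><p></p></description>` throughout this hunk produces descriptions that are still semantically empty; if the goal is to satisfy a constraint that requires paragraph content, an empty `<p>` passes the structural check while defeating its purpose, so either put placeholder prose in each paragraph or leave an XML comment next to it noting the text is pending. The network-architecture and data-flow links use the long closing form (`<link href="#2de57f8e-9611-47f6-a124-a2095265627a" rel="diagram"></link>`) while the authorization-boundary link uses `<link .../>`; pick one form for consistency. The `<caption/>` elements on all three diagrams remain empty as well.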
@@ -272,7 +284,9 @@
</user>
<component uuid="19a38c5f-e4af-494b-a482-acf22c28a448" type="this-system" xmlns="http://csrc.nist.gov/ns/oscal/1.0">
<title>The AwesomeCloud Software as a Service (SaaS) Solution</title>
<description/>
<description>
<p></p>
</description>
<prop name="component-type" value="system"/>
<status state="operational"/>
</component>
@@ -659,7 +673,9 @@
</inventory-item>
</system-implementation>
<control-implementation>
<description/>
<description>
<p></p>
</description>
<implemented-requirement control-id="cm-8" uuid="41af2ac0-5e22-488d-a052-549a46ad181d">
<!-- Control title: Information System Component Inventory -->
<prop name="control-origination" ns="https://fedramp.gov/ns/oscal" value="sp-system"/>
@@ -737,19 +753,25 @@
<!--Authorization Boundary Diagram-->
<resource uuid="51cbc2c8-7eb8-4ab1-a9fc-5a742508c968">
<title>Authorization Boundary Diagram</title>
<description/>
<description>
<p></p>
</description>
<rlink href="../artifacts/AwesomeCloudHLA2.png"/>
</resource>
<!--Network Architecture Diagram-->
<resource uuid="2de57f8e-9611-47f6-a124-a2095265627a">
<title>Network Architecture Diagram</title>
<description/>
<description>
<p></p>
</description>
<rlink href="../artifacts/AwesomeCloudHLA2.png"/>
</resource>
<!--Data Flow Diagram-->
<resource uuid="5ed3e8a9-3fdd-49e6-a4a3-a1485a496e07">
<title>Data Flow Diagram</title>
<description/>
<description>
<p></p>
</description>
<rlink href="../artifacts/AwesomeCloudHLA2.png"/>
</resource>
<!--Laws and Regulations-->
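Review bot: all three diagram resources in this hunk (Authorization Boundary `51cbc2c8-7eb8-4ab1-a9fc-5a742508c968`, Network Architecture `2de57f8e-9611-47f6-a124-a2095265627a`, Data Flow `5ed3e8a9-3fdd-49e6-a4a3-a1485a496e07`) reference the same file, `<rlink href="../artifacts/AwesomeCloudHLA2.png"/>`; if these are meant to be distinct diagrams, point each at its own artifact, and if the single image is a deliberate placeholder, say so in the adjacent XML comment so the example is not copied as a model of a real boundary/network/data-flow set. Since these rlinks are also exactly where an SSP consumer checks that the referenced artifact is the one the author intended, the example would be stronger if it showed a `media-type` on each rlink rather than a bare `href`.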
140 changes: 140 additions & 0 deletions src/content/rev5/examples/UUIDs_for_Examples_Legend.md
@@ -0,0 +1,140 @@
# UUIDs for Examples


If this is important for all of our stakeholders to know (aka we are going to reject their package if they don't name their UUIDs correctly), it may be worth making a diagram to add to this file. (It could be worth it anyways just for the sake of clarity and so that different visual learners can understand this because I'm having trouble parsing it out)

Contributor Author

@kyhu65867 this is only for creating examples with easier-to-read UUIDs. Our stakeholders should not be using this for real packages.

The idea was to have consistency in how these example UUIDs appear from one example to the next. It was in response to feedback we had received about the difficulty of following examples with truly random UUIDs (as is their nature) and balancing that against other feedback that all our examples should be valid. (Thus preventing us from using things like component-uuid="[uuid-of-component]", which is easier to understand, but invalid.)

Contributor Author

That said, I agree a diagram is helpful and I'll work on something when I'm done with the analysis work.


Example content with UUIDs can be difficult to follow due to the long, intentionally-random naure of UUIDs. It is possible to craft UUID values that are treated as valid by OSCAL validation tools, yet are easier to follow for developers.

# Example UUID Format

OSCAL allows v4 or v5 UUIDs as defined in [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122).
Please note that UUID values are hexidecimal. Any digit may contain the numbers 0 - 9 and the lower-case letters a - f.

The format used for examples is v4 compliant as follows:

```
00000000-0000-4000-8000-FFF0TTT00###
FILE MODEL ^ ^ FIELD SEQUENCE
```

**FILE**: The first grouping represents the OSCAL file. All digits are the same.
- If an example involves the SSP of two systems, the first system's SSP will use UUID values that starts with all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the second system will use UUID values that start with all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`)
- If an example involves a catalog and a profile, the catalog will use all 1's (`11111111-xxxx-4000-8000-xxxxxxxxxxxx`) and the prifle will use all 2's (`22222222-xxxx-4000-8000-xxxxxxxxxxxx`).


**MODEL**: The second group of characters represents the model as follows:
- The values are as follows:
- `0000`: Catalog
- `1111`: Profile
- `2222`: SSP
- `3333`: Component Definition
- `4444`: SAP
- `5555`: SAR
- `6666`: POA&M
- - If an example involves the SSP of two systems, both SSPs will use UUID values that have all 2's in the second grouping (`11111111-2222-4000-8000-xxxxxxxxxxxx` and `22222222-2222-4000-8000-xxxxxxxxxxxx`)


**^**: indicates a UUID v4 required digit.
- The `4` in the third group is required by RFC-4122 to indicate the value is a v4 UUID.
- The first digit in the forth group is rquired by RFC-4122 to always be `8`, `9`, or `a` - `f` (bimary `1xxx`). For example UUIDs, always use `8`.
- We will always use `4000` for the third grouping.
- We will always use `8000` for the forth grouping.


**FIELD**: `FFF`: Indicates the OSCAL field name associated with the UUID

**Metadata and Back Matter**
- `-0000`=root
- `-0010`=resource
- `-0020`=prop
- `-0030`=location
- `-0040`=party
- `-0050`=action

**SSP**
- `-0060`=information-type
- `-0070`=diagram
- `-0080`=user
- `-0090`=component
- `-0100`=protocol
- `-0110`=inventory-item
- `-0120####`=implemented-requirement
- `-0120cccc##`=statement
- `-0120ccccss##`=by-component
- `-0130cccc01xx`=provided
- `-0130cccc02xx`=responsibility
- `-0140cccc01xx`=inherited
- `-0140cccc02xx`=satisfied
- `-0190`=leveraged-authorization

_Fields for other models to be added as we work with those models._


- `TT`: Used to further distinguish a field that can have multiple types. It is optional and may be difficult to manage. Only use when this clarity is helpful or necessary.

**Component Types** (`TT`)
- `0000`=This System
- `0010`=System
- `0020`=Interconnection
- `0030`=Software
- `0040`=Hardware
- `0050`=Service
- `0060`=Policy
- `0070`=Physical
- `0080`=Process/Procedure
- `0090`=Plan
- `0100`=Guidance
- `0110`=Standard
- `0120`=Validation
- `0130`=Network
- `0140`=Connection

**Enumeration**
- `0###`: A simple sequence number. (`001`, `002`, through `fff`)
- Start a new sequence for each system/model/field.


# Examples:

### "This System"

Always `11111111-2222-4000-8000-009000000000` in its SSP.


### Resource UUIDs

All parties in example SSP content use:
- `11111111-2222-4000-8001-001000000###`, where the first resource is `11111111-2222-4000-8001-001000000001`, the second party is `11111111-2222-4000-8001-001000000002`, etc.


Backmatter resources in an SSP will always appear as:
- `11111111-2222-4000-8001-001000000###`

Where:
- `11111111` represents the primary system in the example.
- `-2222` indicates this is in an SSP model.
- `-0010` indicates it is for a resource.
- The final three digits are assigned in sequence to each resource.

### Parties

All parties in example SSP content use:
- `11111111-2222-4000-8001-004000000###`, where the first party is `11111111-2222-4000-8001-004000000001`, the second party is `-004000000002`, etc.

Where:
- `11111111` represents the primary system in the example.
- `-2222` indicates this is in an SSP model.
- `0040` indicates it is for a party.
- The final three digits are assigned in sequence to each party.

### Components

All components in example SSP content use:
- `11111111-2222-4000-8001-0090TTT00###`, where the first resource is `11111111-2222-4000-8001-009000800001`, the second resource is `11111111-2222-4000-8001-009001200002`, etc.

Where:
- `11111111` represents the primary system in the example.
- `-2222` indicates this is in an SSP model.
- `-00900120` indicates it is for a component of type `validation`.
- `-00900080` indicates it is for a component of type `process-procedure`
- The final three digits are assigned in sequence to each component as in the other examples above; however, the 6th - 8th digits in the last grouping are non-zero.



2 changes: 2 additions & 0 deletions src/content/rev5/examples/ssp/xml/.gitignore
@@ -0,0 +1,2 @@
*.sh
*.sarif
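Review bot: ignoring `*.sh` and `*.sarif` under `src/content/rev5/examples/ssp/xml/` keeps local validation helpers and their SARIF output out of the repository, which is reasonable for scratch files, but a one-line comment in the .gitignore saying these are local oscal-cli run artifacts would spare the next contributor from wondering whether a script was forgotten; if the SARIF results are meant to be reviewed alongside the example, commit them to a results location instead of ignoring them here.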