-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSP Completeness Checks: 7 External Systems and Services Not Having FedRAMP Authorization #808
Comments
There are five scenarios that require tracking as part of External Systems and Services Not Having FedRAMP Authorization:
In all scenarios:
Scenario 1: A non-authorized service from a FedRAMP leveraged authorizationA service from an underlying leveraged system, where the underlying system is FedRAMP-authorized; however, the service is not included in the underlying system's authorization. (The service is not included in the underlying's system's FedRAMP Marketplace details.)
graph LR;
A[This System<br />type='this-system']-->B[Non-Authorized Leveraged Service<br />type='service']-->C[Leveraged System<br />type='system'];
Scenario 2: An interconnection between this system and an external systemFedRAMP-Authorized System connecting to an external system that may or may not be FedRAMP-authorized.
graph LR;
A[This System<br />type='this-system']-->B[Interconnection<br />type='interconnection']-->C[External System<br />type='system'];
Scenario 3: A service or API from an external system other than the leveraged systemFedRAMP-Authorized System using an API or service from an external system:
graph LR;
A[This System<br />type='this-system']-->B[External Service<br />type='service']-->C[External System<br />type='system'];
Scenario 4: A service or API from this system and offered to external systemsWhen the system represented by the SSP ("this-system") offers an API or service for external systems:
graph LR;
A[This System<br />type='this-system']-->B[Offered Service or API<br />type='service']-->C[External System<br />type='system'];
Scenario 5: A CLI that connects to leveraged or external systemsFedRAMP-Authorized System using an CLI to manage remote or underlying system:
graph LR;
A[This System<br />type='this-system']-->B[Management CLI<br />type='software']-->C[External or Leveraged System<br />type='system'];
|
TARGET:
|
Table 7.1 Constraint GoalsThere are two primary goals to constraints related to table 7.1:
Although all of table 7.1 is represented using components, only the "interconnection" component type always represents communication that crosses the authorization boundary. Additional content is required in "service" and "software" component types to determine if they represent communication that crosses the boundary. ConstraintsCheckboxes BelowThe checkboxes are to track the inclusion of the constraint in a defined task issue. Checked indicates the constraint should be fully covered by a task that appears in the task list at the top. Critical ConstraintsSome component types can represent either inter- or intra- boundary communication. As a result, certain fields are required to disambiguate.
Constraints that apply to the entire group:
Allowed Values:
Constraint Grouping:There is some variance in the the required information based on the nature of the communication crossing the boundary. Some constraints must be applied to a sub-set of the components. Constraints that apply only to interconnections:
Constraints that apply to external communication other-than interconnections
Constraints that apply to external communications other an offered services/APIs
Constraints that apply to external communications other an non-authorized leveraged services
NOTE: There may be no way to exclude this property only from external services that are non-authorized services of a leveraged system as the relationship between the service and its system (which would have a leveraged authorization property) is via an href with a URI fragment. I am unaware of how to decompose a URI fragment to just the resolvable UUID portion (essentially by dropping the leading hash/#). Worst case, we can make the hosting environment property required for all components in the group and not make this distinction. |
NIST OSCAL Issues Blocking This Issue
These are being addressed by PR usnistgov/OSCAL#2077 |
@brian-ruf for the first scenario, are you also taking into account the additional props for a service that does not have a FedRAMP ATO? Since it is "offered by" the packaged, but not actually authorized, will the iso-poc's still be required, and the connection agreement, or can we still piggy back off of the lev-auth poc and sla? This may be a @aj-stein-gsa question, but I like this structure. Scenario's 2-5 seem like they are fully covered under OSCAL and defined in the FedRAMP use case. For the constraint grouping, what is the use case for linking the interconnection component to this-system? Is it strictly for external implementation points? I am not sure that this constraint should be included, as the this-system already represents the entire package. Specificity should be included where more detail is needed and provides value to the reviewer. It could maybe be a conditional constraint, but I would want to understand what value that constraint brings to the assessor and Authorization process. |
@Telos-sa you actually caught a mistake. It was supposed to be "provided-by", not "offered-by". I've corrected. "provided-by" is part of the core OSCAL syntax. Yes the goals here are as follows:
It's still a work in progress, but I'm working on one example for each of the above scenarios here: |
Changed |
Modifying the "user-authentication" property/extension to an "authentication-method" property/extension as the true intention of this information is to document the nature of any authentication method, whether it be external users or external systems/automation accounts. |
@brian-ruf, just a heads up because I can tell this may be the same thing as the leveraged authorization prop will likely be the same thing, that prop elsewhere is already wrapping on a review. If we wanted to change that, we may want to notify Gabe as he is working on #891. |
@aj-stein-gsa thank you. Yes, I actually needed to make notes/revisions to PR #921, as well as issues #807, #891, #893, #897, and created issue #924. The good news is this will check boxes in both 807 and 808. While I did have to tweak the language associated with the allowed values, it turned out that language was missing from the PR anyway. So we can get the updated language in when that gets corrected. |
After consultation with the review team as captured in #935, we have eliminated "risk", "mitigation", and "impact" property/extensions in favor of a "poam-item" link. This is based on the assertion that every entry in Table 7.1 is required to have a corresponding POA&M entry. The primary benefits of referring to the POA&M entry can include:
|
We need allowed values for the "connection-security" prop/extension. Created issue #961 to address this. |
For "service" or "software" components with an "implementation-point" of "external" it is clear that communication crosses the boundary. For "service" and "software" components I am adding a "communicates-externally" prop/extension that is required when the "implementation-point" is "internal". This is how tools will know to impose Table 7-1 information requirements on these internal components. (information types, authentication, POA&M item, etc.) |
In the wake of recent revisions, and in an effort to reduce future rework, I am moving to the following approach for things like properties and links that should appear in some components, but not others based on complex conditions:
In other words, allowed value constraints should always trust that cardinality or complex circumstances are enforced by other constraints and are not the "responsibility" of the allowed value constraint. This should also simplify error messages. |
For this new prop "communicates-externally", what are the expected values of this new prop? should it be a "yes"/"no"? |
@Telos-sa, yes. That is correct. There will be an allowed values constraint that defines/enforces, "yes" and "no" as the two allowed values for "communicates-externally" |
This is a ...
fix - something needs to be different
This relates to ...
User Story
As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:
Goals
SSP Completeness checks are defined, tested and documented
Dependencies
No response
Acceptance Criteria
Other information
No response
TASKS
user-authentication
Allowed Values #921The text was updated successfully, but these errors were encountered: