From 374859932bffb75654b7cbdc5c4a22caa3e01f45 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 30 Aug 2022 10:28:33 -0400 Subject: [PATCH 1/4] OSCAL set-parameter values are arrays. When using YAML, we still have to have an array of one item with a scalar. We can still use the special scalar declaration `>-` but need it to be in an array element. --- .oscal/ssp/simple.yaml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.oscal/ssp/simple.yaml b/.oscal/ssp/simple.yaml index e26ce85..e2d209a 100644 --- a/.oscal/ssp/simple.yaml +++ b/.oscal/ssp/simple.yaml @@ -1,6 +1,7 @@ +# yaml-language-server: $schema=../schemas/oscal_complete.json + system-security-plan: uuid: ##########ID########## - metadata: title: Leveraging SaaS System Security Plan last-modified: 2022-09-08T00:00:00.0000-04:00 
@@ -74,18 +75,19 @@ system-security-plan: control-id: ac-8 set-parameters: - param-id: ac-8_prm_1 - values: >- - You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, - 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage - media attached to this network or to a computer on this network. You understand and consent to the following: you - may access this information system for authorized use only; unauthorized use of the system is prohibited and subject - to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data - transiting or stored on this information system at any time and for any lawful Government purpose, the Government may - monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; - and any communications or data transiting or stored on this information system may be disclosed or used for any lawful - Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to - safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and - using this system indicates your understanding of this warning. + values: + - > + You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, + 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage + media attached to this network or to a computer on this network. 
You understand and consent to the following: you + may access this information system for authorized use only; unauthorized use of the system is prohibited and subject + to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data + transiting or stored on this information system at any time and for any lawful Government purpose, the Government may + monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; + and any communications or data transiting or stored on this information system may be disclosed or used for any lawful + Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to + safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and + using this system indicates your understanding of this warning. statements: - statement-id: ac-8_smt.a uuid: ##########ID########## From 628b96a1482e8f21349186a1b2aa9b6bae1f3d22 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 30 Aug 2022 13:18:57 -0400 Subject: [PATCH 2/4] Indents of by-components breaks validation. Not 100% clear if this is invalid syntax, but the by-components were double-indented and YAML validators did interpreted this as an embedded closure/block and not more properties of the same statement in the array. --- .oscal/ssp/simple.yaml | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.oscal/ssp/simple.yaml b/.oscal/ssp/simple.yaml index e2d209a..f557c86 100644 --- a/.oscal/ssp/simple.yaml +++ b/.oscal/ssp/simple.yaml 
@@ -1,4 +1,4 @@ -# yaml-language-server: $schema=../schemas/oscal_complete.json +# yaml-language-server: $schema=https://gist.githubusercontent.com/aj-stein-nist/323a00aab93355cc78c23d2dc6cc894e/raw/64799377a7fbd722219152baed24e510cb865e6b/oscal_complete.json system-security-plan: uuid: ##########ID########## @@ -76,7 +76,7 @@ system-security-plan: set-parameters: - param-id: ac-8_prm_1 values: - - > + - >- You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you 
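Review bot: The `$schema` hint now pulls the validation schema over the network from a personal gist (`https://gist.githubusercontent.com/aj-stein-nist/...`), so every editor honouring `yaml-language-server` trusts a source that is neither this project nor an OSCAL release artifact. Pinning to the gist revision hash prevents silent drift, but a raw gist can disappear with its account and a fork of this repo has no local copy to audit. The PATCH 1/4 hunk referenced `../schemas/oscal_complete.json`, which the diffstat shows was never added; vendoring the official OSCAL JSON schema matching the declared `oscal-version: 1.0.4` at that path and restoring `# yaml-language-server: $schema=../schemas/oscal_complete.json` keeps validation offline and reviewable.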
@@ -91,26 +91,26 @@ system-security-plan: statements: - statement-id: ac-8_smt.a uuid: ##########ID########## - by-components: - - component-uuid: ##########ID########## - uuid: ##########ID########## - description: >- - The system use notification will be implemented in the following locations before allowing access: - * Server log in - * Application log in - props: - - name: responsibility - value: provider + by-components: + - component-uuid: 19821111-b352-4ff2-8978-365479971f87 + uuid: cedc1d30-5336-4bac-a88b-1681eae664a1 + description: >- + The system use notification will be implemented in the following locations before allowing access: + * Server log in + - Application log in + props: + - name: responsibility + value: provider - statement-id: ac-8_smt.b uuid: ##########ID########## - by-components: - - component-uuid: ##########ID########## - uuid: ##########ID########## - description: >- - The system use notification will remain visible until the user completes the actions required to attempt to log into the system. - props: - - name: responsibility - value: provider + by-components: + - component-uuid: ##########ID########## + uuid: ##########ID########## + description: >- + The system use notification will remain visible until the user completes the actions required to attempt to log into the system. + props: + - name: responsibility + value: provider - statement-id: ac-8_smt.c uuid: ##########ID########## by-components: From 1595bc609b25fb8bc3759bd91d01f72b3f02541d Mon Sep 17 00:00:00 2001 
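Review bot: Besides the re-indent this hunk replaces the `##########ID##########` placeholders for ac-8_smt.a with concrete values (`component-uuid: 19821111-b352-4ff2-8978-365479971f87`, `uuid: cedc1d30-5336-4bac-a88b-1681eae664a1`) while ac-8_smt.b keeps its placeholders, which the commit message does not mention; the `component-uuid` presumably has to resolve to a component declared elsewhere in the file, so that should be confirmed. The description bullets now also mix markers, `* Server log in` followed by `- Application log in`, and because the value is a `>-` folded scalar those lines fold into one run of text, so no list survives either way; use one marker consistently and switch to `|-` if a Markdown list is intended. The enclosing control entry (`control-id: ac-8`) begins before the hunk.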
From: Alexander Stein Date: Tue, 30 Aug 2022 13:33:39 -0400 Subject: [PATCH 3/4] Adapt System ID and System Name Per our discussion on the topic of generalized and making this MVP, we may want to consider just giving the example app a name and pick yet another random identifier. Leveraging SaaS and information might be a confusing given the simplification of context we want. --- .oscal/ssp/simple.yaml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/.oscal/ssp/simple.yaml b/.oscal/ssp/simple.yaml index f557c86..6caae0b 100644 --- a/.oscal/ssp/simple.yaml +++ b/.oscal/ssp/simple.yaml @@ -8,8 +8,8 @@ system-security-plan: version: "0.1" oscal-version: 1.0.4 roles: - - id: admin - title: Administrator + - id: application-admin + title: Application Administrator parties: - uuid: ##########ID########## type: person @@ -19,8 +19,9 @@ system-security-plan: system-characteristics: system-ids: - - id: saas_system_iaas_customer - system-name: Leveraging SaaS System + - id: ##########ID########## + identifier-type: http://ietf.org/rfc/rfc4122 + system-name: OSCAL Workflow Example System description: > NO CONTENT HERE FOR NOW security-sensitivity-level: low @@ -51,7 +52,7 @@ system-security-plan: users: - uuid: ##########ID########## role-ids: - - admin + - application-admin authorized-privileges: - title: Developer functions-performed: 
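Review bot: `identifier-type: http://ietf.org/rfc/rfc4122` declares the new `id: ##########ID##########` to be an RFC 4122 UUID, but the placeholder is not one, so the schema-validating editor that PATCH 2/4 says is in use will likely flag it until a real value is substituted; PATCH 2/4 already uses generated v4 UUIDs for ac-8_smt.a, so either generate one here as well or leave `identifier-type` off until the placeholder is filled. The URL as a plain scalar parses as a string (its `:` is not followed by a space), so no quoting is needed. The enclosing `system-characteristics` mapping continues past the hunk.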
@@ -113,15 +114,15 @@ system-security-plan: value: provider - statement-id: ac-8_smt.c uuid: ##########ID########## - by-components: - - component-uuid: ##########ID########## - uuid: ##########ID########## - description: >- - This system is not authorized to be publicly accessible. If any response from the system can be displayed on screen, - such as a terminal window or web browser, the system use notification will be emitted. - props: - - name: responsibility - value: provider + by-components: + - component-uuid: ##########ID########## + uuid: ##########ID########## + description: >- + This system is not authorized to be publicly accessible. If any response from the system can be displayed on screen, + such as a terminal window or web browser, the system use notification will be emitted. + props: + - name: responsibility + value: provider back-matter: From bede99ec656d6223999e43285337f60d276010a9 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 30 Aug 2022 13:36:15 -0400 Subject: [PATCH 4/4] Update state to under dev. I mean, isn't it? --- .oscal/ssp/simple.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.oscal/ssp/simple.yaml b/.oscal/ssp/simple.yaml index 6caae0b..7178f6f 100644 --- a/.oscal/ssp/simple.yaml +++ b/.oscal/ssp/simple.yaml @@ -44,7 +44,8 @@ system-security-plan: security-objective-integrity: fips-199-low security-objective-availability: fips-199-low status: - state: operational + state: under-development + remarks: This example system is under development and will never be operational by design. authorization-boundary: description: This system is for demonstration purposes only.