forked from usnistgov/OSCAL
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cleanup of models and data (usnistgov#476)
* Schematron now reports duplicate definitions in a Metaschema as an error: see usnistgov#465, usnistgov#475 * Catalog metaschema and SP800-53 catalog adjustments renaming 'subcontrol' to 'control' per Issue usnistgov#473 * Refactored metaschemas to avoid definition clashes; more/better Schematron to detect such clashes * Adding new module now required by catalog and profile metaschemas * Revising profiles to be valid to newly revised schema (no more references to subcontrol elements only controls) * Bug fix in Metaschema Schematron * Delete FedRAMP_HIGH-baseline_profile.xml * Delete FedRAMP_LOW-baseline_profile.xml * Delete FedRAMP_MODERATE-baseline_profile.xml * Create temp.txt * Revised FedRAMP Profiles These files include revisions to the FedRAMP baselines, plus a small FedRAMP catalog that provides three subcontrols added by FedRAMP. * Delete temp.txt * moved updated fedramp content to correct location * New and improved FedRAMP profiles * Repaired broken markdown conversion; added missing title content to FedRAMP catalog * add note about b -> strong and i -> em (#9) * Changed inline markup in FedRAMP profiles for lossless conversion * One more adjustment in Markdown->XML conversion (images) * One more time (cleaning up cleanup)
- Loading branch information
1 parent
662c7bc
commit 6497556
Showing
8 changed files
with
3,751 additions
and
5,534 deletions.
There are no files selected for viewing
4,270 changes: 929 additions & 3,341 deletions
4,270
fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
1,224 changes: 784 additions & 440 deletions
1,224
fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
| id="uuid-20190723-133200-001"> | ||
| <metadata> | ||
| <title>FedRAMP Additional Controls</title> | ||
| <last-modified-date>2019-07-23T13:20:00.000-04:00</last-modified-date> | ||
| <version>1.0</version> | ||
| <oscal-version>1.0.0</oscal-version> | ||
| <prop name="keywords">FedRAMP, Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements</prop> | ||
| <role id="creator"> | ||
| <title>Document creator</title> | ||
| </role> | ||
| <role id="contact"> | ||
| <title>Contact</title> | ||
| </role> | ||
| <party id="fedramp" role-id="creator contact"> | ||
| <org> | ||
| <org-name>Federal Risk and Authorization Management Program (FedRAMP)</org-name> | ||
| <email>info@fedramp.gov</email> | ||
| <url>https://fedramp.gov</url> | ||
| </org> | ||
| </party> | ||
| <notes> | ||
| <p>No notes.</p> | ||
| </notes> | ||
| </metadata> | ||
| <group class="family" id="ac"> | ||
| <title>Access Control</title> | ||
| <control class="SP800-53" id="ac-8"> | ||
| <title>System Use Notification</title> | ||
| <control class="SP800-53" id="ac-8.fr"> | ||
| <title>AC-8 Additional FedRAMP Requirements and Guidance</title> | ||
| <prop name="label">AC-8 Req</prop> | ||
| <part id="ac-8.fr_smt.1" name="item"> | ||
| <prop name="label">Requirement:</prop> | ||
| <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p> | ||
| </part> | ||
| <part id="ac-8.fr_smt.2" name="item"> | ||
| <prop name="label">Requirement:</prop> | ||
| <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p> | ||
| </part> | ||
| <part id="ac-8.fr_smt.3" name="item"> | ||
| <prop name="label">Requirement:</prop> | ||
| <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p> | ||
| </part> | ||
| </control> | ||
| </control> | ||
| </group> | ||
| <group class="family" id="ca"> | ||
| <title>CA-7 Security Assessment and Authorization</title> | ||
| <control class="SP800-53" id="ca-7"> | ||
| <title>Continuous Monitoring</title> | ||
| <control class="SP800-53-enhancement" id="ca-7.fr"> | ||
| <title>Additional FedRAMP Requirements and Guidance</title> | ||
| <prop name="label">CA-7 Req</prop> | ||
| <part id="ca-7.fr_smt.1" name="item"> | ||
| <prop name="label">Requirement 1</prop> | ||
| <p>Operating System Scans: at least monthly</p> | ||
| </part> | ||
| <part id="ca-7.fr_smt.2" name="item"> | ||
| <prop name="label">Requirement 2</prop> | ||
| <p>Database and Web Application Scans: at least monthly</p> | ||
| </part> | ||
| <part id="ca-7.fr_smt.3" name="item"> | ||
| <prop name="label">Requirement 3</prop> | ||
| <p>All scans performed by Independent Assessor: at least annually</p> | ||
| </part> | ||
| <part id="ca-7.fr_gdn.1" name="guidance"> | ||
| <p>CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates.</p> | ||
| </part> | ||
| <part id="ca-7.fr_gdn.2" name="guidance"> | ||
| <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a></p> | ||
| </part> | ||
| </control> | ||
| </control> | ||
| </group> | ||
| <group class="family" id="sc"> | ||
| <title>System and Communications Protection</title> | ||
| <control class="SP800-53" id="sc-15"> | ||
| <title>System and Communications Protection Policy and Procedures</title> | ||
| <control class="SP800-53-enhancement" id="sc-15.fr"> | ||
| <title>SC-15 Additional FedRAMP Requirements and Guidance</title> | ||
| <prop name="label">SC-15 Req</prop> | ||
| <part id="sc-15.fr_smt" name="item"> | ||
| <prop name="label">Requirement</prop> | ||
| <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p> | ||
| </part> | ||
| </control> | ||
| </control> | ||
| </group> | ||
| <back-matter> | ||
| <resource id="fedramp-conmon-guide"> | ||
| <rlink media-type="application/pdf" | ||
| href="https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf"/> | ||
| </resource> | ||
| </back-matter> | ||
| </catalog> |
Oops, something went wrong.