diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index ef5eb49a..4e4ca7e7 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -22,11 +22,11 @@ jobs: name: Check, Convert and Validate Content runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 if: github.repository != env.HOME_REPO || github.ref != 'refs/heads/main' with: submodules: recursive - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' with: submodules: recursive @@ -34,7 +34,7 @@ jobs: - name: Install xmllint run: sudo apt-get install -y libxml2-utils - name: Cache generated content for OSCAL build artifacts - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 with: path: | build/oscal/build/node_modules diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index 0dc03fe8..d4b25537 100644 --- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml @@ -12,7 +12,7 @@ jobs: name: Add issue to project runs-on: ubuntu-20.04 steps: - - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c + - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92 with: project-url: https://github.com/orgs/usnistgov/projects/25 github-token: ${{ secrets.COMMIT_TOKEN }} diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 0ed8d8f8..d23a5d52 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml 
@@ -12,7 +12,7 @@ jobs: name: DefaultLabelsActions runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - uses: lannonbr/issue-label-manager-action@e8dbcd8198e86a1e98d5372e55db976fed9ba6f7 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/src/examples/shared-responsibility/xml/example-share-responsibility.xml b/src/examples/shared-responsibility/xml/example-share-responsibility.xml new file mode 100644 index 00000000..23d0d0fd --- /dev/null +++ b/src/examples/shared-responsibility/xml/example-share-responsibility.xml @@ -0,0 +1,54 @@ + + + + CSP IaaS Shared Responsibility Plan + 2024-03-30T11:00:00.000000-04:00 + 1.0 + 1.1.2 + + John Smith + john.smith@csp.com + + + Bob Jones + bob.jones@saas.com + + + + CSP IaaS System Security Plan + 2024-02-01T13:57:28.355446-04:00 + 2024-02-01T13:57:28.355446-04:00 + 0.3 + + + +

This shared responsibility model documents the application level security responsibilities + between the CSP and leveraging SaaS customer.

+
+ + + + +

Describes how the application satisfies AC-2, Part a.

+
+ + +

The CSP maintains the core user access management system for the application. User + accounts can be created, modified, enabled, disabled, and removed.

+
+
+ + +

The leveraging SaaS customer is responsible for determining the access requirements + for their users and formally requesting account creation, modification, enabling, + disabling, and removal actions from the CSP.

+
+
+
+
+
+
+
\ No newline at end of file diff --git a/src/examples/ssp/xml/oscal_leveraged-example_ssp.xml b/src/examples/ssp/xml/oscal_leveraged-example_ssp.xml index bf2aa596..776204a5 100644 --- a/src/examples/ssp/xml/oscal_leveraged-example_ssp.xml +++ b/src/examples/ssp/xml/oscal_leveraged-example_ssp.xml @@ -1,12 +1,11 @@ - CSP IaaS System Security Plan 2024-02-01T13:57:28.355446-04:00 0.3 - 1.1.2 + 1.2.0 Administrator @@ -16,14 +15,20 @@ Internal POC for Customers - +

Leveraged Authorization POC

- + + + 11111111-0000-4000-9000-100000000001 +
+ + + csp_iaas_system Leveraged IaaS System @@ -32,19 +37,19 @@ authorized IaaS.

 Cust-A    Cust-B    Cust-C
-  |         |         |
-  +---------+---------+
-            |
-  +-------------------+
-  |  Leveraging SaaS  |
-  +-------------------+
-            |
-            |
-  +-------------------+
-  |  Leveraged IaaS   |
-  |    this file      |
-  +-------------------+
-            
+| | | ++---------+---------+ + | ++-------------------+ +| Leveraging SaaS | ++-------------------+ + | + | ++-------------------+ +| Leveraged IaaS | +| this file | ++-------------------+ +

In this example, the IaaS SSP specifies customer responsibilities for certain controls.

The SaaS must address these for the control to be fully satisfied.

@@ -119,6 +124,8 @@ Cust-A Cust-B Cust-C
+ Administrator + admin admin Administrator @@ -129,126 +136,32 @@ Cust-A Cust-B Cust-C This System

This Leveraged IaaS.

-

The entire system as depicted in the system authorization boundary

-
- - - - Application - -

An application within the IaaS, exposed to SaaS customers and their downstream - customers.

-

This Leveraged IaaS maintains aspects of the application.

-

The Leveraging SaaS maintains aspects of their assigned portion of the - application.

-

The customers of the Leveraging SaaS maintain aspects of their sub-assigned - portions of the application.

+

The entire system as depicted in the system authorization boundary.

- - - 11111111-0000-4000-9000-100000000001 -
- -

This is a collection of control responses.

+

This is a placeholder control implementation section.

- - - privileged and non-privileged - - - - -

Response for the "This System" component.

-

Overall description of how "This System" satisfies AC-2, Part a.

-

Response for the "This System" component.

-

Overall description of how "This System" satisfies AC-2, Part a.

-

Response for the "This System" component.

-

Overall description of how "This System" satisfies AC-2, Part a.

-

Response for the "This System" component.

-

Overall description of how "This System" satisfies AC-2, Part a.

-
- - -

Optional description about what is being exported.

-
- - -

Consumer-appropriate description of what a leveraging system may - inherite from THIS SYSTEM in the context of satisfying - satisfaction of AC-2, part a.

-
- - 11111111-0000-4000-9000-100000000001 - -
- - -

Leveraging system's responsibilities with respect to inheriting - this capability.

-

In the context of the application component in satisfaction of - AC-2, part a.

-
- - 11111111-0000-4000-9000-100000000002 - -
-
-
- - -

Describes how the application satisfies AC-2, Part a.

-
- - -

Optional description about what is being exported.

-
- - -

Consumer-appropriate description of what may be inherited.

-

In the context of the application component in satisfaction of - AC-2, part a.

-
- - 11111111-0000-4000-9000-100000000001 - -
- - -

Leveraging system's responsibilities with respect to inheriting - this capability.

-

In the context of the application component in satisfaction of - AC-2, part a.

-
- - 11111111-0000-4000-9000-100000000002 - -
-
-
+ + -

a. Identifies and selects the following types of information system accounts - to support organizational missions/business functions: [Assignment: - privileged and non-privileged];

+

This is a sample control response.

+
+ + 11111111-0000-4000-9000-100000000001 + + - -

The organization:

-

a. Identifies and selects the following types of information system accounts to - support organizational missions/business functions: [Assignment: - organization-defined information system account types];

-

b. Assigns account managers for information system accounts;

-

c. Establishes conditions for group and role membership;

-

d. through j. omitted

-
+ + +

This is a placeholder by component control implementation section.

+
+ +
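Review bot: in the content-artifacts.yml hunks (`@@ -22,11` and `@@ -34,7`), the `actions/checkout` and `actions/cache` pins are bumped to new bare commit SHAs with no trailing comment naming the upstream release tag each SHA corresponds to, so a reviewer cannot audit the pin without resolving the SHA by hand; suggest a trailing `# <release tag>` comment on every `uses:` line that carries a SHA (the same applies to the `actions/add-to-project` and labels.yml checkout bumps in this patch), and note that `actions/checkout` is pinned twice here (once per conditional step), so both lines must stay in sync on future bumps.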
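Review bot: in the labels.yml hunk (`@@ -12,7`), only `actions/checkout` is refreshed while the third-party `lannonbr/issue-label-manager-action@e8dbcd8198e86a1e98d5372e55db976fed9ba6f7` keeps its existing pin even though it runs with `secrets.GITHUB_TOKEN`; if the pin refresh was deliberate, it is worth stating in the PR whether that action was checked for a newer release so the remaining stale pin is a decision rather than an omission.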
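Review bot: the new file `src/examples/shared-responsibility/xml/example-share-responsibility.xml` declares OSCAL version `1.1.2`, while the same patch bumps the SSP it imports (`oscal_leveraged-example_ssp.xml`) from `1.1.2` to `1.2.0`; the two example documents should agree on the schema version, otherwise the content-artifacts validation job may treat them inconsistently. Two smaller points on the same hunk: the file ends with `\ No newline at end of file`, and the contact addresses `john.smith@csp.com` / `bob.jones@saas.com` use real registrable domains where a reserved example domain (e.g. `example.com`) would avoid pointing at someone else's mail domain.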
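Review bot: in the SSP hunk `@@ -1,12 +1,11`, `oscal-version` changes to `1.2.0` and a line above the title is dropped, but the document `version` (`0.3`) and `last-modified` (`2024-02-01T13:57:28.355446-04:00`) are left as they were; since later hunks also rewrite this document's content, both metadata fields should be updated, and the new shared-responsibility file's import block, which repeats that same `2024-02-01` timestamp, would then need to match.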
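Review bot: in the hunk `@@ -32,19 +37,19`, the ASCII authorization-boundary diagram is re-emitted with its leading indentation stripped (the `-` lines start with two spaces, the `+` lines with `|` or `+` in column one) while the `Cust-A    Cust-B    Cust-C` header line above it is unchanged; please confirm in the rendered output that the pipes and boxes still line up under the customer labels, since the diagram is only meaningful if the columns align.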
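Review bot: in the hunk `@@ -119,6 +124,8`, the added `Administrator` / `admin` entry sits directly above the existing `admin admin Administrator` user, so it reads as a duplicate of that user; if a second account with the same title and role is intended, give it a distinguishing name or description so the example does not look like an accidental copy.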
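Review bot: the hunk `@@ -129,126 +136,32` removes the worked content (the `Application` component, the leveraged-authorization reference, the export/provided/responsibility statements for AC-2 part a and the inherited-capability text) and replaces it with "This is a placeholder control implementation section." and "This is a placeholder by component control implementation section.", but the unchanged description earlier in the same file still states "In this example, the IaaS SSP specifies customer responsibilities for certain controls. The SaaS must address these for the control to be fully satisfied."; either keep a minimal customer-responsibility example here or revise that description, and if the removed detail has moved into the new shared-responsibility file, say so in the PR description so readers know where to look.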