diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
index ef5eb49a..4e4ca7e7 100644
--- a/.github/workflows/content-artifacts.yml
+++ b/.github/workflows/content-artifacts.yml
@@ -22,11 +22,11 @@ jobs:
name: Check, Convert and Validate Content
runs-on: ubuntu-20.04
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
if: github.repository != env.HOME_REPO || github.ref != 'refs/heads/main'
with:
submodules: recursive
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main'
with:
submodules: recursive
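Review bot: the two `actions/checkout` pins move from `b4ffde65…` to `9bb56186…` with no accompanying version comment, so a reviewer cannot tell from the hunk which tagged release the new commit corresponds to. Before merging, confirm that `9bb56186c3b09b4f86b1c65136769dd318469633` is the commit behind an `actions/checkout` release tag (the full-SHA pin is only as trustworthy as that check), and consider appending `# vX.Y.Z` on the `uses:` line so future bumps can be verified at a glance. Both steps also checkout with `submodules: recursive`, so any submodule content pulled in this way runs under the same trust assumption as the pinned action.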
@@ -34,7 +34,7 @@ jobs:
- name: Install xmllint
run: sudo apt-get install -y libxml2-utils
- name: Cache generated content for OSCAL build artifacts
- uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319
with:
path: |
build/oscal/build/node_modules
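Review bot: same observation for `actions/cache@ab5e6d0c…`: the hunk gives no version marker for the new SHA, so verify that it is the commit of a published `actions/cache` tag rather than an arbitrary commit on the repository. Because the cached path includes `build/oscal/build/node_modules`, a restored cache is executed code on the runner; the cache key (outside this hunk) should be derived from the lockfile hash so that a stale or poisoned entry cannot be restored against a changed dependency set.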
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index 0dc03fe8..d4b25537 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -12,7 +12,7 @@ jobs:
name: Add issue to project
runs-on: ubuntu-20.04
steps:
- - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c
+ - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92
with:
project-url: https://github.com/orgs/usnistgov/projects/25
github-token: ${{ secrets.COMMIT_TOKEN }}
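Review bot: this step hands `${{ secrets.COMMIT_TOKEN }}` to `actions/add-to-project`, so the pin `0609a270…` is the control that decides what code receives that token; confirm the new SHA belongs to an upstream release tag of `actions/add-to-project` and add the tag as a trailing comment. Since the project URL is an org-level project, check that `COMMIT_TOKEN` is scoped only to the permissions the action needs for project writes rather than a broad PAT.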
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 0ed8d8f8..d23a5d52 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -12,7 +12,7 @@ jobs:
name: DefaultLabelsActions
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
- uses: lannonbr/issue-label-manager-action@e8dbcd8198e86a1e98d5372e55db976fed9ba6f7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
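Review bot: `actions/checkout` is bumped here, but the third-party `lannonbr/issue-label-manager-action@e8dbcd81…`, which receives `GITHUB_TOKEN`, is left at its existing pin; if the intent of this change is a coordinated action refresh, state in the commit message whether that action was reviewed and deliberately left unchanged. The job also runs on `ubuntu-latest` while the other workflows in this patch pin `ubuntu-20.04`, which makes runner behaviour differ across workflows; pick one convention.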
diff --git a/src/examples/shared-responsibility/xml/example-share-responsibility.xml b/src/examples/shared-responsibility/xml/example-share-responsibility.xml
new file mode 100644
index 00000000..23d0d0fd
--- /dev/null
+++ b/src/examples/shared-responsibility/xml/example-share-responsibility.xml
@@ -0,0 +1,54 @@
+
+ This shared responsibility model documents the application level security responsibilities
+ between the CSP and leveraging SaaS customer. Describes how the application satisfies AC-2, Part a. The CSP maintains the core user access management system for the application. User
+ accounts can be created, modified, enabled, disabled, and removed. The leveraging SaaS customer is responsible for determining the access requirements
+ for their users and formally requesting account creation, modification, enabling,
+ disabling, and removal actions from the CSP. Leveraged Authorization POC
Cust-A Cust-B Cust-C - | | | - +---------+---------+ - | - +-------------------+ - | Leveraging SaaS | - +-------------------+ - | - | - +-------------------+ - | Leveraged IaaS | - | this file | - +-------------------+ -+| | | ++---------+---------+ + | ++-------------------+ +| Leveraging SaaS | ++-------------------+ + | + | ++-------------------+ +| Leveraged IaaS | +| this file | ++-------------------+ +
In this example, the IaaS SSP specifies customer responsibilities for certain controls.
The SaaS must address these for the control to be fully satisfied.
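Review bot: the new file `src/examples/shared-responsibility/xml/example-share-responsibility.xml` is shown here only as text content (the XML element structure did not survive the diff rendering), so its schema conformance cannot be judged from the hunk; ask that the "Check, Convert and Validate Content" workflow, which installs `xmllint`, runs against this path so the example is validated like the rest of the content. Two wording points in the visible text: "between the CSP and leveraging SaaS customer. Describes how the application satisfies AC-2, Part a." reads as two fragments run together, and the file name says `share-responsibility` while the directory says `shared-responsibility`; align the spelling. The ASCII boundary diagram is also duplicated in both the removed and added form, which suggests the diagram block was moved rather than changed; a note in the description confirming that would help reviewers.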
@@ -119,6 +124,8 @@ Cust-A Cust-B Cust-CThis Leveraged IaaS.
-The entire system as depicted in the system authorization boundary
-An application within the IaaS, exposed to SaaS customers and their downstream - customers.
-This Leveraged IaaS maintains aspects of the application.
-The Leveraging SaaS maintains aspects of their assigned portion of the - application.
-The customers of the Leveraging SaaS maintain aspects of their sub-assigned - portions of the application.
+The entire system as depicted in the system authorization boundary.
This is a collection of control responses.
+This is a placeholder control implementation section.
Response for the "This System" component.
-Overall description of how "This System" satisfies AC-2, Part a.
-Response for the "This System" component.
-Overall description of how "This System" satisfies AC-2, Part a.
-Response for the "This System" component.
-Overall description of how "This System" satisfies AC-2, Part a.
-Response for the "This System" component.
-Overall description of how "This System" satisfies AC-2, Part a.
-Optional description about what is being exported.
-Consumer-appropriate description of what a leveraging system may - inherite from THIS SYSTEM in the context of satisfying - satisfaction of AC-2, part a.
-Leveraging system's responsibilities with respect to inheriting - this capability.
-In the context of the application component in satisfaction of - AC-2, part a.
-Describes how the application satisfies AC-2, Part a.
-Optional description about what is being exported.
-Consumer-appropriate description of what may be inherited.
-In the context of the application component in satisfaction of - AC-2, part a.
-Leveraging system's responsibilities with respect to inheriting - this capability.
-In the context of the application component in satisfaction of - AC-2, part a.
-a. Identifies and selects the following types of information system accounts - to support organizational missions/business functions: [Assignment: - privileged and non-privileged];
+This is a sample control response.
The organization:
-a. Identifies and selects the following types of information system accounts to - support organizational missions/business functions: [Assignment: - organization-defined information system account types];
-b. Assigns account managers for information system accounts;
-c. Establishes conditions for group and role membership;
-d. through j. omitted
-This is a placeholder by component control implementation section.
+
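Review bot: this hunk removes the substantive content of the example, the descriptions of what the Leveraged IaaS, the Leveraging SaaS and the SaaS customers each maintain, the export and inheritance statements for AC-2 part a, and the AC-2 parts b through j text, and replaces them with placeholders ("This is a placeholder control implementation section.", "This is a sample control response."). If that content was relocated to the new shared-responsibility example file, say so in the commit message so the removal is traceable; if not, the example no longer demonstrates the leveraged-authorization responsibility split it is named for. The hunk header context ("Cust-A Cust-B Cust-CThis Leveraged IaaS.") also shows the diagram and prose being fused, which hints the source markup lacks a separator between the diagram block and the following text.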