SSP Review Feedback for September 2022

.oscal/ssp/simple.yaml

@@ -1,14 +1,15 @@
+# yaml-language-server: $schema=https://gist.githubusercontent.com/aj-stein-nist/323a00aab93355cc78c23d2dc6cc894e/raw/64799377a7fbd722219152baed24e510cb865e6b/oscal_complete.json
+
 system-security-plan:
   uuid: ##########ID##########
-
   metadata:
     title: Leveraging SaaS System Security Plan
     last-modified: 2022-09-08T00:00:00.0000-04:00
     version: "0.1"
     oscal-version: 1.0.4
     roles:
-      - id: admin
-        title: Administrator
+      - id: application-admin
+        title: Application Administrator
     parties:
       - uuid: ##########ID##########
         type: person
@@ -18,8 +19,9 @@ system-security-plan:
 
   system-characteristics:
     system-ids:
-      - id: saas_system_iaas_customer
-    system-name: Leveraging SaaS System
+      - id: ##########ID##########
+        identifier-type: http://ietf.org/rfc/rfc4122
+    system-name: OSCAL Workflow Example System
     description: >
       NO CONTENT HERE FOR NOW
     security-sensitivity-level: low
@@ -42,15 +44,16 @@ system-security-plan:
       security-objective-integrity: fips-199-low
       security-objective-availability: fips-199-low
     status:
-      state: operational
+      state: under-development
+      remarks: This example system is under development and will never be operational by design.
     authorization-boundary:
       description: This system is for demonstration purposes only.
 
   system-implementation:
     users:
       - uuid: ##########ID##########
         role-ids:
-          - admin
+          - application-admin
         authorized-privileges:
           - title: Developer
             functions-performed:
@@ -74,52 +77,53 @@ system-security-plan:
         control-id: ac-8
         set-parameters:
           - param-id: ac-8_prm_1
-            values: >-
-              You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 
-              3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage 
-              media attached to this network or to a computer on this network. You understand and consent to the following: you 
-              may access this information system for authorized use only; unauthorized use of the system is prohibited and subject 
-              to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data 
-              transiting or stored on this information system at any time and for any lawful Government purpose, the Government may 
-              monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; 
-              and any communications or data transiting or stored on this information system may be disclosed or used for any lawful 
-              Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to 
-              safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and 
-              using this system indicates your understanding of this warning.
+            values:
+            - >-
+                You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 
+                3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage 
+                media attached to this network or to a computer on this network. You understand and consent to the following: you 
+                may access this information system for authorized use only; unauthorized use of the system is prohibited and subject 
+                to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data 
+                transiting or stored on this information system at any time and for any lawful Government purpose, the Government may 
+                monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; 
+                and any communications or data transiting or stored on this information system may be disclosed or used for any lawful 
+                Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to 
+                safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and 
+                using this system indicates your understanding of this warning.
         statements:
           - statement-id: ac-8_smt.a
             uuid: ##########ID##########
-              by-components:
-                - component-uuid: ##########ID##########
-                  uuid: ##########ID##########
-                  description: >-
-                    The system use notification will be implemented in the following locations before allowing access:
-                      * Server log in
-                      * Application log in
-                  props:
-                    - name: responsibility
-                      value: provider
+            by-components:
+              - component-uuid: 19821111-b352-4ff2-8978-365479971f87
+                uuid: cedc1d30-5336-4bac-a88b-1681eae664a1
+                description: >-
+                  The system use notification will be implemented in the following locations before allowing access:
+                    * Server log in
+                    - Application log in
+                props:
+                  - name: responsibility
+                    value: provider
           - statement-id: ac-8_smt.b
             uuid: ##########ID##########
-              by-components:
-                - component-uuid: ##########ID##########
-                  uuid: ##########ID##########
-                  description: >-
-                    The system use notification will remain visible until the user completes the actions required to attempt to log into the system.
-                  props:
-                    - name: responsibility
-                      value: provider
+            by-components:
+              - component-uuid: ##########ID##########
+                uuid: ##########ID##########
+                description: >-
+                  The system use notification will remain visible until the user completes the actions required to attempt to log into the system.
+                props:
+                  - name: responsibility
+                    value: provider
           - statement-id: ac-8_smt.c
             uuid: ##########ID##########
-              by-components:
-                - component-uuid: ##########ID##########
-                  uuid: ##########ID##########
-                  description: >-
-                    This system is not authorized to be publicly accessible.  If any response from the system can be displayed on screen, 
-                    such as a terminal window or web browser, the system use notification will be emitted.
-                  props:
-                    - name: responsibility
-                      value: provider       
+            by-components:
+              - component-uuid: ##########ID##########
+                uuid: ##########ID##########
+                description: >-
+                  This system is not authorized to be publicly accessible.  If any response from the system can be displayed on screen, 
+                  such as a terminal window or web browser, the system use notification will be emitted.
+                props:
+                  - name: responsibility
+                    value: provider
 
 
   back-matter: