-
Notifications
You must be signed in to change notification settings - Fork 0
/
ssp.go
224 lines (182 loc) · 9.18 KB
/
ssp.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
package domain
import (
"time"
)
type OperationalStatus int
const (
Disposition OperationalStatus = iota
Operational
Other
UnderDevelopment
UnderMajorModification
)
func (os OperationalStatus) String() string {
return [...]string{"disposition", "operational", "other", "under-development", "under-major-modification"}[os]
}
// AuthorizationBoundary defines the system's authorization boundary. It includes a description and optional diagrams illustrating the boundary.
// It can also contain links to additional resources and arbitrary properties.
// For example, the boundary of a cloud-based service might include the cloud infrastructure, network components, and hosted applications.
type AuthorizationBoundary struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Diagrams is an optional collection of visual representations of the boundary.
Diagrams []Diagram `json:"diagrams,omitempty"`
}
// DataFlow describes the logical flow of information within the system and across its boundaries.
// For example, this could represent how data flows from user interfaces to backend services in a web application.
type DataFlow struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Description is a summary of the system's data flow.
Diagrams []Diagram `json:"diagrams,omitempty"`
}
// Diagram provides a visual representation of the system, or some aspect of it.
// For example, a diagram could illustrate the system's network architecture.
type Diagram struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Caption provides a brief annotation for the diagram.
Caption string `json:"caption,omitempty"`
// Uuid is a machine-oriented, globally unique identifier that can be used to reference this diagram elsewhere in this or other OSCAL instances.
Uuid string `json:"uuid"`
}
type Impact struct {
Props []Property `json:"props"`
Links []Link `json:"links"`
Base string `json:"base"`
Selected string `json:"selected"`
AdjustmentJustification string `json:"adjustment_justification"`
}
// InventoryItem A single managed inventory item within the system.
type InventoryItem struct {
Uuid Uuid `json:"uuid"`
// A summary of the inventory item stating its purpose within the system.
ImplementedComponents []Component `json:"implemented-components,omitempty"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Reference to Party docs
ResponsibleParties []Uuid `json:"responsible-parties,omitempty"`
}
// LeveragedAuthorization A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common catalog provider.
type LeveragedAuthorization struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
DateAuthorized string `json:"date-authorized"`
// A machine-oriented identifier reference to the party that manages the leveraged system.
Party Uuid `json:"party-uuid"`
}
// NetworkArchitecture A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
type NetworkArchitecture struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Diagrams []Diagram `json:"diagrams,omitempty"`
}
type Statement struct {
// TODO: By-components
Uuid Uuid `json:"uuid"`
Id string `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
ResponsibleRoles []Uuid `json:"responsibleRoles"`
}
// SystemCharacteristics Contains the characteristics of the system, such as its name, purpose, and security impact level.
type SystemCharacteristics struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Metadata
AuthorizationBoundary AuthorizationBoundary `json:"authorization_boundary"`
ControlImplementation []Uuid `json:"control_implementation"`
DataFlow DataFlow `json:"data_flow"`
DateAuthorized time.Time `json:"date_authorized"`
ImportProfile []Uuid `json:"import_profile"`
NetworkArchitecture NetworkArchitecture `json:"network_architecture"`
ResponsibleParties []Uuid `json:"responsible_parties"`
SecurityImpactLevel SecurityImpactLevel `json:"security_impact_level"`
// The overall information system sensitivity categorization, such as defined by FIPS-199.
SecuritySensitivityLevel string `json:"security_sensitivity_level"`
Status OperationalStatus `json:"status"`
// One of http://fedramp.gov/ns/oscal, https://fedramp.gov", http://ietf.org/rfc/rfc4122", https://ietf.org/rfc/rfc4122
SystemIds []string `json:"system_ids"`
SystemInformation SystemInformation `json:"system_information"`
// The full name of the system.
SystemName string `json:"system_name"`
// A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.
SystemNameShort string `json:"system_name_short"`
}
type SecurityImpactLevel struct {
ObjectiveAvailability string `json:"objective_availability"`
ObjectiveConfidentiality string `json:"objective_confidentiality"`
ObjectiveIntegrity string `json:"objective_integrity"`
}
// SystemImplementation Provides information as to how the system is implemented.
type SystemImplementation struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Components []Component `json:"components"`
InventoryItems []InventoryItem `json:"inventory-items,omitempty"`
LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"`
Users []User `json:"users"`
}
type SystemInformation struct {
// Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
InformationTypes []InformationType `json:"information_types"`
Links []Link `json:"links"`
Props []Property `json:"props"`
Uuid Uuid `json:"uuid"`
}
type InformationType struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
AvailabilityImpact Impact `json:"availability_impact"`
Categorizations []InformationTypeCategorization `json:"categorizations"`
ConfidentialityImpact Impact `json:"confidentiality_impact"`
IntegrityImpact Impact `json:"integrity_impact"`
}
type InformationTypeCategorization struct {
Ids []string `json:"ids"` // NOTE: This part is a bit blurred
System string `json:"system"` // This is an enum but right now it has only one value: http://doi.org/10.6028/NIST.SP.800-60v2r1
}
type SystemSecurityPlan struct {
Title string `json:"title"`
Uuid Uuid `json:"uuid"`
BackMatter BackMatter `json:"backmatter"`
Metadata
// Reference to the control implementation
ControlImplementation []Uuid `json:"control_implementation"`
// Reference to a profile
ImportProfile Uuid `json:"import_profile"`
SystemCharacteristics SystemCharacteristics `json:"system_characteristics"`
}