<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
<!-- The xml-model instruction above is only a schema hint for editors and validators.
     It names the v1.1.1 release schema, while metadata/oscal-version in this document says 1.1.2;
     confirm which release the document is meant to conform to.
     Tools that validate this plan should use a locally pinned copy of the schema rather than
     fetching whatever URL the document itself names. -->
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="cff8385f-108e-40a5-8f7a-82f3dc0eaba8">
<metadata>
<!-- Document-level metadata: title, revision information, the role vocabulary used by the plan,
     and the parties that fill those roles. -->
<title>Enterprise Logging and Auditing System Security Plan</title>
<last-modified>2024-02-01T13:57:28.355446-04:00</last-modified>
<version>1.1</version>
<!-- OSCAL model version declared by this document. The xml-model instruction at the top of the
     file points at the v1.1.1 schema; confirm which release is intended. -->
<oscal-version>1.1.2</oscal-version>
<!-- Role ids defined here are the values that role-id attributes and elements later in the plan
     (users, responsible-role, responsible-party) refer to. -->
<role id="legal-officer">
<title>Legal Officer</title>
</role>
<role id="maintainer">
<title>System Maintainer</title>
</role>
<role id="asset-owner">
<title>System Assets Owner</title>
</role>
<role id="provider">
<title>System Provider</title>
</role>
<role id="asset-administrator">
<title>System Assets Admin</title>
</role>
<!-- Parties: all five are organizations, and each uuid is referenced by a party-uuid element
     in a component or in the inventory item further down. -->
<party uuid="3b2a5599-cc37-403f-ae36-5708fa804b27" type="organization">
<name>Enterprise Asset Owners</name>
</party>
<party uuid="833ac398-5c9a-4e6b-acba-2a9c11399da0" type="organization">
<name>Enterprise Asset Administrators</name>
</party>
<party uuid="ec485dcf-2519-43f5-8e7d-014cc315332d" type="organization">
<name>Legal Department</name>
</party>
<party uuid="0f0c15ed-565e-4ce9-8670-b54853d0bf03" type="organization">
<name>IT Department</name>
</party>
<party uuid="96c362ee-a012-4e07-92f3-486ab303b0e7" type="organization">
<name>Acme Corp</name>
</party>
</metadata>
<!-- The fragment reference resolves to the back-matter resource with the same uuid, which this
     file describes as the NIST SP 800-53 Revision 4 Moderate Baseline Profile. The set of controls
     the plan is measured against therefore depends on the files that resource links to. -->
<import-profile href="#b78aa3ec-915d-475b-8097-46813fae1825" />
<system-characteristics>
<!-- Identifies the system, categorizes the information it holds, and records the resulting
     impact levels, operating status and authorization boundary. -->
<!-- identifier-type names RFC 4122, i.e. the system id is a UUID. -->
<system-id identifier-type="https://ietf.org/rfc/rfc4122">d7456980-9277-4dcb-83cf-f8ff0442623b</system-id>
<system-name>Enterprise Logging and Auditing System</system-name>
<description>
<p>This is an example of a system that provides enterprise logging and log auditing
capabilities.</p>
</description>
<!-- Deployment is declared as a private cloud offering infrastructure as a service. -->
<prop name="cloud-deployment-model" value="private-cloud" />
<prop name="cloud-service-model" value="iaas" />
<!-- Overall sensitivity is moderate, which equals the highest of the three objective levels
     recorded under security-impact-level below (moderate, moderate, low). -->
<security-sensitivity-level>moderate</security-sensitivity-level>
<system-information>
<!-- Single information type, categorized against NIST SP 800-60 Volume 2 Revision 1 (cited by DOI). -->
<information-type uuid="7d28ac6e-5970-4f4c-a508-5a3715f0f02b">
<title>System and Network Monitoring</title>
<description>
<p>This system maintains historical logging and auditing information for all
client devices connected to this system.</p>
</description>
<categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
<information-type-id>C.3.5.8</information-type-id>
</categorization>
<confidentiality-impact>
<base>fips-199-moderate</base>
</confidentiality-impact>
<integrity-impact>
<base>fips-199-moderate</base>
</integrity-impact>
<!-- NOTE(review): availability is rated low for the store of audit records. If those records
     must stay reachable during incident response or investigations, confirm that low is the
     intended rating for a real system. -->
<availability-impact>
<base>fips-199-low</base>
</availability-impact>
</information-type>
</system-information>
<!-- System-level objectives repeat the base values of the one information type above. -->
<security-impact-level>
<security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
<security-objective-integrity>fips-199-moderate</security-objective-integrity>
<security-objective-availability>fips-199-low</security-objective-availability>
</security-impact-level>
<!-- State is "other" because, per the remark, this document is a sample and not a deployed system. -->
<status state="other">
<remarks>
<p>This is an example, and is not intended to be implemented as a system</p>
</remarks>
</status>
<!-- NOTE(review): the boundary description is placeholder text. A plan for a real system needs
     the actual boundary stated here, since every control statement is scoped by it. -->
<authorization-boundary>
<description>
<p>The description of the authorization boundary would go here.</p>
</description>
</authorization-boundary>
</system-characteristics>
<system-implementation>
<!-- User types of the system. Each entry maps a user type to one role id defined in metadata,
     and all five are marked type "internal".
     None of the entries carries an authorized-privilege element, so the plan does not state
     which functions each user type may perform; a reviewer assessing least privilege has
     nothing to check against here. -->
<!-- NOTE(review): the first two uuids differ only in their last character, and the last two
     only in two digits. They are unique, but look hand-edited rather than generated; confirm. -->
<user uuid="9824089b-322c-456f-86c4-4111c4200f69">
<title>System Administrator</title>
<prop name="type" value="internal" />
<role-id>asset-administrator</role-id>
</user>
<user uuid="9824089b-322c-456f-86c4-4111c4200f62">
<title>System Maintainer</title>
<prop name="type" value="internal" />
<role-id>maintainer</role-id>
</user>
<user uuid="ae8de94c-835d-4303-83b1-114b6a117a07">
<title>Audit Team</title>
<prop name="type" value="internal" />
<role-id>asset-owner</role-id>
</user>
<user uuid="372ce7a3-92b0-437e-a98c-24d29f9bfab8">
<title>Legal Department</title>
<prop name="type" value="internal" />
<role-id>legal-officer</role-id>
</user>
<!-- NOTE(review): this user is typed "internal", while the provider role on the Logging Server
     component is assigned to the party named Acme Corp. Confirm whether the provider is inside
     or outside the organization. -->
<user uuid="372ce7a3-92b0-437e-a98c-55d29f9bfab8">
<title>Provider</title>
<prop name="type" value="internal" />
<role-id>provider</role-id>
</user>
<!-- Component of type "this-system": stands for the system described by this plan as a whole.
     No by-component entry in this file's control-implementation refers to its uuid. -->
<component type="this-system" uuid="74042245-3db1-4f4d-be9a-ceb62d81152c">
<title>This System</title>
<description>
<p>The system described by this SSP.</p>
</description>
<status state="operational"/>
</component>
<!-- The only software component in the plan: the central server that receives log events.
     Three roles are bound to it: provider (party Acme Corp), asset-owner (Enterprise Asset
     Owners) and asset-administrator (Enterprise Asset Administrators).
     No by-component entry in this file's control-implementation refers to this uuid, so the
     plan records no control response for the server itself. -->
<component uuid="e00acdcf-911b-437d-a42f-b0b558cc4f03" type="software">
<title>Logging Server</title>
<description>
<p>Provides a means for hosts to publish logged events to a central server.</p>
</description>
<status state="operational" />
<responsible-role role-id="provider">
<party-uuid>96c362ee-a012-4e07-92f3-486ab303b0e7</party-uuid>
</responsible-role>
<responsible-role role-id="asset-owner">
<party-uuid>3b2a5599-cc37-403f-ae36-5708fa804b27</party-uuid>
</responsible-role>
<responsible-role role-id="asset-administrator">
<party-uuid>833ac398-5c9a-4e6b-acba-2a9c11399da0</party-uuid>
</responsible-role>
</component>
<!-- Policy component. The process and guidance components below link to this uuid with
     rel="implements-policy", and the AU-1 policy statements are answered by it. -->
<component uuid="795533ab-9427-4abe-820f-0b571bacfe6d" type="policy">
<title>Enterprise Logging, Monitoring, and Alerting Policy</title>
<description>
<p>Requires all components to send logs to the enterprise logging solution</p>
<ul>
<li>
<p>Requires all components synchronize their time with the appropriate
enterprise time service, and at what frequency.</p>
</li>
<li>
<p>Identifies the events that must be captured</p>
</li>
<li>
<p>Identifies who is responsible/accountable for performing these functions</p>
</li>
</ul>
</description>
<!-- Version and release date match the citation "Version 2.1, October 15, 2018" used in the
     au-1_smt.a.2 responses. -->
<prop name="version" value="2.1" />
<prop name="release-date" value="2018-10-15" />
<status state="operational" />
<!-- The policy is bound to the "maintainer" role, filled by the Legal Department party.
     NOTE(review): the "legal-officer" role defined in metadata is not used on this component;
     confirm which role is meant to own the policy. -->
<responsible-role role-id="maintainer">
<party-uuid>ec485dcf-2519-43f5-8e7d-014cc315332d</party-uuid>
</responsible-role>
</component>
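<!-- Process component covering how new systems are brought into production.
     The link below points at the policy component (uuid 795533ab...) and states what this
     process contributes to that policy. The maintainer role is filled by the IT Department party. -->
<component uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1" type="process">
<title>System Integration Process</title>
<description>
<p>Ensures proper integration into the enterprise as new systems are brought into
production.</p>
</description>
<prop name="release-date" value="2018-10-15" />
<link href="#795533ab-9427-4abe-820f-0b571bacfe6d" rel="implements-policy">
<text>Ensures logs from components in a new system are able to be published to the
logging server. Ensures log monitoring capabilities recognize the new system as
authorized.</text>
</link>
<status state="operational" />
<responsible-role role-id="maintainer">
<party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
</responsible-role>
</component>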
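<!-- Process component covering how new components enter the system, so that the monitoring
     teams know which assets are expected to produce logs.
     The link below points at the policy component (uuid 795533ab...). The maintainer role is
     filled by the IT Department party. -->
<component uuid="fa39eb84-3014-46b4-b6bc-7da10527c262" type="process">
<title>Inventory Management Process</title>
<description>
<p>Describes how new components are introduced into the system - ensures monitoring
teams know about every asset that should be producing logs, thus should be
monitored.</p>
</description>
<prop name="release-date" value="2018-10-15" />
<link href="#795533ab-9427-4abe-820f-0b571bacfe6d" rel="implements-policy">
<text>Ensures that all hosts are known and authorized. Ensures that these hosts
publish log events to the logging server.</text>
</link>
<status state="operational" />
<responsible-role role-id="maintainer">
<party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
</responsible-role>
</component>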
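<!-- Guidance component on configuring hosts for log forwarding and time synchronization.
     The link below points at the policy component (uuid 795533ab...). The maintainer role is
     filled by the IT Department party.
     NOTE(review): the description names Splunk as the destination, while the rest of the plan
     only speaks of a "Logging Server"; confirm the product and whether it should be named on
     that component.
     NOTE(review): the description covers log format and time synchronization but says nothing
     about protecting logs in transit or authenticating the sending hosts; confirm whether the
     guidance itself addresses those points. -->
<component uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99" type="guidance">
<title>Configuration Management Guidance</title>
<description>
<p>Describes how to configure a component to ensure its logs are transmitted to
Splunk in the appropriate format. Also describes how to configure time
synchronization.</p>
</description>
<prop name="release-date" value="2018-10-15" />
<link href="#795533ab-9427-4abe-820f-0b571bacfe6d" rel="implements-policy">
<text>Ensures that all hosts are configured to publish log events to the logging
server.</text>
</link>
<status state="operational" />
<responsible-role role-id="maintainer">
<party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
</responsible-role>
</component>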
<!-- Single inventory item: the logging server host. It names an administrator party and an
     owner party, and ties the item to two components: the Logging Server software and the
     logging policy.
     The item carries only an asset-id; there are no props for address, host name or scan
     status, so the entry cannot be matched against scanner or CMDB data as written. -->
<inventory-item uuid="c9c32657-a0eb-4cf2-b5c1-20928983063c">
<description>
<p>The logging server.</p>
</description>
<prop name="asset-id" value="asset-id-logging-server" />
<responsible-party role-id="asset-administrator">
<party-uuid>833ac398-5c9a-4e6b-acba-2a9c11399da0</party-uuid>
</responsible-party>
<responsible-party role-id="asset-owner">
<party-uuid>3b2a5599-cc37-403f-ae36-5708fa804b27</party-uuid>
</responsible-party>
<!-- NOTE(review): three different asset-id spellings appear in this item
     ("asset-id-logging-server", "logging-server", and "legal policy", which contains a space).
     Confirm the intended naming scheme before relying on these values as keys. -->
<implemented-component component-uuid="e00acdcf-911b-437d-a42f-b0b558cc4f03" >
<prop name="asset-id" value="logging-server"></prop>
</implemented-component>
<implemented-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d">
<prop name="asset-id" value="legal policy"></prop>
</implemented-component>
</inventory-item>
<!-- Scope statement for the whole system-implementation section: only the logging server part
     of the auditing system is described. -->
<remarks>
<p>This is a partial implementation that addresses the logging server portion of the
auditing system.</p>
</remarks>
</system-implementation>
<control-implementation>
<!-- Only one control, au-1, has an implemented-requirement in this file, although the imported
     profile is described as a full moderate baseline. Every other control in that baseline is
     unaddressed here. -->
<description>
<p>This is the control implementation for the system.</p>
</description>
<implemented-requirement uuid="aaadb3ff-6ae8-4332-92db-211468c52af2" control-id="au-1">
<!-- The top-level au-1_smt statement is present but empty; all responses are given on its parts. -->
<statement statement-id="au-1_smt" uuid="7ad47329-dc55-4196-a19d-178a8fe7438d" />
<!-- au-1_smt.a: four components respond, and each sets parameter au-1_prm_1 to the audience it
     disseminates to. The policy component names all staff and contractors; the two process
     components and the guidance component name IT staff who administer the system.
     The three IT department descriptions are word-for-word identical, including the wording
     "this procedure" on the guidance component. -->
<statement statement-id="au-1_smt.a" uuid="f3887a91-9ed3-425c-b305-21e4634a1c34">
<by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
uuid="a74681b2-fbcb-46eb-90fd-0d55aa74ac7b">
<description>
<p>The legal department develops, documents and disseminates this policy to
all staff and contractors within the organization.</p>
</description>
<set-parameter param-id="au-1_prm_1">
<value>all staff and contractors within the organization</value>
</set-parameter>
</by-component>
<by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
uuid="4f873ce6-dd49-4a46-bd4a-5041c22665f1">
<description>
<p>The IT department created and maintains this procedure. This department
disseminates it to all IT staff who administer this system when the
staff member is assigned and annually through training.</p>
</description>
<set-parameter param-id="au-1_prm_1">
<value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
</set-parameter>
</by-component>
<by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
uuid="ea85a624-cd21-4c63-abe0-f66087e97241">
<description>
<p>The IT department created and maintains this procedure. This department
disseminates it to all IT staff who administer this system when the
staff member is assigned and annually through training.</p>
</description>
<set-parameter param-id="au-1_prm_1">
<value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
</set-parameter>
</by-component>
<by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
uuid="b5e5823a-844f-4306-a5ab-7e110679e0d5">
<description>
<p>The IT department created and maintains this procedure. This department
disseminates it to all IT staff who administer this system when the
staff member is assigned and annually through training.</p>
</description>
<set-parameter param-id="au-1_prm_1">
<value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
</set-parameter>
</by-component>
</statement>
<!-- au-1_smt.a.1: answered by the policy component only. The response points to Sections 1 and 2
     of the policy and to a board memo.
     NOTE(review): the board's directive memo dated January 1, 2012 is cited as the source for
     management commitment and compliance, but it is not listed as a back-matter resource or
     linked from any component, so an assessor cannot locate it from this plan. -->
<statement statement-id="au-1_smt.a.1" uuid="6fe632bd-33aa-4eea-a507-a37f0d212085">
<by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
uuid="2d0a7b08-da7f-4691-b99c-8fd9df02b25c">
<description>
<p>This policy explicitly states the purpose and scope of the policy in
Section 1. Roles and responsibilities are described in Section 2. This
section also describes responsibilities for organizational coordination.
Management commitment and compliance statements are made in the board’s
directive memo dated January 1, 2012.</p>
</description>
</by-component>
</statement>
<!-- au-1_smt.a.2: answered by the two process components and the guidance component with the
     same text, citing policy Version 2.1 of October 15, 2018.
     NOTE(review): the text lists five items that together implement the policy. Only three have
     a component in this plan (System Integration Process, Inventory Management Process, and
     Configuration Management Guidance, listed here as "Configuration Management"). "Log Review
     Process" and "Monitoring and Alerting Process" are named but not defined anywhere in this
     file, so the claim of full implementation cannot be traced for those two. -->
<statement statement-id="au-1_smt.a.2" uuid="dbe9af68-1cd9-4ff1-965b-8f887351d411">
<by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
uuid="dd4fd380-7a2a-4fba-9e98-933ba5cfc04d">
<description>
<p>This process aligns with the enterprise Logging, Monitoring, and Alerting
Policy, Version 2.1, October 15, 2018. The following processes work
together to fully implement the policy: System Integration Process,
Inventory Management Process, Configuration Management, Log Review
Process, and Monitoring and Alerting Process</p>
</description>
</by-component>
<by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
uuid="3b912d0f-2463-497c-8d8a-72416f38e999">
<description>
<p>This process aligns with the enterprise Logging, Monitoring, and Alerting
Policy, Version 2.1, October 15, 2018. The following processes work
together to fully implement the policy: System Integration Process,
Inventory Management Process, Configuration Management, Log Review
Process, and Monitoring and Alerting Process</p>
</description>
</by-component>
<by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
uuid="226ee2a2-cbdb-498f-8182-94dfa013476c">
<description>
<p>This process aligns with the enterprise Logging, Monitoring, and Alerting
Policy, Version 2.1, October 15, 2018. The following processes work
together to fully implement the policy: System Integration Process,
Inventory Management Process, Configuration Management, Log Review
Process, and Monitoring and Alerting Process</p>
</description>
</by-component>
</statement>
<!-- au-1_smt.b carries only an "N/A" remark and no by-component response; the review and update
     responses are given on its parts b.1 and b.2 instead. -->
<statement statement-id="au-1_smt.b" uuid="b1773cd6-afc5-4c87-84a7-f182e6be5af9">
<remarks>
<p>N/A</p>
</remarks>
</statement>
<!-- au-1_smt.b.1: answered by the policy component. The legal department reviews the policy
     annually and on regulatory or organizational change; that frequency is the value set for
     parameter au-1_prm_2. -->
<statement statement-id="au-1_smt.b.1" uuid="75873308-f37d-4e89-9c27-29f3dee4b314">
<by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
uuid="23903c59-1327-46f0-9c28-09ec7f144214">
<description>
<p>The legal department reviews this policy annually, and other times as
necessary in response to regulatory or organizational changes. The legal
department updates the policy as needed based on these reviews.</p>
</description>
<set-parameter param-id="au-1_prm_2">
<value>annually, and other times as necessary in response to regulatory or organizational changes</value>
</set-parameter>
</by-component>
</statement>
<!-- au-1_smt.b.2: answered by the two process components and the guidance component, each
     setting parameter au-1_prm_3 to the same review frequency.
     NOTE(review): each response says the IT department reviews "this process" but then
     "updates the policy". The components answering here are processes and guidance owned by
     the IT Department, while the policy is answered for by the legal department in b.1, so
     "policy" is probably a copy-over from b.1; confirm the intended wording. -->
<statement statement-id="au-1_smt.b.2" uuid="74b5b0f2-9915-4f80-b7cd-379566442ab6">
<by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
uuid="0c45b6e2-f85b-4656-a6cc-2a302d184720">
<description>
<p>The IT department reviews this process annually, and other times as
necessary in response to regulatory or organizational changes. The IT
department updates the policy as needed based on these reviews.</p>
</description>
<set-parameter param-id="au-1_prm_3">
<value>annually, and other times as necessary in response to regulatory or organizational changes</value>
</set-parameter>
</by-component>
<by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
uuid="094f02ce-4b7a-405c-90a5-ab4d95133f74">
<description>
<p>The IT department reviews this process annually, and other times as
necessary in response to regulatory or organizational changes. The IT
department updates the policy as needed based on these reviews.</p>
</description>
<set-parameter param-id="au-1_prm_3">
<value>annually, and other times as necessary in response to regulatory or organizational changes</value>
</set-parameter>
</by-component>
<by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
uuid="7ec8b7ec-d931-4055-ac74-6d288d636787">
<description>
<p>The IT department reviews this process annually, and other times as
necessary in response to regulatory or organizational changes. The IT
department updates the policy as needed based on these reviews</p>
</description>
<set-parameter param-id="au-1_prm_3">
<value>annually, and other times as necessary in response to regulatory or organizational changes</value>
</set-parameter>
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
<back-matter>
<!-- The one resource in the plan: the baseline profile that import-profile resolves to, offered
     in XML, JSON and YAML through relative paths (resolved against this file's own location).
     NOTE(review): the links target files named "..._profile.*" but the media types say
     "oscal.catalog"; confirm the intended media type.
     NOTE(review): none of the rlink entries carries a hash child, so a consumer cannot verify
     that the file found at the relative path is the baseline the author intended. Adding a
     hash (for example with algorithm="SHA-256") to each rlink would pin the imported content.
     NOTE(review): the baseline is Revision 4 of SP 800-53, which has since been superseded by
     Revision 5; confirm this is intentional for the example. -->
<resource uuid="b78aa3ec-915d-475b-8097-46813fae1825">
<description>
<p>NIST Special Publication 800-53 Revision 4: Moderate Baseline Profile</p>
</description>
<rlink media-type="application/oscal.catalog+xml" href="../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml"/>
<rlink media-type="application/oscal.catalog+json" href="../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"/>
<rlink media-type="application/oscal.catalog+yaml" href="../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.yaml"/>
</resource>
</back-matter>
</system-security-plan>