Initial publication.
Updated for annual assessment.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.
There must be one location for each data center.
There must be at least two data centers.
For a data center, briefly summarize the components at this location.
All data centers must have a conformity tag of "data-center".
A primary data center must also have a conformity tag of "primary-data-center".
There must be one location for each data center.
There must be at least two data centers.
For a data center, briefly summarize the components at this location.
All data centers must have a conformity tag of "data-center".
An alternate or backup data center must also have a conformity tag of "alternate-data-center".
Replace sample CSP information.
This party entry must be present in a FedRAMP SSP.
The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.
This party entry must be present in a FedRAMP SSP.
The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.
Generic placeholder for any external organization.
Generic placeholder for an authorizing agency.
Underlying service provider. Leveraged Authorization.
Exactly one
Exactly one
One or more
Exactly one
One or more
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.
Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.
Automatically generated OSCAL SSP from OpenControl guidance for Red Hat Enterprise Linux 7.x
This item is useless but nevertheless required.
A holistic, top-level explanation of the FedRAMP authorization boundary.
The entire system as depicted in the system authorization boundary
FedRAMP SSP Template Section 13
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 585 | applicable to the configuration of Red Hat Enterprise Linux. 586 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 593 | applicable to the configuration of Red Hat Enterprise Linux. 594 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 601 | applicable to the configuration of Red Hat Enterprise Linux. 602 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 609 | applicable to the configuration of Red Hat Enterprise Linux. 610 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 617 | applicable to the configuration of Red Hat Enterprise Linux. 618 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 625 | applicable to the configuration of Red Hat Enterprise Linux. 626 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 636 | applicable to the configuration of Red Hat Enterprise Linux. 637 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 644 | applicable to the configuration of Red Hat Enterprise Linux. 645 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 652 | applicable to the configuration of Red Hat Enterprise Linux. 653 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 663 | applicable to the configuration of Red Hat Enterprise Linux. 664 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 671 | applicable to the configuration of Red Hat Enterprise Linux. 672 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 679 | applicable to the configuration of Red Hat Enterprise Linux. 680 |
Describe how is the software component satisfying the control.
This control reflects organizational procedure/policies and is not 690 | applicable to Red Hat Enterprise Linux configuration. 691 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 701 | applicable to the configuration of Red Hat Enterprise Linux. 702 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 709 | applicable to the configuration of Red Hat Enterprise Linux. 710 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 720 | applicable to the configuration of Red Hat Enterprise Linux. 721 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 731 | applicable to the configuration of Red Hat Enterprise Linux. 732 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 739 | applicable to the configuration of Red Hat Enterprise Linux. 740 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 747 | applicable to the configuration of Red Hat Enterprise Linux. 748 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 755 | applicable to the configuration of Red Hat Enterprise Linux. 756 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 763 | applicable to the configuration of Red Hat Enterprise Linux. 764 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 771 | applicable to the configuration of Red Hat Enterprise Linux. 772 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 779 | applicable to the configuration of Red Hat Enterprise Linux. 780 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 787 | applicable to the configuration of Red Hat Enterprise Linux. 788 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 795 | applicable to the configuration of Red Hat Enterprise Linux. 796 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 803 | applicable to the configuration of Red Hat Enterprise Linux. 804 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 811 | applicable to the configuration of Red Hat Enterprise Linux. 812 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 819 | applicable to the configuration of Red Hat Enterprise Linux. 820 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 827 | applicable to the configuration of Red Hat Enterprise Linux. 828 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 835 | applicable to the configuration of Red Hat Enterprise Linux. 836 |
Describe how the software component satisfies the control.
Development, documentation, and dissemination of a physical and environmental protection policy reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Organizational review and updates to the physical and environmental protection policy reflect organizational procedure/policy and are not applicable to component-level configuration.
Describe how the software component satisfies the control.
Development, approval, and maintenance of a list of individuals with authorized access to the facility where the information system resides reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Issuing authorization credentials for facility access reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Reviewing the access list detailing authorized facility access by individuals at an organization-defined frequency reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Removal of individuals from the facility access list when access is no longer required reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Enforcing physical access authorizations at organization-defined entry/exit points to the facility where the information system resides reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Maintaining physical access audit logs for organization-defined entry/exit points reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Providing organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Escorting visitors and monitoring visitor activity during organization-defined circumstances requiring visitor escorts and monitoring reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Securing keys, combinations, and other physical access devices reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Inventory of organization-defined physical access devices at an organization-defined frequency reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Changing combinations and keys at an organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated, reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Monitoring physical access to the facility where the information system resides to detect and respond to physical security incidents reflects organizational procedure/policy and is outside the scope of component-level configuration.
Describe how the software component satisfies the control.
Reviewing physical access logs at an organization-defined frequency and upon occurrence of organization-defined events or potential indications of events, reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Coordinating results of reviews and investigations with the organizational incident response capability reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational reviews and updates to the personnel security policy and personnel security procedures at an organization-defined frequency are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational assignment of a risk designation to all organizational positions is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational establishment of screening criteria for individuals filling those positions is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational review and updating of position risk designations at an organization-defined frequency is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational screening of individuals prior to authorizing access to the information system is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to rescreen individuals according to organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening, is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, information system access is disabled within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, any authenticators/credentials associated with the individual are terminated/revoked, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, exit interviews are conducted that include a discussion of organization-defined information security topics, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, all security-related organizational information system-related property is retrieved, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, the organization retains access to organizational information systems formerly controlled by the terminated individual, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, the organization notifies organization-defined personnel or roles within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to review and confirm ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to initiate organization-defined transfer or reassignment actions within an organization-defined time period following the formal transfer action are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to modify access authorizations as needed to correspond with any changes in operational need due to reassignment or transfer are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational notifications of organization-defined personnel or roles within an organization-defined time period are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to develop and document access agreements for organizational information systems are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational reviews and updates to the access agreements at an organization-defined frequency are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to establish security requirements including security roles and responsibilities for third-party providers are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes requiring third-party providers to comply with personnel security policies and procedures established by the organization are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to document personnel security requirements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to require third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational monitoring of provider compliance is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational employment of a formal sanctions process for individuals failing to comply with established information security policies and procedures is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational notification of organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)
This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"
Section 9.4, Figure 9-2 Network Diagram (graphic)
This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"
Section 10, Figure 10-1 Data Flow Diagram (graphic)
This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"
Table 15-1 Attachments: Policy Attachment
Table 15-1 Attachments: Policy Attachment
Table 15-1 Attachments: Procedure Attachment
Table 15-1 Attachments: Procedure Attachment
Table 15-1 Attachments: User's Guide Attachment
Table 15-1 Attachments: Privacy Impact Assessment
Table 15-1 Attachments: Rules of Behavior (ROB)
Table 15-1 Attachments: Contingency Plan (CP) Attachment
Table 15-1 Attachments: Configuration Management (CM) Plan Attachment
Table 15-1 Attachments: Incident Response (IR) Plan Attachment
Table 15-1 Attachments: Separation of Duties Matrix Attachment
Pointer to High baseline content in OSCAL.
Pointer to Moderate baseline content in OSCAL.
Pointer to Low baseline content in OSCAL.
Initial publication.
Updated for annual assessment.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
Remove this role if there are no ICAs.
There must be one location identifying the CSP's primary business address, such as the CSP's HQ, or the address of the system owner's primary business location.
There must be one location for each data center.
There must be at least two data centers.
For a data center, briefly summarize the components at this location.
All data centers must have a conformity tag of "data-center".
A primary data center must also have a conformity tag of "primary-data-center".
There must be one location for each data center.
There must be at least two data centers.
For a data center, briefly summarize the components at this location.
All data centers must have a conformity tag of "data-center".
An alternate or backup data center must also have a conformity tag of "alternate-data-center".
Replace sample CSP information.
This party entry must be present in a FedRAMP SSP.
The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" role in the responsible-party assemblies.
This party entry must be present in a FedRAMP SSP.
The uuid may be different; however, the uuid must be associated with the "fedramp-jab" role in the responsible-party assemblies.
Generic placeholder for any external organization.
Generic placeholder for an authorizing agency.
Underlying service provider. Leveraged Authorization.
Exactly one
Exactly one
One or more
Exactly one
One or more
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
Exactly one
This OSCAL-based FedRAMP SSP Template can be used for the FedRAMP Low, Moderate, and High baselines.
Guidance for OSCAL-based FedRAMP Tailored content has not yet been developed.
Automatically generated OSCAL SSP from OpenControl guidance for Red Hat Enterprise Linux 8.x
This item is useless but nevertheless required.
A holistic, top-level explanation of the FedRAMP authorization boundary.
The entire system as depicted in the system authorization boundary
FedRAMP SSP Template Section 13
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 585 | applicable to the configuration of Red Hat Enterprise Linux. 586 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 593 | applicable to the configuration of Red Hat Enterprise Linux. 594 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 601 | applicable to the configuration of Red Hat Enterprise Linux. 602 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 609 | applicable to the configuration of Red Hat Enterprise Linux. 610 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 617 | applicable to the configuration of Red Hat Enterprise Linux. 618 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 625 | applicable to the configuration of Red Hat Enterprise Linux. 626 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 636 | applicable to the configuration of Red Hat Enterprise Linux. 637 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 644 | applicable to the configuration of Red Hat Enterprise Linux. 645 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 652 | applicable to the configuration of Red Hat Enterprise Linux. 653 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 663 | applicable to the configuration of Red Hat Enterprise Linux. 664 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 671 | applicable to the configuration of Red Hat Enterprise Linux. 672 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 679 | applicable to the configuration of Red Hat Enterprise Linux. 680 |
Describe how is the software component satisfying the control.
This control reflects organizational procedure/policies and is not 690 | applicable to Red Hat Enterprise Linux configuration. 691 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 701 | applicable to the configuration of Red Hat Enterprise Linux. 702 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 709 | applicable to the configuration of Red Hat Enterprise Linux. 710 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 720 | applicable to the configuration of Red Hat Enterprise Linux. 721 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 731 | applicable to the configuration of Red Hat Enterprise Linux. 732 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 739 | applicable to the configuration of Red Hat Enterprise Linux. 740 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 747 | applicable to the configuration of Red Hat Enterprise Linux. 748 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 755 | applicable to the configuration of Red Hat Enterprise Linux. 756 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 763 | applicable to the configuration of Red Hat Enterprise Linux. 764 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 771 | applicable to the configuration of Red Hat Enterprise Linux. 772 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 779 | applicable to the configuration of Red Hat Enterprise Linux. 780 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 787 | applicable to the configuration of Red Hat Enterprise Linux. 788 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 795 | applicable to the configuration of Red Hat Enterprise Linux. 796 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 803 | applicable to the configuration of Red Hat Enterprise Linux. 804 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 811 | applicable to the configuration of Red Hat Enterprise Linux. 812 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 819 | applicable to the configuration of Red Hat Enterprise Linux. 820 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 827 | applicable to the configuration of Red Hat Enterprise Linux. 828 |
Describe how is the software component satisfying the control.
This control reflects organizational procedures/policies, and is not 835 | applicable to the configuration of Red Hat Enterprise Linux. 836 |
Describe how the software component satisfies the control.
Development, documentation, and dissemination of a physical and environmental protection policy reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Organizational review and updates to the physical and environmental protection policy reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Development, approval, and maintenance of a list of individuals with authorized access to the facility where the information system resides reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Issuing authorization credentials for facility access reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Reviewing the access list detailing authorized facility access by individuals at an organization-defined frequency reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Removal of individuals from the facility access list when access is no longer required reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Enforcing physical access authorizations at organization-defined entry/exit points to the facility where the information system resides reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Maintaining physical access audit logs for organization-defined entry/exit points reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Providing organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Escorting visitors and monitoring visitor activity during organization-defined circumstances requiring visitor escorts and monitoring reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Securing keys, combinations, and other physical access devices reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Inventory of organization-defined physical access devices at an organization-defined frequency reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Changing combinations and keys at an organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated, reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Monitoring physical access to the facility where the information system resides to detect and respond to physical security incidents reflects organizational procedure/policy and is outside the scope of component-level configuration.
Describe how the software component satisfies the control.
Reviewing physical access logs at an organization-defined frequency and upon occurrence of organization-defined events or potential indications of events, reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
Coordinating results of reviews and investigations with the organizational incident response capability reflects organizational procedure/policy and is not applicable to component-level configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Enterprise Linux.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational reviews and updates to the personnel security policy and personnel security procedures at an organization-defined frequency is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational development, documentation, and dissemination of a personnel security policy to organization-defined personnel is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational assignment of a risk designation to all organizational positions is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational establishment of screening criteria for individuals filling those positions is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational review and updating of position risk designations at an organization-defined frequency is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational screening of individuals prior to authorizing access to the information system is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to rescreen individuals according to organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening, is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, information system access is disabled within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, any authenticators/credentials associated with the individual are terminated/revoked, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, exit interviews are conducted that include a discussion of organization-defined information security topics, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, all security-related organizational information system-related property is retrieved, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, the organization retains access to organizational information systems formerly controlled by the terminated individual, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes ensuring that, upon termination of individual employment, the organization notifies organization-defined personnel or roles within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to review and confirm ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to initiate organization-defined transfer or reassignment actions within organization-defined time period following the formal transfer action are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to modify access authorizations as needed to correspond with any changes in operational need due to reassignment or transfer are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational notifications of organization-defined personnel or roles within an organization-defined time period are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational process to develop and document access agreements for organizational information systems are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational reviews and updates to the access agreements at an organization-defined frequency are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes that ensure individuals requiring access to organizational information and information systems sign and re-sign access agreements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to establish security requirements including security roles and responsibilities for third-party providers are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes requiring third-party providers to comply with personnel security policies and procedures established by the organization are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to document personnel security requirements are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational processes to require third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period, are outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational monitoring of provider compliance is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational employment of a formal sanctions process for individuals failing to comply with established information security policies and procedures is outside the scope of Red Hat Enterprise Linux configuration.
Describe how the software component satisfies the control.
Organizational notification of organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
Section 9.2, Figure 9-1 Authorization Boundary Diagram (graphic)
This should be referenced in the system-characteristics/authorization-boundary/diagram/link/@href flag using a value of "#d2eb3c18-6754-4e3a-a933-03d289e3fad5"
Section 9.4, Figure 9-2 Network Diagram (graphic)
This should be referenced in the system-characteristics/network-architecture/diagram/link/@href flag using a value of "#61081e81-850b-43c1-bf43-1ecbddcb9e7f"
Section 10, Figure 10-1 Data Flow Diagram (graphic)
This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag using a value of "#ac5d7535-f3b8-45d3-bf3b-735c82c64547"
Table 15-1 Attachments: Policy Attachment
Table 15-1 Attachments: Policy Attachment
Table 15-1 Attachments: Procedure Attachment
Table 15-1 Attachments: Procedure Attachment
Table 15-1 Attachments: User's Guide Attachment
Table 15-1 Attachments: Privacy Impact Assessment
Table 15-1 Attachments: Rules of Behavior (ROB)
Table 15-1 Attachments: Contingency Plan (CP) Attachment
Table 15-1 Attachments: Configuration Management (CM) Plan Attachment
Table 15-1 Attachments: Incident Response (IR) Plan Attachment
Table 15-1 Attachments: Separation of Duties Matrix Attachment
Pointer to High baseline content in OSCAL.
Pointer to Moderate baseline content in OSCAL.
Pointer to Low baseline content in OSCAL.