
@aj-stein-nist
Created December 10, 2021 23:01
Example of component-definition with policy and a rule for preparing for manual review and questioning during an audit
<?xml version="1.0" encoding="UTF-8"?>
<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="b7071c1c-9c6e-4d91-8891-8cd2734495f1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://raw.githubusercontent.com/usnistgov/OSCAL/master/xml/schema/oscal_component_schema.xsd">
  <metadata>
    <title>GSA Office of Information Technology CISO Overlay</title>
    <last-modified/>
    <version>20211210</version>
    <oscal-version>1.1.0-alpha</oscal-version>
  </metadata>
  <role id="gsa-system-administrator"/>
  <party/>
  <rule uuid="823ca7d8-0eaf-4485-9526-d63baf8324d8"
      name="GSA OIT 800-53 Tailored Baseline IA Family Policy Conformance Rule">
    <title>Ensure Access of Proper Roles and Personnel of GSA OIT IT Security Policy</title>
    <condition>assigned roles have policy and review it</condition>
    <description>
      <h1>Roles &amp; Responsibilities</h1>
      <p>There are many roles associated with implementing effective I&amp;A policies and procedures.
      The roles and responsibilities provided in this section have been extracted or paraphrased from
      CIO 2100.1 or summarized from GSA and Federal guidance. The responsibilities listed in this
      guide are focused on I&amp;A; a complete set of GSA security roles and responsibilities can be
      found in CIO 2100.1. Throughout this guide, specific processes and procedures for implementing
      NIST's IA controls are described.</p>
      <h2>Authorizing Official (AO)</h2>
      <p>Responsibilities include the following:</p>
      <ul>
        <li>Reviewing and approving security safeguards of information systems (including IA controls)
        and issuing ATO approvals for each information system under their purview based on the
        acceptability of the security safeguards of the system (risk-management approach).</li>
        <li>Providing support to the ISSM and ISSO of record for each information system under their purview.</li>
      </ul>
      <h2>System/Network Administrators</h2>
      <p>Responsibilities include the following:</p>
      <ul>
        <li>Ensuring the appropriate security requirements are implemented consistent with GSA IT security
        policies and hardening guidelines.</li>
        <li>Utilizing privileged access rights (e.g., “administrator,” “root,” etc.) to a computer based on
        a need-to-use basis (i.e., using accounts with those privileges only when the privileges are
        required to complete an action).</li>
        <li>Ensuring system/network administrators have separate administrator and user accounts, if
        applicable (e.g., Microsoft Windows accounts). A normal user account should be used unless
        administrator rights are required to perform a job function.</li>
        <li>Utilizing GSA provided MFA to ensure strong authentication.</li>
      </ul>
    </description>
    <condition-evaluator uuid="258192c7-17a6-4d69-a2e3-65127f2ab0a3"
        name="gsa-oit-ciso-overlay-id-auth-manual-review"
        type="manual-review">
      <title>Meet with Information System Personnel in Assigned Roles</title>
      <description>
        <p>Staff assigned to the operations and maintenance of this information system will
        be apprised of the identity and authentication policy.</p>
        <p>Policies, procedures, and standards specific to the information system will align
        with this organizational policy, reference it, and expound upon it, as evidenced by
        discussion with said staff.</p>
      </description>
      <link rel="dependency" href="#699249d5-f591-4281-a8ff-c0438b6e24e2"/>
      <link rel="dependency" href="#d0e386c7-52c4-4691-a623-ca7925064833"/>
    </condition-evaluator>
    <condition-target ref-id="gsa-system-administrator">
      <description/>
    </condition-target>
    <prop name="supports" value="#2235cfcb-36d0-47e6-8aac-c1bfbd8fee85"/>
  </rule>
  <component uuid="c7cba7bb-9275-4f90-b02b-418017a8a96d">
    <title/>
    <description/>
    <purpose/>
    <responsible-role/>
    <control-implementation
        uuid="559f76db-060f-44d0-bbc8-fdce1798e4ee"
        source="https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml">
      <description/>
      <implemented-requirement uuid="5a82db6f-3bef-408b-b7f7-8c54b6136580">
        <description/>
        <set-parameter/>
        <statement
            statement-id="ia-1_smt.a"
            uuid="2235cfcb-36d0-47e6-8aac-c1bfbd8fee85">
          <description>
            <p>This component provides GSA organization policy for identity and
            authentication, to support staff operating and maintaining an information
            system for GSA. Included are self-training materials. The policy and materials
            will sufficiently prepare system administrators of an information system
            for audit around this policy, given their responsible role.</p>
          </description>
        </statement>
      </implemented-requirement>
    </control-implementation>
  </component>
  <back-matter>
    <resource uuid="d0e386c7-52c4-4691-a623-ca7925064833">
      <title>GSA CIO IT Security 01-01 Rev. 6</title>
      <rlink media-type="application/pdf"
          href="https://www.gsa.gov/cdnstatic/Identification_and_Authentication_(IA)_[CIO_IT_Security_01-01_Rev_6]_03-20-2019_Signed_BB.pdf"/>
    </resource>
    <resource uuid="699249d5-f591-4281-a8ff-c0438b6e24e2">
      <title>Self-Assessment Questionnaire for Audit Preparation</title>
      <rlink media-type="text/html"
          href="https://docs.google.com/spreadsheets/d/19BtbNb5AoTB/edit#gid=0"/>
    </resource>
  </back-matter>
</component-definition>
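The rule in this component-definition only works if its cross-references resolve: the evaluator's dependency links must point at back-matter resources, and the supports prop must name a real statement uuid. The following checker is an added example, not part of the gist or of OSCAL tooling; it runs over a constructed, trimmed sample with placeholder ids (not real UUIDs) that deliberately contains a dangling dependency and a statement-id with trailing whitespace, the kind of defect that makes a catalog lookup fail silently.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample in the shape of the gist's file; "questionnaire" resource is missing and
# statement-id carries a trailing space on purpose so the checker has something to report.
SAMPLE = """<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="cd-1">
  <rule uuid="rule-1" name="IA policy conformance">
    <condition-evaluator uuid="eval-1" type="manual-review">
      <link rel="dependency" href="#policy-pdf"/>
      <link rel="dependency" href="#questionnaire"/>
    </condition-evaluator>
    <prop name="supports" value="#stmt-ia-1-a"/>
  </rule>
  <component uuid="comp-1">
    <control-implementation uuid="ci-1" source="profile.xml">
      <implemented-requirement uuid="ir-1">
        <statement statement-id="ia-1_smt.a " uuid="stmt-ia-1-a"/>
      </implemented-requirement>
    </control-implementation>
  </component>
  <back-matter>
    <resource uuid="policy-pdf"/>
  </back-matter>
</component-definition>"""


def check_rule_references(xml_text):
    """Return (kind, value) pairs for every dangling or malformed cross-reference."""
    root = ET.fromstring(xml_text)
    resources = {r.get("uuid") for r in root.findall("o:back-matter/o:resource", NS)}
    statements = {s.get("uuid") for s in root.findall(".//o:statement", NS)}
    problems = []
    for rule in root.findall("o:rule", NS):
        # Evidence the manual reviewer depends on must exist in back-matter.
        for link in rule.findall("o:condition-evaluator/o:link[@rel='dependency']", NS):
            ref = link.get("href", "").lstrip("#")
            if ref not in resources:
                problems.append(("missing-resource", ref))
        # The statement a rule claims to support must be a statement uuid in this file.
        for prop in rule.findall("o:prop[@name='supports']", NS):
            ref = prop.get("value", "").lstrip("#")
            if ref not in statements:
                problems.append(("missing-statement", ref))
    # Stray whitespace in statement-id breaks the lookup against the control catalog.
    for stmt in root.findall(".//o:statement", NS):
        sid = stmt.get("statement-id", "")
        if sid != sid.strip():
            problems.append(("untrimmed-statement-id", sid))
    return problems
```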