@ohsh6o
Created July 23, 2021 01:47
Sample SSP with Dataset Versioning
<?xml version="1.0" encoding="UTF-8"?>
<!--This document used file:/Users/astein/Code/fedramp-automation/dist/content/baselines/rev4/xml/FedRAMP_rev4_LOW-baseline-resolved-profile_catalog.xml as the input.-->
<!--This document used file:/Users/astein/Code/sample-ssp.xsl as the transform.-->
<!-- NOTE(review): the two generator comments above and the disabled xml-model further down record absolute local file paths, including account names. Consider stripping them before the file is shared. -->
<!-- The xml-model instruction below names the OSCAL complete XSD at a remote URL. Treat it as a hint only: validate against a pinned, locally held copy of the schema rather than fetching whatever the document points to. -->
<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/release-1.0/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
<!-- The Schematron association on the next line is commented out, so a validator that follows this prolog applies the XSD only and not the FedRAMP SSP constraints. -->
<!--<?xml-model href="file:/Users/gapinski/branches/fedramp-automation/resources/validations/src/ssp.sch" schematypens="http://purl.oclc.org/dsdl/schematron" title="FedRAMP SSP constraints"?>-->
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="670fef84-0f43-43cc-b5b9-db779a22a12f">
<!-- Document metadata: title, timestamp and versions, then eight roles, one location with an empty address, one organization party, eight person parties, and eight responsible-party entries that each bind one role id to one person party uuid. -->
<!-- NOTE(review): every person party carries the same placeholder name, email address and telephone number, so the role assignments are structurally complete but identify nobody. Replace them before treating this as a real plan. -->
<metadata>
<title>DRAFT, SAMPLE FedRAMP Rev 4 Low Baseline System Security Plan</title>
<last-modified>2021-07-22T21:46:27.404-04:00</last-modified>
<version>0.1</version>
<oscal-version>1.0.0</oscal-version>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<role id="system-owner">
<title>Information System Owner</title>
<short-name>ISO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<role id="authorizing-official">
<title>Authorizing Official</title>
<short-name>AO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<role id="system-poc-management">
<title>Information System Management Point of Contact</title>
<short-name>ISMPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<role id="system-poc-technical">
<title>Information System Technical Point of Contact</title>
<short-name>ISTPoC</short-name>
</role>
<role id="system-poc-other">
<title>Information System Other Point of Contact</title>
<short-name>ISOPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<role id="information-system-security-officer">
<title>Information System Security Officer</title>
<short-name>ISSO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<role id="authorizing-official-poc">
<title>Authorizing Official (AO) PoC</title>
<short-name>AOPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<role id="implemented-requirement-responsible-role">
<title>Implemented Control Responsibility Role</title>
</role>
<!-- The single location below is referenced by every person party through location-uuid; its address is empty. -->
<location uuid="109f217a-22ae-4b68-8974-944046684c5e">
<address/>
</location>
<!-- The organization party; every person party names it in member-of-organization. -->
<party type="organization" uuid="f74f1cc7-587b-4001-8d25-e8b562c2eac8">
<name>Cloud Service Provider (CSP) Name</name>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<party type="person" uuid="85bbf5fe-62cf-4206-8b3a-65ff651d2443">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<party type="person" uuid="1f12b9fb-2546-45ef-a715-c3006f4b6b81">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<party type="person" uuid="2c05f4b9-5d26-4bbb-af84-c45a0558a2a9">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<party type="person" uuid="cddefc78-0d51-400f-a556-a22a6ca4d751">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<party type="person" uuid="41bfc5ba-49aa-4970-99ae-a239defd891c">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<party type="person" uuid="bbc2c70b-ac43-44fb-aff9-9ba12025203e">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<party type="person" uuid="372a6ee5-257d-4fc5-b1e4-afc22a603379">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<party type="person" uuid="1d5ac0b2-545b-402f-ac57-d2a62abf6f1c">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>109f217a-22ae-4b68-8974-944046684c5e</location-uuid>
<member-of-organization>f74f1cc7-587b-4001-8d25-e8b562c2eac8</member-of-organization>
</party>
<!-- Role bindings: each responsible-party below names one role id declared above and one person party uuid declared above. -->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<responsible-party role-id="system-owner">
<party-uuid>85bbf5fe-62cf-4206-8b3a-65ff651d2443</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<responsible-party role-id="authorizing-official">
<party-uuid>1f12b9fb-2546-45ef-a715-c3006f4b6b81</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<responsible-party role-id="system-poc-management">
<party-uuid>2c05f4b9-5d26-4bbb-af84-c45a0558a2a9</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<responsible-party role-id="system-poc-technical">
<party-uuid>cddefc78-0d51-400f-a556-a22a6ca4d751</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<responsible-party role-id="system-poc-other">
<party-uuid>41bfc5ba-49aa-4970-99ae-a239defd891c</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<responsible-party role-id="information-system-security-officer">
<party-uuid>bbc2c70b-ac43-44fb-aff9-9ba12025203e</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<responsible-party role-id="authorizing-official-poc">
<party-uuid>372a6ee5-257d-4fc5-b1e4-afc22a603379</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-party role-id="implemented-requirement-responsible-role">
<party-uuid>1d5ac0b2-545b-402f-ac57-d2a62abf6f1c</party-uuid>
</responsible-party>
</metadata>
<!-- NOTE(review): href is empty, so this plan does not identify the profile (baseline) its controls come from. The generator comment at the top of the file names the FedRAMP rev4 LOW resolved catalog as the transform input, but nothing machine-readable here ties the plan to it. Until a profile reference is supplied, a consumer cannot check that the implemented requirements cover the intended baseline. -->
<import-profile href=""/>
<!-- System characteristics: identifier, names, FedRAMP props, privacy designation, FIPS 199 categorization, operational status and authorization boundary. Several fields are still empty placeholders: the system description, the information-type title and description, and the authorization-boundary description. -->
<system-characteristics>
<system-id identifier-type="https://fedramp.gov">F00000000</system-id>
<system-name>Sample SSP</system-name>
<system-name-short>SSSP</system-name-short>
<description/>
<prop name="authorization-type"
ns="https://fedramp.gov/ns/oscal"
value="fedramp-agency"/>
<prop class="security-eauth"
name="security-eauth-level"
ns="https://fedramp.gov/ns/oscal"
value="2"/>
<!-- NOTE(review): this value is fips-199-low and the document title names the Low baseline, but every impact value under information-type and security-impact-level below is fips-199-moderate. Confirm which is intended; the categorization decides which baseline applies. -->
<security-sensitivity-level>fips-199-low</security-sensitivity-level>
<system-information><!-- Attachment 4, PTA/PIA Designation -->
<prop name="privacy-sensitive" value="yes"/>
<!-- Attachment 4, PTA Qualifying Questions -->
<!-- pta-1 has no question comment in this file; the comments for pta-2 to pta-4 each sit directly above the prop they describe. -->
<prop class="pta"
name="pta-1"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Does the ISA collect, maintain, or share PII information from or about the public? -->
<prop class="pta"
name="pta-2"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Has a Privacy Impact Assessment ever been performed for the ISA? -->
<prop class="pta"
name="pta-3"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Is there a Privacy Act System of Records Notice (SORN) for this ISA system? (If so, please specify the SORN ID.) -->
<prop class="pta"
name="pta-4"
ns="https://fedramp.gov/ns/oscal"
value="no"/>
<!-- Consistent with pta-4 being "no": the SORN id carries a bracketed placeholder rather than an identifier. -->
<prop class="pta"
name="sorn-id"
ns="https://fedramp.gov/ns/oscal"
value="[No SORN ID]"/>
<information-type uuid="a7495931-939a-4d7a-a26e-79072ee37e68">
<title/>
<description/>
<categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
<information-type-id>C.2.4.1</information-type-id>
</categorization>
<!-- In all three impact elements below, base and selected are equal, so the adjustment-justification paragraphs are template text rather than an actual justification. -->
<confidentiality-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</confidentiality-impact>
<integrity-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</integrity-impact>
<availability-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</availability-impact>
</information-type>
</system-information>
<!-- The three objectives match the moderate values selected for the single information type above, and differ from the fips-199-low sensitivity level stated earlier in this element. -->
<security-impact-level>
<security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
<security-objective-integrity>fips-199-moderate</security-objective-integrity>
<security-objective-availability>fips-199-moderate</security-objective-availability>
</security-impact-level>
<status state="operational"/>
<!-- NOTE(review): the boundary description is empty, so the plan does not yet state what is inside the authorization boundary. -->
<authorization-boundary>
<description/>
</authorization-boundary>
</system-characteristics>
<!-- System implementation: one user entry and two components. The second component (uuid 4b7936b9-e814-47c0-b152-65cb5b556c3c) is the one that the by-component entries in the visible control implementations point to. -->
<system-implementation><!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!-- An internal, privileged user tied to the implemented-requirement-responsible-role. The authorized-privilege title and function are placeholder words ("title", "function"), so the privilege actually granted is not described. -->
<user uuid="8f0e4d28-7a04-40ec-ba74-55426d5b762c">
<prop name="type" value="internal"/>
<prop name="privilege-type" value="privileged"/>
<prop name="sensitivity"
ns="https://fedramp.gov/ns/oscal"
value="moderate"/>
<role-id>implemented-requirement-responsible-role</role-id>
<authorized-privilege>
<title>title</title>
<function-performed>function</function-performed>
</authorized-privilege>
</user>
<!-- A validation component recording a FIPS 140-2 certificate: validation-reference 3928, with a link to the matching CMVP certificate page. NOTE(review): certificate status can change over time; confirm the certificate is still active and covers the module actually deployed. -->
<component type="validation" uuid="772ea84a-0d4e-4225-b82f-66fdc498a934">
<title>FIPS 140-2 Validation</title>
<description>
<p>FIPS 140-2 Validation</p>
</description>
<prop name="validation-reference" value="3928"/>
<link href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3928"
rel="validation-details"/>
<status state="active"/>
</component>
<!-- NOTE(review): placeholder component. Its type is the literal word "type", its title is empty and its description is a joke sentence, yet it is the component named by the visible by-component entries, so those entries attribute their controls to nothing concrete. -->
<component type="type" uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<title/>
<description>
<p>This component is the answer to almost everything</p>
</description>
<status state="operational"/>
</component>
</system-implementation>
<control-implementation>
<description/>
<!-- Control ac-1 with four statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but every description is the same filler sentence and the remarks repeat control wording, so nothing here says how the control is met. The set-parameter values are the generic "organization-defined ..." labels rather than chosen values; the Constraint comments state what a real value has to satisfy. -->
<implemented-requirement control-id="ac-1" uuid="0df7a8d9-53a1-49d1-9898-95b7dab78b8e"><!--Access Control Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ac-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ac-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ac-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-1_smt.a.1, ac-1_smt.a.2, ac-1_smt.b.1, ac-1_smt.b.2-->
<statement statement-id="ac-1_smt.a.1" uuid="947346ae-4524-433d-8cb7-bb9de526b4ec">
<by-component uuid="10baf57b-2234-4188-bc4e-6fd491ebef7c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-1_smt.a.2" uuid="fb721904-91d2-4694-b06a-a42f220363df">
<by-component uuid="60531a06-f750-42e4-96e7-b2df4ed74d52"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Procedures to facilitate the implementation of the access control policy and associated access controls; and</p>
</remarks>
</by-component>
</statement>
<!-- In the remarks of the next two statements there is a gap before the closing punctuation; presumably the parameter text was dropped when the file was generated. -->
<statement statement-id="ac-1_smt.b.1" uuid="3e573562-bc21-4964-8cb9-cfb6b03bf92d">
<by-component uuid="8c40eea8-768c-442e-908f-5bb37e845275"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access control policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-1_smt.b.2" uuid="02676176-6ace-4728-8447-dc14b8fc186d">
<by-component uuid="0db61e57-339c-49db-8487-db4e3506bd30"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access control procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-2 with eleven statements (a to k), each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but every description is the same filler sentence and the remarks repeat control wording, so the account-management practice itself is not described. The four set-parameter values are generic "organization-defined ..." labels rather than chosen values. The remarks for statements a, e, f and j read with gaps where parameter text would belong, presumably dropped when the file was generated. -->
<implemented-requirement control-id="ac-2" uuid="751d46cf-ff1f-4daf-b579-81c1eec0b8be"><!--Account Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ac-2_prm_1">
<value>organization-defined information system account types</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_3">
<value>organization-defined procedures or conditions</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_4">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2_smt.a, ac-2_smt.b, ac-2_smt.c, ac-2_smt.d, ac-2_smt.e, ac-2_smt.f, ac-2_smt.g, ac-2_smt.h, ac-2_smt.i, ac-2_smt.j, ac-2_smt.k-->
<statement statement-id="ac-2_smt.a" uuid="4661a7f6-b9fd-450f-b748-2f1d780d5ccb">
<by-component uuid="31dd875d-da78-4464-9fb9-0c7bf03094fe"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies and selects the following types of information system accounts to support organizational missions/business functions: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.b" uuid="7ed4c650-3658-4915-ba8d-4db3d7fc2056">
<by-component uuid="aad631d9-473a-4956-8cd2-bf42f4c790a4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns account managers for information system accounts;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.c" uuid="1ec83e62-8f2a-49a0-9852-00ead1e8e2a2">
<by-component uuid="de450be8-5318-4534-9c73-8dc3b164a5ef"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes conditions for group and role membership;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.d" uuid="6dd82e15-3850-4b4d-bb59-91ad96722c54">
<by-component uuid="65b3974e-5616-4760-909b-f85cb4dda617"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.e" uuid="2aae35d0-fb67-4312-83e9-20b4e190cc5d">
<by-component uuid="fee34515-7b0f-4278-94bb-6e0063bc331a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires approvals by for requests to create information system accounts;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.f" uuid="7a8c8777-ed75-438e-837f-06892eb5b041">
<by-component uuid="d25aeb46-0c79-4fb6-9401-48e88417cdd1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Creates, enables, modifies, disables, and removes information system accounts in accordance with ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.g" uuid="cd7b9832-05cb-4ee2-9e2c-1d84e15049b1">
<by-component uuid="68784f8e-82e5-4fa9-99b6-007c6f721409"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors the use of information system accounts;</p>
</remarks>
</by-component>
</statement>
<!-- The remarks of statements h and i end on a colon; the items that would follow are not present in this file. -->
<statement statement-id="ac-2_smt.h" uuid="c4395b51-8afd-40bd-ac02-72ba6665c1f2">
<by-component uuid="8ee80617-c719-4c69-9f64-4919b1da25f7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies account managers:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.i" uuid="737e9b48-6003-4ab2-bdf0-8f6954fe0204">
<by-component uuid="559d7a9a-6579-47a1-b5bf-2491f5dd25cd"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes access to the information system based on:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.j" uuid="ed2df346-8f42-48e7-b7a5-05c2d92b50b6">
<by-component uuid="bd47f224-061a-4358-8fd5-f56eeb5c3b20"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews accounts for compliance with account management requirements ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.k" uuid="d5b018c3-081c-4d2f-b5a7-1e2f517ea255">
<by-component uuid="223cbbd9-febc-481d-9ff6-77433120eb4b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-3 with a single statement answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the description is a filler sentence and the remarks repeat the control wording; the enforcement mechanism is not described. -->
<implemented-requirement control-id="ac-3" uuid="606d5052-83f5-4b38-9112-33ec6faf0ae6"><!--Access Enforcement-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-3_smt-->
<statement statement-id="ac-3_smt" uuid="66de6287-9459-4d4d-b39f-9f06abe862f3">
<by-component uuid="36184a65-7856-4903-b923-2e3e83cabdc8"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-7 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but no lockout threshold, window or lock duration is actually set: four parameters carry generic "organization-defined ..." labels and ac-7_prm_3 carries an authoring note instead of a value. The Constraint comments state what real values have to satisfy. Both remarks read with gaps where parameter text would belong ("a limit of consecutive", "Automatically when"), presumably dropped when the file was generated. -->
<implemented-requirement control-id="ac-7" uuid="deaf830b-d57a-432b-aff0-47bf377ff07a"><!--Unsuccessful Logon Attempts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="ac-7_prm_1">
<value>organization-defined number</value>
<!--Constraint: not more than three (3)-->
</set-parameter>
<set-parameter param-id="ac-7_prm_2">
<value>organization-defined time period</value>
<!--Constraint: fifteen (15) minutes-->
</set-parameter>
<set-parameter param-id="ac-7_prm_3">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="ac-7_prm_4">
<value>organization-defined time period</value>
<!--Constraint: thirty (30) minutes-->
</set-parameter>
<set-parameter param-id="ac-7_prm_5">
<value>organization-defined delay algorithm</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-7_smt.a, ac-7_smt.b-->
<statement statement-id="ac-7_smt.a" uuid="7f30b97e-b1d7-4eb6-bdd3-ba8998f9b8e1">
<by-component uuid="13d71dfd-a5e1-4e41-897d-2e66f3681e76"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces a limit of consecutive invalid logon attempts by a user during a ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-7_smt.b" uuid="e9d8b271-d17a-44cc-ad72-91bf47756b76">
<by-component uuid="3dffba6c-6607-4ac6-9f84-0241f97528f9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Automatically when the maximum number of unsuccessful attempts is exceeded.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-8 with three statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the banner text and its display conditions are not given: both parameters carry generic "organization-defined ..." labels, every description is a filler sentence and the remarks repeat control wording. The remarks for statement a read with a gap after "Displays to users", and those for statement c end on a colon with nothing following. -->
<implemented-requirement control-id="ac-8" uuid="684e02e8-f831-4007-9249-06edee9b37bc"><!--System Use Notification-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters-->
<set-parameter param-id="ac-8_prm_1">
<value>organization-defined system use notification message or banner</value>
<!--Constraint: see additional Requirements and Guidance-->
</set-parameter>
<set-parameter param-id="ac-8_prm_2">
<value>organization-defined conditions</value>
<!--Constraint: see additional Requirements and Guidance-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-8_smt.a, ac-8_smt.b, ac-8_smt.c-->
<statement statement-id="ac-8_smt.a" uuid="66d91ca1-104f-4573-9a9d-2cf6c0da78ed">
<by-component uuid="9eac2136-bc76-4521-9697-87e428d9fef1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Displays to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-8_smt.b" uuid="3b8d4adf-bd6e-4d71-a28a-f4928b359ba5">
<by-component uuid="e1fb12a4-cb2a-4725-8205-681a76aad1fb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-8_smt.c" uuid="39ff3482-105e-47b5-a3df-298138138708">
<by-component uuid="f1230f04-1005-4209-b7ba-09399069b4a2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>For publicly accessible systems:</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-14 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the user actions permitted without identification or authentication are not listed: the one parameter carries a generic "organization-defined ..." label and the remarks for statement a read with a gap after "Identifies". Statement b asks for supporting rationale in the plan, and none is given here. -->
<implemented-requirement control-id="ac-14" uuid="622fddbe-5ef3-4ff2-8aca-84a8321ea106"><!--Permitted Actions Without Identification or Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-14_prm_1">
<value>organization-defined user actions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-14_smt.a, ac-14_smt.b-->
<statement statement-id="ac-14_smt.a" uuid="09dc9c27-79f1-414c-a418-e540313c936b">
<by-component uuid="017bc3ad-0f57-477f-bc1b-55ddcd3fe600"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-14_smt.b" uuid="30cc75a9-5386-4103-b8f3-daa5a7997400">
<by-component uuid="6e593499-b802-42d9-968b-bcb0d421b99d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-17 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the descriptions are filler sentences and the remarks repeat control wording; the permitted remote access types and how they are authorized are not described. -->
<implemented-requirement control-id="ac-17" uuid="b19b20b5-dc49-4453-8f62-3084fbefdb5f"><!--Remote Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17_smt.a, ac-17_smt.b-->
<statement statement-id="ac-17_smt.a" uuid="673ac833-c6df-410a-bb0d-0fbf6b4e1416">
<by-component uuid="36a1ec90-6334-4c37-a587-ebb691fa6228"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-17_smt.b" uuid="138d1582-5db4-4a94-ad7d-3d3f41f62b4a">
<by-component uuid="ae6a2651-65e8-4909-a0aa-691cf2dc7a9b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes remote access to the information system prior to allowing such connections.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-18 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the descriptions are filler sentences and the remarks repeat control wording; whether wireless access exists at all, and how it is restricted and authorized, is not described. -->
<implemented-requirement control-id="ac-18" uuid="e17780e6-6b3c-44ff-98cf-8a72c14711ae"><!--Wireless Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-18_smt.a, ac-18_smt.b-->
<statement statement-id="ac-18_smt.a" uuid="5f82a2ef-e79e-40ac-b055-0293e2e1f58e">
<by-component uuid="c1d35f2b-3194-4e6f-a153-dc8f328db1ca"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-18_smt.b" uuid="7acedab7-15f1-449d-9f3e-e2963ed789d6">
<by-component uuid="77f47903-d56c-46c3-8e38-42c2da6e7b7b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes wireless access to the information system prior to allowing such connections.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-19 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the descriptions are filler sentences and the remarks repeat control wording; the mobile device restrictions and the authorization step are not described. -->
<implemented-requirement control-id="ac-19" uuid="9e039f6b-9206-484b-b393-8b4265ce3398"><!--Access Control for Mobile Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-19_smt.a, ac-19_smt.b-->
<statement statement-id="ac-19_smt.a" uuid="899b50f7-a6ff-4854-8545-a98c24359933">
<by-component uuid="496ec7c7-e1e0-4d44-91d4-8a377f88cd88"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-19_smt.b" uuid="2fe3f86d-56f2-4bc4-822c-b836e8b15639">
<by-component uuid="7d06fb23-e4ce-424d-b0a8-6fa74a056912"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes the connection of mobile devices to organizational information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<!-- Control ac-20 with two statements, each answered by one by-component entry that points at component 4b7936b9-e814-47c0-b152-65cb5b556c3c. -->
<!-- NOTE(review): the status is "implemented", but the descriptions are filler sentences and the remarks hold only the two sub-items of the control text. The terms and conditions under which external systems may be used are not stated. -->
<implemented-requirement control-id="ac-20" uuid="c976256c-56d0-4b3f-8a61-01e6424ce6b6"><!--Use of External Information Systems-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-20_smt.a, ac-20_smt.b-->
<statement statement-id="ac-20_smt.a" uuid="8407b933-f5c2-4595-bc81-1f807ab2face">
<by-component uuid="02aec4c2-ea56-4926-b633-db761858d043"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access the information system from external information systems; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-20_smt.b" uuid="23de6385-edcd-4d3c-bedd-7a0b6d85e3ee">
<by-component uuid="eb37790b-0fcf-4fcb-857b-0fa41df9baf5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Process, store, or transmit organization-controlled information using external information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-22" uuid="2e3b01e4-2814-4fca-a9c0-e6d5451ae21b"><!--Publicly Accessible Content-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="ac-22_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least quarterly. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-22_smt.a, ac-22_smt.b, ac-22_smt.c, ac-22_smt.d-->
<!--NOTE(review): none of the four remarks below mentions the frequency set by ac-22_prm_1; presumably the insertion was dropped from one of them. TODO confirm.-->
<statement statement-id="ac-22_smt.a" uuid="ffa0c120-cc62-41f4-993c-80437ae752a3">
<by-component uuid="fc53a6c1-f66c-4b52-ae11-1a02468120ca"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Designates individuals authorized to post information onto a publicly accessible information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.b" uuid="974298cb-ec23-4954-afb6-be8f201073d5">
<by-component uuid="e6caa7be-2a33-4bac-a1df-b69656b7064b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.c" uuid="eb1f284a-5202-4b02-b04c-97914665469d">
<by-component uuid="31dc0c3d-7404-4197-85ec-6a459b736cbe"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.d" uuid="788a1cf6-0f6f-4f5e-849b-ab6587fc93ad">
<by-component uuid="1f499fb9-fe61-425b-8047-a6ea8d7c8fef"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the content on the publicly accessible information system for nonpublic information and removes such information, if discovered.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-1" uuid="7949d480-b421-45e1-9fe6-1193f88db726"><!--Security Awareness and Training Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 3 control parameters-->
<set-parameter param-id="at-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="at-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<set-parameter param-id="at-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-1_smt.a, at-1_smt.b.1, at-1_smt.b.2-->
<!--NOTE(review): all three remarks have gaps ("disseminates to :", "policy ; and", "procedures .") where a parameter value presumably belonged; confirm the transform inserts the set-parameter values.-->
<statement statement-id="at-1_smt.a" uuid="317a5305-561f-45e0-8b69-6f3e993384c4">
<by-component uuid="c1ad86fa-9275-40e9-8510-3bec1d3d6df1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-1_smt.b.1" uuid="6d437430-5c45-42c6-862f-890328f8af3b">
<by-component uuid="4042c47e-aea9-4249-b338-ed43df582edf"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security awareness and training policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-1_smt.b.2" uuid="f042eae0-0815-4203-b087-a2c8773fc7dd">
<by-component uuid="065b1f47-6a94-4c3d-847f-f68a30670278"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security awareness and training procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-2" uuid="69fdc221-ffc8-43d9-bcb6-6c9af8405a6c"><!--Security Awareness Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="at-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-2_smt.a, at-2_smt.b, at-2_smt.c-->
<!--NOTE(review): the remark for at-2_smt.c is only "thereafter." after a line break; presumably the at-2_prm_1 frequency was meant to precede it. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="at-2_smt.a" uuid="0bdc13d0-1301-42b4-87e8-dfd861e1aa01">
<by-component uuid="7d33e103-e1d1-45e5-ab4d-ea150879de9f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>As part of initial training for new users;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-2_smt.b" uuid="d9320418-42e3-4b1e-b430-ab8f32cc5e53">
<by-component uuid="33471c38-3286-41af-a6b9-7849d3ec8306"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-2_smt.c" uuid="35a1d95f-fe43-4738-9377-288baedadb10">
<by-component uuid="60f53000-12a5-4813-b3af-04865f499600"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-3" uuid="f92d2a29-563b-4b76-a4e3-c198d3220483"><!--Role-based Security Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="at-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-3_smt.a, at-3_smt.b, at-3_smt.c-->
<!--NOTE(review): the remark for at-3_smt.c is only "thereafter." after a line break; presumably the at-3_prm_1 frequency was meant to precede it. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="at-3_smt.a" uuid="5345d272-02f4-4133-9296-15fcc910775c">
<by-component uuid="2ae06748-bb88-4e3f-b8f6-d1c361513d61"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Before authorizing access to the information system or performing assigned duties;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-3_smt.b" uuid="46bfbb5f-fd14-40db-818e-5a695344db73">
<by-component uuid="fc58ad88-36be-4f0e-9f60-61082f51bc8d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-3_smt.c" uuid="7dca5d0b-0a18-4650-9be7-34d0e80a055f">
<by-component uuid="4c14fce6-c4ca-498c-962e-60cfb0edfdc0"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-4" uuid="90260aed-19de-46fe-89a9-eb44bc6ac003"><!--Security Training Records-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="at-4_prm_1">
<value>organization-defined time period</value>
<!--Constraint: At least one year. NOTE(review): the value above is still a generic label, not a time period that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-4_smt.a, at-4_smt.b-->
<!--NOTE(review): the remark for at-4_smt.b ends "records for ." with no retention period; presumably the at-4_prm_1 value was dropped. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="at-4_smt.a" uuid="8981d85b-5abc-4746-a704-3b3e82d0968a">
<by-component uuid="faa93a94-f761-4e33-a9ac-ab653af71b92"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-4_smt.b" uuid="d96e47a5-68df-4ca8-8366-38450255ebc3">
<by-component uuid="9fcca32b-bb16-4af5-b88f-4005ab082430"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains individual training records for .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-1" uuid="0778c371-ff8b-4a3a-a2b6-766e779d9e29"><!--Audit and Accountability Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 3 control parameters-->
<set-parameter param-id="au-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="au-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<set-parameter param-id="au-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-1_smt.a, au-1_smt.b.1, au-1_smt.b.2-->
<!--NOTE(review): all three remarks have gaps ("disseminates to :", "policy ; and", "procedures .") where a parameter value presumably belonged; confirm the transform inserts the set-parameter values.-->
<statement statement-id="au-1_smt.a" uuid="efb433c1-5847-4573-8257-b3ca77db36ee">
<by-component uuid="c620e38e-da65-4924-8a78-0c8e1205b435"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-1_smt.b.1" uuid="5bd39385-49ea-4559-a8f3-38a4198dcfc4">
<by-component uuid="0da208b7-11a8-4899-ae3a-21c314235943"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Audit and accountability policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-1_smt.b.2" uuid="a190dc34-ece0-4cff-b00b-d04fa73df145">
<by-component uuid="330f8313-ae5d-4882-9c0f-f4552ca20dea"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Audit and accountability procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-2" uuid="8fcb2632-22ee-40d5-872b-fa2c6690f36f"><!--Audit Events-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 2 control parameters (the generated comment said none)-->
<set-parameter param-id="au-2_prm_1">
<value>organization-defined auditable events</value>
<!--Constraint: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. NOTE(review): the value above is still a generic label, so the event list in this constraint is not actually recorded as the parameter value.-->
</set-parameter>
<set-parameter param-id="au-2_prm_2">
<value>organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event</value>
<!--Constraint: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event. NOTE(review): the value above is still a generic label; no subset of events is named.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-2_smt.a, au-2_smt.b, au-2_smt.c, au-2_smt.d-->
<!--NOTE(review): the remarks for au-2_smt.a ("following events: ;") and au-2_smt.d ("information system: .") have gaps where the event lists presumably belonged; confirm the transform inserts the set-parameter values.-->
<statement statement-id="au-2_smt.a" uuid="af8d49ff-86f1-4250-89a2-e69028d20d61">
<by-component uuid="f53c5342-f810-4802-9cc8-e27b1393f4cc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines that the information system is capable of auditing the following events: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.b" uuid="d9ce8b24-c470-4842-acf6-0cb6d7bf3228">
<by-component uuid="08ff77f2-cd0c-463a-9fec-583cbe0c924e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.c" uuid="a97b1074-8fa0-47ee-8cde-3d90c3d4a8db">
<by-component uuid="1013d157-6b2b-40c8-a1e7-1588e04d2498"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.d" uuid="cb404029-f86d-470d-b0e3-80bc40d9e470">
<by-component uuid="e903acb6-32a5-4300-87a7-8f91fc60d8da"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines that the following events are to be audited within the information system: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-3" uuid="0f18e496-9c0a-4433-958f-a50356ea6961"><!--Content of Audit Records-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but the description below is a filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-3_smt-->
<!--NOTE(review): the remark lists the fields an audit record must carry (event type, time, location, source, outcome, identity) but reads like requirement wording; it does not show which component produces these fields. TODO confirm.-->
<statement statement-id="au-3_smt" uuid="b4099b68-7085-4cb6-888b-2310469ae830">
<by-component uuid="e9ea25c7-677f-4bdb-a6c9-141c064fce0c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-4" uuid="a0ce5ecf-6e44-4450-bb5b-f5f2055d4a02"><!--Audit Storage Capacity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but the description below is a filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="au-4_prm_1">
<value>organization-defined audit record storage requirements</value>
<!--NOTE(review): the value above is a generic label; no storage requirement is stated.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-4_smt-->
<!--NOTE(review): the remark ends "in accordance with ." with nothing named; presumably the au-4_prm_1 value was dropped. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="au-4_smt" uuid="ba116b5c-764e-4ae8-9913-bf9b19be777f">
<by-component uuid="a03a3366-c2a0-4e5d-a9d4-cca123c0afbb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization allocates audit record storage capacity in accordance with .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-5" uuid="c5019cb6-aaf2-4524-ba05-0cfbbc1e7e6f"><!--Response to Audit Processing Failures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 2 control parameters (the generated comment said none)-->
<set-parameter param-id="au-5_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="au-5_prm_2">
<value>organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)</value>
<!--Constraint: organization-defined actions to be taken (overwrite oldest record). NOTE(review): the value above still lists the generic examples, including stopping audit record generation, rather than the single action this constraint names.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-5_smt.a, au-5_smt.b-->
<!--NOTE(review): the remark for au-5_smt.a does not say who is alerted and the remark for au-5_smt.b ends "actions: ." with none listed; presumably the au-5_prm_1 and au-5_prm_2 values were dropped. Confirm the transform inserts the set-parameter values.-->
<statement statement-id="au-5_smt.a" uuid="dd8e3d8d-ffda-4056-942e-9cb865ade86a">
<by-component uuid="6cd63bee-f2b6-4cce-a4d6-b55cd38b3a33"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Alerts in the event of an audit processing failure; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-5_smt.b" uuid="af87c0f5-7b77-4cdc-aae9-5734d33a5208">
<by-component uuid="3aca25f8-458e-4800-8338-5b655d911ce7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Takes the following additional actions: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-6" uuid="fd653868-2f11-4b4e-a2db-ee74013c72bd"><!--Audit Review, Analysis, and Reporting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 3 control parameters-->
<set-parameter param-id="au-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least weekly. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<set-parameter param-id="au-6_prm_2">
<value>organization-defined inappropriate or unusual activity</value>
</set-parameter>
<set-parameter param-id="au-6_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-6_smt.a, au-6_smt.b-->
<!--NOTE(review): the remarks have gaps ("indications of ; and", "Reports findings to .") so neither the activity being looked for nor the recipient of findings is named; presumably parameter values were dropped. Confirm the transform inserts the set-parameter values.-->
<statement statement-id="au-6_smt.a" uuid="8638667d-9e51-4c99-9e0e-f03cd38dc2b1">
<by-component uuid="422694ee-01e2-43a7-8de3-6c0d27f7b3d5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and analyzes information system audit records for indications of ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-6_smt.b" uuid="f3d6425b-31d6-448a-8b93-0bff75d0afea">
<by-component uuid="2e54550e-12b3-4f0c-bf3d-c1955fae75a3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reports findings to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-8" uuid="7b5c5422-f874-4322-9712-a0f2d3862012"><!--Time Stamps-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="au-8_prm_1">
<value>organization-defined granularity of time measurement</value>
<!--NOTE(review): the value above is a generic label; no time granularity is stated.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-8_smt.a, au-8_smt.b-->
<!--NOTE(review): the remark for au-8_smt.b ends "and meets ." with nothing named; presumably the au-8_prm_1 value was dropped. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="au-8_smt.a" uuid="305156af-b352-4032-b6fa-e422a7152dac">
<by-component uuid="d2f12162-e98c-491b-9eab-c81d44d48742"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Uses internal system clocks to generate time stamps for audit records; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-8_smt.b" uuid="00a3d576-9893-4899-8f98-20c0555e1f10">
<by-component uuid="28c0857c-9dc2-4682-9b1f-20b8e5446f14"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-9" uuid="587e619a-bba1-453c-aa2f-97e92dc15770"><!--Protection of Audit Information-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but the description below is a filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-9_smt-->
<!--NOTE(review): the remark states that audit information and tools are protected from unauthorized access, modification, and deletion, but names no mechanism; it reads like requirement wording. TODO confirm.-->
<statement statement-id="au-9_smt" uuid="bb4029a3-bb80-4a1a-b17b-3693c2ac7240">
<by-component uuid="0d48a1ee-ab99-4792-a0db-0f3f2c766525"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects audit information and audit tools from unauthorized access, modification, and deletion.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-11" uuid="317b7bdd-f424-410f-bfb3-bc07687a4c5c"><!--Audit Record Retention-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but the description below is a filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="au-11_prm_1">
<value>organization-defined time period consistent with records retention policy</value>
<!--Constraint: at least ninety days. NOTE(review): the value above is still a generic label, not a retention period that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-11_smt-->
<!--NOTE(review): the remark reads "retains audit records for to provide" with no retention period; presumably the au-11_prm_1 value was dropped. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="au-11_smt" uuid="3833bf70-c5db-4467-8f55-9ecb278c7491">
<by-component uuid="5d53f05c-851b-4d4a-93da-6ba7d8e5f507"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-12" uuid="ce3260ea-12be-40e9-afd2-720342a070bf"><!--Audit Generation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 2 control parameters (the generated comment said none)-->
<set-parameter param-id="au-12_prm_1">
<value>organization-defined information system components</value>
<!--Constraint: all information system and network components where audit capability is deployed/available. NOTE(review): the value above is still a generic label; no components are named.-->
</set-parameter>
<set-parameter param-id="au-12_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-12_smt.a, au-12_smt.b, au-12_smt.c-->
<!--NOTE(review): the remark for au-12_smt.a ends "at ;" and the remark for au-12_smt.b reads "Allows to select", so neither the components nor the people who may choose audited events are named; presumably parameter values were dropped. Confirm the transform inserts the set-parameter values.-->
<statement statement-id="au-12_smt.a" uuid="144e3c4c-2056-4b6c-9345-f4351125662b">
<by-component uuid="51e91e60-7837-4cbe-a8c3-9b5ab2b2ff4c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides audit record generation capability for the auditable events defined in AU-2 a. at ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-12_smt.b" uuid="2d67ac34-de7a-4979-963d-8b7eb7e07d6b">
<by-component uuid="df73d9fa-cb1c-4e21-9ab5-dd2d91437974"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows to select which auditable events are to be audited by specific components of the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-12_smt.c" uuid="3a02067b-d542-44f9-9479-40b805443b4b">
<by-component uuid="b2761f33-3e40-4702-94cb-eb8bfbc34872"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-1" uuid="88784a51-25ac-49ba-96e6-86c258b8756a"><!--Security Assessment and Authorization Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 3 control parameters-->
<set-parameter param-id="ca-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ca-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<set-parameter param-id="ca-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-1_smt.a, ca-1_smt.b.1, ca-1_smt.b.2-->
<!--NOTE(review): all three remarks have gaps ("disseminates to :", "policy ; and", "procedures .") where a parameter value presumably belonged; confirm the transform inserts the set-parameter values.-->
<statement statement-id="ca-1_smt.a" uuid="0fa781bb-7107-498c-ab15-57973eb35e3e">
<by-component uuid="1abcdc2d-c61a-43f1-8091-bbf95850e774"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-1_smt.b.1" uuid="5c10f90c-9332-405e-9802-7f35f46583dd">
<by-component uuid="bddc4f63-cf0f-437b-bf8f-92d18fcf307c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assessment and authorization policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-1_smt.b.2" uuid="21686cab-1f0c-4a71-9258-3123c5918a50">
<by-component uuid="be847ee2-3232-40aa-a182-6d4ed05b6829"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assessment and authorization procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2" uuid="bfa38c8f-c69e-4bb2-8092-9e792d551893"><!--Security Assessments-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but every description below is the same filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There are 2 control parameters (the generated comment said none)-->
<set-parameter param-id="ca-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually. NOTE(review): the value above is still a generic label, not a frequency that can be checked against this constraint.-->
</set-parameter>
<set-parameter param-id="ca-2_prm_2">
<value>organization-defined individuals or roles</value>
<!--Constraint: individuals or roles to include FedRAMP PMO. NOTE(review): the value above is still a generic label and does not name the FedRAMP PMO.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2_smt.a, ca-2_smt.b, ca-2_smt.c, ca-2_smt.d, ca-2.1_smt-->
<!--NOTE(review): ca-2.1_smt is listed above but no statement with that id appears in this element. The remark for ca-2_smt.a ends at "including:" with no items, and the remark for ca-2_smt.d ends "to ." with no recipient; presumably a parameter value was dropped from the latter. TODO confirm.-->
<statement statement-id="ca-2_smt.a" uuid="1ceb0907-0f15-438b-bf3d-4a790e45995e">
<by-component uuid="396bfcbc-dfcf-4bd1-9967-2a2313c1340c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a security assessment plan that describes the scope of the assessment including:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.b" uuid="d67a7b4d-1dfd-4807-9d61-bfe3df2947c8">
<by-component uuid="9b2badc0-5fb0-42af-a8f5-4ca8fd896e0b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.c" uuid="e3bb923a-b3fd-4ff8-b3d6-dc05a8556b3e">
<by-component uuid="30a7d0c8-4851-4124-8be3-c42f864ae4b6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Produces a security assessment report that documents the results of the assessment; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.d" uuid="a973c719-0dad-4b90-991b-d0013b97206f">
<by-component uuid="a9c0f040-a3dc-46ae-833c-cf8f0f093321"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides the results of the security control assessment to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2.1" uuid="bb5239c5-64ec-48f6-ba07-554db5c522bb"><!--Independent Assessors-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--NOTE(review): status "implemented" is claimed, but the description below is a filler sentence and the responsible role-id is a generic name; replace the filler and confirm the role is defined in metadata before relying on this entry.-->
<!--There is 1 control parameter-->
<set-parameter param-id="ca-2.1_prm_1">
<value>organization-defined level of independence</value>
<!--NOTE(review): the value above is a generic label; no level of independence is stated.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2.1_smt-->
<!--NOTE(review): the remark reads "assessment teams with to conduct" with nothing named; presumably the ca-2.1_prm_1 value was dropped. Confirm the transform inserts the set-parameter value.-->
<statement statement-id="ca-2.1_smt" uuid="04d69d60-d5ca-454d-8c9b-e695eddd3da8">
<by-component uuid="3a9284e9-74ea-42e7-aced-5c2d0684f5ae"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs assessors or assessment teams with to conduct security control assessments.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-3" uuid="10329bca-8284-4ea5-97d6-4685b77a6dd1"><!--System Interconnections. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value reads like the parameter's label rather than a chosen setting, and the constraint is recorded only in the comment that follows it.-->
<set-parameter param-id="ca-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually and on input from FedRAMP-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-3_smt.a, ca-3_smt.b, ca-3_smt.c-->
<statement statement-id="ca-3_smt.a" uuid="febc9e0e-8222-44c7-afc9-a56128a7478c">
<by-component uuid="d57966dc-92c9-4adb-9c87-958a29ad164a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-3_smt.b" uuid="514c81e3-bb98-4b51-93c4-38e8b721792c">
<by-component uuid="d7c6ecfe-07fb-4bef-833d-dd2a48d42af0"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for ca-3_smt.c end in "Agreements ." with nothing before the period; presumably the ca-3_prm_1 frequency was meant to be inserted there. Confirm against the transform.-->
<statement statement-id="ca-3_smt.c" uuid="097ef29d-2d02-4b73-a405-92fb38ebaa00">
<by-component uuid="4e05f0d8-9af5-44db-820b-42a4a2721dd6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates Interconnection Security Agreements .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-5" uuid="80e79340-5cbc-463c-bbe4-c23c662550e1"><!--Plan of Action and Milestones. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value reads like the parameter's label rather than a chosen setting, and the constraint is recorded only in the comment that follows it.-->
<set-parameter param-id="ca-5_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-5_smt.a, ca-5_smt.b-->
<statement statement-id="ca-5_smt.a" uuid="b9db4fa8-c62a-4ba5-b1c2-75082eaca8fb">
<by-component uuid="322f33e2-80da-474f-b2ad-74bce1f69dab"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): neither remarks paragraph in this block mentions the ca-5_prm_1 frequency; presumably it was meant to follow "milestones" in ca-5_smt.b. Confirm against the catalog text.-->
<statement statement-id="ca-5_smt.b" uuid="bbadd689-4c71-4a08-97ad-f2ed597ba011">
<by-component uuid="53e41990-7b4d-4257-b85b-567c432e50e6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-6" uuid="ab4282d5-b607-4dd7-a621-d1adb69f87ba"><!--Security Authorization. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value reads like the parameter's label rather than a chosen setting, and the constraint is recorded only in the comment that follows it.-->
<set-parameter param-id="ca-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least every three years or when a significant change occurs-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-6_smt.a, ca-6_smt.b, ca-6_smt.c-->
<statement statement-id="ca-6_smt.a" uuid="ddfae74d-4660-435f-807f-138f2cb572a4">
<by-component uuid="dfa187f2-dee2-4c24-b5ff-d3b910196397"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns a senior-level executive or manager as the authorizing official for the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-6_smt.b" uuid="32811888-1a31-4326-9a72-56f599cfccc8">
<by-component uuid="9f3f221f-218d-4dd2-8013-9218185d6eef"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the authorizing official authorizes the information system for processing before commencing operations; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for ca-6_smt.c end in "authorization ." with nothing before the period; presumably the ca-6_prm_1 frequency was meant to be inserted there. Confirm against the transform.-->
<statement statement-id="ca-6_smt.c" uuid="deaced76-1836-4b5c-9ba8-2fd4426527ef">
<by-component uuid="d013af6c-edb3-4464-8984-c95bdaba8d02"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the security authorization .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-7" uuid="2e6e3353-0bc4-4afb-af93-7d41e5a6b01a"><!--Continuous Monitoring. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraints on ca-7_prm_4 and ca-7_prm_5 are recorded only in comments.-->
<set-parameter param-id="ca-7_prm_1">
<value>organization-defined metrics</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_2">
<value>organization-defined frequencies</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_3">
<value>organization-defined frequencies</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_4">
<value>organization-defined personnel or roles</value>
<!--Constraint: to meet Federal and FedRAMP requirements (See additional guidance)-->
</set-parameter>
<set-parameter param-id="ca-7_prm_5">
<value>organization-defined frequency</value>
<!--Constraint: to meet Federal and FedRAMP requirements (See additional guidance)-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-7_smt.a, ca-7_smt.b, ca-7_smt.c, ca-7_smt.d, ca-7_smt.e, ca-7_smt.f, ca-7_smt.g-->
<!--NOTE(review): the remarks for ca-7_smt.a read "Establishment of to be monitored"; presumably the ca-7_prm_1 metrics value was meant to follow "of". Confirm against the transform.-->
<statement statement-id="ca-7_smt.a" uuid="5f31db99-96ad-46e1-ae43-4f6b3d9db0f2">
<by-component uuid="446967a6-2c2b-4599-9d10-89d64f4aa9d5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishment of to be monitored;</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for ca-7_smt.b have two gaps ("of for monitoring and for assessments"); presumably ca-7_prm_2 and ca-7_prm_3 were meant to fill them. Confirm against the transform.-->
<statement statement-id="ca-7_smt.b" uuid="198a5898-25e0-423b-ab7f-99c222c813ef">
<by-component uuid="e76cd6d7-afd3-4f76-b525-ca09461e1fa2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishment of for monitoring and for assessments supporting such monitoring;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.c" uuid="a20a2f62-849c-4e7a-bf04-c033fb2370dd">
<by-component uuid="75c12355-9a7e-4350-9d82-795d3adbe198"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.d" uuid="85250e94-a760-45d9-9286-7aaa17bce3fc">
<by-component uuid="ed27e922-afd6-451c-b524-747b55748700"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.e" uuid="168931ac-05a1-4335-8037-7cd96e938163">
<by-component uuid="1133da90-547c-4b63-b660-8207432a4bb3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Correlation and analysis of security-related information generated by assessments and monitoring;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.f" uuid="1dd60255-a14f-4aa3-9c70-fabf1dc2331c">
<by-component uuid="ad5963db-7990-4af8-820c-03e5706123b7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Response actions to address results of the analysis of security-related information; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for ca-7_smt.g break off after "to" and resume with a lone period on the next line; presumably the ca-7_prm_4 recipients and the ca-7_prm_5 frequency were meant to appear there. Confirm against the transform.-->
<statement statement-id="ca-7_smt.g" uuid="bc58485a-742d-4920-a3f9-a253ec057773">
<by-component uuid="994154cd-789e-4c32-8e3e-26fbdeab73e7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reporting the security status of organization and the information system to
.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-9" uuid="e2101da8-bc01-4087-b3d3-98966ae06350"><!--Internal System Connections. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value reads like the parameter's label rather than a chosen setting; a real plan would name the components or classes of components.-->
<set-parameter param-id="ca-9_prm_1">
<value>organization-defined information system components or classes of components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-9_smt.a, ca-9_smt.b-->
<!--NOTE(review): the remarks for ca-9_smt.a read "connections of to the information system"; presumably the ca-9_prm_1 value was meant to follow "of". Confirm against the transform.-->
<statement statement-id="ca-9_smt.a" uuid="341c9b78-de36-4adb-b676-bf4ccb98eb94">
<by-component uuid="479c9333-3fa1-4b67-9893-e1f7dcbb79df"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes internal connections of to the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-9_smt.b" uuid="2b5eb68e-5ff1-4305-90d7-7ff189c1dc9a">
<by-component uuid="cb83785e-7bf2-4c2a-b4a8-3a9d3b8a5aa7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-1" uuid="b3de71d3-5ac2-4cf6-b23c-b7290918afd4"><!--Configuration Management Policy and Procedures. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraints on cm-1_prm_2 and cm-1_prm_3 are recorded only in comments.-->
<set-parameter param-id="cm-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cm-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="cm-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-1_smt.a, cm-1_smt.b.1, cm-1_smt.b.2-->
<!--NOTE(review): the remarks for cm-1_smt.a read "disseminates to :"; presumably the cm-1_prm_1 personnel or roles were meant to precede the colon. Confirm against the transform.-->
<statement statement-id="cm-1_smt.a" uuid="67ebe36b-2db0-4316-b5e0-8a84c8c05e63">
<by-component uuid="39a25417-1703-4b42-ac7c-9b49166b6aae"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-1_smt.b.1 read "policy ; and"; presumably the cm-1_prm_2 frequency was meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cm-1_smt.b.1" uuid="0afc63c8-35fa-4618-bed6-3ab737730d7f">
<by-component uuid="c76a2556-c781-4d01-a755-3e82e03fb5a9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configuration management policy ; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-1_smt.b.2 end in "procedures ."; presumably the cm-1_prm_3 frequency was meant to precede the period. Confirm against the transform.-->
<statement statement-id="cm-1_smt.b.2" uuid="05e61fb1-9743-44f5-bb00-2a0a0c52caa8">
<by-component uuid="6c565c17-fa79-4d41-b54f-741b8c295407"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configuration management procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2" uuid="a3bb6943-b6a0-49a3-ba14-b7af1da014f9"><!--Baseline Configuration. Sample entry: implementation-status is asserted as "implemented", yet the by-component description below is filler text, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2_smt-->
<!--The remarks paragraph below states the requirement itself; the description is where a real plan would say how the baseline is kept under configuration control.-->
<statement statement-id="cm-2_smt" uuid="1bbab81d-367d-4c42-a7a0-bd1668bdf968">
<by-component uuid="26b17d21-adf4-489d-a12b-92c7067a9e14"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-4" uuid="673c9fe8-155c-462a-be39-8551bdbbfa2d"><!--Security Impact Analysis. Sample entry: implementation-status is asserted as "implemented", yet the by-component description below is filler text, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-4_smt-->
<!--The remarks paragraph below states the requirement itself; the description is where a real plan would say how changes are analyzed before they are implemented.-->
<statement statement-id="cm-4_smt" uuid="abd15f52-ad35-414a-9a0d-1f52175daa1c">
<by-component uuid="314d3940-c6de-457a-8022-8db7ebb3294f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-6" uuid="6424e178-e9f9-49a8-bc1b-18de2b3c3619"><!--Configuration Settings. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraint on cm-6_prm_1 is recorded only in a comment.-->
<set-parameter param-id="cm-6_prm_1">
<value>organization-defined security configuration checklists</value>
<!--Constraint: United States Government Configuration Baseline (USGCB)-->
</set-parameter>
<set-parameter param-id="cm-6_prm_2">
<value>organization-defined information system components</value>
</set-parameter>
<set-parameter param-id="cm-6_prm_3">
<value>organization-defined operational requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-6_smt.a, cm-6_smt.b, cm-6_smt.c, cm-6_smt.d-->
<!--NOTE(review): the remarks for cm-6_smt.a read "using that reflect"; presumably the cm-6_prm_1 checklists were meant to follow "using". Confirm against the transform.-->
<statement statement-id="cm-6_smt.a" uuid="e83873f3-12ae-4f81-bd79-032d36a0e62d">
<by-component uuid="09de2701-4e33-4419-9af7-04fcde48086b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and documents configuration settings for information technology products employed within the information system using that reflect the most restrictive mode consistent with operational requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-6_smt.b" uuid="fa040c2b-7db4-40fe-9aba-c0f0d571de21">
<by-component uuid="0d5b316e-a7d5-496e-bc31-3fe13f99b83f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements the configuration settings;</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-6_smt.c have two gaps ("settings for based on ;"); presumably cm-6_prm_2 and cm-6_prm_3 were meant to fill them. Confirm against the transform.-->
<statement statement-id="cm-6_smt.c" uuid="36e0bb10-2ea6-4483-958c-ce5a05750d56">
<by-component uuid="09e123ca-0439-4a60-bcde-476ef9b7f8a3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies, documents, and approves any deviations from established configuration settings for based on ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-6_smt.d" uuid="1eb88fc0-ce21-4171-9967-b0fdfa56e394">
<by-component uuid="c1d08e8f-fb8a-40bf-981d-98a3fcfe1ca3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-7" uuid="1341e52d-9a04-4ef1-9ece-e77a15453260"><!--Least Functionality. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value reads like the parameter's label rather than an actual list of prohibited or restricted functions, ports, protocols, and services, and the constraint is recorded only in the comment that follows it.-->
<set-parameter param-id="cm-7_prm_1">
<value>organization-defined prohibited or restricted functions, ports, protocols, and/or services</value>
<!--Constraint: United States Government Configuration Baseline (USGCB)-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-7_smt.a, cm-7_smt.b-->
<statement statement-id="cm-7_smt.a" uuid="a41f2349-8c98-4edd-9d28-26a4f3e9f25d">
<by-component uuid="1245fc19-c540-4342-a8e4-2479780535a3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configures the information system to provide only essential capabilities; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-7_smt.b end in "services: ." with nothing after the colon; presumably the cm-7_prm_1 list was meant to appear there. Confirm against the transform.-->
<statement statement-id="cm-7_smt.b" uuid="e078a617-c5b0-4f7d-9868-185cc18a71f6">
<by-component uuid="38223cd1-dbbd-4bbd-8e71-68cf1cc584eb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits or restricts the use of the following functions, ports, protocols, and/or services: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-8" uuid="c0116149-3b7a-4678-b9e5-62ed08dcf026"><!--Information System Component Inventory. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraint on cm-8_prm_2 is recorded only in a comment.-->
<set-parameter param-id="cm-8_prm_1">
<value>organization-defined information deemed necessary to achieve effective information system component accountability</value>
</set-parameter>
<set-parameter param-id="cm-8_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-8_smt.a, cm-8_smt.b-->
<!--The remarks for cm-8_smt.a end at "that:" and the items the colon introduces are not part of this statement.-->
<statement statement-id="cm-8_smt.a" uuid="29c53e7a-12a2-4dee-a0da-db4c1f1b8f89">
<by-component uuid="dcb225ef-a057-49f5-90bc-61aeb289ffa4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops and documents an inventory of information system components that:</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-8_smt.b end in "inventory ." with nothing before the period; presumably the cm-8_prm_2 frequency was meant to be inserted there. Confirm against the transform.-->
<statement statement-id="cm-8_smt.b" uuid="167b5818-5015-4c3d-bdc6-6f7cf3068bc6">
<by-component uuid="743d2e0e-c35e-4b6b-8a49-54a9ceb7a854"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the information system component inventory .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-10" uuid="91f3c672-1cfe-498e-bea6-e53b7fceb47f"><!--Software Usage Restrictions. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-10_smt.a, cm-10_smt.b, cm-10_smt.c-->
<!--Each remarks paragraph below states the requirement itself; the descriptions are where a real plan would say how it is met.-->
<statement statement-id="cm-10_smt.a" uuid="b44920af-2227-4274-97d9-1387bcd08f00">
<by-component uuid="01d1c5fd-3d36-46ca-82f8-21b37b452081"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Uses software and associated documentation in accordance with contract agreements and copyright laws;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-10_smt.b" uuid="dd1e90dc-1870-4dcb-89e9-5b475ef0ab6d">
<by-component uuid="281b168e-40be-4b22-8c6b-eb70da604328"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-10_smt.c" uuid="980b5ffe-2d09-4497-a6a2-c6e9ed99f814">
<by-component uuid="f5c6bc73-c030-4393-9602-e433d1895751"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-11" uuid="046787c8-21b1-4bce-a593-159c40cb3e5c"><!--User-installed Software. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraint on cm-11_prm_3 is recorded only in a comment.-->
<set-parameter param-id="cm-11_prm_1">
<value>organization-defined policies</value>
</set-parameter>
<set-parameter param-id="cm-11_prm_2">
<value>organization-defined methods</value>
</set-parameter>
<set-parameter param-id="cm-11_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: Continuously (via CM-7 (5))-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-11_smt.a, cm-11_smt.b, cm-11_smt.c-->
<!--NOTE(review): the remarks for cm-11_smt.a read "Establishes governing"; presumably the cm-11_prm_1 policies were meant to follow "Establishes". Confirm against the transform.-->
<statement statement-id="cm-11_smt.a" uuid="43efa127-1ead-42d2-a0a4-cd8f6c43c120">
<by-component uuid="716fa50c-da8d-49dc-ac84-58745ea330b2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes governing the installation of software by users;</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-11_smt.b read "through ; and"; presumably the cm-11_prm_2 methods were meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cm-11_smt.b" uuid="6767dd8b-b24f-44f1-a5c1-65060349f8bb">
<by-component uuid="f56b3cf4-89a3-4e72-b941-c21e3647cff5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces software installation policies through ; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cm-11_smt.c end in "at ."; presumably the cm-11_prm_3 frequency was meant to precede the period. Confirm against the transform.-->
<statement statement-id="cm-11_smt.c" uuid="d348d13c-f1fa-4c78-adad-a6dd737029e4">
<by-component uuid="50ef3877-239c-482f-b11a-42d7ef73c165"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors policy compliance at .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-1" uuid="8c2484fc-dd05-4f78-975e-6230047f2699"><!--Contingency Planning Policy and Procedures. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraints on cp-1_prm_2 and cp-1_prm_3 are recorded only in comments.-->
<set-parameter param-id="cp-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cp-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="cp-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-1_smt.a, cp-1_smt.b.1, cp-1_smt.b.2-->
<!--NOTE(review): the remarks for cp-1_smt.a read "disseminates to :"; presumably the cp-1_prm_1 personnel or roles were meant to precede the colon. Confirm against the transform.-->
<statement statement-id="cp-1_smt.a" uuid="26fd400c-ae38-4720-abe2-1589570e59ec">
<by-component uuid="3ab8e80a-81b1-4be2-91c0-32c7aeba22b7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cp-1_smt.b.1 read "policy ; and"; presumably the cp-1_prm_2 frequency was meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cp-1_smt.b.1" uuid="0f5efaaf-2629-4140-805a-dc4d7da53ef1">
<by-component uuid="f04c2781-bbe9-40f5-a21c-b98475f8a14a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Contingency planning policy ; and</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cp-1_smt.b.2 end in "procedures ."; presumably the cp-1_prm_3 frequency was meant to precede the period. Confirm against the transform.-->
<statement statement-id="cp-1_smt.b.2" uuid="2270c60b-7f4d-4635-972b-8c46c1667e88">
<by-component uuid="c4efbec0-b1c3-4920-8655-95e895714842"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Contingency planning procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2" uuid="457d70a4-09ce-43b4-a141-1d894ade45b9"><!--Contingency Plan. Sample entry: implementation-status is asserted as "implemented", yet every by-component description below is the same filler sentence, so this block illustrates structure only and gives an assessor no evidence about the control.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters. NOTE(review): each value reads like the parameter's label rather than a chosen setting, and the constraint on cp-2_prm_3 is recorded only in a comment.-->
<set-parameter param-id="cp-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cp-2_prm_2">
<value>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</value>
</set-parameter>
<set-parameter param-id="cp-2_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<set-parameter param-id="cp-2_prm_4">
<value>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2_smt.a, cp-2_smt.b, cp-2_smt.c, cp-2_smt.d, cp-2_smt.e, cp-2_smt.f, cp-2_smt.g-->
<!--The remarks for cp-2_smt.a end at "that:" and the items the colon introduces are not part of this statement.-->
<statement statement-id="cp-2_smt.a" uuid="941287ec-59ff-434a-a304-e5e5b6cfbad9">
<by-component uuid="90457b14-c496-49c4-8304-61968d160775"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a contingency plan for the information system that:</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cp-2_smt.b read "plan to ;"; presumably the cp-2_prm_2 recipients were meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cp-2_smt.b" uuid="4fa870a2-75bf-4fbe-9823-1b42bab50792">
<by-component uuid="f257c95e-d91a-4d5c-a834-9b8c62249bb8"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes copies of the contingency plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.c" uuid="9f36e802-8439-4e4d-b0f9-25d937e67925">
<by-component uuid="df3a395d-a9b3-4bd8-9ca1-a563a34d2cbb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates contingency planning activities with incident handling activities;</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cp-2_smt.d read "information system ;"; presumably the cp-2_prm_3 frequency was meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cp-2_smt.d" uuid="a85de331-39a4-4e20-9ddb-460635e238e2">
<by-component uuid="a6696c41-964c-4a78-9fc5-1170b67a9e57"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the contingency plan for the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.e" uuid="233d5190-4e58-4523-9ae6-bdb7cdce2071">
<by-component uuid="175a7df2-d5be-4e06-93df-726549d6d39d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;</p>
</remarks>
</by-component>
</statement>
<!--NOTE(review): the remarks for cp-2_smt.f read "changes to ; and"; presumably the cp-2_prm_4 recipients were meant to precede the semicolon. Confirm against the transform.-->
<statement statement-id="cp-2_smt.f" uuid="dc7404dd-e4e2-4b50-a710-1105251f1913">
<by-component uuid="507dddfd-9996-46d8-930c-3e3014ce1a04"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Communicates contingency plan changes to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.g" uuid="8492fef3-72cf-4ee4-b263-d0616eb65875">
<by-component uuid="42e2ca15-23bd-497a-9288-939ce3e6ca67"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the contingency plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-3" uuid="7929f804-2a9e-4e31-a099-01033cb51ae4"><!--Contingency Training-->
<!--Generated sample content. The status below is "implemented", yet every by-component description is the same filler sentence, so nothing here documents how contingency training is actually delivered. NOTE(review): the remarks for cp-3_smt.a and cp-3_smt.c have a gap where a parameter value was apparently meant to appear (presumably cp-3_prm_1 and cp-3_prm_2; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters. NOTE(review): both values look like catalog placeholder labels, not selections that satisfy the constraints noted below.-->
<set-parameter param-id="cp-3_prm_1">
<value>organization-defined time period</value>
<!--Constraint: ten (10) days-->
</set-parameter>
<set-parameter param-id="cp-3_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-3_smt.a, cp-3_smt.b, cp-3_smt.c-->
<statement statement-id="cp-3_smt.a" uuid="12692aa6-0563-4cbf-a0cf-285d2f9f332c">
<by-component uuid="3d28d821-09ab-4fd7-84ca-2ac6dadda49c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Within of assuming a contingency role or responsibility;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-3_smt.b" uuid="d43bdd80-7966-41c8-aa1b-5cfda144a2fe">
<by-component uuid="91c0ecf1-e0c2-4b0d-adbd-88876abad386"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-3_smt.c" uuid="08a44ab6-c37e-4a16-9a4a-99d11895c128">
<by-component uuid="07429b25-5bcf-419d-a16a-df3c9c4a368e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-4" uuid="dcbd5730-49c5-4b4d-8a14-6e226d9abb00"><!--Contingency Plan Testing-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence, so the entry records no test evidence. NOTE(review): the remarks for cp-4_smt.a read "using to determine", i.e. a parameter value was apparently dropped (presumably cp-4_prm_2; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters. NOTE(review): both values look like catalog placeholder labels, not selections that satisfy the constraints noted below.-->
<set-parameter param-id="cp-4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least every three years-->
</set-parameter>
<set-parameter param-id="cp-4_prm_2">
<value>organization-defined tests</value>
<!--Constraint: classroom exercises/table top written tests-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-4_smt.a, cp-4_smt.b, cp-4_smt.c-->
<statement statement-id="cp-4_smt.a" uuid="0c1596e4-f99b-4b85-925d-a2637f6064f8">
<by-component uuid="978898cc-4dca-49d1-bc6f-4e099601fc07"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tests the contingency plan for the information system using to determine the effectiveness of the plan and the organizational readiness to execute the plan;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-4_smt.b" uuid="18634fab-d200-4027-ae11-3bb227ae3fd0">
<by-component uuid="02f1fc1f-293d-4242-8d5a-093152b53cb8"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the contingency plan test results; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-4_smt.c" uuid="8cdae726-df6f-451a-9fb4-02d3bcc401c6">
<by-component uuid="86bdf63d-0e43-4fff-957b-a880137d75a9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Initiates corrective actions, if needed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-9" uuid="86e283b0-6cc3-40a8-b447-0070db572772"><!--Information System Backup-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence, so the entry does not say what is backed up, how often, or how backup copies are protected. NOTE(review): the remarks for cp-9_smt.a, cp-9_smt.b and cp-9_smt.c end in " ;" where a backup frequency was apparently meant to appear (presumably cp-9_prm_1 to cp-9_prm_3; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): all three values look like catalog placeholder labels, not selections that satisfy the constraints noted below.-->
<set-parameter param-id="cp-9_prm_1">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full-->
</set-parameter>
<set-parameter param-id="cp-9_prm_2">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full-->
</set-parameter>
<set-parameter param-id="cp-9_prm_3">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-9_smt.a, cp-9_smt.b, cp-9_smt.c, cp-9_smt.d-->
<statement statement-id="cp-9_smt.a" uuid="92e408e9-3f62-422b-a473-8566475fee3e">
<by-component uuid="a5d6e542-12f6-46ee-96b7-38468e5884d6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of user-level information contained in the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.b" uuid="3ceb6709-5b3a-4c35-af07-adcddfbef76a">
<by-component uuid="fe7de675-2244-4c27-809f-695eb1fe6ce2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of system-level information contained in the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.c" uuid="9fd5f398-7fce-4709-b9d5-ef5ff81e9cb3">
<by-component uuid="70be7959-2ae5-4afd-a271-bbc620692104"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of information system documentation including security-related documentation ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.d" uuid="294ec74a-55b5-44b3-a3b5-0bf8824f5401">
<by-component uuid="240a2837-a5f6-4986-996b-835361262413"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the confidentiality, integrity, and availability of backup information at storage locations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
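<implemented-requirement control-id="cp-10" uuid="2a834e4d-f084-40d5-85d5-451b10747fa0"><!--Information System Recovery and Reconstitution-->
<!--Generated sample content. This is the one entry in this stretch of the plan whose status is "partial"; the remarks inside the prop are where the unsatisfied portion of the control is meant to be described, and the sample only carries a placeholder sentence there. The by-component description is a filler sentence as well.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="partial">
<remarks>
<p>A description of the portion of the control that is not satisfied.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-10_smt-->
<statement statement-id="cp-10_smt" uuid="c669364f-f8b6-4126-af83-48fdb818064d">
<by-component uuid="228778a2-c7dd-4fd4-8f90-1d815bec2bbb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>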
<implemented-requirement control-id="ia-1" uuid="49add0bd-ece8-4d60-aa84-066a65668706"><!--Identification and Authentication Policy and Procedures-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence. NOTE(review): the remarks for ia-1_smt.a, ia-1_smt.b.1 and ia-1_smt.b.2 each have a gap before the closing punctuation where a parameter value was apparently meant to appear (presumably ia-1_prm_1 to ia-1_prm_3; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): all three values look like catalog placeholder labels, not selections; ia-1_prm_2 and ia-1_prm_3 also carry the constraints noted below.-->
<set-parameter param-id="ia-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ia-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ia-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-1_smt.a, ia-1_smt.b.1, ia-1_smt.b.2-->
<statement statement-id="ia-1_smt.a" uuid="f35304f3-6328-4968-b91b-5dfa30464c6e">
<by-component uuid="dd82c318-21e7-4946-a3d1-f23883f8bdfd"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-1_smt.b.1" uuid="4aefb350-d1fa-43bf-866b-9a64938e767b">
<by-component uuid="ff4b28cb-9faf-4aa2-8da4-e86ab152d0f4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identification and authentication policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-1_smt.b.2" uuid="c7d0823f-e982-415d-a523-c05be9638516">
<by-component uuid="f6881fa6-f118-4dfa-8425-e2e4bdd6c153"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identification and authentication procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2" uuid="ef9860f5-3fe3-4cb0-89df-60d32287ee38"><!--Identification and Authentication (organizational Users)-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself, so the entry does not say how organizational users are identified and authenticated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2_smt, ia-2.1_smt, ia-2.12_smt (only ia-2_smt is answered in this element; ia-2.1_smt and ia-2.12_smt are answered in the elements with control-id ia-2.1 and ia-2.12)-->
<statement statement-id="ia-2_smt" uuid="48f8f7a1-e9b9-4e76-b90e-bd3f315c4fab">
<by-component uuid="a4d652b2-c8e1-4fc0-8475-8b54635a11da"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.1" uuid="f425bdda-ca17-42f0-a088-9198df6bacd9"><!--Network Access to Privileged Accounts-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself; the entry names no multifactor mechanism or which privileged accounts it covers, so an assessor has nothing to verify.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.1_smt-->
<statement statement-id="ia-2.1_smt" uuid="ce632254-ddcf-43f1-a83b-ee3568bc2e03">
<by-component uuid="e5154b04-21ee-4692-95e8-fea4fb74cbe9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements multifactor authentication for network access to privileged accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.12" uuid="fea50f58-fe50-4b38-b3a0-20aec84993c5"><!--Acceptance of PIV Credentials-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself, so the entry does not say how PIV credentials are accepted or electronically verified.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.12_smt-->
<statement statement-id="ia-2.12_smt" uuid="5f6aa359-462b-4ccc-9bfd-428862023ed5">
<by-component uuid="51488321-fadb-4abe-b463-cf34abd32a2a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-4" uuid="88c236ba-e05c-4ba0-b5cb-8ba00ba924c0"><!--Identifier Management-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence. NOTE(review): the remarks for ia-4_smt.a ("authorization from to assign"), ia-4_smt.d and ia-4_smt.e have a gap where a parameter value was apparently meant to appear (presumably ia-4_prm_1 to ia-4_prm_3; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): all three values look like catalog placeholder labels, not selections; ia-4_prm_2 and ia-4_prm_3 also carry the constraints noted below.-->
<set-parameter param-id="ia-4_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ia-4_prm_2">
<value>organization-defined time period</value>
<!--Constraint: IA-4 (d) [at least two years]-->
</set-parameter>
<set-parameter param-id="ia-4_prm_3">
<value>organization-defined time period of inactivity</value>
<!--Constraint: ninety days for user identifiers (See additional requirements and guidance)-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-4_smt.a, ia-4_smt.b, ia-4_smt.c, ia-4_smt.d, ia-4_smt.e-->
<statement statement-id="ia-4_smt.a" uuid="9aaa7530-8301-4029-8fc0-00bbf28f96b8">
<by-component uuid="bac9a89d-4423-46d8-99ca-d93a8c73f5ea"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Receiving authorization from to assign an individual, group, role, or device identifier;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.b" uuid="4b9a2a32-347d-4144-b28a-f0634003be20">
<by-component uuid="1d56de93-2b4e-4268-b9ba-7722cc82f201"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Selecting an identifier that identifies an individual, group, role, or device;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.c" uuid="ba254a71-8c9d-4551-afe5-fcceeb0b48a6">
<by-component uuid="42ccf251-3688-4c38-a67e-549f1bf3e825"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigning the identifier to the intended individual, group, role, or device;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.d" uuid="01a87e8c-74e6-4dc0-97c4-3b628b5c06e8">
<by-component uuid="01c39c7c-501d-4ed0-bd0a-d4696068022e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Preventing reuse of identifiers for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.e" uuid="b3eaf6ba-9e85-4a70-a43d-0aca9413d278">
<by-component uuid="df300366-3f55-46b5-9fdc-d1c3e211b4c7"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disabling the identifier after .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5" uuid="fb1f4a0f-b837-4052-9942-da5530d2ea80"><!--Authenticator Management-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence, so none of the ten statements documents how authenticators are issued, protected, refreshed or revoked. NOTE(review): the remarks for ia-5_smt.g end in " ;" where a parameter value was apparently meant to appear (presumably ia-5_prm_1; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value looks like a catalog placeholder label, not a selected value.-->
<set-parameter param-id="ia-5_prm_1">
<value>organization-defined time period by authenticator type</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5_smt.a, ia-5_smt.b, ia-5_smt.c, ia-5_smt.d, ia-5_smt.e, ia-5_smt.f, ia-5_smt.g, ia-5_smt.h, ia-5_smt.i, ia-5_smt.j, ia-5.1_smt.a, ia-5.1_smt.b, ia-5.1_smt.c, ia-5.1_smt.d, ia-5.1_smt.e, ia-5.1_smt.f, ia-5.11_smt (only the ia-5_smt items are answered in this element; the ia-5.1 and ia-5.11 items are answered in the elements with control-id ia-5.1 and ia-5.11)-->
<statement statement-id="ia-5_smt.a" uuid="56141f26-59fc-4bd5-ae52-e55a584fcb91">
<by-component uuid="4472b722-ebb4-4cfd-974d-ebb381c1d4d4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.b" uuid="4054d4f3-db77-4f74-bdc4-ba54a1e77c1b">
<by-component uuid="abc29f04-41e2-42c0-999b-fe1e0cdce788"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing initial authenticator content for authenticators defined by the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.c" uuid="a30a34b8-17d7-4835-bbd1-6257c67e6b96">
<by-component uuid="85d700db-db12-4ee8-89f6-c176a14e2add"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensuring that authenticators have sufficient strength of mechanism for their intended use;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.d" uuid="4bb5c27a-d0fa-4924-b179-7f6e75ebc018">
<by-component uuid="99561506-4a64-41e2-9d2b-9ef52d797216"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.e" uuid="a1cdaa40-b271-486d-b66f-009e94468345">
<by-component uuid="23ae33c3-efc6-46fc-bbf0-43448076d58a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing default content of authenticators prior to information system installation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.f" uuid="a14aaecb-b0a6-439b-98aa-3102683efab9">
<by-component uuid="3bd6dc13-7556-4825-9afe-2c8b55e5b1e2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.g" uuid="01abf701-7e50-49cc-b35d-9b1aa3e85d72">
<by-component uuid="64b32636-e4d6-491b-835f-c7b609f3e1b3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing/refreshing authenticators ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.h" uuid="a00c8298-c2df-490b-ad0f-8be3dafa7ad3">
<by-component uuid="fc415128-1fcb-42cf-804f-ebefd05501b4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protecting authenticator content from unauthorized disclosure and modification;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.i" uuid="2dc76e92-e60a-467a-af3b-f36a37005227">
<by-component uuid="965c81ad-9e1c-401a-9a86-2997fa4f0b01"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.j" uuid="9c096984-bccf-4416-a6ba-cd1c5cd55449">
<by-component uuid="872930d0-4abd-4b16-9cd3-ead51a828aa1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing authenticators for group/role accounts when membership to those accounts changes.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.1" uuid="6208a6bc-f4ee-40c2-acc5-18a7f9512d38"><!--Password-based Authentication-->
<!--Generated sample content. The status is "implemented", but each by-component description is a filler sentence, so the entry states no actual password policy. NOTE(review): the remarks for ia-5.1_smt.a, ia-5.1_smt.b, ia-5.1_smt.d and ia-5.1_smt.e ("reuse for generations") have a gap where a parameter value was apparently meant to appear (presumably ia-5.1_prm_1 to ia-5.1_prm_4; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters. NOTE(review): all four values look like catalog placeholder labels, not selections; ia-5.1_prm_2 and ia-5.1_prm_4 also carry the constraints noted below.-->
<set-parameter param-id="ia-5.1_prm_1">
<value>organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type</value>
</set-parameter>
<set-parameter param-id="ia-5.1_prm_2">
<value>organization-defined number</value>
<!--Constraint: at least one-->
</set-parameter>
<set-parameter param-id="ia-5.1_prm_3">
<value>organization-defined numbers for lifetime minimum, lifetime maximum</value>
</set-parameter>
<set-parameter param-id="ia-5.1_prm_4">
<value>organization-defined number</value>
<!--Constraint: twenty four-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.1_smt.a, ia-5.1_smt.b, ia-5.1_smt.c, ia-5.1_smt.d, ia-5.1_smt.e, ia-5.1_smt.f-->
<statement statement-id="ia-5.1_smt.a" uuid="6d607cab-e8cb-47fb-abc1-002d930ef38e">
<by-component uuid="279db5fe-e663-4589-b953-d6b7eb94c1ce"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces minimum password complexity of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.b" uuid="2cef8f24-9f93-4381-b795-650f71d81971">
<by-component uuid="322e8964-b191-4feb-b84c-96af555a99d9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces at least the following number of changed characters when new passwords are created: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.c" uuid="8120b10a-6fb5-4873-9b0e-8f7c8caa935c">
<by-component uuid="3b3f5e2f-2dbf-4687-96ee-7a574e36b565"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Stores and transmits only cryptographically-protected passwords;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.d" uuid="abadf4e8-2596-44a0-8a88-8da6b327f435">
<by-component uuid="1a7c9ebe-fc59-4c92-94e7-ecb910c2a2a9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces password minimum and maximum lifetime restrictions of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.e" uuid="4188759b-5a03-4d6f-a0be-9e3fdd6d277e">
<by-component uuid="5565f9e1-1793-497d-8e0a-1b76654ca1da"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits password reuse for generations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.f" uuid="c120560d-7044-40a0-817d-e8eb998f471e">
<by-component uuid="747474bf-aba1-463f-8f5e-9fb507c8b089"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows the use of a temporary password for system logons with an immediate change to a permanent password.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.11" uuid="56d6665f-a998-4a2b-bd31-b4e4e4c31905"><!--Hardware Token-based Authentication-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence. NOTE(review): the remarks end in "satisfy ." where the token quality requirements were apparently meant to appear (presumably ia-5.11_prm_1; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value looks like a catalog placeholder label, not a selected value.-->
<set-parameter param-id="ia-5.11_prm_1">
<value>organization-defined token quality requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.11_smt-->
<statement statement-id="ia-5.11_smt" uuid="9fd8a65b-0535-4828-8fd9-6468c1d8e4d8">
<by-component uuid="8ad9dd5a-ac80-4f2b-b064-d4bb25094011"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system, for hardware token-based authentication, employs mechanisms that satisfy .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-6" uuid="a347a8d9-4343-4c0a-92e9-392f3631a1f7"><!--Authenticator Feedback-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself, so the entry does not say where or how authentication feedback is obscured.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-6_smt-->
<statement statement-id="ia-6_smt" uuid="024e1905-4e96-472e-b9aa-aee1e30b2e1b">
<by-component uuid="aed9bb68-36e3-4938-a925-f8086fae99f3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-7" uuid="6a802b87-6532-447b-b1c6-b44a75e08194"><!--Cryptographic Module Authentication-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself; the entry names no cryptographic module or validation reference that an assessor could check.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-7_smt-->
<statement statement-id="ia-7_smt" uuid="98a7e0eb-a0d5-4ba6-8547-894d77f92622">
<by-component uuid="d43f0ad0-a4ba-4b78-98fd-787a79a2b41a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8" uuid="5a2d350d-c0df-4499-9e0c-f137bdafe4f4"><!--Identification and Authentication (non-organizational Users)-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself, so the entry does not say how non-organizational users are identified and authenticated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8_smt, ia-8.1_smt, ia-8.2_smt, ia-8.3_smt, ia-8.4_smt (only ia-8_smt is answered in this element; the others are answered in the elements with control-id ia-8.1, ia-8.2, ia-8.3 and ia-8.4)-->
<statement statement-id="ia-8_smt" uuid="37dd1a63-8bc8-4dd9-abba-f46c0e75f26a">
<by-component uuid="b8625b97-9b18-4873-8cc9-8d9c063999d5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.1" uuid="cff367f1-516c-4635-8478-fff900210ea0"><!--Acceptance of PIV Credentials from Other Agencies-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself, so the entry does not say how PIV credentials from other agencies are verified.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.1_smt-->
<statement statement-id="ia-8.1_smt" uuid="5529072c-24af-4eba-a052-d73b285710fe">
<by-component uuid="3f8f7c55-f7d2-48b9-a449-1021e97a9aa6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.2" uuid="61b99ed8-2046-41c9-a2ec-62b42260af77"><!--Acceptance of Third-party Credentials-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence and the remarks read as the control statement itself; the entry lists no third-party credential providers, so the "only FICAM-approved" claim cannot be checked from here.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.2_smt-->
<statement statement-id="ia-8.2_smt" uuid="05b1f3e2-3322-4ae8-a3be-08a4a85295f2">
<by-component uuid="a495a789-e8b3-4960-b977-2dc7c2ad984e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts only FICAM-approved third-party credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.3" uuid="503f82d9-d37e-491d-ab24-ad3222bf2069"><!--Use of Ficam-approved Products-->
<!--Generated sample content. The status is "implemented", but the by-component description is a filler sentence. NOTE(review): the remarks read "components in to accept", i.e. the information systems in scope were apparently meant to appear there (presumably ia-8.3_prm_1; confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value looks like a catalog placeholder label, not a selected value.-->
<set-parameter param-id="ia-8.3_prm_1">
<value>organization-defined information systems</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.3_smt-->
<statement statement-id="ia-8.3_smt" uuid="e239b05a-1240-45a1-87fb-22f615f87279">
<by-component uuid="0be98063-9b52-4386-a3f8-6a38ad33192c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs only FICAM-approved information system components in to accept third-party credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.4" uuid="c8a6702f-86bc-4d08-83e8-a595f5909e3a"><!--Use of Ficam-issued Profiles-->
<!--Sample record: marked implemented with a filler description; the remark does not name which FICAM-issued profiles the system conforms to or how conformance was checked.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.4_smt-->
<statement statement-id="ia-8.4_smt" uuid="c69d583f-37c5-4c70-9a0d-c780eabc763a">
<by-component uuid="79f2419c-df8c-46a3-b6ee-c05a2d1fde3f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system conforms to FICAM-issued profiles.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-1" uuid="a5925fa9-f744-4ae8-95fa-cf70ad5f5621"><!--Incident Response Policy and Procedures-->
<!--Sample record: all three parameters carry generic labels, so the review frequencies noted as constraints are not yet shown to be met. The remarks for ir-1_smt.a, ir-1_smt.b.1 and ir-1_smt.b.2 each have a gap where a parameter value seems to have been dropped (confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ir-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ir-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ir-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-1_smt.a, ir-1_smt.b.1, ir-1_smt.b.2-->
<statement statement-id="ir-1_smt.a" uuid="06f580c3-6969-4c88-bc69-b99f57566fcf">
<by-component uuid="e4227e93-45ef-4d6d-b443-9cfb3f6c83d6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ":" where the recipients would be named.-->
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-1_smt.b.1" uuid="af533e6b-77c1-41da-9cb1-ae00388af09b">
<by-component uuid="63a13a8b-2ba4-4fc6-82b6-3d0ec9eeb7b2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where a review frequency would be stated.-->
<remarks>
<p>Incident response policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-1_smt.b.2" uuid="e464215d-d652-4e3d-9b68-fa848b4c13c0">
<by-component uuid="7cab30db-1d60-4944-80f3-b394b08a3490"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before "." where a review frequency would be stated.-->
<remarks>
<p>Incident response procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-2" uuid="79b79367-b4bf-44e1-8e8c-32b0a25bab92"><!--Incident Response Training-->
<!--Sample record: the training time period and refresher frequency are generic labels, and the remarks for ir-2_smt.a and ir-2_smt.c have lost those values, so the training deadlines cannot be read from this entry.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--Two parameters are set below: ir-2_prm_1 and ir-2_prm_2 (the generated comment here said there were none).-->
<set-parameter param-id="ir-2_prm_1">
<value>organization-defined time period</value>
</set-parameter>
<set-parameter param-id="ir-2_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-2_smt.a, ir-2_smt.b, ir-2_smt.c-->
<statement statement-id="ir-2_smt.a" uuid="93eedc3f-521d-47f9-82fc-823fc03d29b9">
<by-component uuid="dd1deddc-8080-4e33-ba6a-673d78d80cc4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"Within of assuming": the time period is missing (presumably ir-2_prm_1; confirm against the catalog).-->
<remarks>
<p>Within of assuming an incident response role or responsibility;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-2_smt.b" uuid="35036d21-e552-4e78-9d72-4a4296f8863a">
<by-component uuid="ecfdeb25-a796-449d-85e7-7a71d55947a5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-2_smt.c" uuid="8aedea15-c7e1-44de-bec7-c333f3440594">
<by-component uuid="5132d179-6dbb-4229-ba0f-912b71597b91"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Only "thereafter." survives; the frequency that should precede it is missing (presumably ir-2_prm_2; confirm against the catalog).-->
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-4" uuid="9eb37ebb-481a-4a6f-95f0-f37270c255bd"><!--Incident Handling-->
<!--Sample record: marked implemented with filler descriptions. The remarks appear to repeat the control statements and name no team, tooling or procedure for the handling phases they list.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-4_smt.a, ir-4_smt.b, ir-4_smt.c-->
<statement statement-id="ir-4_smt.a" uuid="09355c12-c6bc-4e84-b613-1d5043ef1c86">
<by-component uuid="52917db2-fb65-403b-9e21-74f7eba45ff1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-4_smt.b" uuid="a57adc41-1556-478c-80d8-cc5695b6cf2d">
<by-component uuid="70a61675-3acb-409f-92f8-859b3b1f325e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates incident handling activities with contingency planning activities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-4_smt.c" uuid="0a746050-2574-4476-88c8-b8843c199c25">
<by-component uuid="a66536b6-69db-4d57-af5a-2a6f3e7d036f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-5" uuid="6c8c681f-5df9-486c-a3aa-580c3a58bbdb"><!--Incident Monitoring-->
<!--Sample record: marked implemented with a filler description; the remark does not identify where incidents are tracked or what is recorded about them.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-5_smt-->
<statement statement-id="ir-5_smt" uuid="0d11078f-4dcb-499c-9fdd-ba5fd93481a3">
<by-component uuid="fe04dd56-2d15-4847-a714-167fea8dd545"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization tracks and documents information system security incidents.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-6" uuid="573fb950-df96-4fc0-8fd3-0098129db5f1"><!--Incident Reporting-->
<!--Sample record: the reporting time period (ir-6_prm_1) and the authorities to notify (ir-6_prm_2) are generic labels, and both remarks have gaps where those values seem to belong. Neither the reporting deadline nor the recipient of incident reports is stated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--Two parameters are set below: ir-6_prm_1 and ir-6_prm_2 (the generated comment here said there were none).-->
<set-parameter param-id="ir-6_prm_1">
<value>organization-defined time period</value>
<!--Constraint: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)-->
</set-parameter>
<set-parameter param-id="ir-6_prm_2">
<value>organization-defined authorities</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--NOTE(review): the role-id below is a generic name; confirm a role with this id is defined in metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-6_smt.a, ir-6_smt.b-->
<statement statement-id="ir-6_smt.a" uuid="19c5db2b-8ac6-4aaa-b1d8-3c2ef88d4833">
<by-component uuid="156f79a8-6414-4e9a-bcaa-c5b95ca07a50"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"within ; and": the time period is missing (presumably ir-6_prm_1; confirm against the catalog).-->
<remarks>
<p>Requires personnel to report suspected security incidents to the organizational incident response capability within ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-6_smt.b" uuid="0d78bd42-f706-4010-82af-25e846e6a07b">
<by-component uuid="f07d5e7c-7c02-49f6-a101-427fd118df0f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"to .": the recipient is missing (presumably ir-6_prm_2; confirm against the catalog).-->
<remarks>
<p>Reports security incident information to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-7" uuid="58a84f25-6805-4d1d-975f-96627c2b5150"><!--Incident Response Assistance-->
<!--Sample record: marked implemented with a filler description; the remark does not identify the support resource or how users of the system reach it.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-7_smt-->
<statement statement-id="ir-7_smt" uuid="fe283dd2-2e07-4732-bade-5137193ac429">
<by-component uuid="cb306866-e667-479f-8086-3db60d8ea4eb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-8" uuid="27721e52-20bf-45c6-a9ce-add798a57344"><!--Incident Response Plan-->
<!--Sample record: all four parameters carry generic labels. The remarks for ir-8_smt.b, ir-8_smt.c and ir-8_smt.e have gaps where the distribution list, review frequency and change-notification list seem to have been dropped (confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ir-8_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ir-8_prm_2">
<value>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</value>
<!--Constraint: see additional FedRAMP Requirements and Guidance-->
</set-parameter>
<set-parameter param-id="ir-8_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<set-parameter param-id="ir-8_prm_4">
<value>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</value>
<!--Constraint: see additional FedRAMP Requirements and Guidance-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--NOTE(review): the role-id below is a generic name; confirm a role with this id is defined in metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-8_smt.a, ir-8_smt.b, ir-8_smt.c, ir-8_smt.d, ir-8_smt.e, ir-8_smt.f-->
<statement statement-id="ir-8_smt.a" uuid="8d71cdef-3826-4b63-822d-8220e028b4b5">
<by-component uuid="a959192b-6966-4fe6-a49f-83feda96ef57"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--The remark ends at the colon; the plan attributes it introduces are not listed in this entry.-->
<remarks>
<p>Develops an incident response plan that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.b" uuid="6ecbd91e-0b39-4411-97a0-ab437cbadb15">
<by-component uuid="6a1b550e-8bfd-471a-9ed7-063c1524f2f3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where the recipients of the plan would be named.-->
<remarks>
<p>Distributes copies of the incident response plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.c" uuid="4523959b-e12c-425b-991d-53e895299094">
<by-component uuid="72230f9a-16b2-4ed2-bde0-00803162159c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where the review frequency would be stated.-->
<remarks>
<p>Reviews the incident response plan ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.d" uuid="2b887f60-725a-4310-87b2-7f5db7fb9884">
<by-component uuid="7a697909-92d5-4a63-b317-50000a8477df"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.e" uuid="574c7f9a-5133-446f-b555-2d05d9591db5">
<by-component uuid="28797990-ac31-4a2a-9b47-001de3d80745"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where the parties to notify of plan changes would be named.-->
<remarks>
<p>Communicates incident response plan changes to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.f" uuid="bbdd8f92-132f-4ae8-97ac-81ebb5050e17">
<by-component uuid="b1f58fc5-fa44-4a3b-b95a-b09f2188a795"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the incident response plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-1" uuid="94767e4c-4179-47e8-9d7e-1142f613de80"><!--System Maintenance Policy and Procedures-->
<!--Sample record: all three parameters carry generic labels, so the review frequencies noted as constraints are not yet shown to be met. The remarks for ma-1_smt.a, ma-1_smt.b.1 and ma-1_smt.b.2 each have a gap where a parameter value seems to have been dropped (confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ma-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ma-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ma-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-1_smt.a, ma-1_smt.b.1, ma-1_smt.b.2-->
<statement statement-id="ma-1_smt.a" uuid="146a8529-02d6-4fb5-88c2-ef8c6a04a040">
<by-component uuid="ef707f32-4011-489a-ae74-97af27bec728"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ":" where the recipients would be named.-->
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-1_smt.b.1" uuid="87881551-75e2-4767-9e01-1aab396915fc">
<by-component uuid="5cb4e420-03cc-4c47-8d41-595c94021811"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where a review frequency would be stated.-->
<remarks>
<p>System maintenance policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-1_smt.b.2" uuid="f1f779ce-2e02-4bfa-a9a4-c3b9370a7186">
<by-component uuid="595ae136-6380-45c1-93a8-c2cae211ea2b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before "." where a review frequency would be stated.-->
<remarks>
<p>System maintenance procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-2" uuid="9d175c09-1931-4d86-8b4f-33c6ab5ff5a3"><!--Controlled Maintenance-->
<!--Sample record: both parameters carry generic labels. The remarks for ma-2_smt.c and ma-2_smt.f have gaps, so the approver for off-site removal and the content of maintenance records are not stated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--Two parameters are set below: ma-2_prm_1 and ma-2_prm_2 (the generated comment here said there were none).-->
<set-parameter param-id="ma-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ma-2_prm_2">
<value>organization-defined maintenance-related information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-2_smt.a, ma-2_smt.b, ma-2_smt.c, ma-2_smt.d, ma-2_smt.e, ma-2_smt.f-->
<statement statement-id="ma-2_smt.a" uuid="e58b030d-45f0-42d2-a0ac-f0c1f0c6732f">
<by-component uuid="bf8ceab0-65b7-4e49-88c9-9bbe201b502e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.b" uuid="aeed2e51-fc86-42dd-adfb-64cbfbd35279">
<by-component uuid="96e34295-f4e4-4e49-beb2-4523beb4601f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.c" uuid="c9f2036d-a92a-4660-976e-d5d83e079275">
<by-component uuid="cf2e161b-7616-4bf4-ac40-13a11f9c2a1d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"Requires that explicitly approve": the approving party is missing (presumably ma-2_prm_1; confirm against the catalog).-->
<remarks>
<p>Requires that explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.d" uuid="f6ce190a-05d5-42fc-ac24-346940ac10b9">
<by-component uuid="31303c74-ed11-4956-aed4-f6f24d415af6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.e" uuid="f2732f25-9a18-479f-8343-de1ed6faef86">
<by-component uuid="006f3ff7-30c6-4c5b-a054-0673c7b9271a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.f" uuid="f277db73-9e37-49c5-b6a2-eaf3f007f23f">
<by-component uuid="1d389494-f60f-4b45-b2e5-a7fc1ee19d38"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"Includes in organizational": the information to be recorded is missing (presumably ma-2_prm_2; confirm against the catalog).-->
<remarks>
<p>Includes in organizational maintenance records.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-4" uuid="9a506174-5fac-4a55-a442-e5e120d057ab"><!--Nonlocal Maintenance-->
<!--Status is "planned" with a planned completion date of 2021-09-22, so the five statements below describe intended controls on nonlocal maintenance, not controls shown to be in effect. The plan remark under the status prop is itself placeholder text.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="planned">
<remarks>
<p>A description of the plan to complete implementation.</p>
</remarks>
</prop>
<prop name="planned-completion-date"
ns="https://fedramp.gov/ns/oscal"
value="2021-09-22Z"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-4_smt.a, ma-4_smt.b, ma-4_smt.c, ma-4_smt.d, ma-4_smt.e-->
<statement statement-id="ma-4_smt.a" uuid="d8e431cc-8819-4874-9b57-bd4782a4eb8a">
<by-component uuid="c0119e8a-0276-4e92-aaca-3a169b3737b1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.b" uuid="400d93a8-7aa9-44cb-b61c-249774c5afa8">
<by-component uuid="9dc0e173-0a27-41d1-b933-e2d75772983b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.c" uuid="9fe63f9c-4573-4233-99d3-d0925a4593da">
<by-component uuid="6360ec2b-25b8-4d3b-9bf8-69ff9760247f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--The remark says "strong authenticators" without naming the authenticator type used for nonlocal sessions.-->
<remarks>
<p>Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.d" uuid="4b83d5e6-60c1-41fc-a079-1443bad6c2c4">
<by-component uuid="bdaf1ddd-24d0-4b21-bd9b-efac8093298c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.e" uuid="613187c2-1d9d-46ef-9a67-35f314e6e154">
<by-component uuid="00aca0bf-d7b9-4054-8716-f526d16d82fc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Terminates session and network connections when nonlocal maintenance is completed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-5" uuid="c88f63cb-0e32-425a-b168-8af5589adf2f"><!--Maintenance Personnel-->
<!--Sample record: marked implemented with filler descriptions. The remarks mention an authorization process and a list of authorized maintenance organizations or personnel but do not say where either is kept.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--NOTE(review): the role-id below is a generic name; confirm a role with this id is defined in metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-5_smt.a, ma-5_smt.b, ma-5_smt.c-->
<statement statement-id="ma-5_smt.a" uuid="cb1e082d-d342-4b68-b540-6e3768d1d454">
<by-component uuid="b7b28cf2-f5ab-46f2-bd77-cef78ae0a1bc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-5_smt.b" uuid="768dfcf7-246e-415d-bc73-ff409050d05f">
<by-component uuid="65cd34b0-1366-4373-ab26-fa9b2edf22a4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-5_smt.c" uuid="329804f2-fc29-48b2-be4d-780b6bac9dfa">
<by-component uuid="e4db94b6-7fc0-4b54-a4ab-daa755ceb3f0"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-1" uuid="457aeaa8-d012-4686-a4e2-6e02230c185c"><!--Media Protection Policy and Procedures-->
<!--Sample record: all three parameters carry generic labels, so the review frequencies noted as constraints are not yet shown to be met. The remarks for mp-1_smt.a, mp-1_smt.b.1 and mp-1_smt.b.2 each have a gap where a parameter value seems to have been dropped (confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="mp-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="mp-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="mp-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-1_smt.a, mp-1_smt.b.1, mp-1_smt.b.2-->
<statement statement-id="mp-1_smt.a" uuid="8ba14a88-8b77-4b85-82c7-7adcedf4759e">
<by-component uuid="7083b271-7298-45e7-b9a8-946a46e80d36"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ":" where the recipients would be named.-->
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-1_smt.b.1" uuid="b26d8f54-fb9c-4aab-b895-d2f09ba5dfbd">
<by-component uuid="188ecb56-1abf-45da-85c9-22a27c089759"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where a review frequency would be stated.-->
<remarks>
<p>Media protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-1_smt.b.2" uuid="2f3cb162-f9f5-4956-b2a6-84b59790a437">
<by-component uuid="c541d098-7623-4769-a439-7c10e6f15151"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before "." where a review frequency would be stated.-->
<remarks>
<p>Media protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-2" uuid="bf872fda-32ca-47b4-8fe4-7039c08e64d4"><!--Media Access-->
<!--Sample record: both parameters carry generic labels and the remark has lost both values, so neither the media types covered nor the parties allowed access are stated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--Two parameters are set below: mp-2_prm_1 and mp-2_prm_2 (the generated comment here said there were none).-->
<set-parameter param-id="mp-2_prm_1">
<value>organization-defined types of digital and/or non-digital media</value>
</set-parameter>
<set-parameter param-id="mp-2_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-2_smt-->
<statement statement-id="mp-2_smt" uuid="1e228d1c-eccd-4594-b68d-d4ffad58d9a2">
<by-component uuid="446c2095-dc9b-4259-ac92-6bbc6d43616a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"access to to .": two values are missing (presumably mp-2_prm_1 then mp-2_prm_2; confirm against the catalog).-->
<remarks>
<p>The organization restricts access to to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-6" uuid="b8742cda-6fb9-43ca-8c7c-7755eccc4bec"><!--Media Sanitization-->
<!--Sample record: both parameters carry generic labels and the remark for mp-6_smt.a has lost both values, so neither the media in scope nor the sanitization technique is stated.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--Two parameters are set below: mp-6_prm_1 and mp-6_prm_2 (the generated comment here said there were none).-->
<set-parameter param-id="mp-6_prm_1">
<value>organization-defined information system media</value>
</set-parameter>
<set-parameter param-id="mp-6_prm_2">
<value>organization-defined sanitization techniques and procedures</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-6_smt.a, mp-6_smt.b-->
<statement statement-id="mp-6_smt.a" uuid="67995331-71b4-4e91-bfca-bde80956f896">
<by-component uuid="167e2c4d-e8b0-423a-9704-87a309755bdb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"Sanitizes prior to" and "using in accordance": two values are missing (presumably mp-6_prm_1 then mp-6_prm_2; confirm against the catalog).-->
<remarks>
<p>Sanitizes prior to disposal, release out of organizational control, or release for reuse using in accordance with applicable federal and organizational standards and policies; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-6_smt.b" uuid="b260b847-ce0c-4dd9-9483-ff6c72a0e897">
<by-component uuid="96493c79-ae12-4b5a-bef1-405e0049d481"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-7" uuid="8c375075-fd56-40da-8063-c0aa0770a778"><!--Media Use-->
<!--Sample record: none of the four parameters is resolved. mp-7_prm_1 still reads "one of restricts or prohibits", so the entry does not say whether media use is restricted or prohibited, and the remark has lost all four values.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="mp-7_prm_1">
<value>one of restricts or prohibits</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_2">
<value>organization-defined types of information system media</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_3">
<value>organization-defined information systems or system components</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_4">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-7_smt-->
<statement statement-id="mp-7_smt" uuid="3190f2f5-756f-461f-bfab-bc9b14cad939">
<by-component uuid="982f38cf-be18-41db-9f6a-bf87ed697397"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--"The organization the use of on using .": the verb and three further values are missing (presumably mp-7_prm_1 through mp-7_prm_4 in order; confirm against the catalog).-->
<remarks>
<p>The organization the use of on using .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-1" uuid="3c472a4d-9c4a-45c7-86b5-a22237a981c4"><!--Physical and Environmental Protection Policy and Procedures-->
<!--Sample record: all three parameters carry generic labels, so the review frequencies noted as constraints are not yet shown to be met. The remarks for pe-1_smt.a, pe-1_smt.b.1 and pe-1_smt.b.2 each have a gap where a parameter value seems to have been dropped (confirm against the catalog).-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="pe-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pe-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="pe-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-1_smt.a, pe-1_smt.b.1, pe-1_smt.b.2-->
<statement statement-id="pe-1_smt.a" uuid="eb7335bb-4afc-47af-bd62-66a05aaff03c">
<by-component uuid="45dcb4b8-afad-459c-b49b-dbc237a50481"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ":" where the recipients would be named.-->
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-1_smt.b.1" uuid="b90ef9c3-f891-4750-9fc7-773688a83641">
<by-component uuid="f6db4c84-8616-40cf-b9c7-d7756eed2390"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before ";" where a review frequency would be stated.-->
<remarks>
<p>Physical and environmental protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-1_smt.b.2" uuid="f46d0ced-251c-415d-a358-d4a6a8b5048a">
<by-component uuid="c201197e-9379-4a84-b9e4-255464a93995"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--Gap before "." where a review frequency would be stated.-->
<remarks>
<p>Physical and environmental protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-2" uuid="59c28391-5e20-448c-9c8e-0d95fedc69e3"><!--Physical Access Authorizations-->
<!--Sample response for pe-2: an implementation status, one parameter setting, one responsible role, and four by-component statements that all reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="pe-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-2_smt.a, pe-2_smt.b, pe-2_smt.c, pe-2_smt.d-->
<!--NOTE(review): the remarks for pe-2_smt.c end in "by individuals ; and", which reads as if the parameter text (presumably the review frequency) was dropped by the generating transform.-->
<statement statement-id="pe-2_smt.a" uuid="f3838396-a53e-4e38-af82-689c07c68f7c">
<by-component uuid="9ce46b0b-8ee7-402e-99df-2a1b2020b800"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.b" uuid="1385031f-5ce3-4a70-8015-071dbc25f451">
<by-component uuid="1f0a84a9-9560-49f0-a76e-307fd2868d88"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Issues authorization credentials for facility access;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.c" uuid="df0a867c-c130-4959-b8d3-46b5ef103b30">
<by-component uuid="52527dad-e17f-4533-b4d2-36a964190356"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the access list detailing authorized facility access by individuals ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.d" uuid="88736b75-0562-4cca-8bff-4aa6a0c5c69b">
<by-component uuid="f7bc641e-967f-420e-bce0-4e69e8b837ef"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Removes individuals from the facility access list when access is no longer required.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-3" uuid="ca86823c-3cb4-4981-95b3-95173437d2a0"><!--Physical Access Control-->
<!--Sample response for pe-3: an implementation status, nine parameter settings, one responsible role, and seven by-component statements that all reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 9 control parameters. NOTE(review): most values repeat what looks like the catalog placeholder label rather than an organization-chosen value; where a Constraint comment follows a value, a real entry would presumably have to satisfy it.-->
<set-parameter param-id="pe-3_prm_1">
<value>organization-defined entry/exit points to the facility where the information system resides</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_2">
<value>it's complicated by parameter inserts</value>
<!--NOTE(review): the value above reads as a generator note, not a parameter value; the constraint below names the expected content.-->
<!--Constraint: CSP defined physical access control systems/devices AND guards-->
</set-parameter>
<set-parameter param-id="pe-3_prm_3">
<value>organization-defined physical access control systems/devices</value>
<!--Constraint: CSP defined physical access control systems/devices-->
</set-parameter>
<set-parameter param-id="pe-3_prm_4">
<value>organization-defined entry/exit points</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_5">
<value>organization-defined security safeguards</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_6">
<value>organization-defined circumstances requiring visitor escorts and monitoring</value>
<!--Constraint: in all circumstances within restricted access area where the information system resides-->
</set-parameter>
<set-parameter param-id="pe-3_prm_7">
<value>organization-defined physical access devices</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_8">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<set-parameter param-id="pe-3_prm_9">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-3_smt.a, pe-3_smt.b, pe-3_smt.c, pe-3_smt.d, pe-3_smt.e, pe-3_smt.f, pe-3_smt.g-->
<!--NOTE(review): the remarks for every statement except pe-3_smt.e read as control prose with the parameter text dropped (for example "authorizations at by;" and "Inventories every ; and"); presumably the generating transform did not resolve the parameter insertions. Confirm before reusing this text.-->
<statement statement-id="pe-3_smt.a" uuid="6061455b-4826-489a-84ff-0b2b747e37d2">
<by-component uuid="6b6e00e0-ee8b-4e07-abab-32a405a81367"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces physical access authorizations at by;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.b" uuid="1c9945d4-d152-4463-a934-fe5e8671ce8d">
<by-component uuid="7e8cdb97-72bf-45d4-b884-0e7ff005562e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains physical access audit logs for ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.c" uuid="9fd82b08-e2dc-450c-b090-4adce0bbaa90">
<by-component uuid="4113c95c-7158-4936-9aad-b410b372c296"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides to control access to areas within the facility officially designated as publicly accessible;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.d" uuid="7d501834-b82b-4383-ab96-6cfcff2e1ded">
<by-component uuid="a19ba26c-751c-4126-82cf-a5ef9236cb3f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Escorts visitors and monitors visitor activity ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.e" uuid="03bae739-5c6b-4037-bf1c-1570294a9f57">
<by-component uuid="e62f11fa-7168-4bfd-9e22-cba1bfa95596"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Secures keys, combinations, and other physical access devices;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.f" uuid="5dc5a94a-b6c0-48b6-8e82-5a447b40deea">
<by-component uuid="ace60302-cc89-4afd-b055-8004c9118fc3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Inventories every ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.g" uuid="7cae024b-c3bf-4aa2-a779-3293db39fc5d">
<by-component uuid="4a7f93db-5adf-433e-99f1-3897c70a2b20"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changes combinations and keys and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-6" uuid="ade8ba8e-f4a0-4f51-96fa-4d9c163a0fc6"><!--Monitoring Physical Access-->
<!--Sample response for pe-6: an implementation status, two parameter settings, one responsible role, and three by-component statements that all reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters set below: pe-6_prm_1 and pe-6_prm_2. NOTE(review): each value repeats what looks like the catalog placeholder label; where a Constraint comment follows a value, a real entry would presumably have to satisfy it.-->
<set-parameter param-id="pe-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly-->
</set-parameter>
<set-parameter param-id="pe-6_prm_2">
<value>organization-defined events or potential indications of events</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-6_smt.a, pe-6_smt.b, pe-6_smt.c-->
<!--NOTE(review): the remarks for pe-6_smt.b ("logs and upon occurrence of ; and") read as control prose with the parameter text dropped; presumably the generating transform did not resolve the parameter insertions.-->
<statement statement-id="pe-6_smt.a" uuid="ed02471d-5b8a-44ac-b294-69adaa4b6f2f">
<by-component uuid="7182144a-1de1-4212-838f-6f81ad9f1003"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-6_smt.b" uuid="fa3ba3d8-f6f1-47c0-927b-21acfd660d31">
<by-component uuid="83544812-fd50-425d-93c0-75d620cda8fc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews physical access logs and upon occurrence of ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-6_smt.c" uuid="95b622bc-4ba4-42b8-bb09-3865f139bf9f">
<by-component uuid="8c6ff2e4-9c01-46ba-8882-8ce55cc0bb53"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates results of reviews and investigations with the organizational incident response capability.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-8" uuid="b1c366d7-f838-443c-bc7a-0363f271e6a9"><!--Visitor Access Records-->
<!--Sample response for pe-8: an implementation status of "alternative", two parameter settings, one responsible role, and two by-component statements that reference the same component-uuid. NOTE(review): the remarks on the status prop and every description are filler text, so this sample does not actually describe the alternative control it claims.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are 2 control parameters set below: pe-8_prm_1 and pe-8_prm_2. NOTE(review): each value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="pe-8_prm_1">
<value>organization-defined time period</value>
<!--Constraint: for a minimum of one (1) year-->
</set-parameter>
<set-parameter param-id="pe-8_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-8_smt.a, pe-8_smt.b-->
<!--NOTE(review): the remarks in both statements read as control prose with the parameter text dropped ("resides for ; and", "records ."); presumably the generating transform did not resolve the parameter insertions.-->
<statement statement-id="pe-8_smt.a" uuid="8022d925-ae3f-4d09-9a8e-a90252b7309d">
<by-component uuid="cbf3a754-49f0-49c1-94ef-4f79a2e9f15c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains visitor access records to the facility where the information system resides for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-8_smt.b" uuid="81dbde03-949b-4d5d-865b-6409f41736cc">
<by-component uuid="058b9990-1a9d-4f32-9c14-fd55dc8d7ca4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews visitor access records .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-12" uuid="a65bc485-19d1-4ce0-bf23-3fac0f55ca9f"><!--Emergency Lighting-->
<!--Sample response for pe-12: an implementation status, no parameter settings, one responsible role, and a single by-component statement. NOTE(review): the description is filler text (presumably sized to pass a minimum-length check) and the remarks repeat the control wording, so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-12_smt-->
<statement statement-id="pe-12_smt" uuid="3500db93-af1c-4f24-80ed-5262c4de4e0f">
<by-component uuid="3527c656-3878-4be3-8407-0fdd25f07b6d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-13" uuid="b445711f-8077-4376-8a38-f9ac22c5649a"><!--Fire Protection-->
<!--Sample response for pe-13: an implementation status, no parameter settings, one responsible role, and a single by-component statement. NOTE(review): the description is filler text (presumably sized to pass a minimum-length check) and the remarks repeat the control wording, so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-13_smt-->
<statement statement-id="pe-13_smt" uuid="772999eb-5b25-48cc-ab49-6361961b292a">
<by-component uuid="a2997344-504c-4662-85b7-7000dba49692"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-14" uuid="58c84ad7-99f3-4831-b6cd-ab0399f592f6"><!--Temperature and Humidity Controls-->
<!--Sample response for pe-14: an implementation status, two parameter settings, one responsible role, and two by-component statements that reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters set below: pe-14_prm_1 and pe-14_prm_2. NOTE(review): each value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="pe-14_prm_1">
<value>organization-defined acceptable levels</value>
<!--Constraint: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments-->
</set-parameter>
<set-parameter param-id="pe-14_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: continuously-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-14_smt.a, pe-14_smt.b-->
<!--NOTE(review): the remarks in both statements read as control prose with the parameter text dropped ("resides at ; and", "levels ."); presumably the generating transform did not resolve the parameter insertions.-->
<statement statement-id="pe-14_smt.a" uuid="306ea489-657b-4ef8-9b1d-adda987505db">
<by-component uuid="6871d6df-b6b3-4085-bb8b-0066f3445bf8"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains temperature and humidity levels within the facility where the information system resides at ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-14_smt.b" uuid="c63708f0-68f1-49fe-8eef-0b1248ac8ff1">
<by-component uuid="c445c0b1-767e-49d3-8774-ffb1ea3adb60"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors temperature and humidity levels .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-15" uuid="d30bb597-87d0-4075-ad1e-3c30d7a06d19"><!--Water Damage Protection-->
<!--Sample response for pe-15: an implementation status, no parameter settings, one responsible role, and a single by-component statement. NOTE(review): the description is filler text (presumably sized to pass a minimum-length check) and the remarks repeat the control wording, so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-15_smt-->
<statement statement-id="pe-15_smt" uuid="2cf0e9c1-e56f-442a-9c63-96f36a41a29d">
<by-component uuid="c84d4f82-2d7b-4c09-9925-ee89ed7d4da1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-16" uuid="2bf95048-9176-455e-b0c7-08c8a4edb7ac"><!--Delivery and Removal-->
<!--Sample response for pe-16: an implementation status, one parameter setting, one responsible role, and a single by-component statement. NOTE(review): the description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="pe-16_prm_1">
<value>organization-defined types of information system components</value>
<!--Constraint: all information system components-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-16_smt-->
<!--NOTE(review): in the remarks, "controls entering and exiting the facility" has no object, which suggests the parameter text (presumably pe-16_prm_1) was dropped by the generating transform.-->
<statement statement-id="pe-16_smt" uuid="eb2e0e2e-df32-401c-bf70-656b81c996ea">
<by-component uuid="70d1f8f3-d602-4923-9240-ccddf0ff5627"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-1" uuid="37e3a450-918b-4cf1-bf7b-5070a46ae16e"><!--Security Planning Policy and Procedures-->
<!--Sample response for pl-1: an implementation status, three parameter settings, one responsible role, and one by-component statement per required response point, all tied to the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value repeats what looks like the catalog placeholder label rather than an organization-chosen value; where a Constraint comment follows a value, a real entry would presumably have to satisfy it.-->
<set-parameter param-id="pl-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pl-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="pl-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-1_smt.a, pl-1_smt.b.1, pl-1_smt.b.2-->
<!--NOTE(review): the remarks in all three statements read as control prose with the parameter text dropped (for example "disseminates to :" and "policy ; and"); presumably the generating transform did not resolve the parameter insertions. Confirm before reusing this text.-->
<statement statement-id="pl-1_smt.a" uuid="a3061f3c-9f96-43eb-990f-c6fe46222c33">
<by-component uuid="d810bed5-727c-4c07-be47-9456569ccadb"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-1_smt.b.1" uuid="077ff174-df46-4d4b-aa54-7c5f6af24ad1">
<by-component uuid="30d02266-03ec-437f-8896-e58b2d2e32dc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security planning policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-1_smt.b.2" uuid="c9650b41-9ca1-4d46-883c-29c11bfb8570">
<by-component uuid="f566e9b9-60ed-4e24-a4ec-2e4a7b94190e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security planning procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-2" uuid="cf5fb4e3-72c0-421c-8df6-67272b9497a8"><!--System Security Plan-->
<!--Sample response for pl-2: an implementation status, two parameter settings, one responsible role, and five by-component statements that all reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters set below: pl-2_prm_1 and pl-2_prm_2. NOTE(review): each value repeats what looks like the catalog placeholder label; where a Constraint comment follows a value, a real entry would presumably have to satisfy it.-->
<set-parameter param-id="pl-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pl-2_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-2_smt.a, pl-2_smt.b, pl-2_smt.c, pl-2_smt.d, pl-2_smt.e-->
<!--NOTE(review): the remarks for pl-2_smt.b ("changes to the plan to ;") and pl-2_smt.c ("information system ;") read as control prose with the parameter text dropped; presumably the generating transform did not resolve the parameter insertions. The remarks for pl-2_smt.a end in a lead-in colon with no items following it in this statement.-->
<statement statement-id="pl-2_smt.a" uuid="b5050e4b-a83e-43b4-ac7c-c9727d92194e">
<by-component uuid="a196c83d-fa43-430a-9035-b961fde231e2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a security plan for the information system that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.b" uuid="2024489a-0d1e-4728-a87f-130836fcf77f">
<by-component uuid="b224c0c7-104b-4675-b75f-bec04d0b839b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes copies of the security plan and communicates subsequent changes to the plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.c" uuid="0628d6d3-ffee-413a-92e9-3c63241ef634">
<by-component uuid="fe311ce2-d788-442c-9be8-c3d2ba966d10"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the security plan for the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.d" uuid="2b0c57f2-782f-40ef-ab0c-19318d35265a">
<by-component uuid="40956e54-9a1f-456b-98fb-d1f577344243"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.e" uuid="18f68837-46dd-4398-868c-b85c1747cb12">
<by-component uuid="4456e327-61d0-43e8-ba9e-ce7d897f7769"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the security plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-4" uuid="6bd09e5e-4a25-4241-826d-95fed4ada979"><!--Rules of Behavior-->
<!--Sample response for pl-4: an implementation status, one parameter setting, one responsible role, and four by-component statements that all reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="pl-4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: At least every 3 years-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-4_smt.a, pl-4_smt.b, pl-4_smt.c, pl-4_smt.d-->
<!--NOTE(review): the remarks for pl-4_smt.c end in "rules of behavior ; and", which reads as if the parameter text (presumably the review frequency) was dropped by the generating transform.-->
<statement statement-id="pl-4_smt.a" uuid="df1669e8-3045-4ffd-902c-424a1ef1114b">
<by-component uuid="4f7599bc-8ce2-4689-bc28-84520f3b79f1"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.b" uuid="42082288-8b2b-417d-b245-f773414b5574">
<by-component uuid="5bd4b05a-d97e-4d07-bb14-f1a2520e4d8f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.c" uuid="3dbe60a5-ce93-44ac-b98e-8685fc6d547c">
<by-component uuid="558eea8c-c3be-456a-9d17-4d2a8ee07174"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the rules of behavior ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.d" uuid="bae189a5-5c14-4c92-9869-fd07c5de4d1e">
<by-component uuid="131b10da-1d6c-4f1b-a5be-7fb040423690"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-1" uuid="5ebc5501-21af-4ba6-8012-1b2aecf4a215"><!--Personnel Security Policy and Procedures-->
<!--Sample response for ps-1: an implementation status, three parameter settings, one responsible role, and one by-component statement per required response point, all tied to the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters. NOTE(review): each value repeats what looks like the catalog placeholder label rather than an organization-chosen value; where a Constraint comment follows a value, a real entry would presumably have to satisfy it.-->
<set-parameter param-id="ps-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ps-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-1_smt.a, ps-1_smt.b.1, ps-1_smt.b.2-->
<!--NOTE(review): the remarks in all three statements read as control prose with the parameter text dropped (for example "disseminates to :" and "policy ; and"); presumably the generating transform did not resolve the parameter insertions. Confirm before reusing this text.-->
<statement statement-id="ps-1_smt.a" uuid="a6df5d6c-7ffb-4cd3-b102-1ef0798529c7">
<by-component uuid="cea16812-812b-4aba-bc06-55e34b3677e8"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-1_smt.b.1" uuid="0ccc170a-28cd-4b3b-81dd-ca8e60e9f0d2">
<by-component uuid="4eb7874e-5f33-4e17-b694-8b54471a30d6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Personnel security policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-1_smt.b.2" uuid="86e83410-edf4-4499-a832-e621d5cd2316">
<by-component uuid="b11769a2-8d85-4c9e-a914-c52e0dd62944"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Personnel security procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-2" uuid="9694c884-4e8a-4035-835d-dffc846dea39"><!--Position Risk Designation-->
<!--Sample response for ps-2: an implementation status of "alternative", one parameter setting, one responsible role, and three by-component statements that reference the same component-uuid. NOTE(review): the remarks on the status prop and every description are filler text, so this sample does not actually describe the alternative control it claims.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There is 1 control parameter. NOTE(review): the value repeats what looks like the catalog placeholder label; a real entry would presumably have to satisfy the Constraint comment that follows it.-->
<set-parameter param-id="ps-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least every three years-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-2_smt.a, ps-2_smt.b, ps-2_smt.c-->
<!--NOTE(review): the remarks for ps-2_smt.c end in "designations .", which reads as if the parameter text (presumably the review frequency) was dropped by the generating transform.-->
<statement statement-id="ps-2_smt.a" uuid="374fb7a7-2e6f-4e21-bd7a-0cb8396c2e7e">
<by-component uuid="4a31ca25-daaa-48a0-959d-46fb460c0814"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns a risk designation to all organizational positions;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-2_smt.b" uuid="e6dc6e7d-9274-4610-804c-86e95ba56316">
<by-component uuid="474644ed-ef02-473f-9ad3-057f6b16dd54"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes screening criteria for individuals filling those positions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-2_smt.c" uuid="a2ee6f94-3bdd-4566-aac6-9ed4f6cc1b10">
<by-component uuid="c722599a-cae4-4cba-9854-c9c9b5d78b7c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates position risk designations .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-3" uuid="c8c643bd-5af6-49bc-99e5-c664321b060c"><!--Personnel Screening-->
<!--Sample response for ps-3: an implementation status, one parameter setting, one responsible role, and two by-component statements that reference the same component-uuid. NOTE(review): every description is filler text (presumably sized to pass a minimum-length check), so the "implemented" status is not backed by an implementation narrative in this sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter. NOTE(review): the value repeats what looks like the catalog placeholder label; a real entry would presumably have to state rescreening conditions and frequencies that satisfy the Constraint comment that follows it.-->
<set-parameter param-id="ps-3_prm_1">
<value>organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening</value>
<!--Constraint: For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36. NOTE(review): the role-id below looks like a generated placeholder; confirm it matches a role declared in the metadata.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-3_smt.a, ps-3_smt.b-->
<!--NOTE(review): the remarks for ps-3_smt.b end in "according to .", which reads as if the parameter text (presumably ps-3_prm_1) was dropped by the generating transform.-->
<statement statement-id="ps-3_smt.a" uuid="75f48448-34b7-4219-9480-1157fcd88111">
<by-component uuid="60ae10bc-e988-4b40-b773-51d2a18ead73"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Screens individuals prior to authorizing access to the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-3_smt.b" uuid="95bdf5cf-ddcd-44a6-95ac-650a83726ba0">
<by-component uuid="437b5a8b-8863-49da-a057-2e82f3c71554"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Rescreens individuals according to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-4" uuid="5c9c76f4-7458-4e4d-8fd2-b36ea749cc55"><!--Personnel Termination-->
<!--Sample response for PS-4: an implementation-status prop, 4 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 6 required response points.-->
<!--NOTE(review): the status is "implemented", yet every parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. The one FedRAMP constraint shown is recorded only as a comment, which XML consumers may discard, so the value text itself has to state a setting that meets it. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ps-4_prm_1">
<value>organization-defined time period</value>
<!--Constraint: same day-->
</set-parameter>
<set-parameter param-id="ps-4_prm_2">
<value>organization-defined information security topics</value>
</set-parameter>
<set-parameter param-id="ps-4_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-4_prm_4">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-4_smt.a, ps-4_smt.b, ps-4_smt.c, ps-4_smt.d, ps-4_smt.e, ps-4_smt.f-->
<!--NOTE(review): the remarks for ps-4_smt.a ("within ;"), ps-4_smt.c ("discussion of ;") and ps-4_smt.f ("Notifies within .") have gaps where a parameter value seems to have been dropped, presumably by the generating transform. Confirm which ps-4 parameters belong there. All six by-component entries reference the same component-uuid.-->
<statement statement-id="ps-4_smt.a" uuid="de70044d-be53-4cf6-8327-566d79e2b06c">
<by-component uuid="770b79eb-a7af-4c13-af3c-a542dae7a775"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disables information system access within ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.b" uuid="dc699fdb-05fc-4c7d-b6df-04ff5703d041">
<by-component uuid="90f8881b-1ac5-4863-9888-87b42bd5d863"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Terminates/revokes any authenticators/credentials associated with the individual;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.c" uuid="7da9add1-9f2d-4d5f-a753-19e69c35f58d">
<by-component uuid="41240318-d1f3-4756-9cd1-a0ff1ae67e4b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts exit interviews that include a discussion of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.d" uuid="a4c4c6bb-0f48-4f0b-bf5d-eba276f1ecaf">
<by-component uuid="440d87d4-fbe7-4d3b-95ce-63957df0b53b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retrieves all security-related organizational information system-related property;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.e" uuid="1c6ccbb2-4856-47bc-9047-7765dc048e7f">
<by-component uuid="f78c72ba-1d05-43c0-b49d-67fb338b1b5c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains access to organizational information and information systems formerly controlled by terminated individual; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.f" uuid="4183ae79-eebf-4ded-99a5-7dbda72742bf">
<by-component uuid="dad2e14f-35ee-4067-851d-3013275c89f3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-5" uuid="23a53faa-a24f-4707-930e-1ca176bad6e3"><!--Personnel Transfer-->
<!--Sample response for PS-5: an implementation-status prop, 4 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 4 required response points.-->
<!--NOTE(review): the status is "implemented", yet every parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. The constraint on ps-5_prm_4 is recorded only as a comment, which XML consumers may discard, so the value text itself has to state a period that meets it. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ps-5_prm_1">
<value>organization-defined transfer or reassignment actions</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_2">
<value>organization-defined time period following the formal transfer action</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_4">
<value>organization-defined time period</value>
<!--Constraint: five days of the time period following the formal transfer action (DoD 24 hours)-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-5_smt.a, ps-5_smt.b, ps-5_smt.c, ps-5_smt.d-->
<!--NOTE(review): the remarks for ps-5_smt.b ("Initiates within ;") and ps-5_smt.d ("Notifies within .") have gaps where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ps-5 parameters belong there. All four by-component entries reference the same component-uuid.-->
<statement statement-id="ps-5_smt.a" uuid="18912d90-197b-4a57-a031-d858e29cb07a">
<by-component uuid="846a0e99-66b2-4f3e-b76b-04c2f43a0de9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.b" uuid="cc1180ce-ae59-4d9d-a9c8-a5e054470f82">
<by-component uuid="46db14d7-4d60-4a06-b4b7-5a53ee7d9800"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Initiates within ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.c" uuid="bbd6b278-b99c-4b4d-92d3-895f9f0eef8d">
<by-component uuid="f4cdb095-32f2-4f4d-ad95-df43dad2bed0"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.d" uuid="fe2b37ca-70e6-49de-967e-dbbb71be3326">
<by-component uuid="0c2976a5-3a03-46ea-945d-1d4353d2de97"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-6" uuid="fb7c660e-5060-4843-a6b2-cf2cc0ac558c"><!--Access Agreements-->
<!--Sample response for PS-6: an implementation-status prop, 2 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 3 required response points.-->
<!--NOTE(review): the status is "implemented", yet both parameter values are still the generic "organization-defined frequency" label and every description is the same filler sentence. The "at least annually" constraints are recorded only as comments, which XML consumers may discard, so the value text itself has to state a frequency that meets them. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters-->
<set-parameter param-id="ps-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<set-parameter param-id="ps-6_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-6_smt.a, ps-6_smt.b, ps-6_smt.c-->
<!--NOTE(review): the remarks for ps-6_smt.b ("the access agreements ; and") have a gap where a parameter value seems to have been dropped, presumably by the generating transform. The remarks for ps-6_smt.c end with a colon, but no sub-items follow in this requirement. All three by-component entries reference the same component-uuid.-->
<statement statement-id="ps-6_smt.a" uuid="327eeb1a-650d-4c04-a9e8-ecfe76f171af">
<by-component uuid="445eb625-5d87-4680-91b7-51dbe9e6359d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops and documents access agreements for organizational information systems;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-6_smt.b" uuid="32488d8d-7a10-461b-929d-1c05a405432e">
<by-component uuid="f60364c8-0c9d-4231-b999-ae501e507f77"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the access agreements ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-6_smt.c" uuid="e543647e-7375-4ab4-99a9-b0cff80d775e">
<by-component uuid="f4bbfb00-ef32-4b7b-8f4e-4a7a336a5960"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that individuals requiring access to organizational information and information systems:</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-7" uuid="a519a15e-211e-4e7b-a0bd-11f92cbf82fa"><!--Third-party Personnel Security-->
<!--Sample response for PS-7: an implementation-status prop, 2 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 5 required response points.-->
<!--NOTE(review): the status is "implemented", yet both parameter values are still generic "organization-defined ..." labels and every description is the same filler sentence. The constraint on ps-7_prm_2 is recorded only as a comment, which XML consumers may discard, so the value text itself has to state a period that meets it. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters-->
<set-parameter param-id="ps-7_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-7_prm_2">
<value>organization-defined time period</value>
<!--Constraint: organization-defined time period - same day-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-7_smt.a, ps-7_smt.b, ps-7_smt.c, ps-7_smt.d, ps-7_smt.e-->
<!--NOTE(review): the remarks for ps-7_smt.d have two gaps ("to notify of any ..." and "privileges within ; and") where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ps-7 parameters belong there. All five by-component entries reference the same component-uuid.-->
<statement statement-id="ps-7_smt.a" uuid="a6752f8d-359e-4c98-b2d6-e0f2c125b57d">
<by-component uuid="98808eee-9ac2-4afa-b654-bbb43ecec919"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes personnel security requirements including security roles and responsibilities for third-party providers;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.b" uuid="b575f52f-cc60-4b04-9319-75ebb4b5331f">
<by-component uuid="31d455fe-8a44-4f59-8749-bd37a23d7b0e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires third-party providers to comply with personnel security policies and procedures established by the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.c" uuid="79a8fc08-a938-4ec9-b8c6-38ced1c1b8de">
<by-component uuid="d04b7063-ec8d-4295-8982-cc1a3fa0ca23"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents personnel security requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.d" uuid="6e14d171-7554-447e-818f-2f5ab4332c46">
<by-component uuid="fe54302f-d175-4b3c-a318-1975750bf610"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires third-party providers to notify of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.e" uuid="a5f6a3c8-df2f-4d70-916c-d776233cbb34">
<by-component uuid="09df41aa-e29a-4b55-abe8-cd0f5d46d204"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors provider compliance.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-8" uuid="5e0a543b-b990-4d70-a363-3d5112925fc3"><!--Personnel Sanctions-->
<!--Sample response for PS-8: an implementation-status prop, 2 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 2 required response points.-->
<!--NOTE(review): the status is "implemented", yet both parameter values are still generic "organization-defined ..." labels and both descriptions are the same filler sentence. Replace this content with system-specific values before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters-->
<set-parameter param-id="ps-8_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-8_prm_2">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-8_smt.a, ps-8_smt.b-->
<!--NOTE(review): the remarks for ps-8_smt.b ("Notifies within when ...") have gaps where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ps-8 parameters belong there. Both by-component entries reference the same component-uuid.-->
<statement statement-id="ps-8_smt.a" uuid="27cd05d5-bbec-4282-b208-72138645a076">
<by-component uuid="ade7d633-d813-4219-a474-5fb1e662534c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-8_smt.b" uuid="36b81d57-8f90-46ed-bbb4-efad6dcf2996">
<by-component uuid="7caccccb-4a4e-4d1b-9d57-c9ca7fa889cf"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-1" uuid="f2c62219-38cb-4178-be05-58416497b220"><!--Risk Assessment Policy and Procedures-->
<!--Sample response for RA-1: an implementation-status prop, 3 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 3 required response points.-->
<!--NOTE(review): the status is "implemented", yet every parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. The review-frequency constraints are recorded only as comments, which XML consumers may discard, so the value text itself has to state frequencies that meet them. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ra-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ra-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="ra-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-1_smt.a, ra-1_smt.b.1, ra-1_smt.b.2-->
<!--NOTE(review): all three remarks have gaps ("disseminates to :", "policy ; and", "procedures .") where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ra-1 parameters belong there. All three by-component entries reference the same component-uuid.-->
<statement statement-id="ra-1_smt.a" uuid="3c18db4f-f5eb-4815-992e-c83ef292c940">
<by-component uuid="9a0de131-cdb1-47a6-aec6-8552d0c6e764"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-1_smt.b.1" uuid="1edd6204-ca90-4f67-86d2-d4bcc0b2db10">
<by-component uuid="e933bdfc-5ce0-4ef1-b555-c50fd3687759"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Risk assessment policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-1_smt.b.2" uuid="f68a5077-1c66-4e88-be08-4eea9fa50810">
<by-component uuid="4151bd76-97f3-4abc-bfda-8d743619a916"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Risk assessment procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-2" uuid="5a66a87a-049b-4d8f-af16-217080b4d7e4"><!--Security Categorization-->
<!--Sample response for RA-2: an implementation-status prop, no set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 3 required response points.-->
<!--NOTE(review): the status is "implemented", yet every description is the same filler sentence, and the remarks read like control statement text rather than notes about this system (presumably copied in by the generating transform; confirm). Replace both with system-specific content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-2_smt.a, ra-2_smt.b, ra-2_smt.c-->
<!--All three by-component entries reference the same component-uuid.-->
<statement statement-id="ra-2_smt.a" uuid="cdec5590-1949-476e-826d-ece9dc2e024f">
<by-component uuid="871f8093-68b0-42d7-bdb1-9481e016c43e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-2_smt.b" uuid="516f3d02-86cf-4152-98d6-80ed7df7e169">
<by-component uuid="816a465e-ebdb-4efa-a491-fae8469e8634"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents the security categorization results (including supporting rationale) in the security plan for the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-2_smt.c" uuid="fff566c5-a3ac-4433-9420-bd8d27088c80">
<by-component uuid="d87fbbbb-4b82-4eaa-9c4d-58ad93324813"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-3" uuid="3fa90c5c-9b9a-4c83-b13c-fc7227695c95"><!--Risk Assessment-->
<!--Sample response for RA-3: an implementation-status prop with value "partial" and a remarks child, 5 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 5 required response points.-->
<!--NOTE(review): the remarks under the "partial" status are template wording, not an account of which portion of the control is unsatisfied. A reader cannot tell the residual gap from this. Replace with the actual unsatisfied portion before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="partial">
<remarks>
<p>A description the portion of the control that is not satisfied.</p>
</remarks>
</prop>
<!--There are 5 control parameters-->
<!--NOTE(review): the ra-3_prm_1 value looks like a generator placeholder rather than a parameter setting. The other four values are generic "organization-defined ..." labels. The constraints are recorded only as comments, which XML consumers may discard, so the value text itself has to state settings that meet them.-->
<set-parameter param-id="ra-3_prm_1">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="ra-3_prm_2">
<value>organization-defined document</value>
<!--Constraint: security assessment report-->
</set-parameter>
<set-parameter param-id="ra-3_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least every three (3) years or when a significant change occurs-->
</set-parameter>
<set-parameter param-id="ra-3_prm_4">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ra-3_prm_5">
<value>organization-defined frequency</value>
<!--Constraint: at least every three (3) years or when a significant change occurs-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-3_smt.a, ra-3_smt.b, ra-3_smt.c, ra-3_smt.d, ra-3_smt.e-->
<!--NOTE(review): the remarks for ra-3_smt.b ("results in ;"), ra-3_smt.c ("results ;"), ra-3_smt.d ("results to ; and") and ra-3_smt.e ("risk assessment or whenever") have gaps where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ra-3 parameters belong there. Every description is the same filler sentence, and all five by-component entries reference the same component-uuid.-->
<statement statement-id="ra-3_smt.a" uuid="98a5d225-7884-43df-8b11-07f5ba173ee8">
<by-component uuid="6138ad7f-3a35-419f-9b42-4b6323d2c83c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.b" uuid="34132768-5fd1-4328-9243-7fbdd6eb210b">
<by-component uuid="1630f99b-6c93-4c61-a8b5-c3f9369627cc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents risk assessment results in ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.c" uuid="eff2274d-bb81-4cd7-9eb2-597277917208">
<by-component uuid="688235dd-2e30-4a5e-8292-3c3ca41238fd"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews risk assessment results ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.d" uuid="fce529a6-6a7f-4360-9c0a-6ee08bf999b3">
<by-component uuid="8b0b2b38-3fdb-4a50-b48e-a0ff3b715536"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disseminates risk assessment results to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.e" uuid="b8736aad-ac99-4741-b669-459bf76a3bf3">
<by-component uuid="e22d827a-6955-4559-9125-dff9854c83e2"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the risk assessment or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5" uuid="86d6ef8f-3dff-4686-a85e-5c54891693c3"><!--Vulnerability Scanning-->
<!--Sample response for RA-5: an implementation-status prop, 3 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 5 required response points.-->
<!--NOTE(review): the status is "implemented", yet every parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. The scan-frequency and remediation-time constraints are recorded only as comments, which XML consumers may discard, so the value text itself has to state the frequencies and response times that meet them. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ra-5_prm_1">
<value>organization-defined frequency and/or randomly in accordance with organization-defined process</value>
<!--Constraint: monthly operating system/infrastructure; monthly web applications and databases-->
</set-parameter>
<set-parameter param-id="ra-5_prm_2">
<value>organization-defined response times</value>
<!--Constraint: high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.-->
</set-parameter>
<set-parameter param-id="ra-5_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5_smt.a, ra-5_smt.b, ra-5_smt.c, ra-5_smt.d, ra-5_smt.e-->
<!--NOTE(review): the remarks for ra-5_smt.a ("hosted applications and when") and ra-5_smt.e ("assessments with to help") have gaps where parameter values seem to have been dropped, presumably by the generating transform. Confirm which ra-5 parameters belong there. The remarks for ra-5_smt.b end with a colon, but no sub-items follow in this requirement. All five by-component entries reference the same component-uuid.-->
<statement statement-id="ra-5_smt.a" uuid="65e4e4ba-c531-48e7-82b4-5740fa9194c1">
<by-component uuid="0ab4d185-2acf-43ad-9d02-bd9c793cb94a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.b" uuid="92a3c77e-0681-4de4-8674-fabac8c6fb25">
<by-component uuid="744f9e2b-9746-4d50-8042-b2b86ec1b155"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.c" uuid="357153dc-d391-426f-9816-c9cd9f3b78aa">
<by-component uuid="4b0f7f2c-37cb-4175-9d49-6753edcdaedc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Analyzes vulnerability scan reports and results from security control assessments;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.d" uuid="a7dda79a-93b9-4d85-90b0-adf922494abd">
<by-component uuid="2c91250e-59ee-4421-adf1-38d83bb15747"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.e" uuid="953d8792-abde-4531-a6ef-34d585ebb836">
<by-component uuid="87432a3f-afad-4252-b040-2f9e22782895"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Shares information obtained from the vulnerability scanning process and security control assessments with to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-1" uuid="5a248c31-15de-4115-bd0f-01b2d7681fb1"><!--System and Services Acquisition Policy and Procedures-->
<!--Sample response for SA-1: an implementation-status prop, 3 set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 3 required response points.-->
<!--NOTE(review): the status is "implemented", yet every parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. The review-frequency constraints are recorded only as comments, which XML consumers may discard, so the value text itself has to state frequencies that meet them. Replace this content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sa-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="sa-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
</set-parameter>
<set-parameter param-id="sa-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-1_smt.a, sa-1_smt.b.1, sa-1_smt.b.2-->
<!--NOTE(review): all three remarks have gaps ("disseminates to :", "policy ; and", "procedures .") where parameter values seem to have been dropped, presumably by the generating transform. Confirm which sa-1 parameters belong there. All three by-component entries reference the same component-uuid.-->
<statement statement-id="sa-1_smt.a" uuid="9644503b-e33e-40c6-9b24-9e8f1fd19f96">
<by-component uuid="0acdc1b6-6631-4788-b4c3-197b767878f3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-1_smt.b.1" uuid="35721c55-04a8-4f48-b930-6dab945cccd1">
<by-component uuid="5b3559cb-3465-4db5-a7ee-0b8882c21606"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and services acquisition policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-1_smt.b.2" uuid="66593378-54e8-400d-ae08-089968f4053d">
<by-component uuid="1e4588b5-dec1-4f9f-aa9a-4d6cb89480cc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and services acquisition procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-2" uuid="93445b45-fe14-4ea4-9a66-c6d1bacadf07"><!--Allocation of Resources-->
<!--Sample response for SA-2: an implementation-status prop, no set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 3 required response points.-->
<!--NOTE(review): the status is "implemented", yet every description is the same filler sentence, and the remarks read like control statement text rather than notes about this system (presumably copied in by the generating transform; confirm). Replace both with system-specific content before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-2_smt.a, sa-2_smt.b, sa-2_smt.c-->
<!--All three by-component entries reference the same component-uuid.-->
<statement statement-id="sa-2_smt.a" uuid="8e897f25-98d4-459a-8b42-fce887b7a073">
<by-component uuid="d37df455-87f0-4a95-81e2-2bb8f1842bb5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines information security requirements for the information system or information system service in mission/business process planning;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-2_smt.b" uuid="b8483c44-2f43-4992-b846-dea03621e1ae">
<by-component uuid="7a791447-ccc4-438b-a835-c8868d793250"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-2_smt.c" uuid="e2ea1f84-a924-48d9-9e81-dadd8b3c0fbe">
<by-component uuid="135d8cca-80f1-49ab-a290-71faffcb491b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a discrete line item for information security in organizational programming and budgeting documentation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-3" uuid="40cbeaf0-3144-4a3c-8321-a8a3b89e48a6"><!--System Development Life Cycle-->
<!--Sample response for SA-3: an implementation-status prop, 1 set-parameter entry, one responsible-role, and one statement holding a single by-component for each of the 4 required response points.-->
<!--NOTE(review): the status is "implemented", yet the parameter value is still a generic "organization-defined ..." label and every description is the same filler sentence. Replace this content with system-specific values before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sa-3_prm_1">
<value>organization-defined system development life cycle</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-3_smt.a, sa-3_smt.b, sa-3_smt.c, sa-3_smt.d-->
<!--NOTE(review): the remarks for sa-3_smt.a ("using that incorporates") have a gap where a parameter value seems to have been dropped, presumably by the generating transform. sa-3_prm_1 is the only parameter set here, so it is the likely candidate; confirm. All four by-component entries reference the same component-uuid.-->
<statement statement-id="sa-3_smt.a" uuid="5d02005e-110e-413f-ab71-8cff261a8399">
<by-component uuid="5e5781b8-98d7-4b6f-bbeb-33999c123624"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Manages the information system using that incorporates information security considerations;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.b" uuid="4927c9ee-1ed2-438b-aaf5-8fe4387d4d32">
<by-component uuid="4fe6f2ba-ce31-4f98-8368-b7f7cd05754b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines and documents information security roles and responsibilities throughout the system development life cycle;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.c" uuid="92e1e9c1-5e53-4f55-96d2-460ec25bfe2f">
<by-component uuid="6499730c-e55c-427d-9958-3b0381bec2c5"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies individuals having information security roles and responsibilities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.d" uuid="c5e888b4-38e3-46e2-9a40-a3778c12b80b">
<by-component uuid="e6dd8401-9d42-46b7-923f-f4291a6103ec"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Integrates the organizational information security risk management process into system development life cycle activities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4" uuid="339451b9-756e-4ab0-9e85-a3ef9609b466"><!--Acquisition Process-->
<!--Sample response for SA-4: an implementation-status prop with value "planned" and a remarks child, a planned-completion-date prop, no set-parameter entries, one responsible-role, and one statement holding a single by-component for each of the 7 required response points.-->
<!--NOTE(review): the remarks under the "planned" status are template wording, not an actual plan, and the completion date is a sample value. A planned control needs a concrete plan and a date that can be tracked. Replace both before reusing the sample.-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="planned">
<remarks>
<p>A description of the plan to complete implementation.</p>
</remarks>
</prop>
<prop name="planned-completion-date"
ns="https://fedramp.gov/ns/oscal"
value="2021-09-22Z"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<!--The role-id below must match a role declared in this document's metadata; that declaration is not visible from this part of the file.-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4_smt.a, sa-4_smt.b, sa-4_smt.c, sa-4_smt.d, sa-4_smt.e, sa-4_smt.f, sa-4_smt.g-->
<!--NOTE(review): every description is the same filler sentence, and each remarks paragraph is a short list-item fragment (presumably control statement text copied in by the generating transform; confirm) rather than a note about this system. All seven by-component entries reference the same component-uuid.-->
<statement statement-id="sa-4_smt.a" uuid="f16671f0-4699-470e-8e62-c87aee20213f">
<by-component uuid="312c88c6-b172-4ca0-8cae-78c2303e3335"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security functional requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.b" uuid="b8183531-142c-48ee-b8a7-7c2327494788">
<by-component uuid="71eddf9d-cab3-4b7d-9ee9-c24e52c1559f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security strength requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.c" uuid="4a2853cd-bc41-4526-a371-206592a235b9">
<by-component uuid="32e4648b-636f-4c91-94d5-9f00c57cd918"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assurance requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.d" uuid="73d60990-54a0-44c2-bdd7-e5de39d6d899">
<by-component uuid="2aac9381-b689-41c5-ab07-17dddeb235ce"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security-related documentation requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.e" uuid="389ee3d1-a7e4-4fbc-9e61-5d943473884f">
<by-component uuid="73aa8da8-4c40-4bb5-b4c3-cddf4bd8b2cf"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requirements for protecting security-related documentation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.f" uuid="b213d78b-ffbf-4169-9169-d1061ae34015">
<by-component uuid="b6f7ae2b-61c4-430f-9b9d-330b21ae921b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Description of the information system development environment and environment in which the system is intended to operate; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.g" uuid="4445ef79-a6b7-453c-8771-bdfddabcd7b6">
<by-component uuid="bac8ed7b-3dc1-45ee-8a9d-6972328d0c1e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Acceptance criteria.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-5" uuid="6c0e71eb-e369-4666-be74-c8b08b6df635"><!--Information System Documentation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters: sa-5_prm_1 and sa-5_prm_2 (the generated count of "no control parameters" did not match the elements below)-->
<!--NOTE(review): both values repeat generic "organization-defined ..." wording instead of naming concrete actions or roles; presumably sample filler, confirm before reuse-->
<set-parameter param-id="sa-5_prm_1">
<value>organization-defined actions</value>
</set-parameter>
<set-parameter param-id="sa-5_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-5_smt.a, sa-5_smt.b, sa-5_smt.c, sa-5_smt.d, sa-5_smt.e-->
<statement statement-id="sa-5_smt.a" uuid="86cc47b7-6fde-44fb-b09a-98ae556c9b12">
<by-component uuid="02fa550b-333e-415a-a5ff-478445d7c2da"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains administrator documentation for the information system, system component, or information system service that describes:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.b" uuid="9a3c67ec-0fef-4f00-8100-420ba33ba568">
<by-component uuid="16e6ccec-8333-45e8-a919-aeb5cfa5805a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains user documentation for the information system, system component, or information system service that describes:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.c" uuid="85021447-d600-4e79-b847-1a1a65f2a44f">
<by-component uuid="2844626f-3503-4da7-9b97-20e2fde94c13"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes in response;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.d" uuid="5f44c8b2-2e59-4a82-8040-5751763c9e54">
<by-component uuid="4b7d89d3-c731-4896-aabc-9c89003c222e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects documentation as required, in accordance with the risk management strategy; and</p>
</remarks>
</by-component>
</statement>
<!--Response point sa-5_smt.e, answered by a single by-component entry-->
<statement statement-id="sa-5_smt.e" uuid="9029fd32-872b-4d05-9521-014a0feb7994">
<by-component uuid="d4155e2d-19b4-4e62-85e5-0979ca43bece"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<!--The description only states its own length; it does not say how documentation is distributed-->
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--NOTE(review): the remark ends in "to ." because a parameter insert is missing from the text; the missing recipient is presumably sa-5_prm_2 (personnel or roles), confirm against the catalog-->
<remarks>
<p>Distributes documentation to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9" uuid="2213b4a9-57d9-49b6-a57b-7c9d28bb8cf2"><!--External Information System Services-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters: sa-9_prm_1 and sa-9_prm_2 (the generated count of "no control parameters" did not match the elements below)-->
<set-parameter param-id="sa-9_prm_1">
<value>organization-defined security controls</value>
<!--Constraint: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system-->
<!--NOTE(review): the value above names no baseline, so the constraint is not visibly met by this entry-->
</set-parameter>
<set-parameter param-id="sa-9_prm_2">
<value>organization-defined processes, methods, and techniques</value>
<!--Constraint: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored-->
<!--NOTE(review): the value above does not reference continuous monitoring; an external-service monitoring method would need to be stated here-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9_smt.a, sa-9_smt.b, sa-9_smt.c-->
<statement statement-id="sa-9_smt.a" uuid="c1e939d1-e421-4b53-a692-decaf3421bd9">
<by-component uuid="3d6d82f5-ecd6-4fa5-b31c-dcca41b34067"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires that providers of external information system services comply with organizational information security requirements and employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-9_smt.b" uuid="516af934-1b2e-475d-af34-345343f926bc">
<by-component uuid="2e1387d9-34c3-4066-8255-53ffbdd3b23b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-9_smt.c" uuid="588dffc1-4520-4983-a6b3-3c54b753a60f">
<by-component uuid="81a78cd3-7676-4200-8872-2666f761cded"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs to monitor security control compliance by external service providers on an ongoing basis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-1" uuid="b19e8b90-5b42-4aa3-8138-76dee0714213"><!--System and Communications Protection Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sc-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="sc-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
<!--NOTE(review): the value states no frequency, so it cannot be checked against the constraint as written-->
</set-parameter>
<set-parameter param-id="sc-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
<!--NOTE(review): the value states no frequency, so it cannot be checked against the constraint as written-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-1_smt.a, sc-1_smt.b.1, sc-1_smt.b.2-->
<statement statement-id="sc-1_smt.a" uuid="520656b9-48ee-497d-8052-324d5a8cf092">
<by-component uuid="adc685eb-fae9-4d3b-9f97-fc2398c2487f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-1_smt.b.1" uuid="3131acba-d871-4d18-a20f-931631cf8557">
<by-component uuid="38b859bd-5b79-43fe-8b63-4dbb608548e4"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and communications protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-1_smt.b.2" uuid="99f5cc13-6380-4c54-a4fa-39defb2b2cf8">
<by-component uuid="e37a2339-c275-42cf-aa6f-a24d63dcec0f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and communications protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-5" uuid="26301d52-4c20-42e9-9d60-0ea7e3149761"><!--Denial of Service Protection-->
<!--Status is recorded as "implemented" while both parameter values and the description below are still generic-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 2 control parameters: sc-5_prm_1 and sc-5_prm_2 (the generated count of "no control parameters" did not match the elements below)-->
<set-parameter param-id="sc-5_prm_1">
<value>organization-defined types of denial of service attacks or references to sources for such information</value>
</set-parameter>
<set-parameter param-id="sc-5_prm_2">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-5_smt-->
<statement statement-id="sc-5_smt" uuid="1e5cf417-378c-4a30-ac5e-df0547f3cd83">
<by-component uuid="d8bd56f3-583d-400b-8916-2c640dc333ad"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<!--The description only states its own length; it names no attack types and no safeguards-->
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--NOTE(review): "attacks: by employing ." is missing two parameter inserts, presumably sc-5_prm_1 (attack types) and sc-5_prm_2 (safeguards); confirm against the catalog-->
<remarks>
<p>The information system protects against or limits the effects of the following types of denial of service attacks: by employing .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7" uuid="957fe51b-6c86-4eb7-b6b4-3dd3edbbe549"><!--Boundary Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-7_prm_1">
<value>one of physically or logically</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7_smt.a, sc-7_smt.b, sc-7_smt.c-->
<statement statement-id="sc-7_smt.a" uuid="696cdcaa-54d4-4805-ab2a-da1ac3fa161a">
<by-component uuid="8e6efa87-daa8-476f-ba34-c03693bd96c6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7_smt.b" uuid="083fbb6b-cf06-4ebd-8453-153898036d21">
<by-component uuid="3eb476bb-f764-4882-a9fa-e287a2e1e01e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements subnetworks for publicly accessible system components that are separated from internal organizational networks; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7_smt.c" uuid="4a464a02-8d7e-4886-aa46-16786736ddc5">
<by-component uuid="9e59a54b-0ed7-4fd9-9b7d-3d62e8b889cc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-12" uuid="cd33a45f-1ccd-4b2b-b599-73672f49bd98"><!--Cryptographic Key Establishment and Management-->
<!--Status is recorded as "implemented" while the key management requirements below are still generic-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-12_prm_1">
<value>organization-defined requirements for key generation, distribution, storage, access, and destruction</value>
<!--NOTE(review): the value lists the key lifecycle stages but gives no requirement for any of them-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-12_smt-->
<statement statement-id="sc-12_smt" uuid="1563d618-4b44-4f55-b454-d23dea14caa2">
<by-component uuid="8b3109af-ec1c-4053-8c69-cce7f41af24c"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<!--The description only states its own length; it does not say how keys are established or managed-->
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--NOTE(review): "in accordance with ." is missing its parameter insert, presumably sc-12_prm_1; confirm against the catalog-->
<remarks>
<p>The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-13" uuid="87d8832d-e1d5-4948-9292-486a97c56ceb"><!--Cryptographic Protection-->
<!--Status is recorded as "implemented" while the cryptographic uses below are still generic-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-13_prm_1">
<value>organization-defined cryptographic uses and type of cryptography required for each use</value>
<!--Constraint: FIPS-validated or NSA-approved cryptography-->
<!--NOTE(review): the value names no cryptographic use and no validated or approved cryptography, so the constraint is not visibly met by this entry-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-13_smt-->
<statement statement-id="sc-13_smt" uuid="b5852f7b-d1c9-4f9d-a29e-22249364ba05">
<by-component uuid="613c6f34-d565-4229-8b40-d80c50864587"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<!--The description only states its own length; it does not say which cryptography the component uses-->
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--NOTE(review): "implements in accordance with" is missing its parameter insert, presumably sc-13_prm_1; confirm against the catalog-->
<remarks>
<p>The information system implements in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-15" uuid="0e59fb42-e586-4308-b800-0d911bc6174c"><!--Collaborative Computing Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-15_prm_1">
<value>organization-defined exceptions where remote activation is to be allowed</value>
<!--Constraint: no exceptions-->
<!--NOTE(review): the value leaves the exception list open while the constraint allows none; a value consistent with the constraint would state that no exceptions apply-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-15_smt.a, sc-15_smt.b-->
<statement statement-id="sc-15_smt.a" uuid="348f0a81-a507-4e2e-ae19-14750438d419">
<by-component uuid="0a976e7d-2023-4fe5-8639-4f50f4c5dc11"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits remote activation of collaborative computing devices with the following exceptions: ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-15_smt.b" uuid="30e53174-77cd-4f8a-8f90-9d9a609b5d8d">
<by-component uuid="4da1c2b7-0f69-4ce4-9c97-8819b816371b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides an explicit indication of use to users physically present at the devices.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-20" uuid="6ea299af-3b37-455f-8330-b063d758901d"><!--Secure Name / Address Resolution Service (authoritative Source)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-20_smt.a, sc-20_smt.b-->
<statement statement-id="sc-20_smt.a" uuid="0ee9261a-e264-4bc4-96d5-4c785d686013">
<by-component uuid="912d082f-89b5-448b-90f5-879ae4aa97bc"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-20_smt.b" uuid="362379b4-07a3-416d-9937-f62761188a30">
<by-component uuid="e1a03c68-4e43-463b-8ba3-25e4a1fab51a"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-21" uuid="e72d901f-336c-4ad6-a597-8c540479e726"><!--Secure Name / Address Resolution Service (recursive or Caching Resolver)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-21_smt-->
<statement statement-id="sc-21_smt" uuid="54970561-20ba-4c73-9f46-ef56e7fea881">
<by-component uuid="fc9f92e7-912b-4049-ab4c-431327737cbf"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-22" uuid="97bc0e25-b351-4f0d-96b4-247217055bec"><!--Architecture and Provisioning for Name / Address Resolution Service-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-22_smt-->
<statement statement-id="sc-22_smt" uuid="0a2c2ac2-7485-41f6-9afb-2513eed3e95e">
<by-component uuid="b8da2799-28b6-401e-9d5e-26aa64091f04"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-39" uuid="177c1110-6713-4def-aec6-8f3efe26fbcf"><!--Process Isolation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-39_smt-->
<statement statement-id="sc-39_smt" uuid="3118f76c-6793-4a8c-af6a-bd255560a33d">
<by-component uuid="9daf7bf9-52dc-4b70-afa2-fb4286fdba93"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system maintains a separate execution domain for each executing process.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-1" uuid="b619b655-c2a3-449f-bb0d-65063efaf95d"><!--System and Information Integrity Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="si-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years-->
<!--NOTE(review): the value states no frequency, so it cannot be checked against the constraint as written-->
</set-parameter>
<set-parameter param-id="si-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually-->
<!--NOTE(review): the value states no frequency, so it cannot be checked against the constraint as written-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-1_smt.a, si-1_smt.b.1, si-1_smt.b.2-->
<statement statement-id="si-1_smt.a" uuid="dbf362f1-20f1-498d-9979-dff536b393fd">
<by-component uuid="fda9bec3-0554-4643-bde2-981f8b54fdb9"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-1_smt.b.1" uuid="90cd6b8d-bf39-4ffe-8437-a52fc65ebc2f">
<by-component uuid="e8fea63a-b784-4b6f-8e0a-0ae1ebf61a1f"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and information integrity policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-1_smt.b.2" uuid="0105473a-044a-4891-8222-1e3d5c177baa">
<by-component uuid="b0a029ce-9580-4b08-902e-dc360ac9be0b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and information integrity procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-2" uuid="acabc2ea-8dc3-4721-bc73-84b054264916"><!--Flaw Remediation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-2_prm_1">
<value>organization-defined time period</value>
<!--Constraint: within 30 days of release of updates-->
<!--NOTE(review): the value states no time period, so the 30 day patching window is not visibly committed to by this entry-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-2_smt.a, si-2_smt.b, si-2_smt.c, si-2_smt.d-->
<statement statement-id="si-2_smt.a" uuid="37f972ce-ef2f-4368-a3a0-6770a032ad4f">
<by-component uuid="4382fdc8-b0e4-499c-8801-098e8690bdb6"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies, reports, and corrects information system flaws;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2_smt.b" uuid="3476982a-7c73-4140-b910-367a895266ce">
<by-component uuid="10fce4e7-2884-49cb-9270-f526253695de"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;</p>
</remarks>
</by-component>
</statement>
<!--Response point si-2_smt.c, answered by a single by-component entry-->
<statement statement-id="si-2_smt.c" uuid="2e5d236f-4b24-42a8-8e61-2f17d8eae021">
<by-component uuid="91925801-fde2-4c38-a8e2-857d62d2e1c3"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<!--The description only states its own length; it does not say how or when updates are installed-->
<description>
<p>This description is more than 20 characters in length</p>
</description>
<!--NOTE(review): "within of the release" is missing its parameter insert, presumably si-2_prm_1 (time period); confirm against the catalog-->
<remarks>
<p>Installs security-relevant software and firmware updates within of the release of the updates; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2_smt.d" uuid="d52bec7b-a4cb-4271-a29a-2f4343b905f4">
<by-component uuid="8c181aaa-d8dc-4484-b33f-0a7d21022aa0"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incorporates flaw remediation into the organizational configuration management process.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-3" uuid="0a8cd49b-69e1-487d-8c54-cd8c36f9864e"><!--Malicious Code Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="si-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least weekly-->
<!--NOTE(review): the value states no scan frequency, so it cannot be checked against the constraint as written-->
</set-parameter>
<set-parameter param-id="si-3_prm_2">
<value>one-or-more of endpoint, network entry/exit points</value>
<!--Constraint: to include endpoints-->
<!--NOTE(review): the value restates the available choices rather than recording which were selected-->
</set-parameter>
<set-parameter param-id="si-3_prm_3">
<value>it's complicated by parameter inserts</value>
<!--Constraint: to include alerting administrator or defined security personnel-->
<!--NOTE(review): the value reads like a generator note, not a parameter value; it does not mention alerting, so the constraint is not visibly met-->
</set-parameter>
<set-parameter param-id="si-3_prm_4">
<value>organization-defined action</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-3_smt.a, si-3_smt.b, si-3_smt.c, si-3_smt.d-->
<statement statement-id="si-3_smt.a" uuid="5d39afe6-c4d0-42ee-a398-df8d539f508a">
<by-component uuid="7ae82663-8d31-4d34-a6a5-b97c41050b2e"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.b" uuid="5d8dfa76-9cba-4108-8023-623e5b95e2e7">
<by-component uuid="69288d72-b373-4754-ac61-84da39757777"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.c" uuid="f5a7d7d6-4eb4-4ec5-bba4-63537dcf4907">
<by-component uuid="e59d0495-cb67-4cb9-9bb1-d21f3ab64363"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configures malicious code protection mechanisms to:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.d" uuid="10fe2ea9-45a7-4cbd-875c-7d1834aafdbd">
<by-component uuid="50bdc1a5-3eb3-4531-af1f-48109d3c2147"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4" uuid="ea7577c0-0115-40ea-890f-032d23250ad6"><!--Information System Monitoring-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 6 control parameters-->
<!--NOTE(review): every value below is generic wording, so the monitoring objectives, methods, recipients and frequency are not actually recorded here-->
<set-parameter param-id="si-4_prm_1">
<value>organization-defined monitoring objectives</value>
</set-parameter>
<set-parameter param-id="si-4_prm_2">
<value>organization-defined techniques and methods</value>
</set-parameter>
<set-parameter param-id="si-4_prm_3">
<value>organization-defined information system monitoring information</value>
</set-parameter>
<set-parameter param-id="si-4_prm_4">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-4_prm_5">
<value>it's complicated by parameter inserts</value>
<!--NOTE(review): the value reads like a generator note, not a parameter value-->
</set-parameter>
<set-parameter param-id="si-4_prm_6">
<value>organization-defined frequency</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4_smt.a, si-4_smt.b, si-4_smt.c, si-4_smt.d, si-4_smt.e, si-4_smt.f, si-4_smt.g-->
<statement statement-id="si-4_smt.a" uuid="900d13ae-d8d4-4ed6-9489-0220e4957e57">
<by-component uuid="bacb8440-fc89-4a08-a08a-68eccf1c121b"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors the information system to detect:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.b" uuid="f04e92ff-29bf-48eb-bc74-18a38a748109">
<by-component uuid="c170ec9e-61ad-4540-8db0-540489f52708"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies unauthorized use of the information system through ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.c" uuid="9ddb67fd-aa61-4ec8-aa9a-ce4e2d725959">
<by-component uuid="bf9f68f8-4da8-4bf4-ab13-cdd5052494ec"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Deploys monitoring devices:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.d" uuid="69927740-c941-4cf0-8334-67035315e612">
<by-component uuid="1ae08207-a2cc-449f-81ed-1b74525ee874"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.e" uuid="6d2f2a29-330a-4307-acb4-e93b1fe9b58c">
<by-component uuid="366a9231-6372-4a23-b8cc-248fd4583c8d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.f" uuid="37ea811d-974b-496a-b477-f18c7aeca621">
<by-component uuid="e622cb52-991f-45ba-928b-ea06b969df01"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.g" uuid="e3c5e026-fdff-43c2-8704-d2f6b53d4964">
<by-component uuid="1a2b2e29-e033-42cf-870e-b8ba7613759d"
component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides to
.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-5" uuid="eb3e0dfd-0f78-4280-b723-6246a67d3d64">
  <!-- SI-5: Security Alerts, Advisories, and Directives -->
  <!-- NOTE(review): the status below is "implemented", yet every by-component description in this
       requirement is the same filler sentence and each remark appears to restate the control
       statement. Nothing here says how the control is met; presumably sample content, so replace
       it with system-specific evidence before reuse. -->
  <prop name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="implemented"/>

  <!-- Five control parameters are set for this control. -->
  <set-parameter param-id="si-5_prm_1">
    <!-- Constraint: to include US-CERT -->
    <!-- NOTE(review): the value is a generic assignment label and does not name US-CERT,
         so the constraint above is not visibly satisfied. -->
    <value>organization-defined external organizations</value>
  </set-parameter>
  <set-parameter param-id="si-5_prm_2">
    <!-- Constraint: to include system security personnel and administrators with
         configuration/patch-management responsibilities -->
    <!-- NOTE(review): the value is placeholder text and names none of the personnel listed
         in the constraint above. -->
    <value>it's complicated by parameter inserts</value>
  </set-parameter>
  <!-- NOTE(review): si-5_prm_3 to si-5_prm_5 hold generic "organization-defined" labels rather
       than concrete roles or organizations; confirm before treating them as answers. -->
  <set-parameter param-id="si-5_prm_3">
    <value>organization-defined personnel or roles</value>
  </set-parameter>
  <set-parameter param-id="si-5_prm_4">
    <value>organization-defined elements within the organization</value>
  </set-parameter>
  <set-parameter param-id="si-5_prm_5">
    <value>organization-defined external organizations</value>
  </set-parameter>

  <!-- See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36 -->
  <!-- NOTE(review): confirm this role-id is declared under metadata and tied to a responsible
       party; the declaration is not visible in this part of the file. -->
  <responsible-role role-id="implemented-requirement-responsible-role"/>

  <!-- Required response points: si-5_smt.a, si-5_smt.b, si-5_smt.c, si-5_smt.d -->
  <statement statement-id="si-5_smt.a" uuid="434d7f9f-24bc-4b26-a407-93d55d9f7469">
    <by-component uuid="fefc4bec-2dba-45f8-b28e-0c08ca9e2fb2"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <!-- NOTE(review): the remark reads "directives from on an ongoing basis"; a parameter value
           appears to have been dropped after "from" (presumably si-5_prm_1; confirm against
           the catalog). -->
      <remarks>
        <p>Receives information system security alerts, advisories, and directives from on an ongoing basis;</p>
      </remarks>
    </by-component>
  </statement>
  <statement statement-id="si-5_smt.b" uuid="567ce66a-621a-499d-be57-b0901a2a7048">
    <by-component uuid="165baa7b-2c3d-499b-81df-9afd8d7f6954"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <remarks>
        <p>Generates internal security alerts, advisories, and directives as deemed necessary;</p>
      </remarks>
    </by-component>
  </statement>
  <statement statement-id="si-5_smt.c" uuid="addf6346-38c1-469b-ac85-976a14083ae1">
    <by-component uuid="082a5e08-fb2d-48c1-ac7f-cf160cdbf460"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <!-- NOTE(review): the remark reads "directives to: ; and"; the list of recipients is empty,
           so the dissemination targets are not stated (presumably a dropped parameter insert). -->
      <remarks>
        <p>Disseminates security alerts, advisories, and directives to: ; and</p>
      </remarks>
    </by-component>
  </statement>
  <statement statement-id="si-5_smt.d" uuid="ea27edd6-9cd0-46a9-9e24-7bf885196aa6">
    <by-component uuid="57020268-6ed1-4f31-9c9d-15bad0440539"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <remarks>
        <p>Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.</p>
      </remarks>
    </by-component>
  </statement>
</implemented-requirement>
<implemented-requirement control-id="si-12" uuid="1896818f-3fe6-4baf-a289-89cac42bdf89">
  <!-- SI-12: Information Handling and Retention -->
  <!-- NOTE(review): the status is "implemented", but the only description is a filler sentence
       and the remark appears to restate the control statement. No retention periods, handling
       rules or governing policy are named; presumably sample content. -->
  <prop name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="implemented"/>

  <!-- This control has no parameters. -->
  <!-- See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36 -->
  <!-- NOTE(review): confirm this role-id is declared under metadata; the declaration is not
       visible in this part of the file. -->
  <responsible-role role-id="implemented-requirement-responsible-role"/>

  <!-- Required response points: si-12_smt -->
  <statement statement-id="si-12_smt" uuid="b572981a-4355-41f2-adeb-149e79e51a42">
    <by-component uuid="3c32d0d8-da67-46fe-9745-70d19debcaab"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <remarks>
        <p>The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</p>
      </remarks>
    </by-component>
  </statement>
</implemented-requirement>
<implemented-requirement control-id="si-16" uuid="678f15e1-e9f7-4696-8e55-36c7bb7e1db6">
  <!-- SI-16: Memory Protection -->
  <!-- NOTE(review): the status is "implemented", but no actual safeguard is named anywhere in
       this requirement; the description is filler and the parameter holds a generic label.
       Presumably sample content. -->
  <prop name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="implemented"/>

  <!-- One control parameter is set for this control. -->
  <set-parameter param-id="si-16_prm_1">
    <!-- NOTE(review): generic assignment label, not a concrete safeguard; an assessor would
         expect the specific memory protections in use to be listed here. -->
    <value>organization-defined security safeguards</value>
  </set-parameter>

  <!-- See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36 -->
  <!-- NOTE(review): confirm this role-id is declared under metadata; the declaration is not
       visible in this part of the file. -->
  <responsible-role role-id="implemented-requirement-responsible-role"/>

  <!-- Required response points: si-16_smt -->
  <statement statement-id="si-16_smt" uuid="075816ee-a601-42c7-9f35-9dd32ecb6e3b">
    <by-component uuid="c7dd1e05-9c03-4aca-80ff-90bed0d2324f"
                  component-uuid="4b7936b9-e814-47c0-b152-65cb5b556c3c">
      <description>
        <p>This description is more than 20 characters in length</p>
      </description>
      <!-- NOTE(review): the remark reads "implements to protect"; a parameter value appears to
           have been dropped after "implements" (presumably si-16_prm_1; confirm against
           the catalog). -->
      <remarks>
        <p>The information system implements to protect its memory from unauthorized code execution.</p>
      </remarks>
    </by-component>
  </statement>
</implemented-requirement>
</control-implementation>
<back-matter>
  <!-- Attachments referenced by the plan. Each resource has a title, an rlink with a relative
       href, and an embedded base64 copy declared as text/plain with the same filename. -->
  <!-- NOTE(review): the payloads spot-checked (AC-1 policy, User Guide, Rules of Behavior,
       Inventory) decode to the resource's own title and nothing else, so these look like
       placeholder attachments rather than real policies or plans. -->
  <!-- NOTE(review): no rlink carries a hash, so nothing binds the external file to the embedded
       copy. A consumer should not trust the declared media-type or filename, and should resolve
       the relative href only against a known base location. -->

  <!-- Access Control Policy and Procedures attachments -->
  <resource uuid="65ff3eb5-3970-4890-a7a7-dd884b792517">
    <title>AC-1 Access Control Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ac-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ac-1-policy.txt" media-type="text/plain">QUMtMSBBY2Nlc3MgQ29udHJvbCBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
  </resource>
  <resource uuid="e362581a-0bdc-4a7a-9a6a-6945667e5389">
    <title>AC-1 Access Control Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ac-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ac-1-procedures.txt" media-type="text/plain">QUMtMSBBY2Nlc3MgQ29udHJvbCBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
  </resource>

  <!-- Awareness and Training Policy and Procedures attachments -->
  <resource uuid="6de9795f-9084-4824-a589-b2fa4e3106b4">
    <title>AT-1 Security Awareness and Training Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-at-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-at-1-policy.txt" media-type="text/plain">QVQtMSBTZWN1cml0eSBBd2FyZW5lc3MgYW5kIFRyYWluaW5nIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
  </resource>
  <resource uuid="0b802faf-cb5a-4e90-8f8b-fc3bbe79292a">
    <title>AT-1 Security Awareness and Training Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-at-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-at-1-procedures.txt" media-type="text/plain">QVQtMSBTZWN1cml0eSBBd2FyZW5lc3MgYW5kIFRyYWluaW5nIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
  </resource>

  <!-- Audit and Accountability Policy and Procedures attachments -->
  <resource uuid="0c68b369-688b-4195-a91e-95af56f70132">
    <title>AU-1 Audit and Accountability Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-au-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-au-1-policy.txt" media-type="text/plain">QVUtMSBBdWRpdCBhbmQgQWNjb3VudGFiaWxpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="2a976b15-5830-426f-badb-a996eb80f67a">
    <title>AU-1 Audit and Accountability Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-au-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-au-1-procedures.txt" media-type="text/plain">QVUtMSBBdWRpdCBhbmQgQWNjb3VudGFiaWxpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- Security Assessment and Authorization Policy and Procedures attachments -->
  <resource uuid="565358bc-a503-40b0-b5b4-d584cf407dac">
    <title>CA-1 Security Assessment and Authorization Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ca-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ca-1-policy.txt" media-type="text/plain">Q0EtMSBTZWN1cml0eSBBc3Nlc3NtZW50IGFuZCBBdXRob3JpemF0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
  </resource>
  <resource uuid="bcba5b1a-3c3d-4372-a352-c73399e8a915">
    <title>CA-1 Security Assessment and Authorization Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ca-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ca-1-procedures.txt" media-type="text/plain">Q0EtMSBTZWN1cml0eSBBc3Nlc3NtZW50IGFuZCBBdXRob3JpemF0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
  </resource>

  <!-- Configuration Management Policy and Procedures attachments -->
  <resource uuid="8d66529a-a2bb-4ffc-9738-f04c0bcfc333">
    <title>CM-1 Configuration Management Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-cm-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-cm-1-policy.txt" media-type="text/plain">Q00tMSBDb25maWd1cmF0aW9uIE1hbmFnZW1lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="df89e401-8166-44c7-bce4-c53acba610d2">
    <title>CM-1 Configuration Management Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-cm-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-cm-1-procedures.txt" media-type="text/plain">Q00tMSBDb25maWd1cmF0aW9uIE1hbmFnZW1lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- Contingency Planning Policy and Procedures attachments -->
  <resource uuid="95dad843-0d10-4d1c-8216-4fbc47a5d79b">
    <title>CP-1 Contingency Planning Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-cp-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-cp-1-policy.txt" media-type="text/plain">Q1AtMSBDb250aW5nZW5jeSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
  </resource>
  <resource uuid="a03f23bf-49df-4272-aa51-ac3abb81f8ab">
    <title>CP-1 Contingency Planning Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-cp-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-cp-1-procedures.txt" media-type="text/plain">Q1AtMSBDb250aW5nZW5jeSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
  </resource>

  <!-- Identification and Authentication Policy and Procedures attachments -->
  <resource uuid="79b1bfa8-10ca-4e36-9c65-8f1e1aefeab2">
    <title>IA-1 Identification and Authentication Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ia-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ia-1-policy.txt" media-type="text/plain">SUEtMSBJZGVudGlmaWNhdGlvbiBhbmQgQXV0aGVudGljYXRpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="0439f8e6-a2e2-41a8-9902-db1e4cf00049">
    <title>IA-1 Identification and Authentication Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ia-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ia-1-procedures.txt" media-type="text/plain">SUEtMSBJZGVudGlmaWNhdGlvbiBhbmQgQXV0aGVudGljYXRpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- Incident Response Policy and Procedures attachments -->
  <resource uuid="cb0c204d-cc7f-4ff2-9b8d-e1eb5b379f85">
    <title>IR-1 Incident Response Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ir-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ir-1-policy.txt" media-type="text/plain">SVItMSBJbmNpZGVudCBSZXNwb25zZSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
  </resource>
  <resource uuid="5edad64f-61a3-42ba-b0de-57238f72198e">
    <title>IR-1 Incident Response Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ir-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ir-1-procedures.txt" media-type="text/plain">SVItMSBJbmNpZGVudCBSZXNwb25zZSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
  </resource>

  <!-- Maintenance Policy and Procedures attachments -->
  <resource uuid="3206b4d5-e14f-49f6-b562-52105f0b28d6">
    <title>MA-1 System Maintenance Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ma-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ma-1-policy.txt" media-type="text/plain">TUEtMSBTeXN0ZW0gTWFpbnRlbmFuY2UgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="7a9c4cf7-4f7a-41be-8f1c-1f46a7bbc7f4">
    <title>MA-1 System Maintenance Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ma-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ma-1-procedures.txt" media-type="text/plain">TUEtMSBTeXN0ZW0gTWFpbnRlbmFuY2UgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- Media Protection Policy and Procedures attachments -->
  <resource uuid="270039bd-07da-42b7-885f-3ffe77046256">
    <title>MP-1 Media Protection Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-mp-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-mp-1-policy.txt" media-type="text/plain">TVAtMSBNZWRpYSBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
  </resource>
  <resource uuid="92e4d9f5-6262-4844-b13e-6b2543be820a">
    <title>MP-1 Media Protection Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-mp-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-mp-1-procedures.txt" media-type="text/plain">TVAtMSBNZWRpYSBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
  </resource>

  <!-- Physical and Environmental Protection Policy and Procedures attachments -->
  <resource uuid="23eb9983-2765-477f-82a9-9da6da5e6a48">
    <title>PE-1 Physical and Environmental Protection Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-pe-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-pe-1-policy.txt" media-type="text/plain">UEUtMSBQaHlzaWNhbCBhbmQgRW52aXJvbm1lbnRhbCBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
  </resource>
  <resource uuid="1904e1b6-59bf-43ad-b6ac-46d0cbcec723">
    <title>PE-1 Physical and Environmental Protection Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-pe-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-pe-1-procedures.txt" media-type="text/plain">UEUtMSBQaHlzaWNhbCBhbmQgRW52aXJvbm1lbnRhbCBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
  </resource>

  <!-- Planning Policy and Procedures attachments -->
  <resource uuid="bf91b381-a9eb-4017-b31b-35db170b51a8">
    <title>PL-1 Security Planning Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-pl-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-pl-1-policy.txt" media-type="text/plain">UEwtMSBTZWN1cml0eSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
  </resource>
  <resource uuid="ff892cd0-3c19-4669-a10e-58ac0ca38b6e">
    <title>PL-1 Security Planning Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-pl-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-pl-1-procedures.txt" media-type="text/plain">UEwtMSBTZWN1cml0eSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
  </resource>

  <!-- Personnel Security Policy and Procedures attachments -->
  <resource uuid="5c2ba3d2-9734-4b1f-8480-078dba5773b0">
    <title>PS-1 Personnel Security Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ps-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ps-1-policy.txt" media-type="text/plain">UFMtMSBQZXJzb25uZWwgU2VjdXJpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="7c504502-49ca-4221-81c7-f77594fc9aa9">
    <title>PS-1 Personnel Security Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ps-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ps-1-procedures.txt" media-type="text/plain">UFMtMSBQZXJzb25uZWwgU2VjdXJpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- Risk Assessment Policy and Procedures attachments -->
  <resource uuid="1c3382f7-0d6b-47b1-9012-892749105ed9">
    <title>RA-1 Risk Assessment Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-ra-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-ra-1-policy.txt" media-type="text/plain">UkEtMSBSaXNrIEFzc2Vzc21lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="5c54db28-4375-49b4-8ecc-0110a7a7c6b8">
    <title>RA-1 Risk Assessment Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-ra-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-ra-1-procedures.txt" media-type="text/plain">UkEtMSBSaXNrIEFzc2Vzc21lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- System and Services Acquisition Policy and Procedures attachments -->
  <resource uuid="11ba29ac-46fa-46d8-bda8-7779f685ecc1">
    <title>SA-1 System and Services Acquisition Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-sa-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-sa-1-policy.txt" media-type="text/plain">U0EtMSBTeXN0ZW0gYW5kIFNlcnZpY2VzIEFjcXVpc2l0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
  </resource>
  <resource uuid="5f5b8513-2a83-498f-a134-992195a28ede">
    <title>SA-1 System and Services Acquisition Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-sa-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-sa-1-procedures.txt" media-type="text/plain">U0EtMSBTeXN0ZW0gYW5kIFNlcnZpY2VzIEFjcXVpc2l0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
  </resource>

  <!-- System and Communications Protection Policy and Procedures attachments -->
  <resource uuid="27344674-1a5e-4dda-96a8-f2898f47fbff">
    <title>SC-1 System and Communications Protection Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-sc-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-sc-1-policy.txt" media-type="text/plain">U0MtMSBTeXN0ZW0gYW5kIENvbW11bmljYXRpb25zIFByb3RlY3Rpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
  </resource>
  <resource uuid="d70108fa-506b-44eb-a44f-82f9aaf8faf9">
    <title>SC-1 System and Communications Protection Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-sc-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-sc-1-procedures.txt" media-type="text/plain">U0MtMSBTeXN0ZW0gYW5kIENvbW11bmljYXRpb25zIFByb3RlY3Rpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
  </resource>

  <!-- System and Information Integrity Policy and Procedures attachments -->
  <resource uuid="c9fcb2e1-e9cd-409b-b6e6-a2a102a7d0aa">
    <title>SI-1 System and Information Integrity Policy and Procedures - Policy</title>
    <prop name="type" value="policy"/>
    <rlink href="SSSP-A1-ISPP-si-1-policy.txt"/>
    <base64 filename="SSSP-A1-ISPP-si-1-policy.txt" media-type="text/plain">U0ktMSBTeXN0ZW0gYW5kIEluZm9ybWF0aW9uIEludGVncml0eSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
  </resource>
  <resource uuid="36870878-fba8-4704-a8ef-4fc6bea931cc">
    <title>SI-1 System and Information Integrity Policy and Procedures - Procedures</title>
    <prop name="type" value="procedures"/>
    <rlink href="SSSP-A1-ISPP-si-1-procedures.txt"/>
    <base64 filename="SSSP-A1-ISPP-si-1-procedures.txt" media-type="text/plain">U0ktMSBTeXN0ZW0gYW5kIEluZm9ybWF0aW9uIEludGVncml0eSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
  </resource>

  <!-- Plan-level attachments (user guide, PIA, rules of behavior, plans, workbook, inventory). -->
  <!-- NOTE(review): unlike the policy and procedures resources above, the resources below carry
       no type prop; confirm whether downstream validation needs one to identify them. -->
  <resource uuid="a70d9168-c5d2-4531-9651-2894e58ad66a">
    <title>User Guide</title>
    <rlink href="SSSP-A2-UG.txt"/>
    <base64 filename="SSSP-A2-UG.txt" media-type="text/plain">VXNlciBHdWlkZQ==</base64>
  </resource>
  <resource uuid="6166d13b-c299-4802-8ffe-71b6c58a882e">
    <title>Privacy Impact Analysis</title>
    <rlink href="SSSP-A4-PIA.txt"/>
    <base64 filename="SSSP-A4-PIA.txt" media-type="text/plain">UHJpdmFjeSBJbXBhY3QgQW5hbHlzaXM=</base64>
  </resource>
  <resource uuid="2658c852-7416-4777-b2cc-8fcaf4e8d72b">
    <title>Rules of Behavior</title>
    <rlink href="SSSP-A5-ROB.txt"/>
    <base64 filename="SSSP-A5-ROB.txt" media-type="text/plain">UnVsZXMgb2YgQmVoYXZpb3I=</base64>
  </resource>
  <resource uuid="9c39c08a-a108-4f67-9568-496d7b94b786">
    <title>Information System Contingency Plan</title>
    <rlink href="SSSP-A6-ISCP.txt"/>
    <base64 filename="SSSP-A6-ISCP.txt" media-type="text/plain">SW5mb3JtYXRpb24gU3lzdGVtIENvbnRpbmdlbmN5IFBsYW4=</base64>
  </resource>
  <resource uuid="b68c78e2-fed1-4562-9f4a-402157bf6522">
    <title>Configuration Management Plan</title>
    <rlink href="SSSP-A7-CMP.txt"/>
    <base64 filename="SSSP-A7-CMP.txt" media-type="text/plain">Q29uZmlndXJhdGlvbiBNYW5hZ2VtZW50IFBsYW4=</base64>
  </resource>
  <resource uuid="d58e9f9c-caae-4250-aa2c-33b08590380d">
    <title>Incident Response Plan</title>
    <rlink href="SSSP-A8-IRP.txt"/>
    <base64 filename="SSSP-A8-IRP.txt" media-type="text/plain">SW5jaWRlbnQgUmVzcG9uc2UgUGxhbg==</base64>
  </resource>
  <resource uuid="51773bcf-615b-49d0-8e90-d55df5e11acd">
    <title>CIS Workbook</title>
    <rlink href="SSSP-A9-CIS-Workbook.txt"/>
    <base64 filename="SSSP-A9-CIS-Workbook.txt" media-type="text/plain">Q0lTIFdvcmtib29r</base64>
  </resource>
  <resource uuid="d18860e2-0b25-46bf-b306-cadf67e0acc3">
    <title>Inventory</title>
    <rlink href="SSSP-A13-INV.txt"/>
    <base64 filename="SSSP-A13-INV.txt" media-type="text/plain">SW52ZW50b3J5</base64>
  </resource>
</back-matter>
</system-security-plan>