Skip to content

Instantly share code, notes, and snippets.

@ohsh6o

ohsh6o/sample_ssp_202107141312.xml

Created July 15, 2021 19:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ohsh6o/cc17a1a49268a1dd8e4fac16b48ba1b1 to your computer and use it in GitHub Desktop.
Save ohsh6o/cc17a1a49268a1dd8e4fac16b48ba1b1 to your computer and use it in GitHub Desktop.
Download ZIP
Example SSP from 10x ASAP SSP Generator Tool
Raw
sample_ssp_202107141312.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--This document used file:/Users/astein/Code/fedramp-automation/baselines/rev4/xml/FedRAMP_rev4_MODERATE-baseline-resolved-profile_catalog.xml as the input.-->
<!--This document used file:/Users/astein/Code/sample-ssp.xsl as the transform.-->
<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/release-1.0/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
<!--<?xml-model href="file:/Users/gapinski/branches/fedramp-automation/resources/validations/src/ssp.sch" schematypens="http://purl.oclc.org/dsdl/schematron" title="FedRAMP SSP constraints"?>-->
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="f735e812-cbe7-4580-ab58-eb1e6b866f0e">
<metadata>
<title>DRAFT, SAMPLE FedRAMP Rev 4 Moderate Baseline System Security Plan</title>
<last-modified>2021-07-14T09:10:56.63-04:00</last-modified>
<version>0.1</version>
<oscal-version>1.0.0</oscal-version>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<role id="system-owner">
<title>Information System Owner</title>
<short-name>ISO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<role id="authorizing-official">
<title>Authorizing Official</title>
<short-name>AO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<role id="system-poc-management">
<title>Information System Management Point of Contact</title>
<short-name>ISMPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<role id="system-poc-technical">
<title>Information System Technical Point of Contact</title>
<short-name>ISTPoC</short-name>
</role>
<role id="system-poc-other">
<title>Information System Other Point of Contact</title>
<short-name>ISOPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<role id="information-system-security-officer">
<title>Information System Security Officer</title>
<short-name>ISSO</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<role id="authorizing-official-poc">
<title>Authorizing Official (AO) PoC</title>
<short-name>AOPoC</short-name>
</role>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<role id="implemented-requirement-responsible-role">
<title>Implemented Control Responsibility Role</title>
</role>
<location uuid="92a2720f-4b03-475e-8309-1fdde726fda1">
<address/>
</location>
<party type="organization" uuid="084baa39-6abd-4f21-a042-ca7baad702b5">
<name>Cloud Service Provider (CSP) Name</name>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<party type="person" uuid="cf1d2a26-187d-4dfe-ba79-0eeff8f67d9f">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<party type="person" uuid="2b8e95e7-48ed-40b9-ba92-c86d30ebc65f">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<party type="person" uuid="c916d135-1719-4452-94c6-fa6ecce944c2">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<party type="person" uuid="2c39d1ff-ce36-4a2a-9e7b-dc5ef0db1adc">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<party type="person" uuid="e6562ad4-dd31-4656-a1b9-63837f66892a">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<party type="person" uuid="bfca7d71-3511-4851-a588-b41fc9d89a3d">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<party type="person" uuid="d0549c4a-f1d8-4e8f-9efc-e0fe9e420426">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<party type="person" uuid="e90149b4-6b97-4be5-84c6-708b26b1e2ea">
<name>name</name>
<email-address>name@example.com</email-address>
<telephone-number>+1-303-499-7111</telephone-number>
<location-uuid>92a2720f-4b03-475e-8309-1fdde726fda1</location-uuid>
<member-of-organization>084baa39-6abd-4f21-a042-ca7baad702b5</member-of-organization>
</party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 14-->
<responsible-party role-id="system-owner">
<party-uuid>cf1d2a26-187d-4dfe-ba79-0eeff8f67d9f</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 15-->
<responsible-party role-id="authorizing-official">
<party-uuid>2b8e95e7-48ed-40b9-ba92-c86d30ebc65f</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 16-->
<responsible-party role-id="system-poc-management">
<party-uuid>c916d135-1719-4452-94c6-fa6ecce944c2</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<responsible-party role-id="system-poc-technical">
<party-uuid>2c39d1ff-ce36-4a2a-9e7b-dc5ef0db1adc</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 17-->
<responsible-party role-id="system-poc-other">
<party-uuid>e6562ad4-dd31-4656-a1b9-63837f66892a</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 18-->
<responsible-party role-id="information-system-security-officer">
<party-uuid>bfca7d71-3511-4851-a588-b41fc9d89a3d</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 19-->
<responsible-party role-id="authorizing-official-poc">
<party-uuid>d0549c4a-f1d8-4e8f-9efc-e0fe9e420426</party-uuid>
</responsible-party>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-party role-id="implemented-requirement-responsible-role">
<party-uuid>e90149b4-6b97-4be5-84c6-708b26b1e2ea</party-uuid>
</responsible-party>
</metadata>
<import-profile href=""/>
<system-characteristics>
<system-id identifier-type="https://fedramp.gov">F00000000</system-id>
<system-name>Sample SSP</system-name>
<system-name-short>SSSP</system-name-short>
<description/>
<prop name="authorization-type"
ns="https://fedramp.gov/ns/oscal"
value="fedramp-agency"/>
<prop class="security-eauth"
name="security-eauth-level"
ns="https://fedramp.gov/ns/oscal"
value="2"/>
<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
<system-information><!-- Attachment 4, PTA/PIA Designation -->
<prop name="privacy-sensitive" value="yes"/>
<!-- Attachment 4, PTA Qualifying Questions -->
<prop class="pta"
name="pta-1"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Does the ISA collect, maintain, or share PII information from or about the public? -->
<prop class="pta"
name="pta-2"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Has a Privacy Impact Assessment ever been performed for the ISA? -->
<prop class="pta"
name="pta-3"
ns="https://fedramp.gov/ns/oscal"
value="yes"/>
<!-- Is there a Privacy Act System of Records Notice (SORN) for this ISA system? (If so, please specify the SORN ID.) -->
<prop class="pta"
name="pta-4"
ns="https://fedramp.gov/ns/oscal"
value="no"/>
<prop class="pta"
name="sorn-id"
ns="https://fedramp.gov/ns/oscal"
value="[No SORN ID]"/>
<information-type uuid="93aa5c9c-05f6-4542-9b0f-eff96999a28b">
<title/>
<description/>
<categorization system="https://doi.org/10.6028/NIST.SP.800-60v2r1">
<information-type-id>C.2.4.1</information-type-id>
</categorization>
<confidentiality-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</confidentiality-impact>
<integrity-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</integrity-impact>
<availability-impact>
<base>fips-199-moderate</base>
<selected>fips-199-moderate</selected>
<adjustment-justification>
<p>Required if the base and selected values do not match.</p>
</adjustment-justification>
</availability-impact>
</information-type>
</system-information>
<security-impact-level>
<security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
<security-objective-integrity>fips-199-moderate</security-objective-integrity>
<security-objective-availability>fips-199-moderate</security-objective-availability>
</security-impact-level>
<status state="operational"/>
<authorization-boundary>
<description/>
</authorization-boundary>
</system-characteristics>
<system-implementation><!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<user uuid="09d10206-497f-4549-bc01-8ea54d46090e">
<prop name="type" value="internal"/>
<prop name="privilege-type" value="privileged"/>
<prop name="sensitivity"
ns="https://fedramp.gov/ns/oscal"
value="moderate"/>
<role-id>implemented-requirement-responsible-role</role-id>
<authorized-privilege>
<title>title</title>
<function-performed>function</function-performed>
</authorized-privilege>
</user>
<component type="validation" uuid="772ea84a-0d4e-4225-b82f-66fdc498a934">
<title>FIPS 140-2 Validation</title>
<description>
<p>FIPS 140-2 Validation</p>
</description>
<prop name="validation-reference" value="3928"/>
<link href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3928"
rel="validation-details"/>
<status state="active"/>
</component>
<component type="type" uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<title/>
<description>
<p>This component is the answer to almost everything</p>
</description>
<status state="operational"/>
</component>
</system-implementation>
<control-implementation>
<description/>
<implemented-requirement control-id="ac-1" uuid="9add0342-6100-4f8b-b84a-7acd7b0b777d"><!--Access Control Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ac-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ac-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ac-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-1_smt.a.1, ac-1_smt.a.2, ac-1_smt.b.1, ac-1_smt.b.2-->
<statement statement-id="ac-1_smt.a.1" uuid="90194245-8f70-4ebd-a5cb-dbf76413f64d">
<by-component uuid="c88a9dae-64cf-4088-9281-b43077943c1a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-1_smt.a.2" uuid="0016a40a-b44a-4d49-a84e-1e467b9b863f">
<by-component uuid="0ab53444-b75a-4976-bcea-26425049388d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Procedures to facilitate the implementation of the access control policy and associated access controls; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-1_smt.b.1" uuid="5ba870b0-7a95-4b91-8e73-a712827892f4">
<by-component uuid="4f2fde67-7cdc-4f5e-9b74-3360a58f58c9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access control policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-1_smt.b.2" uuid="22c809ac-be3d-430a-83e0-3a67d0a82817">
<by-component uuid="69903bf1-14ec-4030-aaef-15de25c4b1ac"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access control procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2" uuid="3b403160-96ad-4207-abd7-74be9d356721"><!--Account Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ac-2_prm_1">
<value>organization-defined information system account types</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_3">
<value>organization-defined procedures or conditions</value>
</set-parameter>
<set-parameter param-id="ac-2_prm_4">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2_smt.a, ac-2_smt.b, ac-2_smt.c, ac-2_smt.d, ac-2_smt.e, ac-2_smt.f, ac-2_smt.g, ac-2_smt.h, ac-2_smt.i, ac-2_smt.j, ac-2_smt.k, ac-2.1_smt, ac-2.2_smt, ac-2.3_smt, ac-2.4_smt, ac-2.5_smt, ac-2.7_smt.a, ac-2.7_smt.b, ac-2.7_smt.c, ac-2.9_smt, ac-2.10_smt, ac-2.12_smt.a, ac-2.12_smt.b-->
<statement statement-id="ac-2_smt.a" uuid="48ed4ad8-5408-4dc0-8685-6bc039373f28">
<by-component uuid="04fd5202-027c-41c7-9e4e-d5c0edae3248"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies and selects the following types of information system accounts to support organizational missions/business functions: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.b" uuid="f862a3cd-d631-4dd3-a10e-7fc6483585ec">
<by-component uuid="4e0e367c-f4d7-489f-83a5-6ff6bea0e0c5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns account managers for information system accounts;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.c" uuid="e5397e9c-3872-4546-8901-e089b42c6645">
<by-component uuid="8d04c932-b017-42d4-a783-ba8e3b127a48"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes conditions for group and role membership;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.d" uuid="155e57fb-14aa-4c71-950e-8bae0da05a39">
<by-component uuid="10d72557-446f-4d45-984e-522ecef0317f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.e" uuid="9e1806c9-c076-44a9-8ace-9049f6b7c5b7">
<by-component uuid="6563fe40-909e-466f-8969-b6958be9b439"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires approvals by for requests to create information system accounts;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.f" uuid="266c3773-a5c3-45bd-bf61-171b44b511e7">
<by-component uuid="c0bf4076-7378-41c6-92ed-75eb8b191d11"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Creates, enables, modifies, disables, and removes information system accounts in accordance with ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.g" uuid="e4b30334-bb19-4d94-a988-7eb735758639">
<by-component uuid="71a43a1c-6d5a-455b-b27d-b4de52752cf2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors the use of information system accounts;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.h" uuid="f7a69950-3398-406c-84a4-896655362604">
<by-component uuid="1ad7a2c1-7416-4d70-b09a-87e4be6cdc3f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies account managers:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.i" uuid="c8dd40f7-264c-43ff-a005-9b15f2530368">
<by-component uuid="7142677b-7c1e-42cf-99c1-45a0f63461b2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes access to the information system based on:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.j" uuid="c11bce69-d600-42c8-9086-4c9c3d28b0a2">
<by-component uuid="c39f8d8e-f848-4de2-a93b-d21ad9097a13"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews accounts for compliance with account management requirements ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2_smt.k" uuid="215001a5-dc5d-4fe9-bed6-ad2ec6abae9b">
<by-component uuid="aef6996c-3ffe-45c0-9d9d-5c3c1cd39473"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.1" uuid="0673a48e-cc44-44e4-9958-4a52ce71c40b"><!--Automated System Account Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.1_smt-->
<statement statement-id="ac-2.1_smt" uuid="e3f6f419-1432-4c5b-9fe3-3e6f9ddf61ac">
<by-component uuid="4b9ecd2e-b9e5-4610-a35d-edc71c337ac0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to support the management of information system accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.2" uuid="acf30f6e-4c21-4043-9fc8-59999f1a8779"><!--Removal of Temporary / Emergency Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-2.2_prm_1">
<value>one of removes or disables</value>
</set-parameter>
<set-parameter param-id="ac-2.2_prm_2">
<value>organization-defined time period for each type of account</value>
<!--Constraint: no more than 30 days for temporary and emergency account types>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.2_smt-->
<statement statement-id="ac-2.2_smt" uuid="411aeda2-44f6-4e86-9699-68c224dcd232">
<by-component uuid="149ab2a1-145c-4e50-99c4-5eccc673af17"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically temporary and emergency accounts after .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.3" uuid="b1b14f98-6e6f-4351-9ff7-71c817a79c35"><!--Disable Inactive Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-2.3_prm_1">
<value>organization-defined time period</value>
<!--Constraint: 90 days for user accounts>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.3_smt-->
<statement statement-id="ac-2.3_smt" uuid="ea0472b6-10cd-4ba2-b9f4-47edaff723c0">
<by-component uuid="1508ea05-eb27-4e6e-8c6a-f11dd09975c3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically disables inactive accounts after .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.4" uuid="e53af3ac-ca1c-470d-b37c-1692197711b7"><!--Automated Audit Actions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-2.4_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.4_smt-->
<statement statement-id="ac-2.4_smt" uuid="054e4285-cabd-413c-9c78-8362eb046567">
<by-component uuid="0be04795-e28c-4b6d-a9eb-9451dd972a70"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.5" uuid="c0edb0c9-77f3-4fcf-ae8c-36b0b05f51ef"><!--Inactivity Logout-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-2.5_prm_1">
<value>organization-defined time-period of expected inactivity or description of when to log out</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.5_smt-->
<statement statement-id="ac-2.5_smt" uuid="d60df085-9b6f-45e8-b737-9c4baf9d8dee">
<by-component uuid="9f35ba2f-38a6-4795-abee-c147c8945dc5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires that users log out when .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.7" uuid="fc8d1d7d-5953-4049-aa7c-038993b3a5fb"><!--Role-based Schemes-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-2.7_prm_1">
<value>organization-defined actions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.7_smt.a, ac-2.7_smt.b, ac-2.7_smt.c-->
<statement statement-id="ac-2.7_smt.a" uuid="8fa77054-69d6-49c5-94cc-331c708d3170">
<by-component uuid="087caab6-9da4-4dfa-8e46-b5bbe0581d74"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2.7_smt.b" uuid="cb31554e-9672-47dd-871e-5c99664d9a4b">
<by-component uuid="e693b1ef-d10c-4d6e-9778-f2f69026ca7f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors privileged role assignments; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2.7_smt.c" uuid="eba706f8-dc60-457c-8da5-e21887c1c078">
<by-component uuid="93bc5cda-0d9b-4cc6-9a86-c71722c8ded0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Takes when privileged role assignments are no longer appropriate.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.9" uuid="42380461-24c2-4b14-bd11-b440d7e18ea2"><!--Restrictions On Use of Shared / Group Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-2.9_prm_1">
<value>organization-defined conditions for establishing shared/group accounts</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.9_smt-->
<statement statement-id="ac-2.9_smt" uuid="fd9598cd-c757-4786-bc1c-a822780cc14e">
<by-component uuid="50b8f1f4-eca7-45da-9049-c9b691758748"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization only permits the use of shared/group accounts that meet .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.10" uuid="39724c46-fd3f-4a7f-ac9c-2ace965fd8cc"><!--Shared / Group Account Credential Termination-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.10_smt-->
<statement statement-id="ac-2.10_smt" uuid="34c0c957-94c8-473e-9434-bed48938c1b8">
<by-component uuid="ffc98fb3-7539-4307-a67e-7aee841ceded"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system terminates shared/group account credentials when members leave the group.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-2.12" uuid="eb227128-c175-4208-823a-0aa5daa60896"><!--Account Monitoring / Atypical Usage-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-2.12_prm_1">
<value>organization-defined atypical usage</value>
</set-parameter>
<set-parameter param-id="ac-2.12_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-2.12_smt.a, ac-2.12_smt.b-->
<statement statement-id="ac-2.12_smt.a"
uuid="190c5914-6ce9-4cbb-a41f-a6717646ecf6">
<by-component uuid="7b986712-b6af-4673-9703-a4db05e5c2db"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors information system accounts for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-2.12_smt.b"
uuid="191be822-cca4-4b6e-8f8b-2018eda43304">
<by-component uuid="d8a54017-e947-414a-808a-0ad1e0ce0215"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reports atypical usage of information system accounts to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-3" uuid="7591a920-8c9e-42d6-9171-95dfa7623224"><!--Access Enforcement-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-3_smt-->
<statement statement-id="ac-3_smt" uuid="2bde9d35-ec74-4ce7-b519-bae9e1161288">
<by-component uuid="496665bf-323e-46b6-b4d8-3d663e532fa5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-4" uuid="5c0dd2cc-fb22-443c-857a-52c87d9346da"><!--Information Flow Enforcement-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-4_prm_1">
<value>organization-defined information flow control policies</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-4_smt, ac-4.21_smt-->
<statement statement-id="ac-4_smt" uuid="325855ef-c35d-4e02-abcf-03435874db52">
<by-component uuid="7b9f2934-c48b-4fca-b190-2a68ad3d7bcb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-4.21" uuid="21fb7ce3-ff42-48f0-b33d-345f66481540"><!--Physical / Logical Separation of Information Flows-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-4.21_prm_1">
<value>organization-defined mechanisms and/or techniques</value>
</set-parameter>
<set-parameter param-id="ac-4.21_prm_2">
<value>organization-defined required separations by types of information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-4.21_smt-->
<statement statement-id="ac-4.21_smt" uuid="61a37552-68da-4302-83ed-900c7f94f1f3">
<by-component uuid="8a9557c4-9819-4b4b-af9d-2709737e69ac"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system separates information flows logically or physically using to accomplish .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-5" uuid="c14adbdb-9b61-4664-b2ad-ba0b5cebe49b"><!--Separation of Duties-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-5_prm_1">
<value>organization-defined duties of individuals</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-5_smt.a, ac-5_smt.b, ac-5_smt.c-->
<statement statement-id="ac-5_smt.a" uuid="9288c7b1-6a90-4d5e-9717-5d82f4b87e0d">
<by-component uuid="2f804cdb-8222-43dd-8013-fd7498346e90"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Separates ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-5_smt.b" uuid="41afcd1b-42f9-43da-a8f3-e6edfabb81fb">
<by-component uuid="0b104021-492b-4024-a377-60012d9deb69"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents separation of duties of individuals; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-5_smt.c" uuid="fb1c3e33-31e8-4f0a-aa58-d14882f110d5">
<by-component uuid="e0981dd4-9d4e-4bf7-8db0-afbdf618d981"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines information system access authorizations to support separation of duties.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6" uuid="5b4eed00-fb71-4472-9443-842c6a3c727f"><!--Least Privilege-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6_smt, ac-6.1_smt, ac-6.2_smt, ac-6.5_smt, ac-6.9_smt, ac-6.10_smt-->
<statement statement-id="ac-6_smt" uuid="b099fb56-3b71-4060-b8e4-5f228d5911bb">
<by-component uuid="008e0bb1-8148-4352-b6af-68a48e3a8a07"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6.1" uuid="9d8c10e0-447c-4d60-b233-211bc6111055"><!--Authorize Access to Security Functions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-6.1_prm_1">
<value>organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6.1_smt-->
<statement statement-id="ac-6.1_smt" uuid="63fedb4d-7c8e-4370-b72e-2c09a491d8fd">
<by-component uuid="3c4bad80-b0bc-4443-b5be-dc9d31e677a7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization explicitly authorizes access to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6.2" uuid="0b52a362-3b59-417a-b872-d68e735d769e"><!--Non-privileged Access for Nonsecurity Functions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-6.2_prm_1">
<value>organization-defined security functions or security-relevant information</value>
<!--Constraint: all security functions>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6.2_smt-->
<statement statement-id="ac-6.2_smt" uuid="bad6c9b1-bc03-4b2f-83e4-d4a69a0532ab">
<by-component uuid="f77bbf94-d63d-4c01-bada-d4d377d7955f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6.5" uuid="ee6b8b90-0cb3-40af-a9d7-9ee31e001206"><!--Privileged Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-6.5_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6.5_smt-->
<statement statement-id="ac-6.5_smt" uuid="de6e9c00-041b-457c-8d07-da25f022107d">
<by-component uuid="c0af4ac9-8d7c-49be-8f96-51d37f27b016"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization restricts privileged accounts on the information system to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6.9" uuid="41916bc4-15ba-42f1-9968-12e6e36d826a"><!--Auditing Use of Privileged Functions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6.9_smt-->
<statement statement-id="ac-6.9_smt" uuid="80c431e9-4cb5-4ff5-aad6-29133f0561ce">
<by-component uuid="033057cc-bf55-4d15-855d-519affa39c70"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system audits the execution of privileged functions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-6.10" uuid="eb62dd90-fd66-4d6a-aca5-af3e174e68f1"><!--Prohibit Non-privileged Users from Executing Privileged Functions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-6.10_smt-->
<statement statement-id="ac-6.10_smt" uuid="b7990592-ec78-491c-b47b-8f1a614af83c">
<by-component uuid="76be19ba-9424-4952-b26f-0e0f6972763d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-7" uuid="2e064129-4fe7-49b9-8390-be9a53eb055f"><!--Unsuccessful Logon Attempts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="ac-7_prm_1">
<value>organization-defined number</value>
<!--Constraint: not more than three (3)>-->
</set-parameter>
<set-parameter param-id="ac-7_prm_2">
<value>organization-defined time period</value>
<!--Constraint: fifteen (15) minutes>-->
</set-parameter>
<set-parameter param-id="ac-7_prm_3">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="ac-7_prm_4">
<value>organization-defined time period</value>
<!--Constraint: locks the account/node for thirty minutes>-->
</set-parameter>
<set-parameter param-id="ac-7_prm_5">
<value>organization-defined delay algorithm</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-7_smt.a, ac-7_smt.b-->
<statement statement-id="ac-7_smt.a" uuid="661d7a70-1318-4dc8-ad1c-8b5c99bcb67d">
<by-component uuid="b03a8aaa-f55a-4e25-a769-e0c49df7344e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces a limit of consecutive invalid logon attempts by a user during a ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-7_smt.b" uuid="103c9c1f-7410-4fc8-a99f-0825fe97eb8f">
<by-component uuid="087d86bd-4ea5-44cf-800e-3ec36673cbf7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Automatically when the maximum number of unsuccessful attempts is exceeded.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-8" uuid="bfd80280-c133-4c5e-8c83-a4a8e62e0e2c"><!--System Use Notification-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-8_prm_1">
<value>organization-defined system use notification message or banner</value>
<!--Constraint: see additional Requirements and Guidance>-->
</set-parameter>
<set-parameter param-id="ac-8_prm_2">
<value>organization-defined conditions</value>
<!--Constraint: see additional Requirements and Guidance]>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-8_smt.a, ac-8_smt.b, ac-8_smt.c-->
<statement statement-id="ac-8_smt.a" uuid="c6333165-c708-44a5-8a66-ea98d9f92536">
<by-component uuid="a7404044-92ce-4fb1-bb17-5cab79d2cb68"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Displays to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-8_smt.b" uuid="2c8d35ae-f325-42b7-b7bd-bcd2fe9f54fb">
<by-component uuid="3c54cdee-691a-4b4b-bd06-0a1ad54582d7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-8_smt.c" uuid="7facaa48-6f0b-4e42-8930-a6bc9df1bb17">
<by-component uuid="608ccc80-ffd3-42cb-aaaf-6be4daf2190d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>For publicly accessible systems:</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-10" uuid="d0b1ce8d-86dc-44d8-a91a-d7d218bc1b4e"><!--Concurrent Session Control-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-10_prm_1">
<value>organization-defined account and/or account type</value>
</set-parameter>
<set-parameter param-id="ac-10_prm_2">
<value>organization-defined number</value>
<!--Constraint: three (3) sessions for privileged access and two (2) sessions for non-privileged access>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-10_smt-->
<statement statement-id="ac-10_smt" uuid="31a20055-4992-4aba-8f8c-4abe34ae4d43">
<by-component uuid="0786f441-f551-4457-8460-9e26fb5cca18"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system limits the number of concurrent sessions for each to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-11" uuid="4d4d32c0-a446-4eed-a028-d1fc8fa2e40a"><!--Session Lock-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-11_prm_1">
<value>organization-defined time period</value>
<!--Constraint: fifteen (15) minutes>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-11_smt.a, ac-11_smt.b, ac-11.1_smt-->
<statement statement-id="ac-11_smt.a" uuid="8a4c6dd0-dfa6-4af3-b325-9655bbbefae9">
<by-component uuid="3b1f3b9f-57b0-45a4-aa18-5106f39296f5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prevents further access to the system by initiating a session lock after of inactivity or upon receiving a request from a user; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-11_smt.b" uuid="b771b241-786d-499e-8c82-e70e5e9020d5">
<by-component uuid="2db6a05c-f0a3-494b-8ef4-f1be34ac31f3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains the session lock until the user reestablishes access using established identification and authentication procedures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-11.1" uuid="61dce65a-2e9a-4266-8d9d-4949e3bff8f9"><!--Pattern-hiding Displays-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-11.1_smt-->
<statement statement-id="ac-11.1_smt" uuid="338387a0-4962-4f8a-97ff-78d593b1525b">
<by-component uuid="3849f747-ca80-42bf-90ce-b625c73d0d8c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-12" uuid="ace82c36-29a5-4a86-9fa1-5872d12f8ed4"><!--Session Termination-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-12_prm_1">
<value>organization-defined conditions or trigger events requiring session disconnect</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-12_smt-->
<statement statement-id="ac-12_smt" uuid="63dec135-5c2d-46f7-9b5a-3be8007e3e1e">
<by-component uuid="2b17cd30-f39e-48c1-84e0-d723e9669fb9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically terminates a user session after .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-14" uuid="f9295a5e-1d0a-4a17-8549-c46fa0c517ab"><!--Permitted Actions Without Identification or Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-14_prm_1">
<value>organization-defined user actions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-14_smt.a, ac-14_smt.b-->
<statement statement-id="ac-14_smt.a" uuid="14220782-c6d5-4669-bfca-02c270eb82d3">
<by-component uuid="0c618d1d-6658-48eb-b812-e96809be8850"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-14_smt.b" uuid="90d2b6e4-0120-4451-b384-4f00fa11b1ea">
<by-component uuid="4c98e057-4078-44f1-963b-5096185cec96"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17" uuid="73f737b9-d673-41bb-bbea-1cca7dde97e4"><!--Remote Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17_smt.a, ac-17_smt.b, ac-17.1_smt, ac-17.2_smt, ac-17.3_smt, ac-17.4_smt.a, ac-17.4_smt.b, ac-17.9_smt-->
<statement statement-id="ac-17_smt.a" uuid="e1873e13-aa72-4873-a1d4-5914893da289">
<by-component uuid="9795021b-254b-48a9-a7b7-6c3a71864297"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-17_smt.b" uuid="7273920b-6760-42fe-8497-714694f7240f">
<by-component uuid="8422e4f3-4efd-4aa9-a3e5-f08f403fc120"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes remote access to the information system prior to allowing such connections.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17.1" uuid="0df50c64-9d85-46b7-8e8a-846b0db0cbe0"><!--Automated Monitoring / Control-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17.1_smt-->
<statement statement-id="ac-17.1_smt" uuid="2503aa8d-b394-4f60-8d9e-ac6ae7e385f0">
<by-component uuid="75d11264-ec2f-4f8b-96d0-9cf162e6f0d9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system monitors and controls remote access methods.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17.2" uuid="55d315e6-0101-4eb0-b5a0-5c8292df1564"><!--Protection of Confidentiality / Integrity Using Encryption-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17.2_smt-->
<statement statement-id="ac-17.2_smt" uuid="125ec9f5-3b75-4890-8db3-02a0cb9b5154">
<by-component uuid="8d1a27b3-8b95-42c2-8373-258441f8ce9f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17.3" uuid="a0d75670-3cc3-427c-b0d6-995e013673a4"><!--Managed Access Control Points-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-17.3_prm_1">
<value>organization-defined number</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17.3_smt-->
<statement statement-id="ac-17.3_smt" uuid="35c75d24-767d-4c96-a253-e2c80625b8d9">
<by-component uuid="b9ee2ecf-5bd3-4de3-b016-7983ba54d819"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system routes all remote accesses through managed network access control points.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17.4" uuid="350aa09d-25d6-4cb0-b214-80bc893ff411"><!--Privileged Commands / Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-17.4_prm_1">
<value>organization-defined needs</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17.4_smt.a, ac-17.4_smt.b-->
<statement statement-id="ac-17.4_smt.a"
uuid="d955f026-ea45-409c-ae97-0d6416c3b717">
<by-component uuid="32f9def3-7237-49c7-a842-c3e8727cba25"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes the execution of privileged commands and access to security-relevant information via remote access only for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-17.4_smt.b"
uuid="ebd495c0-3d74-4901-beb8-e9f2354d8e99">
<by-component uuid="c51b5581-ff24-4b79-9a8e-a98b60f55ef5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents the rationale for such access in the security plan for the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-17.9" uuid="f3466c4d-e0d1-4d67-ab22-ffbc4ca92dd8"><!--Disconnect / Disable Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-17.9_prm_1">
<value>organization-defined time period</value>
<!--Constraint: fifteen 15 minutes>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-17.9_smt-->
<statement statement-id="ac-17.9_smt" uuid="f43a7726-8135-49aa-86bf-6d41085289eb">
<by-component uuid="9563a725-bcc0-4ed5-92a5-15b58fa6f76e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-18" uuid="d472a132-f4a8-465f-9279-f4274ab8a8eb"><!--Wireless Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-18_smt.a, ac-18_smt.b, ac-18.1_smt-->
<statement statement-id="ac-18_smt.a" uuid="63bc9d7d-5fd3-4c00-8534-27b4d1e3045f">
<by-component uuid="22d626cb-cb62-45b3-a494-430d914519d4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-18_smt.b" uuid="2c4fda8d-a03c-4d3e-a15a-67c16a5542e7">
<by-component uuid="6a24dcd8-d4c1-4dff-8154-4af8dbbc3927"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes wireless access to the information system prior to allowing such connections.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-18.1" uuid="2b62ba47-e8f1-451f-ac28-7a2aa44d7550"><!--Authentication and Encryption-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-18.1_prm_1">
<value>one-or-more of users, devices</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-18.1_smt-->
<statement statement-id="ac-18.1_smt" uuid="c0af7aa2-832a-415f-8be6-4f28f3e28466">
<by-component uuid="402561e1-ba92-452b-a6dd-89ecd18e0457"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects wireless access to the system using authentication of and encryption.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-19" uuid="ba7e6139-2797-40f4-b9d4-08a24b6f7e5e"><!--Access Control for Mobile Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-19_smt.a, ac-19_smt.b, ac-19.5_smt-->
<statement statement-id="ac-19_smt.a" uuid="f826974e-33bb-4ccb-a78d-7b365ce476ca">
<by-component uuid="10fc51f4-4406-4b3b-b2cc-6f44f6f87d35"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-19_smt.b" uuid="d4781912-0aaf-4d5b-a0f2-cf0627a971ce">
<by-component uuid="60dc440e-1d2b-48b3-8eb5-a020d64f6bd0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes the connection of mobile devices to organizational information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-19.5" uuid="5732814d-293e-4fa6-a1a9-d51742601b67"><!--Full Device / Container-based Encryption-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-19.5_prm_1">
<value>one of full-device encryption or container encryption</value>
</set-parameter>
<set-parameter param-id="ac-19.5_prm_2">
<value>organization-defined mobile devices</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-19.5_smt-->
<statement statement-id="ac-19.5_smt" uuid="64abe755-c221-4052-98ea-4d175f9094c2">
<by-component uuid="e54ea956-92e2-4100-8084-61ec7c2a680c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs to protect the confidentiality and integrity of information on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-20" uuid="5d68f13e-1c77-4dd9-baf6-a7b4d1b4dd82"><!--Use of External Information Systems-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-20_smt.a, ac-20_smt.b, ac-20.1_smt.a, ac-20.1_smt.b, ac-20.2_smt-->
<statement statement-id="ac-20_smt.a" uuid="040c9793-bb54-4fb7-af0a-9fa760cdf031">
<by-component uuid="393994e1-83db-4ea0-83a8-b99a6988a1c4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Access the information system from external information systems; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-20_smt.b" uuid="3d631c5c-f751-44e0-bf12-e701f84044b4">
<by-component uuid="92deb490-0297-4185-b063-b1701c41f63d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Process, store, or transmit organization-controlled information using external information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-20.1" uuid="7d8655fa-0085-4389-8ac1-e62bc49c7369"><!--Limits On Authorized Use-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-20.1_smt.a, ac-20.1_smt.b-->
<statement statement-id="ac-20.1_smt.a"
uuid="ce51186f-7d0b-42d3-8394-040441bce81c">
<by-component uuid="70b3a546-36e2-4b7f-aceb-3b343fbae147"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-20.1_smt.b"
uuid="483375e5-18d6-4edd-8e75-dd9e153681f0">
<by-component uuid="9b67df75-bdb7-47cc-b174-3fdff2b8da59"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-20.2" uuid="6488f3e7-a50f-4a0a-b0b6-74f1e34252b0"><!--Portable Storage Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-20.2_prm_1">
<value>one of restricts or prohibits</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-20.2_smt-->
<statement statement-id="ac-20.2_smt" uuid="cc72ee38-8d32-4b2d-abb1-ba500a318680">
<by-component uuid="41d88a96-518e-40f6-b507-10ce7f0b0395"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-21" uuid="08bee8e6-c74a-46ef-a932-9a49b712343c"><!--Information Sharing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ac-21_prm_1">
<value>organization-defined information sharing circumstances where user discretion is required</value>
</set-parameter>
<set-parameter param-id="ac-21_prm_2">
<value>organization-defined automated mechanisms or manual processes</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-21_smt.a, ac-21_smt.b-->
<statement statement-id="ac-21_smt.a" uuid="320aeb40-f2e5-4ff1-b469-4f53b66ea2e5">
<by-component uuid="0b585a3f-78d7-476f-a4a8-c162a6da7061"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-21_smt.b" uuid="1222b3ae-6c12-4dfc-b5ca-2a51e90c711f">
<by-component uuid="f330d538-25ec-4fc6-96ba-247c274dd4e3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs to assist users in making information sharing/collaboration decisions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ac-22" uuid="fa52e923-6fbb-4d14-845b-592c6f0b97a8"><!--Publicly Accessible Content-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ac-22_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least quarterly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ac-22_smt.a, ac-22_smt.b, ac-22_smt.c, ac-22_smt.d-->
<statement statement-id="ac-22_smt.a" uuid="de1300f4-62f7-44f3-a5d1-41eab12e5a08">
<by-component uuid="84d7ae53-dffe-46e4-8e4c-cab64d62ef7a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Designates individuals authorized to post information onto a publicly accessible information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.b" uuid="ead91852-6f99-4a1b-b129-0853b8493411">
<by-component uuid="6ffe14f0-2cd4-410d-a6bf-f919ac4b8ef2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.c" uuid="87fb1c58-728b-4d97-aa75-510083683e8a">
<by-component uuid="7fde088e-633d-4b2f-9145-5a11881a7a41"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ac-22_smt.d" uuid="cbe623bb-3a79-4897-b578-a366ad7af084">
<by-component uuid="edcb8b1d-50da-43bd-bf4c-dcddaf6a81d5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the content on the publicly accessible information system for nonpublic information and removes such information, if discovered.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-1" uuid="0a79fc80-2ea2-428e-8941-2ea6ca6e8306"><!--Security Awareness and Training Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="at-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="at-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="at-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-1_smt.a, at-1_smt.b.1, at-1_smt.b.2-->
<statement statement-id="at-1_smt.a" uuid="98981559-e80f-4c06-a3a7-f8f3a20f6c38">
<by-component uuid="3a1b6256-2369-4776-ac8f-ce00cd1a9393"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-1_smt.b.1" uuid="eb046565-101d-45f4-b4bf-a9daeba85a83">
<by-component uuid="7f7a31a7-2e8c-4bc8-8e90-78500c2d4227"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security awareness and training policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-1_smt.b.2" uuid="11fc9f23-e77d-411e-8aa5-0156e67e9a75">
<by-component uuid="8e2e6b04-5bef-429b-b602-56ee618ec0ae"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security awareness and training procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-2" uuid="b50af21f-65b4-4dcf-9879-018756079945"><!--Security Awareness Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="at-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-2_smt.a, at-2_smt.b, at-2_smt.c, at-2.2_smt-->
<statement statement-id="at-2_smt.a" uuid="fba8de06-e663-4873-909b-3ca90a63f1de">
<by-component uuid="5c62a6fc-01a9-41d2-bd2f-0b86d0bec8b0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>As part of initial training for new users;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-2_smt.b" uuid="527ac2cb-ef16-4152-9925-cf96db5e8d98">
<by-component uuid="c0b90394-ecd9-4982-8eb1-74af0103eb83"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-2_smt.c" uuid="a645676b-fc3d-4b7a-b408-0b33d587c092">
<by-component uuid="c5c1bf9a-8d81-45c7-ac52-bcb272beb788"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-2.2" uuid="c4cd14c7-c26b-40b3-8626-87cfcb4bfdeb"><!--Insider Threat-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-2.2_smt-->
<statement statement-id="at-2.2_smt" uuid="24246b17-d4eb-4d63-b109-c480a2d5f53f">
<by-component uuid="0703c8ee-5f87-40ae-a8d5-26dd5fb7c23c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-3" uuid="344e956c-31a6-41f7-9a79-0b02e55aeabd"><!--Role-based Security Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="at-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-3_smt.a, at-3_smt.b, at-3_smt.c-->
<statement statement-id="at-3_smt.a" uuid="792b668b-ae91-47ab-93ce-5ea7457c82e2">
<by-component uuid="852156b8-8afc-41a4-a371-fb056e818138"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Before authorizing access to the information system or performing assigned duties;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-3_smt.b" uuid="a355ca70-9974-4d99-a026-435b885c341b">
<by-component uuid="f58a2867-f76a-4e7b-ba7c-6253af3a4094"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-3_smt.c" uuid="8b69f9bc-b1f7-4106-9fd6-0ef23f9666e8">
<by-component uuid="fb7d490a-a674-456c-824c-dd4b32bb7087"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="at-4" uuid="7e12b184-e00e-477b-a21a-2f6743e2c9e8"><!--Security Training Records-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="at-4_prm_1">
<value>organization-defined time period</value>
<!--Constraint: At least one year>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: at-4_smt.a, at-4_smt.b-->
<statement statement-id="at-4_smt.a" uuid="7d996f72-6776-4994-a39c-415eea33d91c">
<by-component uuid="fcc2cf12-0962-4963-ac6f-67608afb021a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="at-4_smt.b" uuid="aea76185-5aae-40d4-9078-b66019aee72d">
<by-component uuid="49499e53-7ce4-4af5-afe3-613c6686c16a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains individual training records for .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-1" uuid="57d0f6c2-2c57-4286-9f38-f0d820f1d341"><!--Audit and Accountability Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="au-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="au-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="au-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-1_smt.a, au-1_smt.b.1, au-1_smt.b.2-->
<statement statement-id="au-1_smt.a" uuid="67c67e83-6734-42c9-bdb8-0444dca15137">
<by-component uuid="c092c71a-3e6a-487b-a96f-011d6c65fa18"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-1_smt.b.1" uuid="b19b75d1-8d72-4da9-ac88-aef6eb3a4a27">
<by-component uuid="bf7651d6-ff03-438c-bd98-23ec44cb5653"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Audit and accountability policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-1_smt.b.2" uuid="80a341c7-d9e0-48eb-ab54-0ab0b3c21eb4">
<by-component uuid="7fa09cb0-e7e5-4206-aaa0-3f3aa69a9d92"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Audit and accountability procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-2" uuid="75b817d0-5b9d-436b-8ca8-72a1af8b0c89"><!--Audit Events-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="au-2_prm_1">
<value>organization-defined auditable events</value>
<!--Constraint: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes>-->
</set-parameter>
<set-parameter param-id="au-2_prm_2">
<value>organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event</value>
<!--Constraint: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-2_smt.a, au-2_smt.b, au-2_smt.c, au-2_smt.d, au-2.3_smt-->
<statement statement-id="au-2_smt.a" uuid="77eb7bfa-8768-48d1-b27b-6d29f724f7f8">
<by-component uuid="c6ced49d-41c8-4371-b93a-62d141902c43"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines that the information system is capable of auditing the following events: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.b" uuid="6902ca89-7e8f-422a-a6de-d05f3bf0ef22">
<by-component uuid="f79df204-a2e8-4cdb-849c-ae7aaebfed7c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.c" uuid="f33ae249-6302-45b9-8735-f57686507752">
<by-component uuid="9ed984b7-84b4-4eef-9dbc-0d4292613176"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-2_smt.d" uuid="27361428-fcc8-406b-9052-be347317fc59">
<by-component uuid="3616024d-f918-4853-beb3-2af6899e8c9e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines that the following events are to be audited within the information system: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-2.3" uuid="004d92da-5180-4556-858d-a2cdbaa15efb"><!--Reviews and Updates-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-2.3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: annually or whenever there is a change in the threat environment>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-2.3_smt-->
<statement statement-id="au-2.3_smt" uuid="b820fa14-5496-41fb-8ddf-e01f0a0b9bb2">
<by-component uuid="c95328bc-33f8-4523-ba05-832e4ae1d731"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization reviews and updates the audited events .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-3" uuid="7862949a-05fb-42a0-9d70-ee6162ef0d8e"><!--Content of Audit Records-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-3_smt, au-3.1_smt-->
<statement statement-id="au-3_smt" uuid="78e1bbb8-b2da-4d6b-a5c4-e45405351cf8">
<by-component uuid="fadf8a19-a58f-4db9-b96f-cf0523b677cb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-3.1" uuid="75ca30da-460d-4c2b-ab27-e146e0ccf623"><!--Additional Audit Information-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-3.1_prm_1">
<value>organization-defined additional, more detailed information</value>
<!--Constraint: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-3.1_smt-->
<statement statement-id="au-3.1_smt" uuid="cf32b874-f014-4758-b497-3122c655034e">
<by-component uuid="eed91e81-6397-4b94-9a72-f0ffcfb78614"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system generates audit records containing the following additional information: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-4" uuid="84b848a0-e82e-4f3c-a508-197ca1ccb074"><!--Audit Storage Capacity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-4_prm_1">
<value>organization-defined audit record storage requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-4_smt-->
<statement statement-id="au-4_smt" uuid="d5e1b01b-9a4c-4c07-9567-ffc05fccb2a6">
<by-component uuid="44619cdd-6880-4870-883f-a55d8bffeb14"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization allocates audit record storage capacity in accordance with .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-5" uuid="adce49dd-d4fd-4114-891d-b6c20f6004c0"><!--Response to Audit Processing Failures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="au-5_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="au-5_prm_2">
<value>organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)</value>
<!--Constraint: organization-defined actions to be taken (overwrite oldest record)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-5_smt.a, au-5_smt.b-->
<statement statement-id="au-5_smt.a" uuid="8ac67661-46a0-4dba-844c-a57e650c0aad">
<by-component uuid="a220d3f1-ff74-4bb8-bbc1-b001bfeaaeb5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Alerts in the event of an audit processing failure; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-5_smt.b" uuid="38142fcc-18e7-4c36-a503-a81e6fe2fd2b">
<by-component uuid="0ce0e5c4-1ccd-40e7-8e87-fd714129a2f1"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Takes the following additional actions: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-6" uuid="31cd271a-1813-4743-a804-d35fca77b9d6"><!--Audit Review, Analysis, and Reporting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="au-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least weekly>-->
</set-parameter>
<set-parameter param-id="au-6_prm_2">
<value>organization-defined inappropriate or unusual activity</value>
</set-parameter>
<set-parameter param-id="au-6_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-6_smt.a, au-6_smt.b, au-6.1_smt, au-6.3_smt-->
<statement statement-id="au-6_smt.a" uuid="599f215b-2710-4b5f-8ab0-de5b25a84104">
<by-component uuid="24fa0aca-c26b-4f8e-8226-db47fb5202df"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and analyzes information system audit records for indications of ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-6_smt.b" uuid="384b0f48-9215-4b6e-abe7-940f1647e38d">
<by-component uuid="1c7e6fa1-2cf7-4040-beca-b0d2f743a340"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reports findings to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-6.1" uuid="658fa371-de6d-4d3e-b018-92f7460c6c9c"><!--Process Integration-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-6.1_smt-->
<statement statement-id="au-6.1_smt" uuid="fe2a1c85-a666-4083-9d44-baa735831005">
<by-component uuid="2a24735f-f4e4-4a19-b1b8-a72cb334b911"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-6.3" uuid="e701dc64-fa7c-4bc7-a802-f8c868ccbe1e"><!--Correlate Audit Repositories-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-6.3_smt-->
<statement statement-id="au-6.3_smt" uuid="1013919e-80f1-4c40-a834-26b6f26da368">
<by-component uuid="f3aad029-82f4-4569-bce0-6fe8b4362f2b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-7" uuid="3f1d627f-3931-49b7-91a7-67fc0e0e482b"><!--Audit Reduction and Report Generation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-7_smt.a, au-7_smt.b, au-7.1_smt-->
<statement statement-id="au-7_smt.a" uuid="fc2ffd7c-1908-4191-ab53-70a047c78c1a">
<by-component uuid="ec1f78ca-8e87-47bd-ab7b-e360e6347554"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-7_smt.b" uuid="7d606817-73a4-413c-b506-63fca40ea5a1">
<by-component uuid="18cef96e-7647-43cf-acd4-b1047092ab4b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Does not alter the original content or time ordering of audit records.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-7.1" uuid="43c843dc-09fa-4a03-8153-cc6acebf8499"><!--Automatic Processing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-7.1_prm_1">
<value>organization-defined audit fields within audit records</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-7.1_smt-->
<statement statement-id="au-7.1_smt" uuid="659aa188-4aa2-4964-b1f7-cf0d5930e1f1">
<by-component uuid="8bd44ce8-80e5-4a95-ad30-d07131f82a82"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system provides the capability to process audit records for events of interest based on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-8" uuid="4ec8126b-9aab-45b8-8ea2-f50053e41166"><!--Time Stamps-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-8_prm_1">
<value>organization-defined granularity of time measurement</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-8_smt.a, au-8_smt.b, au-8.1_smt.a, au-8.1_smt.b-->
<statement statement-id="au-8_smt.a" uuid="f617e1ac-0621-4961-bffd-0be8a466cedf">
<by-component uuid="7c61809e-15e1-4c95-8dd4-25d64fb96b92"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Uses internal system clocks to generate time stamps for audit records; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-8_smt.b" uuid="0cf01563-7a55-4e61-9d21-54a6998d99f0">
<by-component uuid="980aaf52-68f4-4f18-ab4d-638a84ff167e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-8.1" uuid="05dadd9d-c26d-4600-af47-6aed9f0b519a"><!--Synchronization with Authoritative Time Source-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="au-8.1_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: At least hourly>-->
</set-parameter>
<set-parameter param-id="au-8.1_prm_2">
<value>organization-defined authoritative time source</value>
<!--Constraint: http://tf.nist.gov/tf-cgi/servers.cgi>-->
</set-parameter>
<set-parameter param-id="au-8.1_prm_3">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-8.1_smt.a, au-8.1_smt.b-->
<statement statement-id="au-8.1_smt.a" uuid="e5c095cf-78f3-489a-832c-729e61deb4ba">
<by-component uuid="381cdcc9-47f4-4902-abdc-6435eb2164e3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Compares the internal information system clocks with ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-8.1_smt.b" uuid="e093a4a2-bb68-4e99-ba88-322924336058">
<by-component uuid="6087f9a4-b7ad-4b72-a954-22cc8271acab"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-9" uuid="fc7357e8-3b99-4687-a7e5-d916c96da550"><!--Protection of Audit Information-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-9_smt, au-9.2_smt, au-9.4_smt-->
<statement statement-id="au-9_smt" uuid="98159ba7-cf49-4eba-aa20-680d3b486005">
<by-component uuid="f0073034-f4de-43f4-828c-a774af8925c4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects audit information and audit tools from unauthorized access, modification, and deletion.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-9.2" uuid="c66519a2-dad1-4bfb-8b19-29ea160115c2"><!--Audit Backup On Separate Physical Systems / Components-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-9.2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least weekly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-9.2_smt-->
<statement statement-id="au-9.2_smt" uuid="a08abb7e-6973-47cc-a877-05b7681a3888">
<by-component uuid="ef273287-74b3-4b49-a5a1-92ff5c2d86b0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system backs up audit records onto a physically different system or system component than the system or component being audited.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-9.4" uuid="09e0a5b5-e203-4cdf-be87-ebcdab04ebe1"><!--Access by Subset of Privileged Users-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-9.4_prm_1">
<value>organization-defined subset of privileged users</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-9.4_smt-->
<statement statement-id="au-9.4_smt" uuid="e521df98-c370-4320-b94b-96e8ba2278b6">
<by-component uuid="836dd0a1-00ba-4631-8af6-5111042fb99e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization authorizes access to management of audit functionality to only .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-11" uuid="6a0469ab-05a1-4278-b5c3-b05b290cd0e9"><!--Audit Record Retention-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="au-11_prm_1">
<value>organization-defined time period consistent with records retention policy</value>
<!--Constraint: at least ninety days>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-11_smt-->
<statement statement-id="au-11_smt" uuid="e5f2ed67-6b6f-4abd-a564-66ac4ec2a10b">
<by-component uuid="3d5667a0-f851-48ca-9ab3-b7d81f48c601"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="au-12" uuid="1ac0966f-b664-439c-9f2a-dcbb39d68c05"><!--Audit Generation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="au-12_prm_1">
<value>organization-defined information system components</value>
<!--Constraint: all information system and network components where audit capability is deployed/available>-->
</set-parameter>
<set-parameter param-id="au-12_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: au-12_smt.a, au-12_smt.b, au-12_smt.c-->
<statement statement-id="au-12_smt.a" uuid="5e6ac6ff-a000-4df2-a837-871b171fb569">
<by-component uuid="9505b54b-6a59-4df6-a3bb-d2ca7336de8e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides audit record generation capability for the auditable events defined in AU-2 a. at ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-12_smt.b" uuid="eccfc81f-0452-4a2b-994e-d7af843c3347">
<by-component uuid="ca1674b5-0a87-45a4-acd2-b51e888f5da3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows to select which auditable events are to be audited by specific components of the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="au-12_smt.c" uuid="c5c34c3a-7e15-410c-98cd-acb9221ef2cd">
<by-component uuid="aed19913-7806-4d75-a5c1-f099a1fdcc07"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-1" uuid="ee86378f-afc4-4090-a858-11781389daa8"><!--Security Assessment and Authorization Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ca-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ca-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ca-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-1_smt.a, ca-1_smt.b.1, ca-1_smt.b.2-->
<statement statement-id="ca-1_smt.a" uuid="3c7cdd9a-54f1-4eb7-9bd1-9c5a4937d717">
<by-component uuid="9c93a4a2-342f-4586-8f9a-1565d278d667"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-1_smt.b.1" uuid="26448b20-8cf8-4e0d-bdaa-b1b6872668e3">
<by-component uuid="ef4387f9-17e5-46d9-b2ca-12e2e02c3b5a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assessment and authorization policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-1_smt.b.2" uuid="e82fb00e-04f5-4ce4-9356-328261395828">
<by-component uuid="7f607967-a230-4fcb-b132-715440e775d6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assessment and authorization procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2" uuid="7b9c9504-3cc3-4799-9150-e65a8af5f5d4"><!--Security Assessments-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="partial">
<remarks>
<p>A description the portion of the control that is not satisfied.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<set-parameter param-id="ca-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ca-2_prm_2">
<value>organization-defined individuals or roles</value>
<!--Constraint: individuals or roles to include FedRAMP PMO>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2_smt.a, ca-2_smt.b, ca-2_smt.c, ca-2_smt.d, ca-2.1_smt, ca-2.2_smt, ca-2.3_smt-->
<statement statement-id="ca-2_smt.a" uuid="8bc5b24e-3ea7-471c-9bdb-369d37aeb8a9">
<by-component uuid="fd4fecab-ae01-46be-ab9f-40c2e622db6a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a security assessment plan that describes the scope of the assessment including:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.b" uuid="f89ac999-bcc5-442d-8ed3-eeea0c7d73ad">
<by-component uuid="95a6e53b-37f1-47e1-a522-14ceb7a51ab3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.c" uuid="46890713-2994-4949-8bc2-770e4b643ead">
<by-component uuid="de5215a5-6d71-4137-a894-3bc79bb505d3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Produces a security assessment report that documents the results of the assessment; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-2_smt.d" uuid="5e4cb2fd-82fb-40b9-b06e-294b17a5c5ad">
<by-component uuid="a38023b1-f5a4-427e-8ef9-93c5f0d9f33c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides the results of the security control assessment to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2.1" uuid="4b0fb855-422d-49e4-8a03-7861278ea0ad"><!--Independent Assessors-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-2.1_prm_1">
<value>organization-defined level of independence</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2.1_smt-->
<statement statement-id="ca-2.1_smt" uuid="a6458b19-4c1b-4650-9af5-2f0c100429da">
<by-component uuid="e80e2da3-affc-4630-81d5-197e3b5e22a4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs assessors or assessment teams with to conduct security control assessments.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2.2" uuid="7a2799d0-b804-4776-8cfd-d47062711427"><!--Specialized Assessments-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ca-2.2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ca-2.2_prm_2">
<value>one of announced or unannounced</value>
</set-parameter>
<set-parameter param-id="ca-2.2_prm_3">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="ca-2.2_prm_4">
<value>organization-defined other forms of security assessment</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2.2_smt-->
<statement statement-id="ca-2.2_smt" uuid="960007b9-9ac5-45d7-bd50-0b32103cb370">
<by-component uuid="ad2b660c-b9c6-403c-a4d5-48fcbddac4f4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization includes as part of security control assessments, , , .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-2.3" uuid="06cbc006-adc1-4524-a41f-737bd1d9da1b"><!--External Organizations-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ca-2.3_prm_1">
<value>organization-defined information system</value>
<!--Constraint: any FedRAMP Accredited 3PAO>-->
</set-parameter>
<set-parameter param-id="ca-2.3_prm_2">
<value>organization-defined external organization</value>
<!--Constraint: any FedRAMP Accredited 3PAO>-->
</set-parameter>
<set-parameter param-id="ca-2.3_prm_3">
<value>organization-defined requirements</value>
<!--Constraint: the conditions of the JAB/AO in the FedRAMP Repository>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-2.3_smt-->
<statement statement-id="ca-2.3_smt" uuid="8c08072a-a569-4058-ba17-a92ec7530f63">
<by-component uuid="cbb153fc-f167-48a9-b594-336393e5df0d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization accepts the results of an assessment of performed by when the assessment meets .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-3" uuid="6404a4ac-5d69-4531-9acf-35224fcc9b60"><!--System Interconnections-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually and on input from FedRAMP>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-3_smt.a, ca-3_smt.b, ca-3_smt.c, ca-3.3_smt, ca-3.5_smt-->
<statement statement-id="ca-3_smt.a" uuid="fa479c64-dd24-4ecc-b1eb-ed44db5f1aeb">
<by-component uuid="05a25cd1-ce3e-493c-b93f-15e4a58ce12e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-3_smt.b" uuid="391acdf4-93de-4cd3-8266-ef0fb3a5b3e6">
<by-component uuid="b2abe505-e4b2-4fda-95c8-3dff24289ac4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-3_smt.c" uuid="32608dee-49b0-4a78-bb0b-c7cbf23a519c">
<by-component uuid="bfe016a6-39b7-450b-964b-bcc0f6fe44bd"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates Interconnection Security Agreements .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-3.3" uuid="09d523d7-c5d6-4bdb-8015-b6646b981c91"><!--Unclassified Non-national Security System Connections-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ca-3.3_prm_1">
<value>organization-defined unclassified, non-national security system</value>
</set-parameter>
<set-parameter param-id="ca-3.3_prm_2">
<value>Assignment; organization-defined boundary protection device</value>
<!--Constraint: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-3.3_smt-->
<statement statement-id="ca-3.3_smt" uuid="0eca6f25-dfb2-43ac-9504-7ed49724ab7d">
<by-component uuid="48d480fd-19f5-4b04-b06e-6b5e3be8b6dd"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization prohibits the direct connection of an to an external network without the use of .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-3.5" uuid="dc027290-7112-4fff-8c3d-42503d722d5d"><!--Restrictions On External System Connections-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ca-3.5_prm_1">
<value>one of allow-all, deny-by-exception or deny-all, permit-by-exception</value>
</set-parameter>
<set-parameter param-id="ca-3.5_prm_2">
<value>organization-defined information systems</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-3.5_smt-->
<statement statement-id="ca-3.5_smt" uuid="c450da12-6a36-42f4-b60b-e49224c6359e">
<by-component uuid="38887324-ffa6-4543-bae9-4f76657cfb72"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs policy for allowing to connect to external information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-5" uuid="da183c4f-cc4b-4f47-a609-8491a98924b0"><!--Plan of Action and Milestones-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-5_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-5_smt.a, ca-5_smt.b-->
<statement statement-id="ca-5_smt.a" uuid="d72c13f9-4319-49a3-bf6d-93f154aae756">
<by-component uuid="cd2f47af-a040-4d39-8e96-bb8eacbf86df"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-5_smt.b" uuid="32578401-eef1-43c5-8484-90d53f1fe82c">
<by-component uuid="7d55c14c-743d-49ce-b5d1-7590d53ff6b0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-6" uuid="1e6104ad-0148-4602-a6bf-3439a6bed1db"><!--Security Authorization-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least every three (3) years or when a significant change occurs>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-6_smt.a, ca-6_smt.b, ca-6_smt.c-->
<statement statement-id="ca-6_smt.a" uuid="169f6fb9-028c-459b-938a-5650c544c8ef">
<by-component uuid="0d1ca587-45f4-4576-a3ff-e620eba1bbfc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns a senior-level executive or manager as the authorizing official for the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-6_smt.b" uuid="96f669d2-23d3-433e-a525-6ea099ccb80d">
<by-component uuid="4c51ffb7-d2e1-4ca2-b140-a6a2331f6de9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the authorizing official authorizes the information system for processing before commencing operations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-6_smt.c" uuid="9fe91bf6-566e-47f5-9cfc-9f02bd79ddab">
<by-component uuid="c96cbf3a-05c9-4a0d-be52-7002628f3e12"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the security authorization .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-7" uuid="eec5cfbb-a785-47c3-8da5-de8f92eaa664"><!--Continuous Monitoring-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="ca-7_prm_1">
<value>organization-defined metrics</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_2">
<value>organization-defined frequencies</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_3">
<value>organization-defined frequencies</value>
</set-parameter>
<set-parameter param-id="ca-7_prm_4">
<value>organization-defined personnel or roles</value>
<!--Constraint: to meet Federal and FedRAMP requirements (See additional guidance)>-->
</set-parameter>
<set-parameter param-id="ca-7_prm_5">
<value>organization-defined frequency</value>
<!--Constraint: to meet Federal and FedRAMP requirements (See additional guidance)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-7_smt.a, ca-7_smt.b, ca-7_smt.c, ca-7_smt.d, ca-7_smt.e, ca-7_smt.f, ca-7_smt.g, ca-7.1_smt-->
<statement statement-id="ca-7_smt.a" uuid="63e49d7f-9a51-466f-8551-52b28c0ed37c">
<by-component uuid="885afd0b-98be-4b44-8de3-5f2550ad91c4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishment of to be monitored;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.b" uuid="31653f99-642e-46b3-a17c-2762f70b1742">
<by-component uuid="50e64ef1-bbf0-408c-98be-81173c266a8d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishment of for monitoring and for assessments supporting such monitoring;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.c" uuid="3f5cabfa-aa10-496b-89fb-7e10a20d37af">
<by-component uuid="f3b40ea4-8c44-4306-ae14-96403fca3d87"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.d" uuid="30424d37-d4be-45d1-9e1b-a09d00f541ff">
<by-component uuid="8615be24-feac-47cb-aca7-73f3006b3b33"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.e" uuid="74a52f2d-f5fd-4cf7-b856-19016e7af953">
<by-component uuid="d1701a64-a166-40cf-a094-5a86589a7e3d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Correlation and analysis of security-related information generated by assessments and monitoring;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.f" uuid="1cdd7a0e-c2d8-4608-8070-66009b973373">
<by-component uuid="224341ae-2572-447a-96ac-67b097bf0cdc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Response actions to address results of the analysis of security-related information; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-7_smt.g" uuid="8bb6c0ef-b381-4b78-8dc6-8c0089f8c913">
<by-component uuid="9b11e0e4-99a1-471c-9377-418480f59887"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reporting the security status of organization and the information system to
.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-7.1" uuid="151b7908-9a6a-45be-9360-9ce0638cd273"><!--Independent Assessment-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-7.1_prm_1">
<value>organization-defined level of independence</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-7.1_smt-->
<statement statement-id="ca-7.1_smt" uuid="439bf1e3-04ee-425f-84ee-5a40b20aa00f">
<by-component uuid="886d2e15-9acf-4015-8397-4b45bddaa14d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-8" uuid="c888ba71-4204-45c2-ad23-15d469c44584"><!--Penetration Testing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ca-8_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ca-8_prm_2">
<value>organization-defined information systems or system components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-8_smt, ca-8.1_smt-->
<statement statement-id="ca-8_smt" uuid="d6df8f9c-7854-4e42-a884-ccc4ce275946">
<by-component uuid="d8fa6d59-20f3-4d38-81c4-66f30d89632b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization conducts penetration testing on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-8.1" uuid="01ea4019-c016-44de-bbc3-1c2bb9c58cf4"><!--Independent Penetration Agent or Team-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-8.1_smt-->
<statement statement-id="ca-8.1_smt" uuid="0b1bc9cf-4546-47b3-b131-ce1196629baa">
<by-component uuid="4630788d-4329-4466-9f59-945141e81bed"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ca-9" uuid="76da54f6-0328-4bde-b1ec-7570524685cb"><!--Internal System Connections-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ca-9_prm_1">
<value>organization-defined information system components or classes of components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ca-9_smt.a, ca-9_smt.b-->
<statement statement-id="ca-9_smt.a" uuid="0b5e9cbd-2a64-44ce-be6e-d8e698723f8d">
<by-component uuid="f85165e0-aa7c-47b7-9a03-bd42c0a40fa4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes internal connections of to the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ca-9_smt.b" uuid="6f8a291b-1286-4926-87b5-d291b6ae3775">
<by-component uuid="8874f1d4-fd9b-423c-ba92-323e9e8d0138"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-1" uuid="c3cded9b-907c-4d4b-8334-a8ec74365b21"><!--Configuration Management Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cm-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cm-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="cm-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-1_smt.a, cm-1_smt.b.1, cm-1_smt.b.2-->
<statement statement-id="cm-1_smt.a" uuid="6f7dd9ae-8f98-4354-a44c-0f9b0915457f">
<by-component uuid="4324c914-092a-4ec1-b688-c58309e4f9f8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-1_smt.b.1" uuid="80850d8f-66ce-4fb8-8b80-7e6139239d37">
<by-component uuid="b616860c-7293-41a3-a4b9-2c33da06527d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configuration management policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-1_smt.b.2" uuid="82525d5b-84e3-4d29-9f42-ca0dae9eb93b">
<by-component uuid="e7837ddd-cb1d-4426-b9e6-4742dfd17745"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configuration management procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2" uuid="46c10363-d56f-42a7-b853-00de6daf754e"><!--Baseline Configuration-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2_smt, cm-2.1_smt.a, cm-2.1_smt.b, cm-2.1_smt.c, cm-2.2_smt, cm-2.3_smt, cm-2.7_smt.a, cm-2.7_smt.b-->
<statement statement-id="cm-2_smt" uuid="b1bede1a-dc77-4bea-b69d-1e9fd2ebe7de">
<by-component uuid="170d9cca-f91d-494b-9a47-d58f23f16929"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2.1" uuid="5b39f69a-0596-462d-9cad-ed7d12906136"><!--Reviews and Updates-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cm-2.1_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually or when a significant change occurs>-->
</set-parameter>
<set-parameter param-id="cm-2.1_prm_2">
<value>Assignment organization-defined circumstances</value>
<!--Constraint: to include when directed by the JAB>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2.1_smt.a, cm-2.1_smt.b, cm-2.1_smt.c-->
<statement statement-id="cm-2.1_smt.a" uuid="7ef28f01-37cd-44a7-b3ab-3761004c54d7">
<by-component uuid="511e68ca-9347-4cf7-9bc3-89cd0c1facda"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-2.1_smt.b" uuid="171a8041-419b-485b-94a7-9afbf6e21c60">
<by-component uuid="7891534f-7389-41af-aeee-0fb06ea1993e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required due to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-2.1_smt.c" uuid="3a9d9df0-b76b-469b-89db-84d03e9de9d4">
<by-component uuid="f2e93cb5-900d-4f42-9055-3cc519099f68"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>As an integral part of information system component installations and upgrades.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2.2" uuid="7d306d39-dcd8-40bf-ad08-85df061963d3"><!--Automation Support for Accuracy / Currency-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2.2_smt-->
<statement statement-id="cm-2.2_smt" uuid="5f93f193-45ec-41f6-89d2-736ebf63b9c8">
<by-component uuid="c6131cb7-0428-4a04-8a8b-6be771e90c34"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2.3" uuid="04f64838-4f13-40a8-9d94-8a0c17c6baee"><!--Retention of Previous Configurations-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-2.3_prm_1">
<value>organization-defined previous versions of baseline configurations of the information system</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2.3_smt-->
<statement statement-id="cm-2.3_smt" uuid="4e3c2f56-d3f6-41d4-be40-ce1d82326b1f">
<by-component uuid="4bc88552-e38e-4337-b035-ff3d41eac153"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization retains to support rollback.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-2.7" uuid="c4d7373f-9606-40f8-b61c-8efff7466623"><!--Configure Systems, Components, or Devices for High-risk Areas-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cm-2.7_prm_1">
<value>organization-defined information systems, system components, or devices</value>
</set-parameter>
<set-parameter param-id="cm-2.7_prm_2">
<value>organization-defined configurations</value>
</set-parameter>
<set-parameter param-id="cm-2.7_prm_3">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-2.7_smt.a, cm-2.7_smt.b-->
<statement statement-id="cm-2.7_smt.a" uuid="1d3a19d9-1048-4dd6-a3c2-2a9771241d4a">
<by-component uuid="387696e4-482e-4113-bfba-cee7a6e258f4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Issues with to individuals traveling to locations that the organization deems to be of significant risk; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-2.7_smt.b" uuid="8b3fb890-4c24-4e25-b2df-05b4e89c4be3">
<by-component uuid="24995b5b-3998-4a3b-b615-95a04e185694"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Applies to the devices when the individuals return.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-3" uuid="9920048a-56b3-4c05-b35d-5e12f950c2a8"><!--Configuration Change Control-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="cm-3_prm_1">
<value>organization-defined time period</value>
</set-parameter>
<set-parameter param-id="cm-3_prm_2">
<value>organization-defined configuration change control element (e.g., committee, board)</value>
</set-parameter>
<set-parameter param-id="cm-3_prm_3">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="cm-3_prm_4">
<value>organization-defined frequency</value>
</set-parameter>
<set-parameter param-id="cm-3_prm_5">
<value>organization-defined configuration change conditions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-3_smt.a, cm-3_smt.b, cm-3_smt.c, cm-3_smt.d, cm-3_smt.e, cm-3_smt.f, cm-3_smt.g-->
<statement statement-id="cm-3_smt.a" uuid="d6daa2f7-6275-40b4-bad5-bdd808e01f2d">
<by-component uuid="7863979d-6b3f-428e-887a-e18110323de8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines the types of changes to the information system that are configuration-controlled;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.b" uuid="b72ad8c8-ae0d-4183-94d9-9c95b1e65195">
<by-component uuid="c19b3224-532e-41ee-bf62-f01eea9fab64"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.c" uuid="dfdf54ad-f7f0-4376-91e4-acd20a316cf5">
<by-component uuid="1cfe744f-1093-405f-aaa3-6256845a6466"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents configuration change decisions associated with the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.d" uuid="ec3f18b4-e94a-4143-a8c9-9488b612b432">
<by-component uuid="b2ab1a47-da5f-4c70-a656-0926063a3dd3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements approved configuration-controlled changes to the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.e" uuid="f037fc79-3846-4fba-9bac-8c184e21b357">
<by-component uuid="f7e297a7-dbcb-4430-88a9-558eccf2f09d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains records of configuration-controlled changes to the information system for ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.f" uuid="d4ac3985-a6bb-4977-a97e-b840885931d4">
<by-component uuid="e1d6e30b-0041-45f1-8e49-3fd028e5b887"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Audits and reviews activities associated with configuration-controlled changes to the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-3_smt.g" uuid="1f78b7ad-d34b-4b41-8369-cc7304da7c94">
<by-component uuid="6793fe71-a1f2-46c9-9da0-f36f3ade626c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates and provides oversight for configuration change control activities through that convenes .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-4" uuid="1ee87cb9-3a52-47ae-ba00-7daa178ab7c5"><!--Security Impact Analysis-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-4_smt-->
<statement statement-id="cm-4_smt" uuid="955006a6-a2c2-466e-bd8f-2e8385759e34">
<by-component uuid="92762b10-208e-4a2f-9bfd-1163db4e494b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-5" uuid="5e45b17f-4679-41c5-a7ca-6c1cd4b70cce"><!--Access Restrictions for Change-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-5_smt, cm-5.1_smt, cm-5.3_smt, cm-5.5_smt.a, cm-5.5_smt.b-->
<statement statement-id="cm-5_smt" uuid="94ef2d8d-6828-4d60-b3df-f82b35bca0a0">
<by-component uuid="b9112eb2-9867-4763-919f-b14e34547f1b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-5.1" uuid="ab1e3799-bfdb-46f5-954f-4491f349e73e"><!--Automated Access Enforcement / Auditing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-5.1_smt-->
<statement statement-id="cm-5.1_smt" uuid="fc1edaf7-f3e9-4c87-96f2-1a6d2701cb19">
<by-component uuid="9de6fc35-1559-40ac-81ce-c58dd0b729fa"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system enforces access restrictions and supports auditing of the enforcement actions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-5.3" uuid="c2ac9526-a342-478c-af9e-198e0e0a9da4"><!--Signed Components-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-5.3_prm_1">
<value>organization-defined software and firmware components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-5.3_smt-->
<statement statement-id="cm-5.3_smt" uuid="d4d9a654-9994-425f-ba75-5c0b40666b33">
<by-component uuid="cdc3e877-11f7-4334-ba4d-ec4ce12cd4ee"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-5.5" uuid="ec152def-a942-48c7-86e8-5865d052f097"><!--Limit Production / Operational Privileges-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-5.5_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least quarterly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-5.5_smt.a, cm-5.5_smt.b-->
<statement statement-id="cm-5.5_smt.a" uuid="23e99b1e-5348-47fb-a9cd-60b8865c102b">
<by-component uuid="f5895cd0-8c32-47d2-a116-dc862ff42d68"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Limits privileges to change information system components and system-related information within a production or operational environment; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-5.5_smt.b" uuid="d0ec155d-fcda-4256-8465-cac39b2aa84a">
<by-component uuid="6be4f5df-e58c-460b-9454-828dde01e7a5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and reevaluates privileges .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-6" uuid="aa1f0c3c-c3d7-4e6b-8efe-b76336c7909f"><!--Configuration Settings-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cm-6_prm_1">
<value>organization-defined security configuration checklists</value>
</set-parameter>
<set-parameter param-id="cm-6_prm_2">
<value>organization-defined information system components</value>
</set-parameter>
<set-parameter param-id="cm-6_prm_3">
<value>organization-defined operational requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-6_smt.a, cm-6_smt.b, cm-6_smt.c, cm-6_smt.d, cm-6.1_smt-->
<statement statement-id="cm-6_smt.a" uuid="d08d5fb9-07b3-41ff-8687-bab51f88e39b">
<by-component uuid="590ec9cf-47e8-47e9-97d2-04e1524d7307"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and documents configuration settings for information technology products employed within the information system using that reflect the most restrictive mode consistent with operational requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-6_smt.b" uuid="be958744-f3ee-476f-a5f1-f090dbc397e7">
<by-component uuid="3bdc1597-477c-42b4-ab7c-b4558fdcb886"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements the configuration settings;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-6_smt.c" uuid="64dcb760-2f49-4b2d-a1fa-8a9c3ce8112d">
<by-component uuid="5721d877-8f91-47f5-9e21-51203344c4c8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies, documents, and approves any deviations from established configuration settings for based on ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-6_smt.d" uuid="c3ad5bb4-358b-447d-9ca3-eb281c98ecab">
<by-component uuid="8954634d-9aef-4394-976b-3e4e8fc92f78"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-6.1" uuid="e6ea4d21-412e-44c0-baac-bcde4a0f9e8b"><!--Automated Central Management / Application / Verification-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-6.1_prm_1">
<value>organization-defined information system components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-6.1_smt-->
<statement statement-id="cm-6.1_smt" uuid="e86318c5-ffdd-4c6d-8225-54bbbc5ed0e0">
<by-component uuid="325d6a1c-3c14-4abf-b6b4-9eb17a4787b0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-7" uuid="c99f1c34-7ea4-4775-af6a-96e2dfa50411"><!--Least Functionality-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-7_prm_1">
<value>organization-defined prohibited or restricted functions, ports, protocols, and/or services</value>
<!--Constraint: United States Government Configuration Baseline (USGCB)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-7_smt.a, cm-7_smt.b, cm-7.1_smt.a, cm-7.1_smt.b, cm-7.2_smt, cm-7.5_smt.a, cm-7.5_smt.b, cm-7.5_smt.c-->
<statement statement-id="cm-7_smt.a" uuid="cdd1c5a8-7705-456d-97f9-e706b6bad453">
<by-component uuid="5906a242-564e-4b18-8fba-1f794942eca2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configures the information system to provide only essential capabilities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-7_smt.b" uuid="d2db3fab-21fb-4c2b-a500-b035b16a165e">
<by-component uuid="c696d7e7-9556-4315-a895-5673a054f5c6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits or restricts the use of the following functions, ports, protocols, and/or services: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-7.1" uuid="e8a5ac35-d6dc-4de0-94e0-a9341be4948a"><!--Periodic Review-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cm-7.1_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<set-parameter param-id="cm-7.1_prm_2">
<value>organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-7.1_smt.a, cm-7.1_smt.b-->
<statement statement-id="cm-7.1_smt.a" uuid="cb610609-dfcc-4b51-a640-abc5e77fd831">
<by-component uuid="10d3e64e-a972-4eff-a67d-acf8f8eb9439"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the information system to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-7.1_smt.b" uuid="ace950ff-08f9-4b47-b114-3569f19f0793">
<by-component uuid="82e8644f-615c-4eff-ada2-b606d9f1feb5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disables .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-7.2" uuid="06cd5599-879c-4b9e-bef3-2e554b4677a1"><!--Prevent Program Execution-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cm-7.2_prm_1">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="cm-7.2_prm_2">
<value>organization-defined policies regarding software program usage and restrictions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-7.2_smt-->
<statement statement-id="cm-7.2_smt" uuid="e2fdbe77-c631-48d8-86cd-6003735fc13c">
<by-component uuid="ff1ca742-0c5a-4043-9567-a362dc26f32d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system prevents program execution in accordance with .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-7.5" uuid="40540ecc-7648-44b6-a003-63eedf878bc9"><!--Authorized Software / Whitelisting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cm-7.5_prm_1">
<value>organization-defined software programs authorized to execute on the information system</value>
</set-parameter>
<set-parameter param-id="cm-7.5_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least Annually or when there is a change>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-7.5_smt.a, cm-7.5_smt.b, cm-7.5_smt.c-->
<statement statement-id="cm-7.5_smt.a" uuid="e31bc754-7336-4a54-8e67-e2ab56a0c4b3">
<by-component uuid="19dcbb14-dbee-4bbc-ae53-84831a6b08ee"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-7.5_smt.b" uuid="11e2086a-ca29-4b92-a0cc-c3069a6a06ce">
<by-component uuid="4eaa72d8-338d-4f33-a09c-958653db5a4e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-7.5_smt.c" uuid="41e61323-297b-4a7c-89b5-bd11325a48f2">
<by-component uuid="7ba47d79-6939-48ee-9fa7-3f5efd84e3c0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the list of authorized software programs .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-8" uuid="4a360d95-1ef3-4987-8692-e2b9b2ba3e24"><!--Information System Component Inventory-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cm-8_prm_1">
<value>organization-defined information deemed necessary to achieve effective information system component accountability</value>
</set-parameter>
<set-parameter param-id="cm-8_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-8_smt.a, cm-8_smt.b, cm-8.1_smt, cm-8.3_smt.a, cm-8.3_smt.b, cm-8.5_smt-->
<statement statement-id="cm-8_smt.a" uuid="c823e26f-ab7a-4d1e-be55-7fb755e7b192">
<by-component uuid="c1fdf35d-89a7-4f0f-a39b-66d952fc8c92"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops and documents an inventory of information system components that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-8_smt.b" uuid="d32fa06f-d5ce-4536-98f5-b5d40345f4c5">
<by-component uuid="33af3cee-1911-4ae7-b5b3-717b24cf1dfe"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the information system component inventory .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-8.1" uuid="be9d66d8-0823-4e09-8bbe-823b556c12c3"><!--Updates During Installations / Removals-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-8.1_smt-->
<statement statement-id="cm-8.1_smt" uuid="9b5d4c1e-cf2a-4037-ac35-c28c00b964e3">
<by-component uuid="43dd316d-7aa3-4bdb-a793-95de232cb781"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-8.3" uuid="972c9367-b9f9-4c3a-9bef-03b10fd18ef4"><!--Automated Unauthorized Component Detection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cm-8.3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: Continuously, using automated mechanisms with a maximum five-minute delay in detection>-->
</set-parameter>
<set-parameter param-id="cm-8.3_prm_2">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="cm-8.3_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-8.3_smt.a, cm-8.3_smt.b-->
<statement statement-id="cm-8.3_smt.a" uuid="294da77f-568e-4ead-94b3-29c57bca5e44">
<by-component uuid="8f6e8aed-a8ef-4fdf-b3d7-d64a2ed4cbb7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-8.3_smt.b" uuid="5293fe5e-a5d6-40b9-8854-58bb998284b9">
<by-component uuid="c3571fb0-d9fd-4f20-a2a9-a616a67b2227"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Takes the following actions when unauthorized components are detected: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-8.5" uuid="90741732-2359-46f4-a32c-04813da92d9d"><!--No Duplicate Accounting of Components-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-8.5_smt-->
<statement statement-id="cm-8.5_smt" uuid="75606100-e78c-4f07-9620-f647d7d9d175">
<by-component uuid="199a2b4a-bf2d-4835-aa5d-ba046b53a9ba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-9" uuid="3062bf0f-b0b6-482a-bd4b-3cc9e91e72e0"><!--Configuration Management Plan-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-9_smt.a, cm-9_smt.b, cm-9_smt.c, cm-9_smt.d-->
<statement statement-id="cm-9_smt.a" uuid="cdbc8689-2ea5-4e0a-8c13-5696061f8910">
<by-component uuid="c4ed21b5-5c7b-473a-a263-2464c5e06239"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Addresses roles, responsibilities, and configuration management processes and procedures;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-9_smt.b" uuid="33a1bc6b-3525-43fc-9016-be52fddf7f72">
<by-component uuid="5015479d-b551-4a6a-864f-b7755e01a6b4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-9_smt.c" uuid="a4756f1f-4577-4a16-9e22-15df1cde6491">
<by-component uuid="ee9b6e06-bd15-4a12-a3a6-2d4a09b93529"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines the configuration items for the information system and places the configuration items under configuration management; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-9_smt.d" uuid="e42b0675-951f-4261-9075-df3cb8538001">
<by-component uuid="6700e486-d354-4637-a3ef-887fd52dc923"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the configuration management plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-10" uuid="ebda06cc-bce7-4afd-b491-984c1fb2aa6b"><!--Software Usage Restrictions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-10_smt.a, cm-10_smt.b, cm-10_smt.c, cm-10.1_smt-->
<statement statement-id="cm-10_smt.a" uuid="570e8635-1da5-48be-a3dd-99c40756e373">
<by-component uuid="b327496b-0a10-4381-a269-22784ee97296"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Uses software and associated documentation in accordance with contract agreements and copyright laws;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-10_smt.b" uuid="466c94d1-0086-4170-9d5b-7bdfb63d6e35">
<by-component uuid="aadc400a-cbe7-4bfd-8720-dda1e49583af"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-10_smt.c" uuid="0297e906-50a9-47d4-bc32-f145f5e32534">
<by-component uuid="642887d0-13a4-4fc2-8d3e-d23dd4a633ea"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-10.1" uuid="ad336609-c145-4aa7-8e5b-306d9dda6eac"><!--Open Source Software-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cm-10.1_prm_1">
<value>organization-defined restrictions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-10.1_smt-->
<statement statement-id="cm-10.1_smt" uuid="24fda34e-80b8-47c4-ad7f-9965cdd9d4f6">
<by-component uuid="037eb74c-13ac-41a8-b165-d1e126aa6c94"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization establishes the following restrictions on the use of open source software: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cm-11" uuid="1ce8fc1d-1799-43f0-9f00-10e33874affb"><!--User-installed Software-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="partial">
<remarks>
<p>A description the portion of the control that is not satisfied.</p>
</remarks>
</prop>
<!--There are 3 control parameters-->
<set-parameter param-id="cm-11_prm_1">
<value>organization-defined policies</value>
</set-parameter>
<set-parameter param-id="cm-11_prm_2">
<value>organization-defined methods</value>
</set-parameter>
<set-parameter param-id="cm-11_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: Continuously (via CM-7 (5))>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cm-11_smt.a, cm-11_smt.b, cm-11_smt.c-->
<statement statement-id="cm-11_smt.a" uuid="2fdd4597-f824-4733-a90b-52dc185cd8f0">
<by-component uuid="8e036a98-63c3-44ae-8784-b4ca93889fb9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes governing the installation of software by users;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-11_smt.b" uuid="3453e122-f695-4934-b728-13599f3fb0d0">
<by-component uuid="d1fb1921-c5b9-41c4-919d-5d1596774d29"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces software installation policies through ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cm-11_smt.c" uuid="1ac561d4-8206-4efa-88dd-8c2d892a2b0e">
<by-component uuid="a141c48c-3372-4e59-8f11-e48ca29f9d4e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors policy compliance at .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-1" uuid="fcb86669-ced0-4db2-8a9b-b82ed7357542"><!--Contingency Planning Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cp-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cp-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="cp-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-1_smt.a, cp-1_smt.b.1, cp-1_smt.b.2-->
<statement statement-id="cp-1_smt.a" uuid="7ec199c1-e6b3-4b4c-9b62-15003d72314d">
<by-component uuid="aa776074-0ed3-4b47-88eb-1c5541d8b771"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-1_smt.b.1" uuid="36ac07b7-353a-44ff-a04e-cd025e8611f3">
<by-component uuid="bafdfbec-7e5f-4bfc-b108-83f8cc55a564"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Contingency planning policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-1_smt.b.2" uuid="3c2ad2fc-1563-4a94-9726-8c5e445efed2">
<by-component uuid="32948b47-9704-4b05-9193-c1bc4d110a6c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Contingency planning procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2" uuid="6178e291-fd90-4cfd-a1a1-ac74aadc2229"><!--Contingency Plan-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="cp-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="cp-2_prm_2">
<value>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</value>
</set-parameter>
<set-parameter param-id="cp-2_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="cp-2_prm_4">
<value>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2_smt.a, cp-2_smt.b, cp-2_smt.c, cp-2_smt.d, cp-2_smt.e, cp-2_smt.f, cp-2_smt.g, cp-2.1_smt, cp-2.2_smt, cp-2.3_smt, cp-2.8_smt-->
<statement statement-id="cp-2_smt.a" uuid="7bb08559-eca8-48e0-8bb4-c673c095b225">
<by-component uuid="f29549d7-1446-486d-bf37-4708247e630b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a contingency plan for the information system that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.b" uuid="e9196961-953a-4b6b-ad94-8828957f7835">
<by-component uuid="cb0c8c8a-7642-4977-be46-5c3c28729822"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes copies of the contingency plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.c" uuid="3e94dbf9-d7ed-4f98-8e73-bb7ad50b6052">
<by-component uuid="8ae6945b-4fee-4f0b-8e97-b208a3e7122a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates contingency planning activities with incident handling activities;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.d" uuid="3253ea52-8ea0-41f5-a05a-b8d500ff054b">
<by-component uuid="a906db57-fa3d-4d21-8163-21583b9f0dad"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the contingency plan for the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.e" uuid="c5cf26d3-6a1f-4efe-9144-da88cfa9f41b">
<by-component uuid="ca1ad712-f80e-4fe7-88cf-99b55f75a60e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.f" uuid="0a4f62ec-f188-46d5-bcb0-12a7481e6e90">
<by-component uuid="c4579826-c873-4797-bb63-e1df6d913b11"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Communicates contingency plan changes to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-2_smt.g" uuid="edf4ed71-0a62-4a23-a879-7b12dc315d24">
<by-component uuid="35e311a3-7a9b-4f09-bb8b-b564b9bbef97"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the contingency plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2.1" uuid="c1402a31-598b-42c2-8f5d-1066650c1584"><!--Coordinate with Related Plans-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2.1_smt-->
<statement statement-id="cp-2.1_smt" uuid="013ecc95-ff1a-48f5-ac2f-b5eced2c498c">
<by-component uuid="fd4d3b29-63e2-4156-882d-ae08d66168ee"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization coordinates contingency plan development with organizational elements responsible for related plans.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2.2" uuid="9bebba3b-ab7e-449c-9f2a-d85820aa3520"><!--Capacity Planning-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2.2_smt-->
<statement statement-id="cp-2.2_smt" uuid="9bbc497a-b1a7-488b-bd47-38092355ca5c">
<by-component uuid="b764ecee-c0eb-441d-bd21-c0c4400aa841"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2.3" uuid="eb347bd9-99e7-43b5-9a8a-ec1a694ae46a"><!--Resume Essential Missions / Business Functions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cp-2.3_prm_1">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2.3_smt-->
<statement statement-id="cp-2.3_smt" uuid="4e355cb6-80d8-48b7-828e-52b0fedde92a">
<by-component uuid="8fda9cdc-33e4-4910-8c7b-506004d41325"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization plans for the resumption of essential missions and business functions within of contingency plan activation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-2.8" uuid="afe2d084-02b1-4b37-8bd1-ea1f302074f9"><!--Identify Critical Assets-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-2.8_smt-->
<statement statement-id="cp-2.8_smt" uuid="3684eaf1-4283-4059-8133-d7e0516074d3">
<by-component uuid="2120ad90-97b2-44fa-8c55-7b710ae820c5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization identifies critical information system assets supporting essential missions and business functions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-3" uuid="946fe68e-0110-4abb-a8b7-dc8e34b3cc38"><!--Contingency Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cp-3_prm_1">
<value>organization-defined time period</value>
<!--Constraint: ten (10) days>-->
</set-parameter>
<set-parameter param-id="cp-3_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-3_smt.a, cp-3_smt.b, cp-3_smt.c-->
<statement statement-id="cp-3_smt.a" uuid="f1e3a9e2-bf17-481a-b37a-cebc8c3b4b0c">
<by-component uuid="47a84d28-d6e5-42d4-85e4-9f4e789d8719"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Within of assuming a contingency role or responsibility;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-3_smt.b" uuid="95937e99-2c3a-4d8e-a2c8-427969cf94ec">
<by-component uuid="9c4243ba-9532-4866-a920-17e996b95c1a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-3_smt.c" uuid="9563ee26-4dcf-4d16-8324-6f3cfeb99f42">
<by-component uuid="4e267b36-9b46-40bf-b35f-a04a89c5f866"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-4" uuid="cca5e40d-1369-4fa6-acb9-4aca745b319a"><!--Contingency Plan Testing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cp-4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="cp-4_prm_2">
<value>organization-defined tests</value>
<!--Constraint: functional exercises>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-4_smt.a, cp-4_smt.b, cp-4_smt.c, cp-4.1_smt-->
<statement statement-id="cp-4_smt.a" uuid="415fda20-2fb0-40ac-9e27-a36fb7e82176">
<by-component uuid="94b51764-05a5-4988-822b-1c7757b5b640"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tests the contingency plan for the information system using to determine the effectiveness of the plan and the organizational readiness to execute the plan;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-4_smt.b" uuid="ff5498eb-9a29-422c-b1a0-8bbbc63ae452">
<by-component uuid="00d064d0-a4fe-43be-85b0-d27107955166"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the contingency plan test results; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-4_smt.c" uuid="412d5d2e-4fe7-44a1-8c4a-3b1f2f07f0c2">
<by-component uuid="595c74d2-5ff7-46d4-bf35-65457114dcbf"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Initiates corrective actions, if needed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-4.1" uuid="b2795e61-a11f-41d3-ba16-5952b0c34f53"><!--Coordinate with Related Plans-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-4.1_smt-->
<statement statement-id="cp-4.1_smt" uuid="94e70d86-8f03-44ae-9242-0978e70e0672">
<by-component uuid="dfc7b963-9bf5-4a4d-b1e2-dbb96a82c913"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization coordinates contingency plan testing with organizational elements responsible for related plans.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-6" uuid="7fa27f26-5e0a-4b25-9331-271ec8e75ab1"><!--Alternate Storage Site-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-6_smt.a, cp-6_smt.b, cp-6.1_smt, cp-6.3_smt-->
<statement statement-id="cp-6_smt.a" uuid="92b2a8d3-bebd-4ff6-862a-7222e9afcc8e">
<by-component uuid="54f66972-9250-4b36-ac4a-62a32e40c6f5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-6_smt.b" uuid="5fafd242-0be1-417f-a1e8-af2ae30fbc24">
<by-component uuid="1fdc4a56-e440-4721-950f-905d10c53e09"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-6.1" uuid="70154bb2-d898-4558-a7f4-37c35492e735"><!--Separation from Primary Site-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-6.1_smt-->
<statement statement-id="cp-6.1_smt" uuid="925db08d-2bd8-4b5a-89b0-9c5c247a4045">
<by-component uuid="cd17f12e-617c-4b13-9291-2325ff018012"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-6.3" uuid="44437581-9c18-4ab0-9d5c-07762d1b4065"><!--Accessibility-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-6.3_smt-->
<statement statement-id="cp-6.3_smt" uuid="891c1707-288f-441b-bc50-5665cf1fb7c4">
<by-component uuid="54d9f85a-7ca4-41ec-941c-24dc27670c08"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-7" uuid="26b3a1b5-3745-4bf8-a811-158d1da86189"><!--Alternate Processing Site-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cp-7_prm_1">
<value>organization-defined information system operations</value>
</set-parameter>
<set-parameter param-id="cp-7_prm_2">
<value>organization-defined time period consistent with recovery time and recovery point objectives</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-7_smt.a, cp-7_smt.b, cp-7_smt.c, cp-7.1_smt, cp-7.2_smt, cp-7.3_smt-->
<statement statement-id="cp-7_smt.a" uuid="63415de9-a81d-4490-8b09-e765da1e5223">
<by-component uuid="bbdcedd1-7f6c-4714-8e64-ba8d5e41c514"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of for essential missions/business functions within when the primary processing capabilities are unavailable;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-7_smt.b" uuid="97a6b4e2-5282-4565-b09f-c800962f270b">
<by-component uuid="4a27a4be-5c73-4165-8eeb-a6ca8cb0b46c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-7_smt.c" uuid="f044d804-c305-4151-8e31-335d6fa53f77">
<by-component uuid="07d949f7-f04c-454f-a195-56857069566a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-7.1" uuid="c657d358-ebeb-486e-bf45-dd9c7f6bc0a3"><!--Separation from Primary Site-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-7.1_smt-->
<statement statement-id="cp-7.1_smt" uuid="869c73a7-b6c3-41b3-84b0-1832f064017f">
<by-component uuid="8791c70f-09f3-4a4a-84fe-662f52110482"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-7.2" uuid="2dc73b68-5ea4-4de6-ac26-b4505bf5c81b"><!--Accessibility-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-7.2_smt-->
<statement statement-id="cp-7.2_smt" uuid="cfe487cd-2675-43ec-90bd-914b52f0c4b7">
<by-component uuid="d1e18908-d502-4f82-9043-e9374f2e07ea"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-7.3" uuid="425db3bb-c299-4170-89a4-dc3000741485"><!--Priority of Service-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-7.3_smt-->
<statement statement-id="cp-7.3_smt" uuid="a7dc0d12-2322-486a-97fb-8ee82aa5e5fa">
<by-component uuid="d39f417d-f83d-4f9c-bf7f-05158d12d5d6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-8" uuid="795739af-4140-4766-94c4-b05a7a10e62d"><!--Telecommunications Services-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="cp-8_prm_1">
<value>organization-defined information system operations</value>
</set-parameter>
<set-parameter param-id="cp-8_prm_2">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-8_smt, cp-8.1_smt.a, cp-8.1_smt.b, cp-8.2_smt-->
<statement statement-id="cp-8_smt" uuid="b8be97d3-4856-49a6-a5a0-65f47625aa38">
<by-component uuid="d7850e43-c707-4a25-a8e0-40ddf3f5ba6f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of for essential missions and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-8.1" uuid="6666dc0d-df85-4055-b772-abd8f1f2c686"><!--Priority of Service Provisions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-8.1_smt.a, cp-8.1_smt.b-->
<statement statement-id="cp-8.1_smt.a" uuid="5ea16cab-63c5-463a-a5fa-c14d0ad2ab37">
<by-component uuid="0a79baa8-7b29-4fb4-9740-f04b14d3ef93"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-8.1_smt.b" uuid="ae2e7d77-d740-4366-b975-589c98eea787">
<by-component uuid="52498d2a-326c-4cfa-8f53-113d8ce91680"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-8.2" uuid="a5dc3dd2-b190-4ec5-a627-37acfc48a005"><!--Single Points of Failure-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-8.2_smt-->
<statement statement-id="cp-8.2_smt" uuid="68e52f49-1d05-480e-872b-cc5b9d9d92e4">
<by-component uuid="8f4ee190-12ad-4028-ab4c-34ab147a13ef"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-9" uuid="348946a4-b853-4a44-912d-af88f94b0593"><!--Information System Backup-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="cp-9_prm_1">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full>-->
</set-parameter>
<set-parameter param-id="cp-9_prm_2">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full>-->
</set-parameter>
<set-parameter param-id="cp-9_prm_3">
<value>organization-defined frequency consistent with recovery time and recovery point objectives</value>
<!--Constraint: daily incremental; weekly full>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-9_smt.a, cp-9_smt.b, cp-9_smt.c, cp-9_smt.d, cp-9.1_smt, cp-9.3_smt-->
<statement statement-id="cp-9_smt.a" uuid="fedd3013-6418-4a37-ba37-b8cfe20c7e15">
<by-component uuid="eae7fa42-b194-49ae-b330-ffa15bd75d32"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of user-level information contained in the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.b" uuid="6a632787-fc08-4a40-a4ef-77b70f24926d">
<by-component uuid="fb2a3b86-b4a3-425b-a132-dd2068cbf866"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of system-level information contained in the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.c" uuid="91f147d8-e04b-457d-a283-af0a6075c333">
<by-component uuid="19078bab-297d-4a0d-9138-f10f8865a87f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts backups of information system documentation including security-related documentation ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="cp-9_smt.d" uuid="3a8ebf1f-086d-401f-8832-b34ea88a9fb9">
<by-component uuid="2ca6ae9c-e42b-4326-8fdc-27fd983c6d74"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the confidentiality, integrity, and availability of backup information at storage locations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-9.1" uuid="8c671576-c039-417b-97e0-7834251e06e1"><!--Testing for Reliability / Integrity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cp-9.1_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-9.1_smt-->
<statement statement-id="cp-9.1_smt" uuid="201d7c5d-703f-4af7-b2ea-c931dbc2ddd3">
<by-component uuid="f19826f0-699f-4305-bf00-178d022b5b2e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization tests backup information to verify media reliability and information integrity.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-9.3" uuid="1031b688-7ff9-420e-b2ba-7152bc83baab"><!--Separate Storage for Critical Information-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="cp-9.3_prm_1">
<value>organization-defined critical information system software and other security-related information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-9.3_smt-->
<statement statement-id="cp-9.3_smt" uuid="fed3f1ab-06bf-404b-8d66-e2db126ae83b">
<by-component uuid="8de055d3-42fc-4545-84fa-5b01c4bdaf13"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-10" uuid="eb6a08c1-c707-4c62-ac09-c916e2312136"><!--Information System Recovery and Reconstitution-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-10_smt, cp-10.2_smt-->
<statement statement-id="cp-10_smt" uuid="81294d3d-14ad-4770-98b5-225efa5aa144">
<by-component uuid="754c75eb-9071-4db9-9adf-64b1f4f05288"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="cp-10.2" uuid="fdb5bbbd-ce73-4db8-a047-841eb3108327"><!--Transaction Recovery-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: cp-10.2_smt-->
<statement statement-id="cp-10.2_smt" uuid="5649edf2-38f8-4608-a025-e37b65aa9d08">
<by-component uuid="5d5a644b-c657-4265-be22-7a4e8452f871"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements transaction recovery for systems that are transaction-based.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-1" uuid="8f1ea583-8fea-4f4b-86a2-709b3602dd9d"><!--Identification and Authentication Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ia-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ia-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ia-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-1_smt.a, ia-1_smt.b.1, ia-1_smt.b.2-->
<statement statement-id="ia-1_smt.a" uuid="c7934fd5-bcd9-4282-90b1-9221b4864342">
<by-component uuid="42635a5c-4f88-48ae-9aaa-0e5e47235c44"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-1_smt.b.1" uuid="6d88ab1e-da65-4e9b-9fc2-732e1108220e">
<by-component uuid="f971c986-d2c5-4a08-ac07-1d49dfa29d25"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identification and authentication policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-1_smt.b.2" uuid="8305f941-62a6-4be8-a517-933706124eb1">
<by-component uuid="2a75b64d-c7ce-4150-a4a2-1146aa0a12b6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identification and authentication procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2" uuid="9a6132aa-0d35-4c43-ab1f-600ee6fcf0ed"><!--Identification and Authentication (organizational Users)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2_smt, ia-2.1_smt, ia-2.2_smt, ia-2.3_smt, ia-2.5_smt, ia-2.8_smt, ia-2.11_smt, ia-2.12_smt-->
<statement statement-id="ia-2_smt" uuid="af2fea4d-74a5-4088-aabf-a5b820f80322">
<by-component uuid="d3137a6a-f918-4cbf-a3a3-cfd197ba70c0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.1" uuid="64ba2a7e-6d00-4ffc-aee7-701ae649d599"><!--Network Access to Privileged Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.1_smt-->
<statement statement-id="ia-2.1_smt" uuid="813eb657-4053-4b37-a716-1cf63dae4eee">
<by-component uuid="dde84f0a-6cad-43f3-ac23-052157901495"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements multifactor authentication for network access to privileged accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.2" uuid="846c8d4c-6183-490c-93ad-34dbc74664ba"><!--Network Access to Non-privileged Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.2_smt-->
<statement statement-id="ia-2.2_smt" uuid="72a42dd3-d4c2-4431-ad03-270708a78f56">
<by-component uuid="d698c317-7234-4ff7-8484-8486f8f648a8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements multifactor authentication for network access to non-privileged accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.3" uuid="093d5442-51e7-4ea9-9f8b-0e755d1706e4"><!--Local Access to Privileged Accounts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.3_smt-->
<statement statement-id="ia-2.3_smt" uuid="382148a8-7a27-4eea-b651-23d0cc2fa219">
<by-component uuid="d489e20f-45de-4f31-a563-82c730bcd81d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements multifactor authentication for local access to privileged accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.5" uuid="ebe54a9d-0583-4dbe-a31a-1fe05878b71b"><!--Group Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.5_smt-->
<statement statement-id="ia-2.5_smt" uuid="89be0701-756f-4591-889f-6ab041a50ea0">
<by-component uuid="fca269c8-f46f-4f59-a060-bf63b0f137f1"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.8" uuid="32c9f251-0945-4a1f-8435-6c08ceac1a2d"><!--Network Access to Privileged Accounts - Replay Resistant-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.8_smt-->
<statement statement-id="ia-2.8_smt" uuid="db24bbaf-61ad-4295-85df-8797ebd77116">
<by-component uuid="95651f91-986d-40ba-87c8-b45e2df1ebe5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.11" uuid="ff9649cd-ac75-4bfb-bedf-1ecb2249d3b3"><!--Remote Access - Separate Device-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-2.11_prm_1">
<value>organization-defined strength of mechanism requirements</value>
<!--Constraint: FIPS 140-2, NIAP Certification, or NSA approval>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.11_smt-->
<statement statement-id="ia-2.11_smt" uuid="4e9638b4-1d83-475c-b5b9-45fd9bff8d33">
<by-component uuid="a12a9c22-f063-48a0-b0af-16b3a6e11382"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-2.12" uuid="4f92a150-c414-4ee0-b636-dcd9d2fadb04"><!--Acceptance of PIV Credentials-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-2.12_smt-->
<statement statement-id="ia-2.12_smt" uuid="a97c3218-787c-4fe7-9c3b-6adfbb97cceb">
<by-component uuid="db4b7695-0625-477f-b9a8-c0ff99fbbd9e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-3" uuid="b300905a-8fb1-40c8-9749-d269fc7c71b6"><!--Device Identification and Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ia-3_prm_1">
<value>organization-defined specific and/or types of devices</value>
</set-parameter>
<set-parameter param-id="ia-3_prm_2">
<value>one-or-more of local, remote, network</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-3_smt-->
<statement statement-id="ia-3_smt" uuid="878ec36f-35fd-4eaf-a246-b5e9130adaac">
<by-component uuid="0377d3cb-507c-40c0-8524-09ed1cd02aba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system uniquely identifies and authenticates before establishing a connection.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-4" uuid="93741705-af21-4fdc-bd9c-56ecb57a0003"><!--Identifier Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ia-4_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ia-4_prm_2">
<value>organization-defined time period</value>
<!--Constraint: IA-4 (d) [at least two years]>-->
</set-parameter>
<set-parameter param-id="ia-4_prm_3">
<value>organization-defined time period of inactivity</value>
<!--Constraint: ninety days for user identifiers (See additional requirements and guidance)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-4_smt.a, ia-4_smt.b, ia-4_smt.c, ia-4_smt.d, ia-4_smt.e, ia-4.4_smt-->
<statement statement-id="ia-4_smt.a" uuid="3cf0fed0-13aa-419d-9bdd-a9feaa813688">
<by-component uuid="317e7be4-de51-46f8-8733-692e7844fd27"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Receiving authorization from to assign an individual, group, role, or device identifier;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.b" uuid="d470d4ce-dcb5-435d-b199-70e2f32aa1a7">
<by-component uuid="45d52d74-4525-4db6-acb5-e8370b20033e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Selecting an identifier that identifies an individual, group, role, or device;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.c" uuid="3882b3ea-2730-40f8-b2db-f80873fd0e95">
<by-component uuid="c7c62d10-2eb5-4763-a88f-78712f9451ad"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigning the identifier to the intended individual, group, role, or device;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.d" uuid="a92b2498-e074-4b54-be6d-24af43efd16d">
<by-component uuid="455772e6-9555-4db9-bbed-eeba93fc4f57"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Preventing reuse of identifiers for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-4_smt.e" uuid="c187814f-b7ca-48f1-a378-5f6b43e8dd95">
<by-component uuid="d76af32f-211c-4c94-a8e9-594bb1e7f0fe"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disabling the identifier after .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-4.4" uuid="c0cebfbc-9ae7-452e-ad0d-cb08216b7438"><!--Identify User Status-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-4.4_prm_1">
<value>organization-defined characteristic identifying individual status</value>
<!--Constraint: contractors; foreign nationals>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-4.4_smt-->
<statement statement-id="ia-4.4_smt" uuid="8f6ecaf0-22b7-4295-baca-c575747e43ae">
<by-component uuid="e0342b4b-991c-442f-85f1-8ca4893e2e73"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization manages individual identifiers by uniquely identifying each individual as .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5" uuid="9cd9b1ba-c7c1-4243-953c-b8b5ed01af64"><!--Authenticator Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-5_prm_1">
<value>organization-defined time period by authenticator type</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5_smt.a, ia-5_smt.b, ia-5_smt.c, ia-5_smt.d, ia-5_smt.e, ia-5_smt.f, ia-5_smt.g, ia-5_smt.h, ia-5_smt.i, ia-5_smt.j, ia-5.1_smt.a, ia-5.1_smt.b, ia-5.1_smt.c, ia-5.1_smt.d, ia-5.1_smt.e, ia-5.1_smt.f, ia-5.2_smt.a, ia-5.2_smt.b, ia-5.2_smt.c, ia-5.2_smt.d, ia-5.3_smt, ia-5.4_smt, ia-5.6_smt, ia-5.7_smt, ia-5.11_smt-->
<statement statement-id="ia-5_smt.a" uuid="48d55402-e412-4d21-afec-3e5700237fe2">
<by-component uuid="67e07411-6a5c-413a-895a-3ce4c173c244"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.b" uuid="a909186e-c4d7-42ca-9967-4fb0ce552f2c">
<by-component uuid="e43944e1-029b-492a-8173-ba6fb5035c51"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing initial authenticator content for authenticators defined by the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.c" uuid="4d82a2ea-3027-4e86-84a7-6afa49f251fa">
<by-component uuid="a5f59e41-f706-4783-b838-8ccd7ab2a14f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensuring that authenticators have sufficient strength of mechanism for their intended use;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.d" uuid="76ea0c0c-66f4-4802-a3d8-6a6422d63b54">
<by-component uuid="a75d3577-d530-4198-8e58-3f0a7b4c8a35"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.e" uuid="a86623d1-23a2-48ae-af23-b31095270ae0">
<by-component uuid="e150e545-35b0-47d0-afa4-bab9876e0a53"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing default content of authenticators prior to information system installation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.f" uuid="41d641d5-159d-4b6a-b81b-efe385c22c6b">
<by-component uuid="141596c3-f320-415b-8716-130af74b07a0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.g" uuid="ae2a1fab-df25-43ad-9db9-3eebafb96fdc">
<by-component uuid="8064812c-dae5-4212-ab86-87d961c6382f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing/refreshing authenticators ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.h" uuid="225a2a61-8502-49fe-a129-0dcb3888f8c3">
<by-component uuid="e9a74f92-9f02-4cc7-a1c7-76579624e53c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protecting authenticator content from unauthorized disclosure and modification;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.i" uuid="b26811e7-560d-49df-be81-618710d0ea60">
<by-component uuid="a2dff6f0-f0a2-49ff-82c0-72b083c21c04"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5_smt.j" uuid="58160c78-d89f-4a41-ae18-522021a0e58c">
<by-component uuid="873e7d65-c248-4391-b8c0-b9a166b5192d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changing authenticators for group/role accounts when membership to those accounts changes.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.1" uuid="2bb5c02f-a777-4563-bfff-741cda651ef5"><!--Password-based Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ia-5.1_prm_1">
<value>organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type</value>
</set-parameter>
<set-parameter param-id="ia-5.1_prm_2">
<value>organization-defined number</value>
<!--Constraint: at least one>-->
</set-parameter>
<set-parameter param-id="ia-5.1_prm_3">
<value>organization-defined numbers for lifetime minimum, lifetime maximum</value>
</set-parameter>
<set-parameter param-id="ia-5.1_prm_4">
<value>organization-defined number</value>
<!--Constraint: twenty four (24)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.1_smt.a, ia-5.1_smt.b, ia-5.1_smt.c, ia-5.1_smt.d, ia-5.1_smt.e, ia-5.1_smt.f-->
<statement statement-id="ia-5.1_smt.a" uuid="d7952b8f-c336-48f7-9528-5e1eb8226581">
<by-component uuid="b4d185da-6735-478b-8040-8633cdb90fca"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces minimum password complexity of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.b" uuid="0bd5e3b8-8c1f-4593-8f37-226eadd1cd7c">
<by-component uuid="a76ba1e0-64fe-4766-ba54-62f98dbde211"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces at least the following number of changed characters when new passwords are created: ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.c" uuid="6ea1993c-9f25-4e8c-9a02-03cd018d82af">
<by-component uuid="6c86f0d1-b9fe-4675-9173-f47d6c50e988"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Stores and transmits only cryptographically-protected passwords;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.d" uuid="6ec52790-bab9-4218-b2c6-77a1448ead0e">
<by-component uuid="64fee17b-49ca-4757-a8ec-60bb9a022c0f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces password minimum and maximum lifetime restrictions of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.e" uuid="c05ed45c-ea52-41bb-b013-d878ed45a546">
<by-component uuid="a08f90a6-6766-46b8-8da5-60b2e1a12277"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits password reuse for generations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.1_smt.f" uuid="697d3468-89a7-4074-a411-9f7ceccd9f94">
<by-component uuid="f78ca7f2-933d-4e9c-a415-2bdfc8f7b714"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows the use of a temporary password for system logons with an immediate change to a permanent password.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.2" uuid="0c0c0ada-1850-44b4-8e7e-acb2dd12ac9b"><!--Pki-based Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.2_smt.a, ia-5.2_smt.b, ia-5.2_smt.c, ia-5.2_smt.d-->
<statement statement-id="ia-5.2_smt.a" uuid="2ec43ac8-a942-4a12-85de-ac92a8ecdf27">
<by-component uuid="b77bba76-1dac-49c7-9a8e-e6511fc09a88"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.2_smt.b" uuid="80b9fe16-3324-4a6c-a87c-2fde7aa7443c">
<by-component uuid="d1d6e0d3-04c5-489b-a47f-ef8875213196"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces authorized access to the corresponding private key;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.2_smt.c" uuid="84fa232d-cdd1-429f-ba62-7b942eb88506">
<by-component uuid="964ec4cc-e20d-4395-9318-3ca3735a87b4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maps the authenticated identity to the account of the individual or group; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ia-5.2_smt.d" uuid="1277387b-1265-48d7-a25b-7e3c8a8ab031">
<by-component uuid="f8de6d1d-96ed-49d1-97d9-bd9489f60e88"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.3" uuid="15771fc8-4ae7-4009-9c3a-7fd1e36066e8"><!--In-person or Trusted Third-party Registration-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ia-5.3_prm_1">
<value>organization-defined types of and/or specific authenticators</value>
<!--Constraint: All hardware/biometric (multifactor authenticators)>-->
</set-parameter>
<set-parameter param-id="ia-5.3_prm_2">
<value>one of in person or by a trusted third party</value>
<!--Constraint: in person>-->
</set-parameter>
<set-parameter param-id="ia-5.3_prm_3">
<value>organization-defined registration authority</value>
</set-parameter>
<set-parameter param-id="ia-5.3_prm_4">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.3_smt-->
<statement statement-id="ia-5.3_smt" uuid="73c47979-e9ca-4cbe-a132-4f7cd547914e">
<by-component uuid="4b9a3f28-53f7-45c2-b8b4-95de8537770b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires that the registration process to receive be conducted before with authorization by .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.4" uuid="5f46f435-bc8a-4d9d-a5ae-13bcf0d790f3"><!--Automated Support for Password Strength Determination-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-5.4_prm_1">
<value>organization-defined requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.4_smt-->
<statement statement-id="ia-5.4_smt" uuid="65bb2cf4-93c8-4e64-a7bb-7f2ccad9d7c5">
<by-component uuid="c031931e-3a63-410e-ab41-a50d4fe82067"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.6" uuid="472aaca2-9737-41fb-aec2-6ef7161611d7"><!--Protection of Authenticators-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.6_smt-->
<statement statement-id="ia-5.6_smt" uuid="c75cee3d-e1c9-4440-8777-e33a0bd7df05">
<by-component uuid="97107309-1a85-4c8c-b6fb-38dc0a12d683"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.7" uuid="4095a5b2-1660-486d-84c1-18f773c17e4a"><!--No Embedded Unencrypted Static Authenticators-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.7_smt-->
<statement statement-id="ia-5.7_smt" uuid="0f20da42-cef5-458b-aa29-9a5284a225b0">
<by-component uuid="b129786d-b0f3-44b3-a2dc-152e14dd529b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-5.11" uuid="4f687bde-39cb-4ff3-ac18-0361a8bd4592"><!--Hardware Token-based Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-5.11_prm_1">
<value>organization-defined token quality requirements</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-5.11_smt-->
<statement statement-id="ia-5.11_smt" uuid="6aa92cab-fb82-45ef-883f-89b225e77a22">
<by-component uuid="3ac05188-147a-4d11-979f-88bab66bc21c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system, for hardware token-based authentication, employs mechanisms that satisfy .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-6" uuid="0a73100b-a8b9-447d-99c1-06192555eac2"><!--Authenticator Feedback-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-6_smt-->
<statement statement-id="ia-6_smt" uuid="61a6e2cf-2924-4370-a16b-e1dd6c4cabbe">
<by-component uuid="2e290554-cfc6-4821-86ed-040a9b195298"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-7" uuid="263e0ee4-dfe1-43ee-a7bc-c4909335b706"><!--Cryptographic Module Authentication-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-7_smt-->
<statement statement-id="ia-7_smt" uuid="5685e4e7-a323-442f-a067-a0113876a01a">
<by-component uuid="40d4cdc6-f39d-4bd6-be8a-8d4e76e1c18c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8" uuid="0d73b337-8023-450d-9145-3f6d603c5689"><!--Identification and Authentication (non-organizational Users)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8_smt, ia-8.1_smt, ia-8.2_smt, ia-8.3_smt, ia-8.4_smt-->
<statement statement-id="ia-8_smt" uuid="bd981afa-ada6-403f-bd06-36db33f24c8d">
<by-component uuid="cbc47f1a-e964-4a3b-be15-b8905d27d072"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.1" uuid="54d55470-9152-4ce6-af73-f2939618e8b1"><!--Acceptance of PIV Credentials from Other Agencies-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.1_smt-->
<statement statement-id="ia-8.1_smt" uuid="728c4ac9-437c-4563-9cff-dc59c598fcee">
<by-component uuid="433385e9-8b58-4609-820d-1b1187d80255"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.2" uuid="588f9fa5-0822-455e-82c4-ef663e1928aa"><!--Acceptance of Third-party Credentials-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.2_smt-->
<statement statement-id="ia-8.2_smt" uuid="a29628c6-7c34-4716-8e6b-5fe45712f42e">
<by-component uuid="84248c02-8d80-4748-a30b-96f5451defd5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system accepts only FICAM-approved third-party credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.3" uuid="50ed1d95-25b3-4c84-b755-f4802c5ecaf0"><!--Use of Ficam-approved Products-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ia-8.3_prm_1">
<value>organization-defined information systems</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.3_smt-->
<statement statement-id="ia-8.3_smt" uuid="aab1c246-1013-4cce-a1b1-d06e32ec9154">
<by-component uuid="ccf5a1d5-8566-4cd5-884f-fae11bd2d600"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs only FICAM-approved information system components in to accept third-party credentials.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ia-8.4" uuid="da185933-42b2-4301-8026-eb3afb0354ac"><!--Use of Ficam-issued Profiles-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ia-8.4_smt-->
<statement statement-id="ia-8.4_smt" uuid="d4155c0b-abaf-43fd-abcb-4a3354046227">
<by-component uuid="83cdc06e-fe80-4d0d-b5be-5ac6265d7368"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system conforms to FICAM-issued profiles.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-1" uuid="bfe441a4-83cd-4634-8ee8-13072c148207"><!--Incident Response Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ir-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ir-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ir-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-1_smt.a, ir-1_smt.b.1, ir-1_smt.b.2-->
<statement statement-id="ir-1_smt.a" uuid="d9ad915b-f6cf-42b2-88cc-a79614ef4092">
<by-component uuid="28e7ed7c-146b-4cd3-8a3f-86f5f29edc90"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-1_smt.b.1" uuid="1dfabc6e-9a82-4eaa-b10d-ceb8f08f51a7">
<by-component uuid="79d20bcd-a061-40e5-a1bb-4dbcb7bb7d19"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incident response policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-1_smt.b.2" uuid="eed94368-ac88-4811-a943-1bc9ca2dbcd1">
<by-component uuid="b01a8044-650b-4395-bd54-9811e1aa9ba7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incident response procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-2" uuid="56ef110f-c408-4658-aab8-65b12b4f587b"><!--Incident Response Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ir-2_prm_1">
<value>organization-defined time period</value>
</set-parameter>
<set-parameter param-id="ir-2_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-2_smt.a, ir-2_smt.b, ir-2_smt.c-->
<statement statement-id="ir-2_smt.a" uuid="5365a898-4353-4432-bf5b-de6b8e2dce2a">
<by-component uuid="b682a7ab-a6a0-4230-ac49-519c19225dd8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Within of assuming an incident response role or responsibility;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-2_smt.b" uuid="0d7aeaed-70c5-410b-b1fa-00bbece5afff">
<by-component uuid="919147cd-c0a1-4887-a671-f07873e894c5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>When required by information system changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-2_smt.c" uuid="f8d63f44-98c9-4956-8dbd-0fe76a76d011">
<by-component uuid="c5752751-be6a-4402-8ae8-c7a4f2d86a54"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
thereafter.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-3" uuid="a1138678-6e18-4f1e-b20b-360436f996fa"><!--Incident Response Testing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ir-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ir-3_prm_2">
<value>organization-defined tests</value>
<!--Constraint: see additional FedRAMP Requirements and Guidance>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-3_smt, ir-3.2_smt-->
<statement statement-id="ir-3_smt" uuid="0f263f51-4679-421f-a4ab-9d1411143dd6">
<by-component uuid="021a81a7-cd74-46f0-ba62-acff5e963114"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization tests the incident response capability for the information system using to determine the incident response effectiveness and documents the results.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-3.2" uuid="70087433-d693-4209-92e5-74e7e89d3d5a"><!--Coordination with Related Plans-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-3.2_smt-->
<statement statement-id="ir-3.2_smt" uuid="ff1cdea4-e3ec-45d6-80e8-2169791880d9">
<by-component uuid="b3fab935-0e8b-4e8e-bd38-7c1758436fc0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization coordinates incident response testing with organizational elements responsible for related plans.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-4" uuid="b3935ae3-0f14-4d70-a1d3-31796d0b89db"><!--Incident Handling-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-4_smt.a, ir-4_smt.b, ir-4_smt.c, ir-4.1_smt-->
<statement statement-id="ir-4_smt.a" uuid="085546a9-e426-4767-b324-c777cc261502">
<by-component uuid="a0c6bb8b-4a3a-40c7-a7f4-8fcc2e03dc68"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-4_smt.b" uuid="eff1cf39-d0d0-47b1-b8a5-e29bddd5853d">
<by-component uuid="ccc2f4c2-92d2-4983-a497-712ffaf258d3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates incident handling activities with contingency planning activities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-4_smt.c" uuid="b2726385-93db-41dc-a727-0b133744a60a">
<by-component uuid="e4d8670f-d13b-47ad-905a-74cc6d2b61f9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-4.1" uuid="2e355942-78b8-4b75-bddf-0b76ec6fc598"><!--Automated Incident Handling Processes-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-4.1_smt-->
<statement statement-id="ir-4.1_smt" uuid="a2e7e94e-8108-491d-8540-f0e70db4922c">
<by-component uuid="47e8f8b0-30ee-43a2-aae9-56891e9d67b2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to support the incident handling process.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-5" uuid="3ceacdf7-7438-4f1c-9470-fcf90cacde59"><!--Incident Monitoring-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-5_smt-->
<statement statement-id="ir-5_smt" uuid="31975b77-ce4f-4d5a-8ba4-8a1c1719bb4f">
<by-component uuid="f82843e3-b3be-4573-bf62-c7f995bdb3d6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization tracks and documents information system security incidents.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-6" uuid="28a77312-9300-4c07-bfc5-6b345c270710"><!--Incident Reporting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ir-6_prm_1">
<value>organization-defined time period</value>
<!--Constraint: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)>-->
</set-parameter>
<set-parameter param-id="ir-6_prm_2">
<value>organization-defined authorities</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-6_smt.a, ir-6_smt.b, ir-6.1_smt-->
<statement statement-id="ir-6_smt.a" uuid="da9f21f4-7f9c-4f66-95e4-985ba73b8aa6">
<by-component uuid="4f0fee16-cd1b-4951-8461-95ec26516cf0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires personnel to report suspected security incidents to the organizational incident response capability within ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-6_smt.b" uuid="1a95ba34-dd2b-4d56-aca6-54a8f0e5384f">
<by-component uuid="636ab868-9ca1-4169-b144-4a12da8eb165"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reports security incident information to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-6.1" uuid="6c60c2d4-04b0-4b86-97cf-69efaf90fc29"><!--Automated Reporting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-6.1_smt-->
<statement statement-id="ir-6.1_smt" uuid="6bf78c05-b960-4bef-a026-ec1cfa44e80e">
<by-component uuid="129cb7da-036c-405f-8bed-d313fda5cc7f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to assist in the reporting of security incidents.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-7" uuid="9e22f5fc-b424-4558-941f-54bb4479ccbb"><!--Incident Response Assistance-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-7_smt, ir-7.1_smt, ir-7.2_smt.a, ir-7.2_smt.b-->
<statement statement-id="ir-7_smt" uuid="c6561cbd-dc40-4fe9-954c-655e76999de8">
<by-component uuid="4b72d3e8-ca47-4e3f-80f5-e14b68f6fd65"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-7.1" uuid="af2c1121-bf0b-4c41-82a5-b397910c70db"><!--Automation Support for Availability of Information / Support-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-7.1_smt-->
<statement statement-id="ir-7.1_smt" uuid="8b46d9c7-8af3-4b1b-aab4-60cf1f893c46">
<by-component uuid="6208adeb-d76f-42de-8b8a-9f90b89aea41"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-7.2" uuid="dee43a85-f866-4892-a7af-427b1cdd052d"><!--Coordination with External Providers-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-7.2_smt.a, ir-7.2_smt.b-->
<statement statement-id="ir-7.2_smt.a" uuid="567045d4-4fec-48cb-b62b-cfcc290b225b">
<by-component uuid="75810ffa-4e81-47a7-a207-12eab16fe1c3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-7.2_smt.b" uuid="4a5ba638-4e7e-4d01-8195-e6925083c440">
<by-component uuid="28aec2d7-f99f-49bf-b7a6-bda943751ac7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies organizational incident response team members to the external providers.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-8" uuid="26e49bda-73d7-484b-8eb4-ad6e37906cfb"><!--Incident Response Plan-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ir-8_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ir-8_prm_2">
<value>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</value>
<!--Constraint: see additional FedRAMP Requirements and Guidance>-->
</set-parameter>
<set-parameter param-id="ir-8_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ir-8_prm_4">
<value>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</value>
<!--Constraint: see additional FedRAMP Requirements and Guidance>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-8_smt.a, ir-8_smt.b, ir-8_smt.c, ir-8_smt.d, ir-8_smt.e, ir-8_smt.f-->
<statement statement-id="ir-8_smt.a" uuid="b5b491e6-ded2-4431-bb1e-5a2f6ec5fc2b">
<by-component uuid="0bfffb47-838b-4bda-add3-d0bef9dfb726"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops an incident response plan that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.b" uuid="91915102-eabf-4bf0-89cf-3ad8d15f86ca">
<by-component uuid="9e1ccecf-3933-464e-9fde-f92290723ad6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes copies of the incident response plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.c" uuid="28e382e5-49ce-42fe-a167-77d4f6ba41ce">
<by-component uuid="19fc0134-052f-43ce-badf-fce8ebb919b8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the incident response plan ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.d" uuid="94538ea0-f220-4769-a1dd-a453dec38f03">
<by-component uuid="b295a91e-1a70-4e6e-8e3b-ad5006695c80"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.e" uuid="e9f170fd-5b0d-497f-bf95-796d8fbd969c">
<by-component uuid="7653b896-89dd-4e3b-9ac5-423f9cd45087"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Communicates incident response plan changes to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-8_smt.f" uuid="5b3ac866-c328-4dc6-9862-c46444665abf">
<by-component uuid="5007fb66-7c58-43e8-9a6b-9fb257dee0d7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the incident response plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-9" uuid="f6f922c4-db2f-4fd5-9785-38a082e16988"><!--Information Spillage Response-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ir-9_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ir-9_prm_2">
<value>organization-defined actions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-9_smt.a, ir-9_smt.b, ir-9_smt.c, ir-9_smt.d, ir-9_smt.e, ir-9_smt.f, ir-9.1_smt, ir-9.2_smt, ir-9.3_smt, ir-9.4_smt-->
<statement statement-id="ir-9_smt.a" uuid="ad6415ca-569c-4481-bcd7-c75c73f6a900">
<by-component uuid="011548af-02de-4865-b53f-23cb0a163278"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifying the specific information involved in the information system contamination;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-9_smt.b" uuid="60c06a19-b8d4-426d-98c9-0d31683c93ad">
<by-component uuid="b471a42e-ccd9-4347-860d-b66d6e52f9d6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Alerting of the information spill using a method of communication not associated with the spill;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-9_smt.c" uuid="b62d680c-b24d-44b6-8acb-88d707fdcc85">
<by-component uuid="e82ed97b-3d45-4c5f-ac71-e0ac798074d4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Isolating the contaminated information system or system component;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-9_smt.d" uuid="8b6ad64b-a72d-4fd7-b2bc-0f7eede02197">
<by-component uuid="59291939-e397-49f6-aae6-b821f03d3d96"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Eradicating the information from the contaminated information system or component;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-9_smt.e" uuid="d9ccfb68-8197-4c0d-88a2-7fe9a7511902">
<by-component uuid="ba124af9-4c5b-4a2d-9792-874b1cc6d619"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifying other information systems or system components that may have been subsequently contaminated; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ir-9_smt.f" uuid="6475ba7a-9eff-4b57-9aed-641ce679136f">
<by-component uuid="c33bf9d8-5b22-4fb9-9003-33156a27a7a6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Performing other .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-9.1" uuid="de1e868f-0c9a-45cc-bb79-db7da1b6c5b0"><!--Responsible Personnel-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ir-9.1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-9.1_smt-->
<statement statement-id="ir-9.1_smt" uuid="a49d5612-31aa-4dad-a097-b6fe16ecaf84">
<by-component uuid="eb509830-82c2-4e82-8cf1-7be182882f94"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization assigns with responsibility for responding to information spills.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-9.2" uuid="2b409fd4-1893-4af0-bac1-6a68a7b1fc1f"><!--Training-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ir-9.2_prm_1">
<value>organization-defined frequency</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-9.2_smt-->
<statement statement-id="ir-9.2_smt" uuid="1061340a-b0a2-47b4-a165-035a8d989530">
<by-component uuid="5a6d2064-f9eb-4399-b7b1-cdb551bea7b9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides information spillage response training .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-9.3" uuid="2aa3d573-f2d9-4003-9a57-ed2bb3afb458"><!--Post-spill Operations-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ir-9.3_prm_1">
<value>organization-defined procedures</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-9.3_smt-->
<statement statement-id="ir-9.3_smt" uuid="785ed64e-ef52-465d-8ca5-412e03de7ef2">
<by-component uuid="1d958d13-3d9f-499e-9fdb-72bb8ff688ac"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ir-9.4" uuid="77441c35-2070-409a-bda9-1fac94507a71"><!--Exposure to Unauthorized Personnel-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ir-9.4_prm_1">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ir-9.4_smt-->
<statement statement-id="ir-9.4_smt" uuid="984ab0f0-5cb0-4f96-9d9d-7f5fffb46b25">
<by-component uuid="f0735560-aae2-47ca-b4ee-a317695f14f2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs for personnel exposed to information not within assigned access authorizations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-1" uuid="ac646111-9ad4-42b5-bc2e-bbc535a23bf8"><!--System Maintenance Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ma-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ma-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ma-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-1_smt.a, ma-1_smt.b.1, ma-1_smt.b.2-->
<statement statement-id="ma-1_smt.a" uuid="4dc02eef-4f80-4cf1-9c39-f13878aaa643">
<by-component uuid="c8616ac5-ac97-4cea-a869-d5d9612da959"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-1_smt.b.1" uuid="4be35c64-6147-4701-9b7f-10cab8d19cb5">
<by-component uuid="44830747-b720-4158-b99f-a338b6eb1614"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System maintenance policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-1_smt.b.2" uuid="cf7ae814-62ba-4c9c-9c8b-e35338200a60">
<by-component uuid="47a04c57-52fd-4e36-a7c9-715e0d9b8898"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System maintenance procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-2" uuid="0e3414c1-b8cd-480d-a44d-d0c83074e1e7"><!--Controlled Maintenance-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ma-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ma-2_prm_2">
<value>organization-defined maintenance-related information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-2_smt.a, ma-2_smt.b, ma-2_smt.c, ma-2_smt.d, ma-2_smt.e, ma-2_smt.f-->
<statement statement-id="ma-2_smt.a" uuid="89cf3346-1c5f-4686-8f7c-7b2895c06f76">
<by-component uuid="0a44b090-64e6-4a19-8f6e-a51b79d99d6b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.b" uuid="e49fa8a3-16bc-40d4-ba94-9f9a86108f8d">
<by-component uuid="b0bf1f85-dcc6-442b-9d0a-43938a622ac7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.c" uuid="9c217cca-d63d-4655-9244-f896d588a48d">
<by-component uuid="75d31984-7aed-4f90-8530-6753d6ddea0c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires that explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.d" uuid="2b4bb122-26be-4d0d-92f5-2ec6c4d3bef5">
<by-component uuid="7eca7c4c-a69f-4171-b1a4-d7241a8111e7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.e" uuid="1a4e139b-2ea7-44d9-8b21-89d3fb2cad84">
<by-component uuid="ecf36a91-4f27-4651-bf8c-adc7e0f315a6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-2_smt.f" uuid="e2784124-c5ae-4a71-9f3e-8ac2724f00ff">
<by-component uuid="ee36715a-d62f-47d1-a7d9-5cf7fbd71d32"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Includes in organizational maintenance records.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-3" uuid="ca57bd8b-d4bc-44e5-a74d-f7ead05cf264"><!--Maintenance Tools-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-3_smt, ma-3.1_smt, ma-3.2_smt, ma-3.3_smt.a, ma-3.3_smt.b, ma-3.3_smt.c, ma-3.3_smt.d-->
<statement statement-id="ma-3_smt" uuid="ef29df46-1aa3-479a-b878-c85d22683913">
<by-component uuid="c16ca433-41dd-4fc7-a5a6-b0602e58b0af"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization approves, controls, and monitors information system maintenance tools.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-3.1" uuid="f6834ce6-529d-4719-8ae3-4c0b6bc839ce"><!--Inspect Tools-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-3.1_smt-->
<statement statement-id="ma-3.1_smt" uuid="bc3fb714-061b-42e4-84d1-f7833d1700d8">
<by-component uuid="9e466034-6289-4c39-9343-e82fa5326fe5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-3.2" uuid="f0c56b2a-9d50-4739-9107-b337d9eb427b"><!--Inspect Media-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-3.2_smt-->
<statement statement-id="ma-3.2_smt" uuid="c46a1840-0911-4736-af79-313edddd9f8c">
<by-component uuid="f2b4504b-92a0-4167-899b-65c7e698cf93"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-3.3" uuid="3b42b3b3-a7d2-48c2-8881-0dcba0131fdd"><!--Prevent Unauthorized Removal-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ma-3.3_prm_1">
<value>organization-defined personnel or roles</value>
<!--Constraint: the information owner explicitly authorizing removal of the equipment from the facility>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-3.3_smt.a, ma-3.3_smt.b, ma-3.3_smt.c, ma-3.3_smt.d-->
<statement statement-id="ma-3.3_smt.a" uuid="2fd45c67-2815-40a9-8bf1-5e06d0bbdacb">
<by-component uuid="ff3cbcaf-5a81-4913-8432-4eb3a09a9532"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Verifying that there is no organizational information contained on the equipment;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-3.3_smt.b" uuid="e5df9a24-3a5e-4ff8-9719-c5defb6a9bbd">
<by-component uuid="641db378-e576-4ca0-83d5-101a31d4244b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Sanitizing or destroying the equipment;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-3.3_smt.c" uuid="7d84dea5-5fce-4962-9049-9968e2c115fb">
<by-component uuid="15c42c7b-6529-44fa-8618-fdb52898d6ea"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retaining the equipment within the facility; or</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-3.3_smt.d" uuid="367d62b2-a249-4a35-8f9e-8cd231cb6114">
<by-component uuid="e4eeb528-ca45-4501-abf4-bdffaeb1719d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-4" uuid="f58b043f-99e6-4490-8309-bfca5ead896a"><!--Nonlocal Maintenance-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-4_smt.a, ma-4_smt.b, ma-4_smt.c, ma-4_smt.d, ma-4_smt.e, ma-4.2_smt-->
<statement statement-id="ma-4_smt.a" uuid="06aac24a-9812-4ff5-9ed4-33905f2d17c6">
<by-component uuid="f2fe3d5f-670f-46b4-9179-35bba2ddf6d9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.b" uuid="5beed42e-f59d-45b2-9e44-6ee3d6060839">
<by-component uuid="526dc018-1164-4ef3-9697-01b9ce933e8b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.c" uuid="cf4cc763-cd1c-4e74-8687-862b4d9889d9">
<by-component uuid="3e9a9b31-acf3-4760-9d9f-7d911426c155"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.d" uuid="8b028a84-0090-4914-ba51-aaa320a7a445">
<by-component uuid="20af7d02-47bb-435e-9258-93cecf580fe6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-4_smt.e" uuid="5c2f7608-a001-4d20-9184-e4647d6ee7ce">
<by-component uuid="f30f3052-b413-4045-a22e-d1a0b515633b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Terminates session and network connections when nonlocal maintenance is completed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-4.2" uuid="323d4fad-45de-4f39-a4d9-62953e489b7a"><!--Document Nonlocal Maintenance-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-4.2_smt-->
<statement statement-id="ma-4.2_smt" uuid="94edd828-f6db-4636-bb60-66b94a1e23be">
<by-component uuid="0de85963-efa5-4380-9efc-b52109ca4cab"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-5" uuid="2b2c6f0c-a748-4f4d-ab8a-cee758cd4429"><!--Maintenance Personnel-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-5_smt.a, ma-5_smt.b, ma-5_smt.c, ma-5.1_smt.a, ma-5.1_smt.b-->
<statement statement-id="ma-5_smt.a" uuid="9c33e1fc-b6a5-41de-aecd-7dec44a3ff12">
<by-component uuid="fa3556b6-4a9c-4de4-a28e-977c0f766a36"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-5_smt.b" uuid="cb98ac2c-3cc6-42c8-b7d7-4a6f0c13569f">
<by-component uuid="8f9ce070-3c8d-49dd-8490-5789a337242c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-5_smt.c" uuid="46bd4d96-f8c1-4d21-bf22-7ab302b145a7">
<by-component uuid="81be1f13-a66c-4d61-8f1b-a1034b39ebd0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-5.1" uuid="70e07681-1084-4623-b700-58141db8706f"><!--Individuals Without Appropriate Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-5.1_smt.a, ma-5.1_smt.b-->
<statement statement-id="ma-5.1_smt.a" uuid="44fa9180-ef2b-4330-a9d1-6e457095352e">
<by-component uuid="204c3c5f-62ee-496e-b1d4-2f8fd9f42438"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ma-5.1_smt.b" uuid="bfc4a131-b966-4202-a70e-1548791a1519">
<by-component uuid="71a171ba-9767-4bfe-9131-bdd91ff4f92d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ma-6" uuid="b4506d90-94c8-402f-b47d-de1a0820ae19"><!--Timely Maintenance-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ma-6_prm_1">
<value>organization-defined information system components</value>
</set-parameter>
<set-parameter param-id="ma-6_prm_2">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ma-6_smt-->
<statement statement-id="ma-6_smt" uuid="35b7f6d4-195d-4499-87b7-dbf05127ed43">
<by-component uuid="2c3ad4f7-96d9-4c6a-b165-0c7888867750"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization obtains maintenance support and/or spare parts for within of failure.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-1" uuid="b18ca8de-a440-4de5-bbdb-da70858a5b1b"><!--Media Protection Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="mp-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="mp-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="mp-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-1_smt.a, mp-1_smt.b.1, mp-1_smt.b.2-->
<statement statement-id="mp-1_smt.a" uuid="db8da810-1b33-4b10-b14b-4b57afee426b">
<by-component uuid="3ee5f60a-8c65-4078-a363-7a945c813a1b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-1_smt.b.1" uuid="dfc6d60a-a513-4fec-bb62-f2006533da7d">
<by-component uuid="3bb6a132-4daf-4792-9dd9-3361e963d564"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Media protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-1_smt.b.2" uuid="43b6151a-0136-459a-a2ce-5045d11865d4">
<by-component uuid="ba13be21-1b16-4a7f-87ca-8b55fe8cd415"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Media protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-2" uuid="542b3007-63c1-402e-ac69-0ec3266e4d4c"><!--Media Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<set-parameter param-id="mp-2_prm_1">
<value>organization-defined types of digital and/or non-digital media</value>
</set-parameter>
<set-parameter param-id="mp-2_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-2_smt-->
<statement statement-id="mp-2_smt" uuid="452c187e-e025-4658-bdca-487a48a7e830">
<by-component uuid="6d8ccb5c-a2e0-4880-87b8-f3b8a3269e83"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization restricts access to to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-3" uuid="1c6a0f31-a614-4c69-8560-7f30f2af92ff"><!--Media Marking-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="mp-3_prm_1">
<value>organization-defined types of information system media</value>
<!--Constraint: no removable media types>-->
</set-parameter>
<set-parameter param-id="mp-3_prm_2">
<value>organization-defined controlled areas</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-3_smt.a, mp-3_smt.b-->
<statement statement-id="mp-3_smt.a" uuid="2f57d4e3-3532-48df-aec7-dc26900b9f3c">
<by-component uuid="376f803a-e771-4f08-8a2d-ce1896d732ba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-3_smt.b" uuid="cc48ad03-5d8d-4f56-be05-a8da34033836">
<by-component uuid="aae56b80-9b7d-433e-bfae-145a3ec865a4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Exempts from marking as long as the media remain within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-4" uuid="08b6933a-bae8-438b-b3b9-bfdd006135ac"><!--Media Storage-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="mp-4_prm_1">
<value>organization-defined types of digital and/or non-digital media</value>
<!--Constraint: all types of digital and non-digital media with sensitive information>-->
</set-parameter>
<set-parameter param-id="mp-4_prm_2">
<value>organization-defined controlled areas</value>
<!--Constraint: see additional FedRAMP requirements and guidance>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-4_smt.a, mp-4_smt.b-->
<statement statement-id="mp-4_smt.a" uuid="d4751ae0-3c5c-4d76-9478-cbd75afda5e5">
<by-component uuid="cd3e2ef0-09ce-4ce7-8ee9-9eccc011ac5e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Physically controls and securely stores within ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-4_smt.b" uuid="9ac6b9b7-135e-45b7-bb6a-803bb81ea118">
<by-component uuid="bb336937-b7b7-49ae-9a2a-d780930fce37"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-5" uuid="8694ee78-c2be-4cc4-ac94-f5584dfd5b0b"><!--Media Transport-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="mp-5_prm_1">
<value>organization-defined types of information system media</value>
<!--Constraint: all media with sensitive information>-->
</set-parameter>
<set-parameter param-id="mp-5_prm_2">
<value>organization-defined security safeguards</value>
<!--Constraint: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-5_smt.a, mp-5_smt.b, mp-5_smt.c, mp-5_smt.d, mp-5.4_smt-->
<statement statement-id="mp-5_smt.a" uuid="77226da8-766f-482a-ad5f-3957d1584d4e">
<by-component uuid="f40ce448-9831-4f07-a0b3-a4943041f621"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects and controls during transport outside of controlled areas using ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-5_smt.b" uuid="02ddb69d-aee1-4298-b2cc-6e087c1a8a7a">
<by-component uuid="45db59a6-d3e8-4800-8516-8bad0df006af"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains accountability for information system media during transport outside of controlled areas;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-5_smt.c" uuid="153cff2f-41d2-407f-97fb-9a8f3d7319f7">
<by-component uuid="f9a09153-b291-41ae-8675-5c25f9963f58"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents activities associated with the transport of information system media; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-5_smt.d" uuid="d76fa9ac-5cac-4da0-aae6-362d9d6e6797">
<by-component uuid="8f0fed1b-4677-4c6d-b691-1cb8bddd590d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Restricts the activities associated with the transport of information system media to authorized personnel.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-5.4" uuid="00953b44-78cc-485b-bc72-4c97bf78796e"><!--Cryptographic Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-5.4_smt-->
<statement statement-id="mp-5.4_smt" uuid="7df421a6-cd54-48ba-97da-0c3ac51acdff">
<by-component uuid="e0f44079-5651-4860-9064-08bf6008d70c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-6" uuid="b8852096-7717-4bd7-9d40-f423557084f8"><!--Media Sanitization-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="mp-6_prm_1">
<value>organization-defined information system media</value>
</set-parameter>
<set-parameter param-id="mp-6_prm_2">
<value>organization-defined sanitization techniques and procedures</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-6_smt.a, mp-6_smt.b, mp-6.2_smt-->
<statement statement-id="mp-6_smt.a" uuid="07a0411a-e6ed-4542-82b0-ddd344e6c11b">
<by-component uuid="c93a8551-5db4-4288-853c-a98b4f3083ef"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Sanitizes prior to disposal, release out of organizational control, or release for reuse using in accordance with applicable federal and organizational standards and policies; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="mp-6_smt.b" uuid="b168a0e7-f51e-476a-ae7e-cfdb4aa1186b">
<by-component uuid="a9a30898-28aa-4e38-aae6-fb68cabebb5b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-6.2" uuid="d85139b2-f652-4b34-a32e-26a443791f6c"><!--Equipment Testing-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="mp-6.2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-6.2_smt-->
<statement statement-id="mp-6.2_smt" uuid="3e4a84f4-6f81-4076-b6da-ce98a0558655">
<by-component uuid="7fb51069-3993-47ca-ba3c-0b0e6905a4bf"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-7" uuid="67f93a33-c6df-4823-b89b-1d16252a015e"><!--Media Use-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="mp-7_prm_1">
<value>one of restricts or prohibits</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_2">
<value>organization-defined types of information system media</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_3">
<value>organization-defined information systems or system components</value>
</set-parameter>
<set-parameter param-id="mp-7_prm_4">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-7_smt, mp-7.1_smt-->
<statement statement-id="mp-7_smt" uuid="90f55e75-36c4-4e9a-8193-797a88937fce">
<by-component uuid="edb1279e-0c44-45f7-a576-8cbdd4fc7087"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization the use of on using .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="mp-7.1" uuid="0348db8a-534d-47c9-b4f8-8da091bc0461"><!--Prohibit Use Without Owner-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: mp-7.1_smt-->
<statement statement-id="mp-7.1_smt" uuid="1875f83a-c37b-4666-ad2c-0254e0d78a0c">
<by-component uuid="832ad518-2c0b-4066-b9a4-4004c882e756"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-1" uuid="89366cc3-439b-4f71-b581-aa4f37fc4fee"><!--Physical and Environmental Protection Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="pe-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pe-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="pe-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-1_smt.a, pe-1_smt.b.1, pe-1_smt.b.2-->
<statement statement-id="pe-1_smt.a" uuid="677bc8b3-2407-44db-a9c8-35abd1e986ad">
<by-component uuid="268ec1a9-b159-46ce-8f2e-f73047c48ce4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-1_smt.b.1" uuid="0c33df1e-f7c6-4e2b-87f0-a9dcad866275">
<by-component uuid="388ba100-824f-4ce5-8c7b-95e3e89a799a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Physical and environmental protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-1_smt.b.2" uuid="e2733cf8-aa9c-494d-9331-ec37d8f1d2b1">
<by-component uuid="8cef4f2c-85b3-4d54-9cfb-214d86fc4cb5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Physical and environmental protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-2" uuid="b9163bb7-90fa-415a-beae-193818e351a7"><!--Physical Access Authorizations-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pe-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-2_smt.a, pe-2_smt.b, pe-2_smt.c, pe-2_smt.d-->
<statement statement-id="pe-2_smt.a" uuid="39fe1bd8-6d5f-418f-8b10-d9e088f16524">
<by-component uuid="78466556-0600-46a9-97d6-f94f17133821"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.b" uuid="db23e6f2-926e-4cda-ac61-de7f4f86229b">
<by-component uuid="2c44c1d1-67d6-4d25-9544-02ab5ee2cb2e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Issues authorization credentials for facility access;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.c" uuid="9547809a-9cda-4e07-b57d-20ea2b335f77">
<by-component uuid="787bab74-d777-46eb-af36-4fe8b4bc2fd7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the access list detailing authorized facility access by individuals ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-2_smt.d" uuid="511ddce5-24c0-4fc4-86e7-402c7f0ae4f8">
<by-component uuid="4f48aff5-e7fc-4361-8d4f-15030901e0ba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Removes individuals from the facility access list when access is no longer required.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-3" uuid="85c34c00-7664-4c83-8e47-0b812925ae89"><!--Physical Access Control-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 9 control parameters-->
<set-parameter param-id="pe-3_prm_1">
<value>organization-defined entry/exit points to the facility where the information system resides</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_2">
<value>it's complicated by parameter inserts</value>
<!--Constraint: CSP defined physical access control systems/devices AND guards>-->
</set-parameter>
<set-parameter param-id="pe-3_prm_3">
<value>organization-defined physical access control systems/devices</value>
<!--Constraint: CSP defined physical access control systems/devices>-->
</set-parameter>
<set-parameter param-id="pe-3_prm_4">
<value>organization-defined entry/exit points</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_5">
<value>organization-defined security safeguards</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_6">
<value>organization-defined circumstances requiring visitor escorts and monitoring</value>
<!--Constraint: in all circumstances within restricted access area where the information system resides>-->
</set-parameter>
<set-parameter param-id="pe-3_prm_7">
<value>organization-defined physical access devices</value>
</set-parameter>
<set-parameter param-id="pe-3_prm_8">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="pe-3_prm_9">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-3_smt.a, pe-3_smt.b, pe-3_smt.c, pe-3_smt.d, pe-3_smt.e, pe-3_smt.f, pe-3_smt.g-->
<statement statement-id="pe-3_smt.a" uuid="68641d24-2cdb-495d-9b21-cda2a0276c0d">
<by-component uuid="91b75831-cdb8-48a1-bf93-16479a5f7982"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Enforces physical access authorizations at by;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.b" uuid="670001bc-b1ce-4ca5-bddd-a2f7aeed5090">
<by-component uuid="8c5be1c6-3ba4-41db-a0b5-8bb9cbed0947"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains physical access audit logs for ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.c" uuid="0b5d54ab-1379-403d-9250-2eaeb2f3a2de">
<by-component uuid="17711e38-81d7-498e-9d3e-f285e8ff2359"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides to control access to areas within the facility officially designated as publicly accessible;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.d" uuid="6ccc3384-1f01-46a8-9190-a1307d66bfab">
<by-component uuid="27947847-0d92-43bd-80d4-41355b67e528"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Escorts visitors and monitors visitor activity ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.e" uuid="83388b62-7b9f-4860-a320-8a220be83815">
<by-component uuid="fbee27f9-0d52-419d-b98a-5fe409cdd230"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Secures keys, combinations, and other physical access devices;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.f" uuid="d6e943c2-9e01-4f8d-819a-117455c5cc76">
<by-component uuid="f7fa179e-5930-42fc-9ef2-c97a7d78b22d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Inventories every ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-3_smt.g" uuid="6cd24818-d605-43d7-87b3-f8f6b3bbbb65">
<by-component uuid="352b7839-0690-4a6c-adc3-b1df89aa7357"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Changes combinations and keys and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-4" uuid="5577e2eb-3992-4fa3-81b6-e3728302b781"><!--Access Control for Transmission Medium-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pe-4_prm_1">
<value>organization-defined information system distribution and transmission lines</value>
</set-parameter>
<set-parameter param-id="pe-4_prm_2">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-4_smt-->
<statement statement-id="pe-4_smt" uuid="5bc4f1f1-b4a4-4631-8f67-a62716cdb547">
<by-component uuid="09f7d710-0e53-4ff0-ba21-ee2b6896c117"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization controls physical access to within organizational facilities using .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-5" uuid="b2056497-9209-4eae-a46d-4c01b17ce356"><!--Access Control for Output Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-5_smt-->
<statement statement-id="pe-5_smt" uuid="19563da3-87ec-4533-b0e9-f5a6fc6e82b6">
<by-component uuid="d759276a-b67f-4669-b48a-ccf8641b7a56"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-6" uuid="76dd5dd8-0201-45e8-a4d4-2008cfccb935"><!--Monitoring Physical Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pe-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<set-parameter param-id="pe-6_prm_2">
<value>organization-defined events or potential indications of events</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-6_smt.a, pe-6_smt.b, pe-6_smt.c, pe-6.1_smt-->
<statement statement-id="pe-6_smt.a" uuid="d345d88e-c7a5-4d47-af93-18c1edfa6281">
<by-component uuid="d98d5a37-6560-4485-9d01-af2cdb20f220"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-6_smt.b" uuid="60e4ac0c-25e9-4ef7-b086-16e14c63d4df">
<by-component uuid="5afb1216-9b24-484e-b1b1-db9828c86458"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews physical access logs and upon occurrence of ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-6_smt.c" uuid="e758f640-3c26-4d98-8570-98338c8420f0">
<by-component uuid="2872346e-d094-41cd-9d9c-89f0df2c7236"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Coordinates results of reviews and investigations with the organizational incident response capability.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-6.1" uuid="38b2b7f0-481a-46cf-a33b-1733bb50b79e"><!--Intrusion Alarms / Surveillance Equipment-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-6.1_smt-->
<statement statement-id="pe-6.1_smt" uuid="67f0257d-40b1-4cf8-8fda-3883458d5fa1">
<by-component uuid="fc9c1fc4-9e78-447e-8153-e43abf436ef4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization monitors physical intrusion alarms and surveillance equipment.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-8" uuid="62b3b742-3755-400d-9290-4a0762f09244"><!--Visitor Access Records-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pe-8_prm_1">
<value>organization-defined time period</value>
<!--Constraint: for a minimum of one (1) year>-->
</set-parameter>
<set-parameter param-id="pe-8_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-8_smt.a, pe-8_smt.b-->
<statement statement-id="pe-8_smt.a" uuid="09fad957-6107-413c-a1bd-000a8aa443b4">
<by-component uuid="aef6240f-1859-4720-b9a2-8343fca4bb98"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains visitor access records to the facility where the information system resides for ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-8_smt.b" uuid="acb48466-2276-47f1-b05f-3a9fc07e69c9">
<by-component uuid="4bae68db-73c3-4329-8a56-e36052d3c522"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews visitor access records .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-9" uuid="a9af6897-d6ae-4b3c-9b84-41938226c3b7"><!--Power Equipment and Cabling-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-9_smt-->
<statement statement-id="pe-9_smt" uuid="b313b2a5-359b-4637-862d-8a9ba3602d6e">
<by-component uuid="7fd05493-d6a1-4ce8-bc3c-5a139cbe37fc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization protects power equipment and power cabling for the information system from damage and destruction.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-10" uuid="6fca82b8-98b5-4810-8250-4b4697a03709"><!--Emergency Shutoff-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pe-10_prm_1">
<value>organization-defined location by information system or system component</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-10_smt.a, pe-10_smt.b, pe-10_smt.c-->
<statement statement-id="pe-10_smt.a" uuid="e9224fd7-0efa-4a38-a201-c9ef77851b31">
<by-component uuid="b9035743-030f-4edb-85ba-ef84a98f5c1f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides the capability of shutting off power to the information system or individual system components in emergency situations;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-10_smt.b" uuid="3fbbb663-a133-4586-a961-68697b37799f">
<by-component uuid="1878dcef-10c2-4fa2-8863-caa29b623a89"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Places emergency shutoff switches or devices in to facilitate safe and easy access for personnel; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-10_smt.c" uuid="5647395e-1359-41bf-ab4a-19f108a95a69">
<by-component uuid="a0011ae9-b494-474a-863a-364067bbb644"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects emergency power shutoff capability from unauthorized activation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-11" uuid="12d04222-be71-4ff6-b287-a34225328041"><!--Emergency Power-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pe-11_prm_1">
<value>one-or-more of an orderly shutdown of the information system, transition of the information system to long-term alternate power</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-11_smt-->
<statement statement-id="pe-11_smt" uuid="95e9446d-5e70-44f9-b90e-ea8377d8ad33">
<by-component uuid="e7d5d930-cd96-46e8-a023-bafd3eff2126"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-12" uuid="416d31c7-7437-4ccb-a18c-d2814171e3c3"><!--Emergency Lighting-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-12_smt-->
<statement statement-id="pe-12_smt" uuid="18cbe108-3ac6-478d-9818-b9728d10faab">
<by-component uuid="59b0bb33-9a62-4163-9351-f53830797381"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-13" uuid="dd54ecd1-601e-4e95-bf59-1a3af53102db"><!--Fire Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-13_smt, pe-13.2_smt, pe-13.3_smt-->
<statement statement-id="pe-13_smt" uuid="d0eee254-a013-4639-b222-ad7f5946b4af">
<by-component uuid="1a0b4679-58da-4131-a978-4353d034a6b9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-13.2" uuid="e9fa0191-0644-4755-90b1-4056f2553f4a"><!--Suppression Devices / Systems-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pe-13.2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pe-13.2_prm_2">
<value>organization-defined emergency responders</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-13.2_smt-->
<statement statement-id="pe-13.2_smt" uuid="81ac0d01-bf40-4cac-a4d8-00780653ba34">
<by-component uuid="22a28bd2-15a6-460c-96b4-69107a8609cc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-13.3" uuid="1b6b4695-ffd3-4544-ba6c-f6cbbc151061"><!--Automatic Fire Suppression-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-13.3_smt-->
<statement statement-id="pe-13.3_smt" uuid="899281a7-0cca-4e68-b12f-85ba37e6e6bd">
<by-component uuid="61199069-e8b7-4043-b82a-a838498a9866"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-14" uuid="d6d2cd09-48da-40b6-abac-41e2fb62b0d3"><!--Temperature and Humidity Controls-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pe-14_prm_1">
<value>organization-defined acceptable levels</value>
<!--Constraint: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments>-->
</set-parameter>
<set-parameter param-id="pe-14_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: continuously>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-14_smt.a, pe-14_smt.b, pe-14.2_smt-->
<statement statement-id="pe-14_smt.a" uuid="f76173a7-c3dc-4944-b9f4-0786394eaacc">
<by-component uuid="1e52b191-ad75-4db9-ab68-7d3ba628ecc8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Maintains temperature and humidity levels within the facility where the information system resides at ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-14_smt.b" uuid="9b7a2028-13d8-414f-8945-d01a20ac9e82">
<by-component uuid="cd85ab21-2224-4b1e-ae0a-292294a55015"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors temperature and humidity levels .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-14.2" uuid="9a66d669-d3b6-4681-b325-7dbf2d364095"><!--Monitoring with Alarms / Notifications-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-14.2_smt-->
<statement statement-id="pe-14.2_smt" uuid="d9c470b2-f4bf-4181-868f-c3188f0c7db4">
<by-component uuid="7b713e54-d6e4-4fc4-a943-53ae75ad8736"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-15" uuid="ca7205ce-cfdd-4bbd-9a73-acea3eeeaab1"><!--Water Damage Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-15_smt-->
<statement statement-id="pe-15_smt" uuid="0a378099-b851-4ec0-8b53-5dd47482fc51">
<by-component uuid="a094eda2-a4b6-4400-b261-df97ef450cea"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-16" uuid="4e89ca2b-425c-42ff-98fd-f36d0cf5d6b8"><!--Delivery and Removal-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pe-16_prm_1">
<value>organization-defined types of information system components</value>
<!--Constraint: all information system components>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-16_smt-->
<statement statement-id="pe-16_smt" uuid="967da9e4-5230-49d9-9740-219c92f4b445">
<by-component uuid="1eb17629-4422-4ed2-9bb3-1f2d1ef0cd5e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pe-17" uuid="15c1493e-3043-429a-bc0b-f53aeee58cc0"><!--Alternate Work Site-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pe-17_prm_1">
<value>organization-defined security controls</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pe-17_smt.a, pe-17_smt.b, pe-17_smt.c-->
<statement statement-id="pe-17_smt.a" uuid="1bafba81-3d47-4d7a-b719-bf174c2ce2f2">
<by-component uuid="4314d599-ba33-4173-a062-9c6f9a2c258c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs at alternate work sites;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-17_smt.b" uuid="693b8987-f12d-412f-b680-81403cbd2a07">
<by-component uuid="80e7cb51-bd43-49ea-a4e8-76c1f22b7ba3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assesses as feasible, the effectiveness of security controls at alternate work sites; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pe-17_smt.c" uuid="114ded5d-437b-476f-a051-eacdac6d6d33">
<by-component uuid="970f7393-e91c-4ae6-8e2c-88cedd3cf26c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides a means for employees to communicate with information security personnel in case of security incidents or problems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-1" uuid="4969b31d-efc3-4d4a-83db-0a6566960f33"><!--Security Planning Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="pl-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pl-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="pl-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-1_smt.a, pl-1_smt.b.1, pl-1_smt.b.2-->
<statement statement-id="pl-1_smt.a" uuid="d7d227be-52a4-49a1-9e2b-dbfa99476ed9">
<by-component uuid="ddfc9fd4-3745-40de-86db-1314c5fb6393"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-1_smt.b.1" uuid="9a21e8f0-11d1-4529-aefe-110d8a01d4a5">
<by-component uuid="9531253d-bc76-42bd-be05-0a859d666adf"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security planning policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-1_smt.b.2" uuid="e1a5146c-fd71-4682-a68c-a578ae72d3ef">
<by-component uuid="a73a1b76-2fe7-475c-93d2-3d80235f25ff"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security planning procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-2" uuid="59d5f080-8859-474b-8509-9572bb9f046a"><!--System Security Plan-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="pl-2_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="pl-2_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-2_smt.a, pl-2_smt.b, pl-2_smt.c, pl-2_smt.d, pl-2_smt.e, pl-2.3_smt-->
<statement statement-id="pl-2_smt.a" uuid="eaf3bc76-9574-4472-a8e0-0fa3a11b0fab">
<by-component uuid="836e262b-af5b-4493-a1ed-866def38ada3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops a security plan for the information system that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.b" uuid="6e1feba1-ae4d-48aa-968a-a496ab128e03">
<by-component uuid="63befa85-4d7d-47bb-a06c-ff21bffef644"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes copies of the security plan and communicates subsequent changes to the plan to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.c" uuid="a08e19e1-3baa-4d37-ac2e-dbe4ef1fefba">
<by-component uuid="bb7a6445-6fe5-40ac-89f9-87b115a42a5d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews the security plan for the information system ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.d" uuid="0eb65813-915e-4c27-8503-66e2ea3782b8">
<by-component uuid="41f26d59-f814-40df-a674-f4e08771d3b6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-2_smt.e" uuid="b2daf398-4686-4217-b096-1d09b6ed9993">
<by-component uuid="1e2138dc-0044-4000-aa3b-d6fd2b8ee118"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the security plan from unauthorized disclosure and modification.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-2.3" uuid="b8364c6c-3749-4acb-8afb-8953a6a4b81a"><!--Plan / Coordinate with Other Organizational Entities-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pl-2.3_prm_1">
<value>organization-defined individuals or groups</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-2.3_smt-->
<statement statement-id="pl-2.3_smt" uuid="614860fb-73ac-45d9-871d-0cbf35de2bfd">
<by-component uuid="7ce118e3-1b1d-479c-975d-c881b7d62bc4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-4" uuid="f82ab018-9910-4686-bcb6-d3197ca7d555"><!--Rules of Behavior-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pl-4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: At least every 3 years>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-4_smt.a, pl-4_smt.b, pl-4_smt.c, pl-4_smt.d, pl-4.1_smt-->
<statement statement-id="pl-4_smt.a" uuid="bd74d238-306c-4966-a9cb-0ba0b4f17b1b">
<by-component uuid="1691e349-3def-482c-b304-ce71ab72e7cb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.b" uuid="2b2d6819-65da-478e-a36e-e6c23109db5a">
<by-component uuid="03f3c5fa-3a86-49ea-b6d1-1f0a8747465d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.c" uuid="36d78c53-c97c-4d1e-aa8b-205cfbff49ab">
<by-component uuid="7109b24f-9526-447e-aa08-4f57b4150054"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the rules of behavior ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-4_smt.d" uuid="1489e1a3-dd12-4500-b9ee-94c4b91ae218">
<by-component uuid="2f6adb3d-897d-4d18-80f0-e3f870528045"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-4.1" uuid="deaa00be-70c9-408a-9653-109f02d5c822"><!--Social Media and Networking Restrictions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-4.1_smt-->
<statement statement-id="pl-4.1_smt" uuid="c774684c-2c3e-4af5-a110-fe99c6b28a92">
<by-component uuid="db71a9c7-5e51-4817-9d48-a3414dbfc53c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="pl-8" uuid="d6120a28-762f-4dae-9808-382a8681b29c"><!--Information Security Architecture-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="pl-8_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: At least annually or when a significant change occurs>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: pl-8_smt.a, pl-8_smt.b, pl-8_smt.c-->
<statement statement-id="pl-8_smt.a" uuid="5d133e12-bd18-464a-b364-3cdde0c881cc">
<by-component uuid="b31c9fc0-9f5c-42e2-b3f4-7aa5ba36f85b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops an information security architecture for the information system that:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-8_smt.b" uuid="d42cf409-2a58-4773-8cde-355099b11af8">
<by-component uuid="b30a9ab2-6716-4796-ac23-fbdff73f0df9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the information security architecture to reflect updates in the enterprise architecture; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="pl-8_smt.c" uuid="16afb23a-69b7-444b-8cb6-288026997f95">
<by-component uuid="fb921e7f-f86b-4583-80b2-4c2965fb3100"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-1" uuid="35604268-fa6b-40fa-99fd-d916dc69926a"><!--Personnel Security Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ps-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ps-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-1_smt.a, ps-1_smt.b.1, ps-1_smt.b.2-->
<statement statement-id="ps-1_smt.a" uuid="4e4a9aae-84b3-4a24-99db-8145795646b3">
<by-component uuid="588f9d61-e2d5-4bf4-9d38-8bafb05dcc20"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-1_smt.b.1" uuid="aa337032-29fd-44f0-ba61-5924b7cb8ea8">
<by-component uuid="854720d6-e24c-4c0a-9b9f-b77e494b3e2d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Personnel security policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-1_smt.b.2" uuid="595fcda9-c4d7-4901-b7ca-efa2cd5bcfa1">
<by-component uuid="af647e12-6198-4fba-bb4c-0d850e591358"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Personnel security procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-2" uuid="c54e1b02-49cd-4365-9579-2114b98759a0"><!--Position Risk Designation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ps-2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least every three years>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-2_smt.a, ps-2_smt.b, ps-2_smt.c-->
<statement statement-id="ps-2_smt.a" uuid="71577f24-d3bc-4abd-9967-5048d663118d">
<by-component uuid="4590d0dc-937a-42f0-8e62-dddedf992619"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Assigns a risk designation to all organizational positions;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-2_smt.b" uuid="7eedf4e6-8591-4202-988b-12e9df92ec9d">
<by-component uuid="83c8b5aa-5035-4948-8161-5c6fba5cd885"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes screening criteria for individuals filling those positions; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-2_smt.c" uuid="aa69cecf-d90e-47fb-a3ce-f3b063b2dcfc">
<by-component uuid="160d8fc1-cdb2-4142-a157-5595c31fdfd4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates position risk designations .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-3" uuid="0350b64c-2bb4-4c1d-8b32-fffa59f80328"><!--Personnel Screening-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ps-3_prm_1">
<value>organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening</value>
<!--Constraint: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-3_smt.a, ps-3_smt.b, ps-3.3_smt.a, ps-3.3_smt.b-->
<statement statement-id="ps-3_smt.a" uuid="ee7a37ed-38da-4c6a-841c-145a8583d6bb">
<by-component uuid="b75df1c1-d6e5-46c5-a243-31654d8da8b5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Screens individuals prior to authorizing access to the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-3_smt.b" uuid="92593137-501a-4734-b231-304f135743df">
<by-component uuid="971259b7-fedf-427f-8f13-c88ba4669e75"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Rescreens individuals according to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-3.3" uuid="05422234-6880-4a53-8def-3d9901369797"><!--Information with Special Protection Measures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="ps-3.3_prm_1">
<value>organization-defined additional personnel screening criteria</value>
<!--Constraint: personnel screening criteria - as required by specific information>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-3.3_smt.a, ps-3.3_smt.b-->
<statement statement-id="ps-3.3_smt.a" uuid="45311837-f008-4cbb-8b59-6bf5893662f3">
<by-component uuid="5bc090a1-065f-4a79-b022-cd7681b1de5b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Have valid access authorizations that are demonstrated by assigned official government duties; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-3.3_smt.b" uuid="ad9b8f56-bd85-4994-a648-aecf543b2f99">
<by-component uuid="2e782a66-9415-4c3b-b7a9-ee9f0cebf09f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Satisfy .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-4" uuid="000a974a-5925-4c4f-b88f-1e38720c2545"><!--Personnel Termination-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ps-4_prm_1">
<value>organization-defined time period</value>
<!--Constraint: same day>-->
</set-parameter>
<set-parameter param-id="ps-4_prm_2">
<value>organization-defined information security topics</value>
</set-parameter>
<set-parameter param-id="ps-4_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-4_prm_4">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-4_smt.a, ps-4_smt.b, ps-4_smt.c, ps-4_smt.d, ps-4_smt.e, ps-4_smt.f-->
<statement statement-id="ps-4_smt.a" uuid="b68c0e20-31b2-4fb4-918d-d3ef92f43728">
<by-component uuid="c8d89612-9033-4c54-93d7-f4dcaaa0341f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disables information system access within ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.b" uuid="eb659b47-2ba5-4061-b41a-8c5e256728e7">
<by-component uuid="09239a83-d0a9-4b9c-a53a-f886c8d6b1e0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Terminates/revokes any authenticators/credentials associated with the individual;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.c" uuid="40054644-ecfa-4bc7-9c21-44d2030d64c7">
<by-component uuid="b553634b-5ad0-468d-a0d4-1c05b596db40"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts exit interviews that include a discussion of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.d" uuid="a34752e3-344a-4ffb-97c1-e6c047bc55d1">
<by-component uuid="b8d4216a-2411-44f5-855b-e2b9c55a11ab"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retrieves all security-related organizational information system-related property;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.e" uuid="e1fb4243-36d9-44bb-95f5-c546ff8f8709">
<by-component uuid="d5781fcd-a9da-48c4-b58e-8fae50600c29"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Retains access to organizational information and information systems formerly controlled by terminated individual; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-4_smt.f" uuid="790da9ee-e25a-422f-95c4-46ac9aa37efe">
<by-component uuid="6ac01106-9d9b-4a6d-9456-7b59c7834086"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-5" uuid="2fde090d-80cd-4da9-a750-3fb1b01697f7"><!--Personnel Transfer-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="ps-5_prm_1">
<value>organization-defined transfer or reassignment actions</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_2">
<value>organization-defined time period following the formal transfer action</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-5_prm_4">
<value>organization-defined time period</value>
<!--Constraint: five days of the time period following the formal transfer action (DoD 24 hours)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-5_smt.a, ps-5_smt.b, ps-5_smt.c, ps-5_smt.d-->
<statement statement-id="ps-5_smt.a" uuid="70e758d1-a197-483a-bba0-03d66284d647">
<by-component uuid="465e82a7-7388-42dd-a0fa-67fa76ed1229"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.b" uuid="f97eab90-3c05-4dba-a445-3aef6c725b32">
<by-component uuid="b65430e7-af6b-4df7-9147-e8909eccb52e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Initiates within ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.c" uuid="882b1bc6-39c9-4a99-a787-be89ddb3c8df">
<by-component uuid="93678d4d-67fe-495e-be99-6662d69bbc4b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-5_smt.d" uuid="5d5809d7-3814-4afa-9d98-3483444d981c">
<by-component uuid="1e022a44-816a-4904-8aa2-2e38ff994c50"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-6" uuid="2ebcc4ea-b83d-4b55-874f-651455aca45c"><!--Access Agreements-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ps-6_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<set-parameter param-id="ps-6_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-6_smt.a, ps-6_smt.b, ps-6_smt.c-->
<statement statement-id="ps-6_smt.a" uuid="6738d0ef-a455-4fd9-8a1f-aafe7f62f154">
<by-component uuid="fad1cf1b-e985-40b1-a39c-9c3101a4c22f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops and documents access agreements for organizational information systems;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-6_smt.b" uuid="dbeed35b-ca7a-4b89-a169-6a590eead998">
<by-component uuid="af703132-f57e-4a21-97a4-d6a9ceb8cd33"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews and updates the access agreements ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-6_smt.c" uuid="c6e0555d-2cac-4adb-b2ac-f0449abe4548">
<by-component uuid="327f6ea7-b11e-4e66-b5be-b6ba4fe58e95"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that individuals requiring access to organizational information and information systems:</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-7" uuid="3b64feea-9e0a-4524-a3f3-1f0e74b3344a"><!--Third-party Personnel Security-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ps-7_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-7_prm_2">
<value>organization-defined time period</value>
<!--Constraint: organization-defined time period - same day>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-7_smt.a, ps-7_smt.b, ps-7_smt.c, ps-7_smt.d, ps-7_smt.e-->
<statement statement-id="ps-7_smt.a" uuid="b25f6b69-1885-4364-aa3c-6ece0475bb23">
<by-component uuid="218bdb66-f1c7-430a-a8a1-16c332e913d9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes personnel security requirements including security roles and responsibilities for third-party providers;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.b" uuid="16cb46d1-a3e8-4d8b-9827-8bc889813b14">
<by-component uuid="43685b32-587a-4c21-9070-88194c7a5b73"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires third-party providers to comply with personnel security policies and procedures established by the organization;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.c" uuid="7034823e-e0b6-4710-8ce8-8a4d93107cfc">
<by-component uuid="a39cd76b-9614-4189-8c31-2d3e912a6559"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents personnel security requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.d" uuid="c94f0ba5-3c02-419e-b89b-5cd9bb4bae25">
<by-component uuid="5180de3e-803c-4de1-9718-2ee4ab3a342e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires third-party providers to notify of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-7_smt.e" uuid="e6382e8a-0344-4477-b7de-281dc5f51b72">
<by-component uuid="736ff843-376e-4f43-bf37-17aab9615b6b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors provider compliance.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ps-8" uuid="4988c60d-e746-41bf-9bd6-2e6b48664f72"><!--Personnel Sanctions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ps-8_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ps-8_prm_2">
<value>organization-defined time period</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ps-8_smt.a, ps-8_smt.b-->
<statement statement-id="ps-8_smt.a" uuid="7aebee10-24d0-4483-a272-470f64606d5e">
<by-component uuid="444c3b88-42eb-44af-87e1-7fbb4e583b0a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ps-8_smt.b" uuid="80bf223e-2763-4d99-8857-9a8a14cfbdf5">
<by-component uuid="2bba5a63-a89b-4412-aacd-ac35060cfe04"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-1" uuid="320767de-2cc4-4445-9f6a-5c7c766ef2ad"><!--Risk Assessment Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ra-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ra-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="ra-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-1_smt.a, ra-1_smt.b.1, ra-1_smt.b.2-->
<statement statement-id="ra-1_smt.a" uuid="8650d74c-68d6-48cd-b1f2-492fb6882e36">
<by-component uuid="14381c61-b939-43fa-82ee-89a702292c7d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-1_smt.b.1" uuid="1eac02d4-ad9e-415a-aa25-6cf00049ffca">
<by-component uuid="b1d8888d-4a8d-4cbf-9c27-604977d3e2a4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Risk assessment policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-1_smt.b.2" uuid="97204ffa-fd15-4172-96bd-b1b7838f1a83">
<by-component uuid="abeeb818-9ec2-4060-a1a6-024ad2c05d31"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Risk assessment procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-2" uuid="dd075616-0c9d-405f-9df6-0c1aaee38ff8"><!--Security Categorization-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-2_smt.a, ra-2_smt.b, ra-2_smt.c-->
<statement statement-id="ra-2_smt.a" uuid="7abe4840-c4b3-4c0c-9243-a6052a60b4be">
<by-component uuid="5b8d3037-c208-4751-a2e6-ea7de73137d2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-2_smt.b" uuid="70308f05-e595-458f-8f40-c246988461f2">
<by-component uuid="232ec99b-9c43-4cdf-b185-2b133a7eb981"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents the security categorization results (including supporting rationale) in the security plan for the information system; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-2_smt.c" uuid="5efc7a36-54d3-4e19-9d05-c08744c3f05e">
<by-component uuid="51a9f027-a4f7-4a95-ad4e-0c066579a490"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-3" uuid="779a07a5-89f0-4da1-9a84-aa0a8a0b1be5"><!--Risk Assessment-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="ra-3_prm_1">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="ra-3_prm_2">
<value>organization-defined document</value>
<!--Constraint: security assessment report>-->
</set-parameter>
<set-parameter param-id="ra-3_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least every three (3) years or when a significant change occurs>-->
</set-parameter>
<set-parameter param-id="ra-3_prm_4">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="ra-3_prm_5">
<value>organization-defined frequency</value>
<!--Constraint: at least every three (3) years or when a significant change occurs>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-3_smt.a, ra-3_smt.b, ra-3_smt.c, ra-3_smt.d, ra-3_smt.e-->
<statement statement-id="ra-3_smt.a" uuid="ea863061-3ca5-4cb4-9049-836a41ad842c">
<by-component uuid="de4956a7-95a5-41e5-a7b6-9250f76b85fb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.b" uuid="f880d9ac-aa85-4973-a56e-4fed083a9b37">
<by-component uuid="16d14874-93ca-4b47-aec2-4760b4a5d5ed"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents risk assessment results in ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.c" uuid="10751820-32f8-41cc-bb6a-4623081d7d9f">
<by-component uuid="3ccc0f5a-adb0-4ad9-80f8-5d1306382ee2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews risk assessment results ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.d" uuid="3d206f51-92a1-43c4-9ad5-4ed1a264b7bf">
<by-component uuid="b86fab7b-b28d-460f-ab1b-bea999c239ee"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disseminates risk assessment results to ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-3_smt.e" uuid="bbbe7958-71fc-4ee0-af3f-59293a3bd8ef">
<by-component uuid="1719d539-d35a-4f29-ad8f-b60b75dc98ac"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates the risk assessment or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5" uuid="255a5683-7203-4255-b539-8c3a40292139"><!--Vulnerability Scanning-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="ra-5_prm_1">
<value>organization-defined frequency and/or randomly in accordance with organization-defined process</value>
<!--Constraint: monthly operating system/infrastructure; monthly web applications and databases>-->
</set-parameter>
<set-parameter param-id="ra-5_prm_2">
<value>organization-defined response times</value>
<!--Constraint: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery>-->
</set-parameter>
<set-parameter param-id="ra-5_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5_smt.a, ra-5_smt.b, ra-5_smt.c, ra-5_smt.d, ra-5_smt.e, ra-5.1_smt, ra-5.2_smt, ra-5.3_smt, ra-5.5_smt, ra-5.6_smt, ra-5.8_smt-->
<statement statement-id="ra-5_smt.a" uuid="5796d91e-4550-4dc8-a306-206cee3f4823">
<by-component uuid="2e599a61-a33f-4ef9-9e20-b319bdcb59a3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.b" uuid="4c18640d-380e-4628-b354-b31fd032477f">
<by-component uuid="47e7bdc0-43d5-4844-b15f-46781e38e639"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.c" uuid="8b421159-135b-4f44-b98c-b755d5cc28e4">
<by-component uuid="66a50598-e2c7-4109-87d0-d61c9d6a9779"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Analyzes vulnerability scan reports and results from security control assessments;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.d" uuid="fdb928b8-5217-4831-84bf-2af6062ef866">
<by-component uuid="7b659511-b85e-4537-a66d-624dcf5e678d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="ra-5_smt.e" uuid="7f9aad0d-4ee8-45c5-a328-3f4ea0a4b631">
<by-component uuid="d63f9769-d0fd-437e-9eb4-2f81db677e13"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Shares information obtained from the vulnerability scanning process and security control assessments with to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.1" uuid="ddc78830-75fb-40f7-b342-181a28c7d1ea"><!--Update Tool Capability-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.1_smt-->
<statement statement-id="ra-5.1_smt" uuid="2930ea70-5669-4102-823c-5a9e35a8ed7f">
<by-component uuid="01a3013d-6e97-45b3-ac75-1a87714d3e96"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.2" uuid="db6f77dd-f2c8-4891-9ae7-9d87511a6b0a"><!--Update by Frequency / Prior to New Scan / When Identified-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ra-5.2_prm_1">
<value>it's complicated by parameter inserts</value>
<!--Constraint: prior to a new scan>-->
</set-parameter>
<set-parameter param-id="ra-5.2_prm_2">
<value>organization-defined frequency</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.2_smt-->
<statement statement-id="ra-5.2_smt" uuid="425fc0da-b011-4f4c-b91d-0359d7e30d0d">
<by-component uuid="291d2020-1512-408d-a9d1-cefacd5a7330"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization updates the information system vulnerabilities scanned .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.3" uuid="57c4ec51-6df4-41a0-ab79-b92b3aa6bfc5"><!--Breadth / Depth of Coverage-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.3_smt-->
<statement statement-id="ra-5.3_smt" uuid="74dac769-298f-46fe-9114-8173d182beed">
<by-component uuid="058f9fb7-d548-4426-b6aa-57e91757d4bc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.5" uuid="7ab69272-0a03-42b2-815b-fb3ce97cb0b6"><!--Privileged Access-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="ra-5.5_prm_1">
<value>organization-identified information system components</value>
<!--Constraint: operating systems / web applications / databases>-->
</set-parameter>
<set-parameter param-id="ra-5.5_prm_2">
<value>organization-defined vulnerability scanning activities</value>
<!--Constraint: all scans>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.5_smt-->
<statement statement-id="ra-5.5_smt" uuid="517fb541-2029-44e3-be9b-ca7e71d24878">
<by-component uuid="f7bd2fcc-a9c6-42f1-8cd1-d6ce223fe254"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements privileged access authorization to for selected .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.6" uuid="4e5b7606-8c0e-48c8-998f-eeca40fd3317"><!--Automated Trend Analyses-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.6_smt-->
<statement statement-id="ra-5.6_smt" uuid="ae50a314-b9aa-4208-ad7e-ccbe91a3e965">
<by-component uuid="a3bde841-f3db-4d62-834e-c235f9a7b592"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="ra-5.8" uuid="73ecb3ca-1732-4219-8674-a7102a6bd778"><!--Review Historic Audit Logs-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: ra-5.8_smt-->
<statement statement-id="ra-5.8_smt" uuid="0493c61e-8e87-49d5-8f48-f375795ca0ff">
<by-component uuid="fdc11a24-3f7e-4001-a840-173aebd6c9d0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-1" uuid="f381f3df-9415-4c9e-a304-f7c31a9a8c64"><!--System and Services Acquisition Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sa-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="sa-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="sa-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-1_smt.a, sa-1_smt.b.1, sa-1_smt.b.2-->
<statement statement-id="sa-1_smt.a" uuid="d2f21e9b-ce5f-4b5c-a1fe-f3fe9f72245d">
<by-component uuid="72fae0cb-c5ab-456c-9f78-c072bee20266"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-1_smt.b.1" uuid="a405190e-8516-4da5-bf3c-48336eedba11">
<by-component uuid="99874e68-90a6-417e-a7d3-df487ead0539"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and services acquisition policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-1_smt.b.2" uuid="9cf46690-f93e-4767-917c-94a707fe1726">
<by-component uuid="8b11113a-69d1-4d01-81ec-e81704ee80f1"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and services acquisition procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-2" uuid="51e757b4-6e24-417e-855e-3626bd53fc61"><!--Allocation of Resources-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-2_smt.a, sa-2_smt.b, sa-2_smt.c-->
<statement statement-id="sa-2_smt.a" uuid="094706b2-17cc-42e9-b6b2-5070c118ee09">
<by-component uuid="1d0ff031-7a33-4fb3-8f75-2cd8d13517c6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines information security requirements for the information system or information system service in mission/business process planning;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-2_smt.b" uuid="224594d4-2ed7-4b22-a656-d6a65cc8a3c5">
<by-component uuid="688e4be9-4009-4a69-b8f8-d3e9752ecbe3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-2_smt.c" uuid="60b4cd90-4b00-409e-b3ba-c3fab96863aa">
<by-component uuid="b2c07cf2-7cce-48ef-a2c1-b3c4c3b45636"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a discrete line item for information security in organizational programming and budgeting documentation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-3" uuid="ef89b8b9-4237-4030-80cb-4661d3ddaa72"><!--System Development Life Cycle-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sa-3_prm_1">
<value>organization-defined system development life cycle</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-3_smt.a, sa-3_smt.b, sa-3_smt.c, sa-3_smt.d-->
<statement statement-id="sa-3_smt.a" uuid="1cba7598-a083-4574-adb2-25779416a76a">
<by-component uuid="6e899161-8181-464b-b7ce-ce37145314fd"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Manages the information system using that incorporates information security considerations;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.b" uuid="92c8aff2-3f94-4a7d-a811-a1e1eea7bfa7">
<by-component uuid="9e2ee6b1-1d87-43ad-abc5-78122176dea5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines and documents information security roles and responsibilities throughout the system development life cycle;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.c" uuid="7daa8e0e-103a-4fae-bce8-adbee0b8db15">
<by-component uuid="fb4cfa2b-d51f-462a-93ea-a2638b535cc5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies individuals having information security roles and responsibilities; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-3_smt.d" uuid="7b689e8c-6a02-486f-a2a5-8eaac9eb5efa">
<by-component uuid="70d5d8a1-79d8-42fd-b0d4-87a7ebda1f64"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Integrates the organizational information security risk management process into system development life cycle activities.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4" uuid="e4bda95b-10d9-4a1e-a58f-52356f57e06e"><!--Acquisition Process-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4_smt.a, sa-4_smt.b, sa-4_smt.c, sa-4_smt.d, sa-4_smt.e, sa-4_smt.f, sa-4_smt.g, sa-4.1_smt, sa-4.2_smt, sa-4.8_smt, sa-4.9_smt, sa-4.10_smt-->
<statement statement-id="sa-4_smt.a" uuid="a20ddbdc-7473-4f3c-98c1-ed629e099a62">
<by-component uuid="f5cb82f6-2da1-4821-8b56-f1ef6217904a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security functional requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.b" uuid="889a363b-1e2c-4fbb-8f37-8304523d110f">
<by-component uuid="da975d6f-9224-4e67-8be0-f12cdc36cd8a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security strength requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.c" uuid="f0510a72-829f-4e8b-8960-276313c927df">
<by-component uuid="7c75d957-6aed-4fbc-9f8b-c7918b8e8860"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security assurance requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.d" uuid="ea3632c2-26f7-4847-b82f-5f64898c7748">
<by-component uuid="ae36c65e-e664-4bdc-bbb5-029f8b5d0f20"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Security-related documentation requirements;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.e" uuid="b9f7104c-e34d-4ab5-93f0-ca68b84f3acd">
<by-component uuid="ffc2f11b-101c-4acb-9842-ec6d4b6076ba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requirements for protecting security-related documentation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.f" uuid="18dfeb65-915b-4e44-9422-3eefef149df7">
<by-component uuid="62323927-a2d7-450d-8ae1-fea185cfc77a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Description of the information system development environment and environment in which the system is intended to operate; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-4_smt.g" uuid="ee2cc6fa-3efa-46bf-9f54-ae3067407e2a">
<by-component uuid="5573a58b-06d1-4bff-a5c2-922662fe5972"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Acceptance criteria.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4.1" uuid="d307340c-aebf-4ff9-8137-635b0b4c2230"><!--Functional Properties of Security Controls-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4.1_smt-->
<statement statement-id="sa-4.1_smt" uuid="9784f015-3994-419f-8486-2bc46fd00c88">
<by-component uuid="156cce62-7d76-4990-a66d-e6617b46bbb7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4.2" uuid="935c2d3a-2b3a-4c82-a7a4-7c63f3707f25"><!--Design / Implementation Information for Security Controls-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sa-4.2_prm_1">
<value>it's complicated by parameter inserts</value>
<!--Constraint: to include security-relevant external system interfaces and high-level design>-->
</set-parameter>
<set-parameter param-id="sa-4.2_prm_2">
<value>organization-defined design/implementation information</value>
</set-parameter>
<set-parameter param-id="sa-4.2_prm_3">
<value>organization-defined level of detail</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4.2_smt-->
<statement statement-id="sa-4.2_smt" uuid="c0b47b6d-2aa5-48d4-aac0-7cc0c123bba5">
<by-component uuid="8f0ba1b2-882a-4d6a-b239-99cf18e90add"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4.8" uuid="26b1d3b7-991d-40e1-8de7-d962c5bc8f14"><!--Continuous Monitoring Plan-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sa-4.8_prm_1">
<value>organization-defined level of detail</value>
<!--Constraint: at least the minimum requirement as defined in control CA-7>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4.8_smt-->
<statement statement-id="sa-4.8_smt" uuid="e290af37-f4d3-403d-995b-10f51e9dae9a">
<by-component uuid="315dec51-2dd2-4642-8f5b-dab2884fb24d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4.9" uuid="c3e81368-e6f3-4453-a7ee-cec9801c3074"><!--Functions / Ports / Protocols / Services in Use-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4.9_smt-->
<statement statement-id="sa-4.9_smt" uuid="4fb93a8a-f7a1-4ea4-93b3-c5e87581c0c7">
<by-component uuid="9b866483-84f3-401c-810c-6019dec053ff"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-4.10" uuid="16b03058-4d02-439c-896f-ebe952a2e99c"><!--Use of Approved PIV Products-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-4.10_smt-->
<statement statement-id="sa-4.10_smt" uuid="725d4ad2-a480-4971-8925-dbc9733632bf">
<by-component uuid="eefb08ca-75e8-4a02-817e-cd06893d8e70"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-5" uuid="c3315f0f-e4dd-4ba9-9c88-efb8a1520815"><!--Information System Documentation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sa-5_prm_1">
<value>organization-defined actions</value>
</set-parameter>
<set-parameter param-id="sa-5_prm_2">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-5_smt.a, sa-5_smt.b, sa-5_smt.c, sa-5_smt.d, sa-5_smt.e-->
<statement statement-id="sa-5_smt.a" uuid="2b58a83b-967c-41d0-b937-1c4d094be72a">
<by-component uuid="1a5fe5da-42d4-4142-a3d6-79c34cae73b2"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains administrator documentation for the information system, system component, or information system service that describes:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.b" uuid="e0b16fcd-51c1-4ff2-a2f7-0f92e5ef465d">
<by-component uuid="18c1b6c2-ec35-4f80-b39c-6c61fd3b37e9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains user documentation for the information system, system component, or information system service that describes:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.c" uuid="195b0793-f4e1-4579-98d4-dc0f498099c4">
<by-component uuid="6a4e36e5-b59d-4bb8-b897-b4f4eff0b599"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes in response;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.d" uuid="868b0101-c171-4fd2-9a5d-77a6dd26dd8d">
<by-component uuid="18bb4162-726f-4134-9cf0-170949ac2922"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects documentation as required, in accordance with the risk management strategy; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-5_smt.e" uuid="e2543e38-80f5-4ad0-a389-524eed7bde30">
<by-component uuid="32ffca96-89e1-41de-b5ec-c3742d00d394"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Distributes documentation to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-8" uuid="723a5d9f-e0fc-43ce-80b2-a4e53bc454c8"><!--Security Engineering Principles-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-8_smt-->
<statement statement-id="sa-8_smt" uuid="4e181f16-477c-4dba-8ab1-61c62a3b1571">
<by-component uuid="15034183-cc41-41fd-bfcb-a596080dc1a7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9" uuid="8d7c26bd-95c2-4e55-925f-e109486ac0ee"><!--External Information System Services-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sa-9_prm_1">
<value>organization-defined security controls</value>
<!--Constraint: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system>-->
</set-parameter>
<set-parameter param-id="sa-9_prm_2">
<value>organization-defined processes, methods, and techniques</value>
<!--Constraint: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9_smt.a, sa-9_smt.b, sa-9_smt.c, sa-9.1_smt.a, sa-9.1_smt.b, sa-9.2_smt, sa-9.4_smt, sa-9.5_smt-->
<statement statement-id="sa-9_smt.a" uuid="657be32d-c0a4-41e1-a7e7-334122acf521">
<by-component uuid="051abd69-b473-4f7d-b774-5d4c39bf6d7e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Requires that providers of external information system services comply with organizational information security requirements and employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-9_smt.b" uuid="0ebc9e25-f63b-471d-b677-6b6a251e1c0e">
<by-component uuid="81d72127-5464-47f9-a930-db3402624b41"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-9_smt.c" uuid="200327bd-609d-4c20-8ea4-3352200c9a72">
<by-component uuid="c9cadae4-1ba0-4ed6-afa2-887cb2ce226a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs to monitor security control compliance by external service providers on an ongoing basis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9.1" uuid="827a9142-423d-4d92-9ed4-2e0773e55a37"><!--Risk Assessments / Organizational Approvals-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sa-9.1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9.1_smt.a, sa-9.1_smt.b-->
<statement statement-id="sa-9.1_smt.a" uuid="53eb2e3e-3e02-4b2f-a0c7-75b040043651">
<by-component uuid="087f625c-16f3-48c1-b267-c1fba3f2b2bd"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-9.1_smt.b" uuid="9dd3fa2e-ee33-46bb-853b-1dd7b49bbb6d">
<by-component uuid="ce181dc9-6b1c-490a-ab40-338bb9a1a4eb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Ensures that the acquisition or outsourcing of dedicated information security services is approved by .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9.2" uuid="9a22ec9e-4c35-4f88-97cb-6b5334f1c0c4"><!--Identification of Functions / Ports / Protocols / Services-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sa-9.2_prm_1">
<value>organization-defined external information system services</value>
<!--Constraint: all external systems where Federal information is processed or stored>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9.2_smt-->
<statement statement-id="sa-9.2_smt" uuid="a89608e9-6831-48f3-bdc0-03352068cbae">
<by-component uuid="917d7e0b-fbdc-4527-9498-fc499a8074c3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9.4" uuid="19e6cbad-399a-4bd5-8d4e-5eb58880462a"><!--Consistent Interests of Consumers and Providers-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sa-9.4_prm_1">
<value>organization-defined security safeguards</value>
</set-parameter>
<set-parameter param-id="sa-9.4_prm_2">
<value>organization-defined external service providers</value>
<!--Constraint: all external systems where Federal information is processed or stored>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9.4_smt-->
<statement statement-id="sa-9.4_smt" uuid="095c4395-94f3-4719-b4a9-9d7f3c2a6c31">
<by-component uuid="4879569f-a827-41df-9dce-b17fca55d14a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs to ensure that the interests of are consistent with and reflect organizational interests.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-9.5" uuid="0562a6b6-e835-43bd-a632-49072d3e3bb5"><!--Processing, Storage, and Service Location-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sa-9.5_prm_1">
<value>one-or-more of information processing, information/data, information system services</value>
<!--Constraint: information processing, information data, AND information services>-->
</set-parameter>
<set-parameter param-id="sa-9.5_prm_2">
<value>organization-defined locations</value>
</set-parameter>
<set-parameter param-id="sa-9.5_prm_3">
<value>organization-defined requirements or conditions</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-9.5_smt-->
<statement statement-id="sa-9.5_smt" uuid="706d53a3-a18b-48a6-bc3e-2998036d2c95">
<by-component uuid="9eb353f8-c8e3-4198-ad57-abe65e004ca5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization restricts the location of to based on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-10" uuid="25d28ed5-2464-4768-9a00-daf765ee61cc"><!--Developer Configuration Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sa-10_prm_1">
<value>one-or-more of design, development, implementation, operation</value>
<!--Constraint: development, implementation, AND operation>-->
</set-parameter>
<set-parameter param-id="sa-10_prm_2">
<value>organization-defined configuration items under configuration management</value>
</set-parameter>
<set-parameter param-id="sa-10_prm_3">
<value>organization-defined personnel</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-10_smt.a, sa-10_smt.b, sa-10_smt.c, sa-10_smt.d, sa-10_smt.e, sa-10.1_smt-->
<statement statement-id="sa-10_smt.a" uuid="b002546a-75a8-4314-ab13-dbe21a7ea3e9">
<by-component uuid="c06c4e58-946b-401a-8c52-941c10cf2be9"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Perform configuration management during system, component, or service ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-10_smt.b" uuid="e1e5dc6e-9fda-45e5-865d-087ac734e45e">
<by-component uuid="53f814b6-ed70-4512-9f38-6d1a7c1cb90a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Document, manage, and control the integrity of changes to ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-10_smt.c" uuid="513ff16f-3d31-4807-a6e6-156d130712ab">
<by-component uuid="1056f33a-046d-4fa9-80f0-dde1f6aee575"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implement only organization-approved changes to the system, component, or service;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-10_smt.d" uuid="726b22da-0387-43a7-a208-d9f02f609f5a">
<by-component uuid="652f0b4a-ebf9-4963-b00a-dae03f940662"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Document approved changes to the system, component, or service and the potential security impacts of such changes; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-10_smt.e" uuid="397884cb-755d-4c13-9b3a-2fbd3f391510">
<by-component uuid="e92766e8-d52f-4190-8e5b-91f236f4157b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Track security flaws and flaw resolution within the system, component, or service and report findings to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-10.1" uuid="a32e991b-8f28-46ba-bebf-5e34610a2379"><!--Software / Firmware Integrity Verification-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-10.1_smt-->
<statement statement-id="sa-10.1_smt" uuid="5fb3b970-df64-4af3-9958-65c3ebaed185">
<by-component uuid="aed2768e-861e-430a-bff8-415e7a8513ae"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-11" uuid="f8589169-8cdf-4405-bc48-e731dab57ff5"><!--Developer Security Testing and Evaluation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sa-11_prm_1">
<value>one-or-more of unit, integration, system, regression</value>
</set-parameter>
<set-parameter param-id="sa-11_prm_2">
<value>organization-defined depth and coverage</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-11_smt.a, sa-11_smt.b, sa-11_smt.c, sa-11_smt.d, sa-11_smt.e, sa-11.1_smt, sa-11.2_smt, sa-11.8_smt-->
<statement statement-id="sa-11_smt.a" uuid="031d7397-0780-47e2-999a-24670e020cb8">
<by-component uuid="4418a88f-cf7e-47ee-be92-45feb7ace735"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Create and implement a security assessment plan;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-11_smt.b" uuid="f7afa031-f0df-4dfd-98b2-b80f4a48d906">
<by-component uuid="b817a5cb-34ab-4c21-9a33-166f9bb01727"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Perform testing/evaluation at ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-11_smt.c" uuid="7e0cca63-2b8e-4f3a-b690-50a67d26cfb8">
<by-component uuid="431ed82f-9d93-4659-8ccf-f5a112dbb6da"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-11_smt.d" uuid="05be44b0-4f43-43d5-9724-a640d9d0f3ea">
<by-component uuid="95a42fbc-9d19-47d6-b71c-859742da9dfc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implement a verifiable flaw remediation process; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sa-11_smt.e" uuid="34432f89-440c-4385-bb81-11821f2fcaaf">
<by-component uuid="66c055b8-5d54-4570-bf47-6ae64ce05969"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Correct flaws identified during security testing/evaluation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-11.1" uuid="e5713e07-a08b-43b2-bc10-2b15f7a92959"><!--Static Code Analysis-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-11.1_smt-->
<statement statement-id="sa-11.1_smt" uuid="9d6ec2f2-54a6-43ca-bf87-7d0340a76fe6">
<by-component uuid="36ec5fad-6b4c-412e-bed3-8b91a1004439"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-11.2" uuid="ab1e5d64-d42d-4b49-81dd-cde4f18feb39"><!--Threat and Vulnerability Analyses-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-11.2_smt-->
<statement statement-id="sa-11.2_smt" uuid="ba6065a1-2d92-43a4-82c8-513bca0754cb">
<by-component uuid="d603f303-7b31-48ec-961c-1a1956b18679"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sa-11.8" uuid="5327e294-c49e-40f8-9c2c-9b7850d205d2"><!--Dynamic Code Analysis-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sa-11.8_smt-->
<statement statement-id="sa-11.8_smt" uuid="8d93a8d0-957f-46f6-b6b3-5231920c1f6a">
<by-component uuid="4eb4178f-1934-4e0c-b5e6-06b62a85db32"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-1" uuid="ca135129-6b77-4c8d-a1f5-0c96d2b12120"><!--System and Communications Protection Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sc-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="sc-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="sc-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-1_smt.a, sc-1_smt.b.1, sc-1_smt.b.2-->
<statement statement-id="sc-1_smt.a" uuid="30f94d10-2591-4f61-b05c-868e147f4853">
<by-component uuid="d68abf9b-5201-49f1-952a-eb3f8875703d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-1_smt.b.1" uuid="626d9be8-3e2d-41b4-88e2-87c7415a886e">
<by-component uuid="d61e999d-5898-4bbe-8157-e21f155a3bf8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and communications protection policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-1_smt.b.2" uuid="757ae911-f695-46bd-8bb2-7d473b6b43d7">
<by-component uuid="97680bcf-523f-41ca-b4a1-1a7b65b2ca96"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and communications protection procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-2" uuid="16175908-341a-47ae-bc1c-35c54f43fb16"><!--Application Partitioning-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-2_smt-->
<statement statement-id="sc-2_smt" uuid="f91f9e26-a2ea-4279-9ea4-f5a6f1e74980">
<by-component uuid="f1e5fe63-7752-471e-8c69-9940637ee4f6"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system separates user functionality (including user interface services) from information system management functionality.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-4" uuid="f1cc1077-b37b-45f6-a3dd-592f489d109d"><!--Information in Shared Resources-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-4_smt-->
<statement statement-id="sc-4_smt" uuid="991d0030-7922-4443-bb03-cd25050c751e">
<by-component uuid="7791dbd9-72a3-4aa9-b7f1-81840ddf6e07"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system prevents unauthorized and unintended information transfer via shared system resources.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-5" uuid="036c8ea6-21af-4171-860a-81c6c665bbea"><!--Denial of Service Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sc-5_prm_1">
<value>organization-defined types of denial of service attacks or references to sources for such information</value>
</set-parameter>
<set-parameter param-id="sc-5_prm_2">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-5_smt-->
<statement statement-id="sc-5_smt" uuid="b254b537-65bd-4711-ac60-2b50e1541faf">
<by-component uuid="5b1e21c6-d155-441a-b4d8-3706f8401122"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects against or limits the effects of the following types of denial of service attacks: by employing .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-6" uuid="9c5aeedd-6086-4d4b-97ed-40d036aeaf14"><!--Resource Availability-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="sc-6_prm_1">
<value>organization-defined resources</value>
</set-parameter>
<set-parameter param-id="sc-6_prm_2">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="sc-6_prm_3">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-6_smt-->
<statement statement-id="sc-6_smt" uuid="9ec0cdb0-a7a8-4d2d-91c8-33b63667731d">
<by-component uuid="5b296e5a-2b39-4596-b5d3-9a114e553369"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects the availability of resources by allocating by .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7" uuid="318e2c51-13aa-46f5-97fb-db19cfe50554"><!--Boundary Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-7_prm_1">
<value>one of physically or logically</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7_smt.a, sc-7_smt.b, sc-7_smt.c, sc-7.3_smt, sc-7.4_smt.a, sc-7.4_smt.b, sc-7.4_smt.c, sc-7.4_smt.d, sc-7.4_smt.e, sc-7.5_smt, sc-7.7_smt, sc-7.8_smt, sc-7.12_smt, sc-7.13_smt, sc-7.18_smt-->
<statement statement-id="sc-7_smt.a" uuid="e8263999-d816-41ea-a34d-0585d5573380">
<by-component uuid="b37de7e6-98ce-47a6-912e-26648a25395a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7_smt.b" uuid="d5d583ee-5296-4fc0-b6a2-e0e4cb4d26eb">
<by-component uuid="fb036871-4926-40e3-bc8d-8f1b852d9b93"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements subnetworks for publicly accessible system components that are separated from internal organizational networks; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7_smt.c" uuid="53a29e2a-f049-4bf0-8abb-c3b38b5de914">
<by-component uuid="27c8a97f-9fd3-4629-a612-b584a96f2aff"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.3" uuid="c75651a6-9776-49e6-a83d-0bb5939d09b6"><!--Access Points-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.3_smt-->
<statement statement-id="sc-7.3_smt" uuid="ea753c23-a5ba-4c11-97eb-4d7f0bb9bec1">
<by-component uuid="83b64f31-0383-4f60-9404-974290957c8c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization limits the number of external network connections to the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.4" uuid="586cdf18-0092-4299-9693-b92131ef56f0"><!--External Telecommunications Services-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-7.4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.4_smt.a, sc-7.4_smt.b, sc-7.4_smt.c, sc-7.4_smt.d, sc-7.4_smt.e-->
<statement statement-id="sc-7.4_smt.a" uuid="7aaa2847-4d1e-4b99-b2e5-eeab94aabead">
<by-component uuid="9e801b00-8138-47fd-82a8-1db5135f7e3b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements a managed interface for each external telecommunication service;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7.4_smt.b" uuid="68bcb49f-0184-4f54-b590-f39815324c88">
<by-component uuid="1f8b7886-33f5-4131-b0bb-398886b20a4c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes a traffic flow policy for each managed interface;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7.4_smt.c" uuid="c6fefd28-f2b8-4230-9dc9-daa3a37bbab4">
<by-component uuid="6067cf0d-b97d-46c7-91e3-56c65e487f6e"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects the confidentiality and integrity of the information being transmitted across each interface;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7.4_smt.d" uuid="9291b5db-a10d-4e5b-a8a8-f215cf15c840">
<by-component uuid="d652c4b0-a5b6-438b-b941-05f6ad474e0f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-7.4_smt.e" uuid="e483189f-4b1b-439e-acdd-89fc4e2debc5">
<by-component uuid="142fb1cc-7ab8-4867-85ec-5b57e937d127"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reviews exceptions to the traffic flow policy and removes exceptions that are no longer supported by an explicit mission/business need.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.5" uuid="f9fa315b-984b-48a4-9d42-622c3e5d1545"><!--Deny by Default / Allow by Exception-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.5_smt-->
<statement statement-id="sc-7.5_smt" uuid="55b2f3b7-f118-4269-a19a-eeb0fa5de0b5">
<by-component uuid="5df384a9-173f-42ad-9725-00544168b800"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.7" uuid="b5675ea1-fcd6-475b-9332-ac740ce8bc03"><!--Prevent Split Tunneling for Remote Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.7_smt-->
<statement statement-id="sc-7.7_smt" uuid="f9e9ba4f-d10e-4607-8930-72e2bfc7b9a3">
<by-component uuid="de6c83f0-e309-4bb5-952b-0668bdca731d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.8" uuid="c76deef7-08ed-4f80-9311-f454823c4b31"><!--Route Traffic to Authenticated Proxy Servers-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sc-7.8_prm_1">
<value>organization-defined internal communications traffic</value>
</set-parameter>
<set-parameter param-id="sc-7.8_prm_2">
<value>organization-defined external networks</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.8_smt-->
<statement statement-id="sc-7.8_smt" uuid="e8f8059c-f3fe-4d54-9264-0221eb89642a">
<by-component uuid="1ae40707-6327-42cd-a676-927d8328619c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system routes to through authenticated proxy servers at managed interfaces.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.12" uuid="c826f9aa-efc3-4db3-b275-ed91b7dd2580"><!--Host-based Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sc-7.12_prm_1">
<value>organization-defined host-based boundary protection mechanisms</value>
</set-parameter>
<set-parameter param-id="sc-7.12_prm_2">
<value>organization-defined information system components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.12_smt-->
<statement statement-id="sc-7.12_smt" uuid="15502e93-f8cb-489b-95d0-e69e23ab6304">
<by-component uuid="edf1a077-bd50-48ff-b007-427a7973e026"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization implements at .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.13" uuid="802e58fe-297b-4c60-bc02-406fdc1ac147"><!--Isolation of Security Tools / Mechanisms / Support Components-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-7.13_prm_1">
<value>organization-defined information security tools, mechanisms, and support components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.13_smt-->
<statement statement-id="sc-7.13_smt" uuid="c642c57f-c56c-479e-a36b-aeda77667d32">
<by-component uuid="2471477a-bcc3-4741-ac85-2bfa1b2ab56f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-7.18" uuid="8584e301-acee-470e-880e-414cf8745a10"><!--Fail Secure-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-7.18_smt-->
<statement statement-id="sc-7.18_smt" uuid="fa2d35c9-391f-4e57-b370-225f5c31b071">
<by-component uuid="83244779-46a3-4256-93f2-0428cfe1d803"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system fails securely in the event of an operational failure of a boundary protection device.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-8" uuid="07efec20-1498-4a63-a2bb-22fb66c0838a"><!--Transmission Confidentiality and Integrity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-8_prm_1">
<value>one-or-more of confidentiality, integrity</value>
<!--Constraint: confidentiality AND integrity>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-8_smt, sc-8.1_smt-->
<statement statement-id="sc-8_smt" uuid="7460a4f4-f23c-4846-b895-86e2534ce34f">
<by-component uuid="c422bb78-1bfb-49a6-b641-845a22de201c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects the of transmitted information.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-8.1" uuid="6c32dd9a-4876-4179-bc86-77d6127668a3"><!--Cryptographic or Alternate Physical Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="planned">
<remarks>
<p>A description of the plan to complete implementation.</p>
</remarks>
</prop>
<prop name="planned-completion-date"
ns="https://fedramp.gov/ns/oscal"
value="2021-09-22Z"/>
<!--There are no control parameters-->
<set-parameter param-id="sc-8.1_prm_1">
<value>one-or-more of prevent unauthorized disclosure of information, detect changes to information</value>
<!--Constraint: prevent unauthorized disclosure of information AND detect changes to information>-->
</set-parameter>
<set-parameter param-id="sc-8.1_prm_2">
<value>organization-defined alternative physical safeguards</value>
<!--Constraint: a hardened or alarmed carrier Protective Distribution System (PDS)>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-8.1_smt-->
<statement statement-id="sc-8.1_smt" uuid="879a4844-5878-4b1c-af89-c30d3f1db98f">
<by-component uuid="62d7f6c6-e7d8-4b9b-83f1-d079c9ac1eb7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-10" uuid="93a9af1d-5388-435b-8bd5-aeff489d797e"><!--Network Disconnect-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-10_prm_1">
<value>organization-defined time period</value>
<!--Constraint: no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-10_smt-->
<statement statement-id="sc-10_smt" uuid="ca9731f6-7bcb-483e-aad2-b9d5cb96d60d">
<by-component uuid="8d716aed-520f-49f9-8c6b-c03f2eb42a09"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-12" uuid="1416dc6e-a080-4ba4-8000-b36581f090e3"><!--Cryptographic Key Establishment and Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-12_prm_1">
<value>organization-defined requirements for key generation, distribution, storage, access, and destruction</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-12_smt, sc-12.2_smt, sc-12.3_smt-->
<statement statement-id="sc-12_smt" uuid="32b7a9f1-6a2b-4a23-8a62-44f460befa32">
<by-component uuid="31727d18-7d2b-4103-903a-3a473413a66f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-12.2" uuid="ba1c5f9a-0a4b-47a7-9911-33938388f0b4"><!--Symmetric Keys-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-12.2_prm_1">
<value>one of NIST FIPS-compliant or NSA-approved</value>
<!--Constraint: NIST FIPS-compliant>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-12.2_smt-->
<statement statement-id="sc-12.2_smt" uuid="3c79113a-f751-49e6-ba03-4dbde570147b">
<by-component uuid="c368af7a-b935-4e54-96ad-3bd335e18c6c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-12.3" uuid="3e2281fe-3daf-4311-ab05-1c4e35d3fa03"><!--Asymmetric Keys-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-12.3_prm_1">
<value>one of NSA-approved key management technology and processes or approved PKI Class 3 certificates or prepositioned keying material or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-12.3_smt-->
<statement statement-id="sc-12.3_smt" uuid="e2fc1ae1-7340-4385-8091-3c7e55b80e38">
<by-component uuid="5978a661-98a9-4c81-bdb1-a1bf4a265785"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization produces, controls, and distributes asymmetric cryptographic keys using .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-13" uuid="d4c19a57-85e0-45d8-a7e1-5673328d5fdb"><!--Cryptographic Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-13_prm_1">
<value>organization-defined cryptographic uses and type of cryptography required for each use</value>
<!--Constraint: FIPS-validated or NSA-approved cryptography>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-13_smt-->
<statement statement-id="sc-13_smt" uuid="1ee1aa16-3809-4a78-97f6-fc8cb008257d">
<by-component uuid="16c1b968-1e85-4096-b3ed-5ab53924ebf3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-15" uuid="28ca0eb7-7d04-4724-868c-9bf826d3bee0"><!--Collaborative Computing Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-15_prm_1">
<value>organization-defined exceptions where remote activation is to be allowed</value>
<!--Constraint: no exceptions>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-15_smt.a, sc-15_smt.b-->
<statement statement-id="sc-15_smt.a" uuid="e137dd30-4ee0-4850-9aa6-abd88c31b650">
<by-component uuid="45695f00-49e6-4f41-96d0-2fc9f7c3514a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Prohibits remote activation of collaborative computing devices with the following exceptions: ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-15_smt.b" uuid="41eaf58c-f455-4657-836a-3c0d8501e842">
<by-component uuid="57cd9425-b537-40b7-b940-67133ef936e8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides an explicit indication of use to users physically present at the devices.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-17" uuid="81792e19-7b1d-41c3-b354-d31c2cfa2fb1"><!--Public Key Infrastructure Certificates-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="sc-17_prm_1">
<value>organization-defined certificate policy</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-17_smt-->
<statement statement-id="sc-17_smt" uuid="f1ce66fd-282c-4b54-a4ad-00697dbd4b68">
<by-component uuid="42b3828a-d335-46a4-98e7-f31278c59e8d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization issues public key certificates under an or obtains public key certificates from an approved service provider.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-18" uuid="37165886-cedd-4798-8ffe-af8bbe326355"><!--Mobile Code-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-18_smt.a, sc-18_smt.b, sc-18_smt.c-->
<statement statement-id="sc-18_smt.a" uuid="992b4519-9bc4-40f0-b1d8-e9a0754d9986">
<by-component uuid="5bd4f9cc-f263-49da-8854-7c3775e93753"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Defines acceptable and unacceptable mobile code and mobile code technologies;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-18_smt.b" uuid="13de6363-d857-420a-8f0b-6fc2fb343be2">
<by-component uuid="42b41c4a-2313-40e5-93a3-618ee1ce1667"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-18_smt.c" uuid="94dcd5a3-028f-4bff-9a12-69823df5d649">
<by-component uuid="57bc88b2-d1a3-41d6-b74c-7073fb98f65d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes, monitors, and controls the use of mobile code within the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-19" uuid="34196871-fb5f-41a2-a758-d26d7fc4eec3"><!--Voice Over Internet Protocol-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-19_smt.a, sc-19_smt.b-->
<statement statement-id="sc-19_smt.a" uuid="63d90260-d3de-4f73-80ca-ac2d71620560">
<by-component uuid="1ddf2bab-2f83-494f-9d79-b9b3665967a3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-19_smt.b" uuid="d92211c3-c997-4c76-a9f3-cde74e00fca1">
<by-component uuid="d77869f4-a2ad-409a-b754-72b711f73be7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Authorizes, monitors, and controls the use of VoIP within the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-20" uuid="4e26a8e5-b69e-4d7a-801c-075c2f58f1dc"><!--Secure Name / Address Resolution Service (authoritative Source)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-20_smt.a, sc-20_smt.b-->
<statement statement-id="sc-20_smt.a" uuid="b1d0b293-3658-4b3e-b0fb-7a2f83955d0a">
<by-component uuid="47a4af23-86fd-4020-93ea-0f08d381a59c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="sc-20_smt.b" uuid="45f448df-234f-40f5-acfd-d8dca18642e1">
<by-component uuid="28e2fd79-63aa-4b59-974f-7d5a0ed0d48a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-21" uuid="b5d087c5-b330-4b32-adbb-a4f38ad0190d"><!--Secure Name / Address Resolution Service (recursive or Caching Resolver)-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-21_smt-->
<statement statement-id="sc-21_smt" uuid="b8845ef6-dc02-4102-8c81-f617dfb3a3e5">
<by-component uuid="5a0ffe67-92d3-46f7-9839-93ff80ef6249"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-22" uuid="0217b159-1967-447b-bfa1-5bb1f03ddb8a"><!--Architecture and Provisioning for Name / Address Resolution Service-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-22_smt-->
<statement statement-id="sc-22_smt" uuid="ed4913f1-0fae-47f5-993c-f8d0b6cd3a0e">
<by-component uuid="7569bf4b-84c8-4ec1-8784-6e7d05134e98"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-23" uuid="9016e353-b2e0-4137-ad2b-d771ec2f17f6"><!--Session Authenticity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-23_smt-->
<statement statement-id="sc-23_smt" uuid="7267d01d-77c6-4621-b9d7-b7555e5f63b6">
<by-component uuid="d9c29c99-aafe-47f6-9c6e-176b3fd7682c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects the authenticity of communications sessions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-28" uuid="d5360293-4575-48ed-8be9-71816b1c3d1b"><!--Protection of Information at Rest-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="sc-28_prm_1">
<value>one-or-more of confidentiality, integrity</value>
<!--Constraint: confidentiality AND integrity>-->
</set-parameter>
<set-parameter param-id="sc-28_prm_2">
<value>organization-defined information at rest</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-28_smt, sc-28.1_smt-->
<statement statement-id="sc-28_smt" uuid="e0d39899-9a1b-466a-be9b-e97f167b70b9">
<by-component uuid="6581a2b1-62c2-46bc-b573-011c80b76be7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system protects the of .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-28.1" uuid="d75a3fad-30aa-4419-81b0-cd3ab7bc52f2"><!--Cryptographic Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="alternative">
<remarks>
<p>A description of the alternative control.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<set-parameter param-id="sc-28.1_prm_1">
<value>organization-defined information</value>
</set-parameter>
<set-parameter param-id="sc-28.1_prm_2">
<value>organization-defined information system components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-28.1_smt-->
<statement statement-id="sc-28.1_smt" uuid="ef948a1a-4957-4a2d-9f59-71f2881c31cb">
<by-component uuid="c99172ac-2643-4d1b-8db6-bc439c768bc0"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="sc-39" uuid="19a308d5-8e8b-4d45-acb3-5dfa1aa63bb5"><!--Process Isolation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: sc-39_smt-->
<statement statement-id="sc-39_smt" uuid="80377093-9a00-473a-ba4f-b0de4825113f">
<by-component uuid="e3dda2b9-dbca-43ad-b021-d963036f3974"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system maintains a separate execution domain for each executing process.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-1" uuid="e58e09bd-5b7f-4443-ae50-ba9c485949fc"><!--System and Information Integrity Policy and Procedures-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 3 control parameters-->
<set-parameter param-id="si-1_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-1_prm_2">
<value>organization-defined frequency</value>
<!--Constraint: at least every 3 years>-->
</set-parameter>
<set-parameter param-id="si-1_prm_3">
<value>organization-defined frequency</value>
<!--Constraint: at least annually>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-1_smt.a, si-1_smt.b.1, si-1_smt.b.2-->
<statement statement-id="si-1_smt.a" uuid="216586d8-d6b4-4e37-b0e1-84465e109601">
<by-component uuid="ea71a085-0753-450c-8e3e-b5d1de2a2195"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Develops, documents, and disseminates to :</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-1_smt.b.1" uuid="016ab2e1-ab12-4595-91a4-4aedb0f482bd">
<by-component uuid="f098c64c-21f8-476f-a4a3-626db4006232"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and information integrity policy ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-1_smt.b.2" uuid="a56d7d28-02cd-4619-a8d6-a0d555afe2e6">
<by-component uuid="f1efe205-513b-4f7e-a79d-f3f059ccfbff"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>System and information integrity procedures .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-2" uuid="2035a7ac-79f8-40f3-83ee-eee88f26e214"><!--Flaw Remediation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-2_prm_1">
<value>organization-defined time period</value>
<!--Constraint: within 30 days of release of updates>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-2_smt.a, si-2_smt.b, si-2_smt.c, si-2_smt.d, si-2.2_smt, si-2.3_smt.a, si-2.3_smt.b-->
<statement statement-id="si-2_smt.a" uuid="ab614eae-ede4-4ad1-90ea-16a1b376ca0b">
<by-component uuid="070753d0-37db-44b2-9687-0d7293970c12"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies, reports, and corrects information system flaws;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2_smt.b" uuid="78922fa9-21f8-4a51-bdc7-92ec0b6ce6e8">
<by-component uuid="992dde60-766b-4a76-a3b1-2704502de1a7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2_smt.c" uuid="cce0fb27-0ede-48b2-8ce9-6071ea25c7d1">
<by-component uuid="f36bc667-048b-469f-988b-c135fbf23b70"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Installs security-relevant software and firmware updates within of the release of the updates; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2_smt.d" uuid="d19e3982-dff9-40a2-92fe-cc073e6b6692">
<by-component uuid="c0240205-bc26-4f24-88a7-3d92b400d75c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Incorporates flaw remediation into the organizational configuration management process.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-2.2" uuid="d97075e8-7202-40c6-acc8-9113a37e27a1"><!--Automated Flaw Remediation Status-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-2.2_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-2.2_smt-->
<statement statement-id="si-2.2_smt" uuid="7e62fbce-df4a-4d5f-b67f-1f0c3eb5a210">
<by-component uuid="b58b28b9-b352-4225-a408-a40474d113e3"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-2.3" uuid="45148a32-b51d-4207-96a8-cd1a7044964e"><!--Time to Remediate Flaws / Benchmarks for Corrective Actions-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-2.3_prm_1">
<value>organization-defined benchmarks</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-2.3_smt.a, si-2.3_smt.b-->
<statement statement-id="si-2.3_smt.a" uuid="cfcb55b7-e255-4252-ba42-90eab82780cf">
<by-component uuid="474ee9f3-be4c-4bfc-ac52-95d6476f6259"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Measures the time between flaw identification and flaw remediation; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-2.3_smt.b" uuid="e7705f3d-eca4-4eab-9d6b-9f749af8df03">
<by-component uuid="bd51a9cb-72e9-4335-9f60-052e2c174a55"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Establishes for taking corrective actions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-3" uuid="2bd2ad80-8690-4376-9625-0e8d64df63d1"><!--Malicious Code Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="si-3_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: at least weekly>-->
</set-parameter>
<set-parameter param-id="si-3_prm_2">
<value>one-or-more of endpoint, network entry/exit points</value>
<!--Constraint: to include endpoints>-->
</set-parameter>
<set-parameter param-id="si-3_prm_3">
<value>it's complicated by parameter inserts</value>
<!--Constraint: to include alerting administrator or defined security personnel>-->
</set-parameter>
<set-parameter param-id="si-3_prm_4">
<value>organization-defined action</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-3_smt.a, si-3_smt.b, si-3_smt.c, si-3_smt.d, si-3.1_smt, si-3.2_smt, si-3.7_smt-->
<statement statement-id="si-3_smt.a" uuid="e69f06f3-791d-47c9-832d-48ad257cece4">
<by-component uuid="a59dd813-812f-4587-a166-e9482b4518ef"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.b" uuid="0f47a6ce-0bd2-4e18-a777-0ac5ecd258af">
<by-component uuid="14e5e8cd-211b-4e69-8400-2721094c4e29"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.c" uuid="48f29259-98db-40fe-88b5-62342b001efc">
<by-component uuid="affd63ae-b1c7-446e-9d8a-3abe56d70138"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Configures malicious code protection mechanisms to:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-3_smt.d" uuid="e29390eb-d843-40fc-b76a-5ae24867da2f">
<by-component uuid="ded98b84-82a8-4933-ba9c-f0660e779876"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-3.1" uuid="91a6c766-4949-4b09-a3c2-27082aede1ce"><!--Central Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-3.1_smt-->
<statement statement-id="si-3.1_smt" uuid="16f9a1a4-52ac-4f7a-849a-c5c1d93081a1">
<by-component uuid="bea88c69-a2b9-4b6e-930e-b64aa66af70c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization centrally manages malicious code protection mechanisms.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-3.2" uuid="79d8bd75-8e29-4890-ae62-6bdf133a001d"><!--Automatic Updates-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-3.2_smt-->
<statement statement-id="si-3.2_smt" uuid="3fbb42cb-704f-4ee5-a2ad-deca1f449507">
<by-component uuid="3fb88f5d-bb8c-4dcd-8d9c-2ee12cae26d5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically updates malicious code protection mechanisms.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-3.7" uuid="dc6d4c86-ebc2-414a-a17f-d01a5f37a803"><!--Nonsignature-based Detection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-3.7_smt-->
<statement statement-id="si-3.7_smt" uuid="af5d2d49-ab21-41a6-a3d8-dbdb9382cc06">
<by-component uuid="f6b9e267-0ee7-4aaf-a054-6b93de152dda"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements nonsignature-based malicious code detection mechanisms.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4" uuid="2b9f8d72-e85f-499e-9194-918c59929d37"><!--Information System Monitoring-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 6 control parameters-->
<set-parameter param-id="si-4_prm_1">
<value>organization-defined monitoring objectives</value>
</set-parameter>
<set-parameter param-id="si-4_prm_2">
<value>organization-defined techniques and methods</value>
</set-parameter>
<set-parameter param-id="si-4_prm_3">
<value>organization-defined information system monitoring information</value>
</set-parameter>
<set-parameter param-id="si-4_prm_4">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-4_prm_5">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="si-4_prm_6">
<value>organization-defined frequency</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4_smt.a, si-4_smt.b, si-4_smt.c, si-4_smt.d, si-4_smt.e, si-4_smt.f, si-4_smt.g, si-4.1_smt, si-4.2_smt, si-4.4_smt, si-4.5_smt, si-4.14_smt, si-4.16_smt, si-4.23_smt-->
<statement statement-id="si-4_smt.a" uuid="cded1094-23d5-4123-bfb4-0e7cb7d09705">
<by-component uuid="1120ae44-d24e-4b82-906a-de332b0c0f20"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Monitors the information system to detect:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.b" uuid="ff8252dd-cf43-4470-84d0-6260f3cfc1ba">
<by-component uuid="afeeb770-c9d3-4bef-bbd4-1a557f7cf9b8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Identifies unauthorized use of the information system through ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.c" uuid="531a2baa-8684-46b6-a7dd-058e3901d233">
<by-component uuid="6b9dbf4f-ee42-495f-8461-5663e947eb46"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Deploys monitoring devices:</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.d" uuid="3956da16-a300-4a09-94eb-f790b0e95df8">
<by-component uuid="4d15eb72-1492-4aee-828c-7b00a1ce295c"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.e" uuid="3cf040f8-d81f-4b45-a461-19f4f6fdda3b">
<by-component uuid="994e889b-6d14-4eb4-88dc-926ea50192a1"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.f" uuid="bc9c989f-eaa9-4df1-b47b-2ff526080c74">
<by-component uuid="024662e7-88bc-4057-ae40-f2de92c59eeb"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-4_smt.g" uuid="49ddbc14-b577-4dd0-ae2a-0195801ddc03">
<by-component uuid="169a8c24-c53b-4932-a93b-7cd7504f7ad5"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Provides to
.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.1" uuid="1414908d-7ab3-444c-9d70-0b227a3cb8cc"><!--System-wide Intrusion Detection System-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.1_smt-->
<statement statement-id="si-4.1_smt" uuid="adcd5513-4fed-461d-ad1e-06c1bfaf637a">
<by-component uuid="cccd1b2f-a232-4dd4-a6a1-c461b981aae4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.2" uuid="a5461635-e2a9-40a1-a35c-38445dbccf58"><!--Automated Tools for Real-time Analysis-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.2_smt-->
<statement statement-id="si-4.2_smt" uuid="8242118e-fadb-45b5-b919-ec8aa98c3df7">
<by-component uuid="de8bb4e7-7d63-4c5d-8a38-8dab20bf8cb8"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs automated tools to support near real-time analysis of events.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.4" uuid="01c24387-bd52-4263-8e4f-6ba3abd3a125"><!--Inbound and Outbound Communications Traffic-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-4.4_prm_1">
<value>organization-defined frequency</value>
<!--Constraint: continuously>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.4_smt-->
<statement statement-id="si-4.4_smt" uuid="0ec527e7-33a6-4b15-8216-99848a438ef8">
<by-component uuid="7d722a25-61ce-4cfe-8708-09da06cb462f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.5" uuid="5ee8257a-178f-4904-97ef-882e8eb23e25"><!--System-generated Alerts-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="not-applicable">
<remarks>
<p>An explanation of why the control is not applicable.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<set-parameter param-id="si-4.5_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-4.5_prm_2">
<value>organization-defined compromise indicators</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.5_smt-->
<statement statement-id="si-4.5_smt" uuid="2c6764cb-4764-4161-8b90-77b1a12c97b7">
<by-component uuid="ac6cdcc1-365e-420d-946f-7cf3c2a395b7"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system alerts when the following indications of compromise or potential compromise occur: .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.14" uuid="4e2b4cbe-de43-4967-aa13-d908123c1a9b"><!--Wireless Intrusion Detection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.14_smt-->
<statement statement-id="si-4.14_smt" uuid="a391a149-24f0-472f-a1cd-d0f129398e62">
<by-component uuid="4a5146ad-966b-4097-ab71-dfd26003eaba"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.16" uuid="ae0f95c6-eee0-4cdb-ad5e-ba48cdb73553"><!--Correlate Monitoring Information-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.16_smt-->
<statement statement-id="si-4.16_smt" uuid="e5327fd3-aebd-464f-920d-da6cea36e9c1">
<by-component uuid="bfa9574c-855b-4378-9631-1e853f37142b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization correlates information from monitoring tools employed throughout the information system.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-4.23" uuid="cb07b59f-adfc-42cf-83a8-194cea81d21d"><!--Host-based Devices-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<set-parameter param-id="si-4.23_prm_1">
<value>organization-defined host-based monitoring mechanisms</value>
</set-parameter>
<set-parameter param-id="si-4.23_prm_2">
<value>organization-defined information system components</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-4.23_smt-->
<statement statement-id="si-4.23_smt" uuid="ff1986df-0262-4dcf-b3d3-7165ae57ff9f">
<by-component uuid="ad01cf8d-2fcd-42ad-b55b-5539e6c61434"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization implements at .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-5" uuid="4bcda9ed-5a0a-4ea4-85ee-a4007e0d4c4d"><!--Security Alerts, Advisories, and Directives-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 5 control parameters-->
<set-parameter param-id="si-5_prm_1">
<value>organization-defined external organizations</value>
<!--Constraint: to include US-CERT>-->
</set-parameter>
<set-parameter param-id="si-5_prm_2">
<value>it's complicated by parameter inserts</value>
<!--Constraint: to include system security personnel and administrators with configuration/patch-management responsibilities>-->
</set-parameter>
<set-parameter param-id="si-5_prm_3">
<value>organization-defined personnel or roles</value>
</set-parameter>
<set-parameter param-id="si-5_prm_4">
<value>organization-defined elements within the organization</value>
</set-parameter>
<set-parameter param-id="si-5_prm_5">
<value>organization-defined external organizations</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-5_smt.a, si-5_smt.b, si-5_smt.c, si-5_smt.d-->
<statement statement-id="si-5_smt.a" uuid="82975b34-dd54-4f3d-b0a1-63d11568a488">
<by-component uuid="86762cb7-6cac-4234-9ff1-d35f9f383272"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Receives information system security alerts, advisories, and directives from on an ongoing basis;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-5_smt.b" uuid="37367235-68d2-4bb3-9dd0-91150f362284">
<by-component uuid="eac51417-010a-4739-839c-5fdfa4aa2fe4"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Generates internal security alerts, advisories, and directives as deemed necessary;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-5_smt.c" uuid="fe7e84b2-8e31-4cdb-a9db-e886ed47ee8e">
<by-component uuid="95f445b4-a609-4426-ae99-e9fd30be3d5a"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Disseminates security alerts, advisories, and directives to: ; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-5_smt.d" uuid="b2123ea2-c4da-4096-aaaa-5f87d44c5c98">
<by-component uuid="213d10dd-0809-42dd-afdb-f2bbbc30a2af"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-6" uuid="9800e069-e463-4c87-ac56-56b837868939"><!--Security Function Verification-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 7 control parameters-->
<set-parameter param-id="si-6_prm_1">
<value>organization-defined security functions</value>
</set-parameter>
<set-parameter param-id="si-6_prm_2">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="si-6_prm_3">
<value>organization-defined system transitional states</value>
<!--Constraint: to include upon system startup and/or restart>-->
</set-parameter>
<set-parameter param-id="si-6_prm_4">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<set-parameter param-id="si-6_prm_5">
<value>organization-defined personnel or roles</value>
<!--Constraint: to include system administrators and security personnel>-->
</set-parameter>
<set-parameter param-id="si-6_prm_6">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="si-6_prm_7">
<value>organization-defined alternative action(s)</value>
<!--Constraint: to include notification of system administrators and security personnel>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-6_smt.a, si-6_smt.b, si-6_smt.c, si-6_smt.d-->
<statement statement-id="si-6_smt.a" uuid="364cd6a0-4b6f-43a1-a516-0dc6474b8309">
<by-component uuid="872ceafa-9236-41c9-a4a9-873c7d2e0441"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Verifies the correct operation of ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-6_smt.b" uuid="759bf2b3-89ab-43ff-8e9d-b59f893956f7">
<by-component uuid="789e9976-e318-42fc-b690-1b333fc24efe"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Performs this verification ;</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-6_smt.c" uuid="f114c2dd-5b46-48c1-8fdb-446f4cfcedcc">
<by-component uuid="a1dbea04-2f50-42b7-b78e-e3e42c68f660"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Notifies of failed security verification tests; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-6_smt.d" uuid="7c95c16c-5a70-4927-b1ee-22caa4e579c2">
<by-component uuid="41cb7521-a7ea-44c8-8703-80a2a9d31c4f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>
when anomalies are discovered.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-7" uuid="46da40e2-3c31-4858-a15a-26d58b479533"><!--Software, Firmware, and Information Integrity-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-7_prm_1">
<value>organization-defined software, firmware, and information</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-7_smt, si-7.1_smt, si-7.7_smt-->
<statement statement-id="si-7_smt" uuid="43006d9c-b13d-4b93-b141-474a58a38ff7">
<by-component uuid="eae1fdb5-98bd-45ea-83df-e3c7004bb60f"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization employs integrity verification tools to detect unauthorized changes to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-7.1" uuid="6702e335-f998-47b2-a421-421063b4d3c9"><!--Integrity Checks-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are 4 control parameters-->
<set-parameter param-id="si-7.1_prm_1">
<value>organization-defined software, firmware, and information</value>
</set-parameter>
<set-parameter param-id="si-7.1_prm_2">
<value>it's complicated by parameter inserts</value>
</set-parameter>
<set-parameter param-id="si-7.1_prm_3">
<value>organization-defined transitional states or security-relevant events</value>
<!--Constraint: Selection to include security relevant events>-->
</set-parameter>
<set-parameter param-id="si-7.1_prm_4">
<value>organization-defined frequency</value>
<!--Constraint: at least monthly>-->
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-7.1_smt-->
<statement statement-id="si-7.1_smt" uuid="7fabf46c-9b2a-42c4-990e-4091bfee4b7b">
<by-component uuid="f964bc09-1e05-4e2c-b168-acfc3e141078"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system performs an integrity check of
.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-7.7" uuid="45fdc29a-1e56-450d-b586-5be42facaa66"><!--Integration of Detection and Response-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-7.7_prm_1">
<value>organization-defined security-relevant changes to the information system</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-7.7_smt-->
<statement statement-id="si-7.7_smt" uuid="d1888d73-fc94-4ebd-b14f-1b3cca2f93d3">
<by-component uuid="c5a1dbe6-8587-442e-b4f3-7833483d03de"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization incorporates the detection of unauthorized into the organizational incident response capability.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-8" uuid="c4481f79-c775-4651-b965-1d65beea11f6"><!--Spam Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-8_smt.a, si-8_smt.b, si-8.1_smt, si-8.2_smt-->
<statement statement-id="si-8_smt.a" uuid="878577b2-544f-4230-87ac-e6917160d839">
<by-component uuid="7a995e32-b8ab-4bd1-a8db-b95a110ce04b"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-8_smt.b" uuid="9f443337-bb93-46b5-b78b-05a2145388eb">
<by-component uuid="81cc18d0-f3c2-4926-8426-5542f5e18299"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-8.1" uuid="0e8ecb25-b403-4810-a28b-3dbf8b373272"><!--Central Management-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-8.1_smt-->
<statement statement-id="si-8.1_smt" uuid="a948f972-0556-4175-b421-9ce028eea520">
<by-component uuid="10f84065-50fd-4e88-9563-0bf745bc97da"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization centrally manages spam protection mechanisms.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-8.2" uuid="273a0aab-dca6-441c-97d6-950ca89d6847"><!--Automatic Updates-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="partial">
<remarks>
<p>A description the portion of the control that is not satisfied.</p>
</remarks>
</prop>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-8.2_smt-->
<statement statement-id="si-8.2_smt" uuid="9144a27e-fe65-4da4-a972-c5ed2903a60e">
<by-component uuid="d7a52d3c-fc94-4bee-8a13-93a2e4dde118"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system automatically updates spam protection mechanisms.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-10" uuid="54942b5f-1879-4a87-8229-16f456df7740"><!--Information Input Validation-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-10_prm_1">
<value>organization-defined information inputs</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-10_smt-->
<statement statement-id="si-10_smt" uuid="51f4497d-dd7b-42cf-824f-b82c105f3b67">
<by-component uuid="7480bd5a-7826-4921-b8e9-5375e2405d65"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system checks the validity of .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-11" uuid="46ce239a-3c8c-464b-9fb0-4d96525c7590"><!--Error Handling-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-11_prm_1">
<value>organization-defined personnel or roles</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-11_smt.a, si-11_smt.b-->
<statement statement-id="si-11_smt.a" uuid="f61129fd-9d26-4fdd-a715-8461d4d1dc67">
<by-component uuid="09600b99-38db-4751-8de9-c5213727423d"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and</p>
</remarks>
</by-component>
</statement>
<statement statement-id="si-11_smt.b" uuid="4b47f61e-78a6-47e5-91b0-c0a011247f6e">
<by-component uuid="3d74bcea-8ef6-47c3-88d2-9edd46f1f576"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>Reveals error messages only to .</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-12" uuid="ea165863-4e9a-4ad7-834e-658094209d09"><!--Information Handling and Retention-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There are no control parameters-->
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-12_smt-->
<statement statement-id="si-12_smt" uuid="232c8472-4123-4619-a1c0-2164ccbc45d9">
<by-component uuid="0d52f691-902c-4791-9cd9-1a26f759fe00"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
<implemented-requirement control-id="si-16" uuid="2b374a22-9d62-439c-a1e2-6782dcb73988"><!--Memory Protection-->
<prop name="implementation-status"
ns="https://fedramp.gov/ns/oscal"
value="implemented"/>
<!--There is 1 control parameter-->
<set-parameter param-id="si-16_prm_1">
<value>organization-defined security safeguards</value>
</set-parameter>
<!--See DRAFT Guide to OSCAL-based FedRAMP System Security Plans page 36-->
<responsible-role role-id="implemented-requirement-responsible-role"/>
<!--Required response points: si-16_smt-->
<statement statement-id="si-16_smt" uuid="6d8b7b7d-58d1-45f4-ab95-10640969c4fa">
<by-component uuid="333f5464-be95-4093-b7c8-c1ba4db680dc"
component-uuid="085c4a00-8521-44bd-9188-7e08095ce1b0">
<description>
<p>This description is more than 20 characters in length</p>
</description>
<remarks>
<p>The information system implements to protect its memory from unauthorized code execution.</p>
</remarks>
</by-component>
</statement>
</implemented-requirement>
</control-implementation>
<back-matter><!--Access Control Policy and Procedures attachments-->
<resource uuid="bf5de77b-e2ac-416c-8836-cb239b24d9ba">
<title>AC-1 Access Control Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ac-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ac-1-policy.txt" media-type="text/plain">QUMtMSBBY2Nlc3MgQ29udHJvbCBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
</resource>
<resource uuid="b41f5c88-e3a7-491b-83e5-337010521f13">
<title>AC-1 Access Control Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ac-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ac-1-procedures.txt" media-type="text/plain">QUMtMSBBY2Nlc3MgQ29udHJvbCBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
</resource>
<!--Awareness and Training Policy and Procedures attachments-->
<resource uuid="71efb7b3-c2c2-42d8-bae7-af244e2f9534">
<title>AT-1 Security Awareness and Training Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-at-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-at-1-policy.txt" media-type="text/plain">QVQtMSBTZWN1cml0eSBBd2FyZW5lc3MgYW5kIFRyYWluaW5nIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
</resource>
<resource uuid="8d660ca2-c631-4e29-86a6-92706c7daef4">
<title>AT-1 Security Awareness and Training Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-at-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-at-1-procedures.txt" media-type="text/plain">QVQtMSBTZWN1cml0eSBBd2FyZW5lc3MgYW5kIFRyYWluaW5nIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
</resource>
<!--Audit and Accountability Policy and Procedures attachments-->
<resource uuid="c2aa384d-a71d-47f6-bd56-cca71ba1bb0f">
<title>AU-1 Audit and Accountability Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-au-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-au-1-policy.txt" media-type="text/plain">QVUtMSBBdWRpdCBhbmQgQWNjb3VudGFiaWxpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="fcf14555-9fa2-466c-b10b-60de8d305c5c">
<title>AU-1 Audit and Accountability Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-au-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-au-1-procedures.txt" media-type="text/plain">QVUtMSBBdWRpdCBhbmQgQWNjb3VudGFiaWxpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--Security Assessment and Authorization Policy and Procedures attachments-->
<resource uuid="ce7e3a61-169d-4f31-8707-9c1781145fc5">
<title>CA-1 Security Assessment and Authorization Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ca-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ca-1-policy.txt" media-type="text/plain">Q0EtMSBTZWN1cml0eSBBc3Nlc3NtZW50IGFuZCBBdXRob3JpemF0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
</resource>
<resource uuid="5dc59f83-f273-4260-acf7-299bdcc35293">
<title>CA-1 Security Assessment and Authorization Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ca-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ca-1-procedures.txt" media-type="text/plain">Q0EtMSBTZWN1cml0eSBBc3Nlc3NtZW50IGFuZCBBdXRob3JpemF0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
</resource>
<!--Configuration Management Policy and Procedures attachments-->
<resource uuid="696dded2-051e-4a92-a352-c1d8e787713c">
<title>CM-1 Configuration Management Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-cm-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-cm-1-policy.txt" media-type="text/plain">Q00tMSBDb25maWd1cmF0aW9uIE1hbmFnZW1lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="c04d4c67-5729-446d-aadf-9cc5eb6584dd">
<title>CM-1 Configuration Management Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-cm-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-cm-1-procedures.txt" media-type="text/plain">Q00tMSBDb25maWd1cmF0aW9uIE1hbmFnZW1lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--Contingency Planning Policy and Procedures attachments-->
<resource uuid="83797894-5e10-40f1-bf0f-7aeaf058ae8e">
<title>CP-1 Contingency Planning Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-cp-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-cp-1-policy.txt" media-type="text/plain">Q1AtMSBDb250aW5nZW5jeSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
</resource>
<resource uuid="69f8f3a7-cbb8-4a94-b0f5-2d0cfb283dce">
<title>CP-1 Contingency Planning Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-cp-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-cp-1-procedures.txt" media-type="text/plain">Q1AtMSBDb250aW5nZW5jeSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
</resource>
<!--Identification and Authentication Policy and Procedures attachments-->
<resource uuid="dda896a4-bb49-4951-9c22-d20c6b82f2b5">
<title>IA-1 Identification and Authentication Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ia-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ia-1-policy.txt" media-type="text/plain">SUEtMSBJZGVudGlmaWNhdGlvbiBhbmQgQXV0aGVudGljYXRpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="2d828c29-724b-4feb-9f77-a6d258bfbb36">
<title>IA-1 Identification and Authentication Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ia-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ia-1-procedures.txt" media-type="text/plain">SUEtMSBJZGVudGlmaWNhdGlvbiBhbmQgQXV0aGVudGljYXRpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--Incident Response Policy and Procedures attachments-->
<resource uuid="dbb812f8-80f9-45da-adf1-ecb29d0a14f2">
<title>IR-1 Incident Response Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ir-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ir-1-policy.txt" media-type="text/plain">SVItMSBJbmNpZGVudCBSZXNwb25zZSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
</resource>
<resource uuid="03e77a3e-cebb-47a3-9778-3601d31e0b06">
<title>IR-1 Incident Response Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ir-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ir-1-procedures.txt" media-type="text/plain">SVItMSBJbmNpZGVudCBSZXNwb25zZSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
</resource>
<!--Maintenance Policy and Procedures attachments-->
<resource uuid="f678bed3-1328-4900-ac7f-7fa408fa7321">
<title>MA-1 System Maintenance Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ma-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ma-1-policy.txt" media-type="text/plain">TUEtMSBTeXN0ZW0gTWFpbnRlbmFuY2UgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="ace0581a-9331-40d1-ae73-7718be422e45">
<title>MA-1 System Maintenance Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ma-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ma-1-procedures.txt" media-type="text/plain">TUEtMSBTeXN0ZW0gTWFpbnRlbmFuY2UgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--Media Protection Policy and Procedures attachments-->
<resource uuid="8c1915f9-433a-4809-b87d-b32a4c4f7298">
<title>MP-1 Media Protection Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-mp-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-mp-1-policy.txt" media-type="text/plain">TVAtMSBNZWRpYSBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
</resource>
<resource uuid="9c521f31-e445-4497-91a9-b30321bbe2f0">
<title>MP-1 Media Protection Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-mp-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-mp-1-procedures.txt" media-type="text/plain">TVAtMSBNZWRpYSBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
</resource>
<!--Physical and Environmental Protection Policy and Procedures attachments-->
<resource uuid="d2bdeb8a-4b0d-49bc-9e85-389ade2d1eda">
<title>PE-1 Physical and Environmental Protection Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-pe-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-pe-1-policy.txt" media-type="text/plain">UEUtMSBQaHlzaWNhbCBhbmQgRW52aXJvbm1lbnRhbCBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
</resource>
<resource uuid="464190aa-2ada-4ef6-a592-570217b31293">
<title>PE-1 Physical and Environmental Protection Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-pe-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-pe-1-procedures.txt" media-type="text/plain">UEUtMSBQaHlzaWNhbCBhbmQgRW52aXJvbm1lbnRhbCBQcm90ZWN0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
</resource>
<!--Planning Policy and Procedures attachments-->
<resource uuid="5c37d370-78f9-446e-a618-895bb13cde61">
<title>PL-1 Security Planning Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-pl-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-pl-1-policy.txt" media-type="text/plain">UEwtMSBTZWN1cml0eSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
</resource>
<resource uuid="5b1a233f-1f54-494d-9d01-feb5a8518d1e">
<title>PL-1 Security Planning Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-pl-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-pl-1-procedures.txt" media-type="text/plain">UEwtMSBTZWN1cml0eSBQbGFubmluZyBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
</resource>
<!--Personnel Security Policy and Procedures attachments-->
<resource uuid="f00af191-2d81-48b6-87c6-e686e57bcaaa">
<title>PS-1 Personnel Security Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ps-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ps-1-policy.txt" media-type="text/plain">UFMtMSBQZXJzb25uZWwgU2VjdXJpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="79dc26a3-023f-47a1-b0b0-03ab2bcdbf10">
<title>PS-1 Personnel Security Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ps-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ps-1-procedures.txt" media-type="text/plain">UFMtMSBQZXJzb25uZWwgU2VjdXJpdHkgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--Risk Assessment Policy and Procedures attachments-->
<resource uuid="66436d35-0d86-4faa-b590-d32aaf943cff">
<title>RA-1 Risk Assessment Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-ra-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-ra-1-policy.txt" media-type="text/plain">UkEtMSBSaXNrIEFzc2Vzc21lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="c6eec76c-2180-4fee-86d3-662c7dacbf80">
<title>RA-1 Risk Assessment Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-ra-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-ra-1-procedures.txt" media-type="text/plain">UkEtMSBSaXNrIEFzc2Vzc21lbnQgUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--System and Services Acquisition Policy and Procedures attachments-->
<resource uuid="47901abb-e414-4cee-89c9-49c4eb894734">
<title>SA-1 System and Services Acquisition Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-sa-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-sa-1-policy.txt" media-type="text/plain">U0EtMSBTeXN0ZW0gYW5kIFNlcnZpY2VzIEFjcXVpc2l0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFBvbGljeQ==</base64>
</resource>
<resource uuid="49ff3b72-6304-4915-8398-83d9376da1d0">
<title>SA-1 System and Services Acquisition Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-sa-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-sa-1-procedures.txt" media-type="text/plain">U0EtMSBTeXN0ZW0gYW5kIFNlcnZpY2VzIEFjcXVpc2l0aW9uIFBvbGljeSBhbmQgUHJvY2VkdXJlcyAtIFByb2NlZHVyZXM=</base64>
</resource>
<!--System and Communications Protection Policy and Procedures attachments-->
<resource uuid="a1b3ce1b-0035-4fa4-9c06-48e1b4061c6d">
<title>SC-1 System and Communications Protection Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-sc-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-sc-1-policy.txt" media-type="text/plain">U0MtMSBTeXN0ZW0gYW5kIENvbW11bmljYXRpb25zIFByb3RlY3Rpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUG9saWN5</base64>
</resource>
<resource uuid="75e53b48-3fdb-4e56-8342-dcc75ece59e2">
<title>SC-1 System and Communications Protection Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-sc-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-sc-1-procedures.txt" media-type="text/plain">U0MtMSBTeXN0ZW0gYW5kIENvbW11bmljYXRpb25zIFByb3RlY3Rpb24gUG9saWN5IGFuZCBQcm9jZWR1cmVzIC0gUHJvY2VkdXJlcw==</base64>
</resource>
<!--System and Information Integrity Policy and Procedures attachments-->
<resource uuid="24039674-4fae-4517-b71f-fc3d672446b8">
<title>SI-1 System and Information Integrity Policy and Procedures - Policy</title>
<prop name="type" value="policy"/>
<rlink href="SSSP-A1-ISPP-si-1-policy.txt"/>
<base64 filename="SSSP-A1-ISPP-si-1-policy.txt" media-type="text/plain">U0ktMSBTeXN0ZW0gYW5kIEluZm9ybWF0aW9uIEludGVncml0eSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQb2xpY3k=</base64>
</resource>
<resource uuid="47d7852a-f397-4f98-a183-c5525bcdf1a6">
<title>SI-1 System and Information Integrity Policy and Procedures - Procedures</title>
<prop name="type" value="procedures"/>
<rlink href="SSSP-A1-ISPP-si-1-procedures.txt"/>
<base64 filename="SSSP-A1-ISPP-si-1-procedures.txt" media-type="text/plain">U0ktMSBTeXN0ZW0gYW5kIEluZm9ybWF0aW9uIEludGVncml0eSBQb2xpY3kgYW5kIFByb2NlZHVyZXMgLSBQcm9jZWR1cmVz</base64>
</resource>
<resource uuid="3ab96681-d459-4b3a-bdcd-4038f1915b64">
<title>User Guide</title>
<rlink href="SSSP-A2-UG.txt"/>
<base64 filename="SSSP-A2-UG.txt" media-type="text/plain">VXNlciBHdWlkZQ==</base64>
</resource>
<resource uuid="fb38e94b-92a2-4c8a-a587-74c3df0171ff">
<title>Privacy Impact Analysis</title>
<rlink href="SSSP-A4-PIA.txt"/>
<base64 filename="SSSP-A4-PIA.txt" media-type="text/plain">UHJpdmFjeSBJbXBhY3QgQW5hbHlzaXM=</base64>
</resource>
<resource uuid="2329837d-7d5e-48c1-8aec-750f7cd377ba">
<title>Rules of Behavior</title>
<rlink href="SSSP-A5-ROB.txt"/>
<base64 filename="SSSP-A5-ROB.txt" media-type="text/plain">UnVsZXMgb2YgQmVoYXZpb3I=</base64>
</resource>
<resource uuid="151b75bb-6719-4098-bcde-ffb943597d87">
<title>Information System Contingency Plan</title>
<rlink href="SSSP-A6-ISCP.txt"/>
<base64 filename="SSSP-A6-ISCP.txt" media-type="text/plain">SW5mb3JtYXRpb24gU3lzdGVtIENvbnRpbmdlbmN5IFBsYW4=</base64>
</resource>
<resource uuid="6ed59356-244f-4a04-b58e-10271008558b">
<title>Configuration Management Plan</title>
<rlink href="SSSP-A7-CMP.txt"/>
<base64 filename="SSSP-A7-CMP.txt" media-type="text/plain">Q29uZmlndXJhdGlvbiBNYW5hZ2VtZW50IFBsYW4=</base64>
</resource>
<resource uuid="e07e9e82-7023-4019-afad-29f8d87036a9">
<title>Incident Response Plan</title>
<rlink href="SSSP-A8-IRP.txt"/>
<base64 filename="SSSP-A8-IRP.txt" media-type="text/plain">SW5jaWRlbnQgUmVzcG9uc2UgUGxhbg==</base64>
</resource>
<resource uuid="bb5668c2-3128-40d1-a347-89fcde1e36d3">
<title>CIS Workbook</title>
<rlink href="SSSP-A9-CIS-Workbook.txt"/>
<base64 filename="SSSP-A9-CIS-Workbook.txt" media-type="text/plain">Q0lTIFdvcmtib29r</base64>
</resource>
<resource uuid="f7cce702-1a8e-449e-b30c-342b1d1689e2">
<title>Inventory</title>
<rlink href="SSSP-A13-INV.txt"/>
<base64 filename="SSSP-A13-INV.txt" media-type="text/plain">SW52ZW50b3J5</base64>
</resource>
</back-matter>
</system-security-plan>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment