OSCAL SSP fields mapping
Summary of OSCAL SSP fields mapping
This document details how the CAM (Continuous Authorization Management) system exports authorization package and control data into the OSCAL (Open Security Controls Assessment Language) System Security Plan (SSP) format. It provides comprehensive field mappings between CAM fields and the corresponding OSCAL SSP fields. This enables ServiceNow customers to understand how their authorization package data is structured and transformed when exported to OSCAL SSP, facilitating standardized security documentation and compliance reporting.
Key Sections and Field Mappings
- Metadata: Maps general authorization package information such as UUID, name, version, last modified date, and OSCAL standard version. This helps identify and version the exported SSP.
- User and Role Mapping: Connects roles and users in CAM to OSCAL, including role IDs, names, user names, and UUIDs, along with role assignments in the package.
- Profile Reference: Links the authorization package to a baseline profile, enabling traceability to the security standards or baselines applied.
- Authorization Boundary: Captures details about the system or authorization boundary, including its name, short name, description, status, and mission-critical designation. It ties the SSP to the specific system context.
- Security Impact: Defines security sensitivity and impact levels on confidentiality, integrity, and availability, reflecting the system’s risk posture.
- Package Properties: Includes attributes such as skip attestations flag, package activity status, revision version, privacy sensitivity, impact change justification, percentage of controls implemented, and counts of vulnerabilities and security incidents.
- System Components: Details individual components within the authorization boundary, including their names, descriptions, types, and current status.
- Controls: Maps control implementation data such as control IDs, UUIDs, compliance status, workflow state, owners, respondents, assessment frequency, attestation references, discussion notes, weighting, synchronization flags, and role assignments. This comprehensive mapping supports detailed control-level tracking and reporting.
- Control Requirements: Provides mapping for individual control requirement states, descriptions, numbering, and respondents, enabling granular control assessment documentation.
- Back Matter: Includes references to linked profile JSON files, supporting linkage and navigation within the OSCAL framework.
Practical Benefits for ServiceNow Customers
By understanding these mappings, ServiceNow customers can:
- Ensure accurate and consistent export of authorization package data into OSCAL SSP format for compliance and audit purposes.
- Maintain traceability of roles, users, and control responsibilities within exported security documentation.
- Leverage detailed control and requirement status information to monitor compliance and assessment progress.
- Integrate with OSCAL-based workflows and standards, improving interoperability with external assessment and authorization processes.
- Gain insights into system boundary definitions and security impact levels, facilitating risk management.
These mappings enable the automated and structured sharing of security package data, helping organizations streamline their authorization and compliance efforts using ServiceNow CAM and OSCAL standards.
CAM exports authorization package and control data to OSCAL System Security Plan (SSP) format using the following field mappings.
Metadata
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| uuid | Authorization package UUID | Unique identifier of the authorization package |
| metadata.title | Authorization package name | Name of the authorization package |
| metadata.version | Package version | Version of the authorization package |
| metadata.last-modified | Last modified date | Date the SSP was last modified |
| metadata.oscal-version | OSCAL version | Version of the OSCAL standard used |
User and role mapping
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| metadata.roles[].id | Role ID | System identifier of the role (for example, system-owner, ISSO) |
| metadata.roles[].title | Role name | Display name of the role |
| metadata.parties[].name | User name | Name of the user associated with the package |
| metadata.parties[].uuid | User UUID | Unique identifier of the user |
| metadata.responsible-parties[].role-id | Role assignment | Role assigned to a party in the package |
| metadata.responsible-parties[].party-uuids[] | Assigned user | UUID of the user assigned to the role |
Profile reference
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| import-profile.href | Baseline profile | Reference to the profile (baseline) linked to the package |
Authorization boundary
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| system-characteristics.system-name | Authorization boundary name | Name of the authorization boundary |
| system-characteristics.system-name-short | Authorization boundary short name | Short name of the authorization boundary |
| system-characteristics.system-ids[].id | Authorization package number | ServiceNow record number of the package (for example, AP0010030) |
| system-characteristics.description | Authorization boundary description | Description of the authorization boundary |
| system-characteristics.status.state | Authorization boundary status | Current status of the boundary (for example, under-development) |
| system-characteristics.authorization-boundary.description | Authorization boundary description | Description of the system boundary |
| system-characteristics.authorization-boundary.props[@name=mission-critical] | Mission critical | Indicates whether the system is mission-critical |
Security impact
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| system-characteristics.security-sensitivity-level | Security sensitivity level | Overall sensitivity level (for example, fips-199-HIGH) |
| system-characteristics.security-impact-level.security-objective-confidentiality | Confidentiality impact | Confidentiality impact level |
| system-characteristics.security-impact-level.security-objective-integrity | Integrity impact | Integrity impact level |
| system-characteristics.security-impact-level.security-objective-availability | Availability impact | Availability impact level |
Package properties
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| system-characteristics.props[@name=skip-attestations] | Skip attestations | Indicates whether attestations are skipped for all controls |
| system-characteristics.props[@name=active] | Active | Indicates whether the authorization package is active |
| system-characteristics.props[@name=version] | Revision | Revision version of the package |
| system-characteristics.props[@name=privacy-sensitive-system] | Privacy sensitive system | Indicates whether the system is privacy sensitive |
| system-characteristics.props[@name=impact-change-justification] | Impact change justification | Justification provided when the recommended impact is changed |
| system-characteristics.props[@name=percentage-of-controls-implemented] | Percentage of controls implemented | Percentage of controls implemented in the package |
| system-characteristics.props[@name=number-of-vulnerable-items] | Number of vulnerable items | Count of vulnerable items associated with the package |
| system-characteristics.props[@name=number-of-security-incidents] | Number of security incidents | Count of security incidents associated with the package |
System components
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| system-implementation.components[].title | Authorization boundary name | Name of the system component |
| system-implementation.components[].description | Authorization boundary description | Description of the system component |
| system-implementation.components[].type | Component type | Type of the component (for example, this-system) |
| system-implementation.components[].status.state | Component status | Current status of the component |
Controls
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| control-implementation.implemented-requirements[].control-id | Control ID | Identifier of the implemented control |
| control-implementation.implemented-requirements[].uuid | Control UUID | Unique identifier of the implemented control record |
| control-implementation.implemented-requirements[].props[@name=status] | Compliance status | Compliance status of the control (for example, Not Applicable, Compliant) |
| control-implementation.implemented-requirements[].props[@name=state] | Control state | Workflow state of the control (for example, Draft, Review) |
| control-implementation.implemented-requirements[].props[@name=owner] | Control owner | UUID of the user who owns the control |
| control-implementation.implemented-requirements[].props[@name=respondents] | Respondents | UUID of users assigned as respondents for the control |
| control-implementation.implemented-requirements[].props[@name=frequency] | Assessment frequency | Frequency at which the control is assessed (for example, Annually) |
| control-implementation.implemented-requirements[].props[@name=attestation] | Attestation | Reference to the attestation record for the control |
| control-implementation.implemented-requirements[].props[@name=discussion] | Discussion | Discussion notes for the control |
| control-implementation.implemented-requirements[].props[@name=weighting] | Weighting | Weighting assigned to the control |
| control-implementation.implemented-requirements[].props[@name=sync_with_entity_owner] | Sync with entity owner | Indicates whether the control owner is synced with the entity owner |
| control-implementation.implemented-requirements[].props[@name=requirement_level_attestation] | Requirement level attestation | Indicates whether attestation is at the requirement level |
| control-implementation.implemented-requirements[].responsible-roles[].role-id | Control role | Role assigned at the control level (for example, owner, control-respondents) |
| control-implementation.implemented-requirements[].responsible-roles[].party-uuids[] | Assigned user | UUID of the user assigned to the control role |
Control requirements
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| control-implementation.implemented-requirements[].statements[].props[@name=state] | Control requirement state | Workflow state of the control requirement |
| control-implementation.implemented-requirements[].statements[].props[@name=description] | Control requirement description | Description of the control requirement |
| control-implementation.implemented-requirements[].statements[].props[@name=requirement_number] | Requirement number | Number of the control requirement |
| control-implementation.implemented-requirements[].statements[].props[@name=respondents] | Requirement respondents | UUID of users assigned as respondents for the requirement |
Back matter
| OSCAL SSP field | CAM field | Description |
|---|---|---|
| back-matter.resources[].rlinks[].href | Profile reference | Path to the linked profile JSON file |