{"system-security-plan":{"uuid":"11111111-2222-4000-8000-000000000000","metadata":{"roles":[{"id":"cloud-service-provider","title":"Cloud Service Provider","short-name":"CSP"},{"id":"information-system-security-officer","title":"Information System Security Officer","short-name":"ISSO"}],"title":"FedRAMP OSCAL New Core System Security Plan (SSP)","parties":[{"name":"Cloud Service Provider (CSP) Name","type":"organization","uuid":"11111111-2222-4000-8000-004000000001","links":[{"rel":"homepage","href":"http://example.com"}],"addresses":[{"city":"Anywhere","state":"ST","addr-lines":["1234 S. Main St."],"postal-code":"00000"}],"short-name":"CSP Acronym/Short Name"}],"version":"NEW-CORE-EXAMPLE","published":"2026-04-14T00:00:00Z","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"cfff9082-7855-47ae-b16e-45e700514858"}],"last-modified":"2026-04-15T00:00:00Z","oscal-version":"1.2.1","responsible-parties":[{"role-id":"cloud-service-provider","party-uuids":["11111111-2222-4000-8000-004000000001"]}]},"import-profile":{"href":"https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json"},"system-characteristics":{"props":[{"name":"cloud-service-model","value":"saas"},{"name":"cloud-deployment-model","value":"government-only-cloud"}],"status":{"state":"operational"},"data-flow":{"diagrams":[{"uuid":"11111111-2222-4000-8000-007000000003","links":[{"rel":"diagram","href":"./data_flow_diagram.pdf","media-type":"application/pdf"}],"description":"Dataflow diagram narriative."}],"description":"A holistic, top-level explanation of the system's data flows."},"system-ids":[{"id":"F00000000","identifier-type":"http://fedramp.gov/ns/oscal"}],"description":"Provide the system description here","system-name":"System's Full Name","system-name-short":"System's Short Name or Acronym","system-information":{"information-types":[{"uuid":"11111111-2222-4000-8000-006000000001","title":"Information Type Name","description":"OSCAL requires at leaset one entry.\n\nFor MVP, either just leave this description or paste Appendix K table here.\n\nBreak Appendix K down to individual entries after MVP."}]},"network-architecture":{"diagrams":[{"uuid":"11111111-2222-4000-8000-007000000002","links":[{"rel":"diagram","href":"./network_architecture.pdf","media-type":"application/pdf"}],"description":"A diagram-specific explanation."}],"description":"Network architecture narriative."},"authorization-boundary":{"diagrams":[{"uuid":"11111111-2222-4000-8000-007000000001","links":[{"rel":"diagram","href":"./authorization_boundary.pdf","media-type":"application/pdf"}],"description":"Authorization boundary narriative."}],"description":"A holistic, top-level explanation of the FedRAMP authorization boundary."},"security-sensitivity-level":"fips-199-high"},"system-implementation":{"users":[{"uuid":"11111111-2222-4000-8000-008000000001","authorized-privileges":[{"title":"none","functions-performed":["none"]}]}],"components":[{"type":"this-system","uuid":"11111111-2222-4000-8000-009000000000","title":"This System","status":{"state":"operational"},"description":"This component represents the entire authorization boundary, as depicted in the system authorization boundary diagram.\n\nFedRAMP requires exactly one \\\"this-system\\\" component, which is used in control implementation responses and interconnections."}],"inventory-items":[{"uuid":"11111111-2222-4000-8000-011000000001","links":[{"rel":"validated-by","href":"https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4985"}],"props":[{"name":"asset-type","value":"os"},{"name":"asset-id","value":"unique-asset-id"},{"name":"asset-tag","value":"xyz-123"},{"name":"public","value":"no"},{"name":"virtual","value":"no"},{"name":"vlan-id","value":"VLAN Identifier"},{"name":"network-id","value":"Network Identifier"},{"name":"label","value":"Diagram Label"},{"name":"sort-id","value":"000001"},{"name":"baseline-configuration-name","value":"STIG-xyz"},{"name":"allows-authenticated-scan","value":"no","remarks":"If no, explain why. If yes, omit remarks field."},{"name":"function","value":"Required brief, text-based description."},{"name":"model","value":"Model Number"},{"name":"software-name","value":"software-name"},{"name":"software-version","value":"V 0.0.0"},{"name":"software-patch-level","value":"Patch-Level"},{"name":"ipv4-address","value":"0.0.0.0"},{"name":"ipv6-address","value":"0000:0000:0000:0000"},{"name":"fqdn","value":"example.com"},{"name":"uri","value":"https://examplec.om"},{"name":"netbios-name","value":"netbios-name"},{"name":"mac-address","value":"00:00:00:00:00:00"},{"name":"serial-number","value":"Serial #"},{"name":"asset-tag","value":"Asset Tag"},{"ns":"http://fedramp.gov/ns/oscal","name":"scan-type","value":"infrastructure"},{"name":"baseline-configuration-name","value":"Baseline Config. Name"},{"name":"physical-location","value":"Physical location of Asset"},{"name":"is-scanned","value":"yes"}],"remarks":"COMMENTS: Additional information about this item, such as the admin and asset owner.","description":"Flat-File Example (No implemented-component)."}]},"control-implementation":{"description":"There is one control in this example. Follow this pattern for each additional control.","implemented-requirements":[{"uuid":"11111111-2222-4000-8000-012000010000","control-id":"ac-1","statements":[{"uuid":"11111111-2222-4000-8000-012000010100","statement-id":"ac-1_smt.a","by-components":[{"uuid":"11111111-2222-4000-8000-012000010101","description":"Describe how Part a is satisfied within the system as a whole.","component-uuid":"11111111-2222-4000-8000-009000000000","responsible-roles":[{"remarks":"An error in the OSCAL metaschema incorrectly requires at leat one `party-uuid` to be present.\n\nFor now, just use the `party-uuid` of the CSP parties entry. \n\nThe `party-uuid` will be removed from the MVP once [Issue 2122](https://github.com/usnistgov/OSCAL/issues/2122) is resolved.","role-id":"information-system-security-officer","party-uuids":["11111111-2222-4000-8000-004000000001"]}],"implementation-status":{"state":"implemented"}}]},{"uuid":"11111111-2222-4000-8000-012000010200","statement-id":"ac-1_smt.b","by-components":[{"uuid":"11111111-2222-4000-8000-012000010201","props":[{"ns":"http://fedramp.gov/ns/oscal","name":"planned-completion-date","value":"2024-01-31Z"}],"description":"Describe how Part b is satisfied within the system as a whole.","component-uuid":"11111111-2222-4000-8000-009000000000","responsible-roles":[{"remarks":"An error in the OSCAL metaschema incorrectly requires at leat one `party-uuid` to be present.\n\nFor now, just use the `party-uuid` of the CSP parties entry. \n\nThe `party-uuid` will be removed from the MVP once [Issue 2122](https://github.com/usnistgov/OSCAL/issues/2122) is resolved.","role-id":"information-system-security-officer","party-uuids":["11111111-2222-4000-8000-004000000001"]}],"implementation-status":{"state":"partial","remarks":"Describe the plan to complete the implementation."}}]},{"uuid":"11111111-2222-4000-8000-012000010300","statement-id":"ac-1_smt.c","by-components":[{"uuid":"11111111-2222-4000-8000-012000010301","description":"Describe how Part b-1 is satisfied.","component-uuid":"11111111-2222-4000-8000-009000000000","responsible-roles":[{"remarks":"An error in the OSCAL metaschema incorrectly requires at leat one `party-uuid` to be present.\n\nFor now, just use the `party-uuid` of the CSP parties entry. \n\nThe `party-uuid` will be removed from the MVP once [Issue 2122](https://github.com/usnistgov/OSCAL/issues/2122) is resolved.","role-id":"information-system-security-officer","party-uuids":["11111111-2222-4000-8000-004000000001"]}],"implementation-status":{"state":"implemented"}}]}],"set-parameters":[{"values":["all managers, administrators and users of the system"],"param-id":"ac-01_odp.01"},{"values":["all managers and administrators of the system"],"param-id":"ac-01_odp.02"},{"values":["System-level"],"param-id":"ac-01_odp.03"},{"values":["System Architect"],"param-id":"ac-01_odp.04"},{"values":["at least every 3 years"],"param-id":"ac-01_odp.05"},{"values":["change in organizational legal status or ownership"],"param-id":"ac-01_odp.06"},{"values":["at least annually"],"param-id":"ac-01_odp.07"},{"values":["change in policy or a security incident involving a failure of access control mechanisms"],"param-id":"ac-01_odp.08"}]}]},"back-matter":{"resources":[{"uuid":"11111111-2222-4000-8000-001000000054","title":"Boundary Diagram","rlinks":[{"href":"./attachments/diagrams/boundary.png"}]},{"uuid":"11111111-2222-4000-8000-001000000055","title":"Network Diagram","rlinks":[{"href":"./attachments/diagrams/network.png"}]},{"uuid":"11111111-2222-4000-8000-001000000056","title":"Data Flow Diagram","rlinks":[{"href":"./attachments/diagrams/dataflow.png"}]}]}}}