CSAM

Integration with the USG CSAM System

CSAM Integration

Reference: DoJ CSAM

Prep work

The CSAM integration relies upon a number of custom fields within RegScale. The code checks for these and
exits if they are missing. The fields are (all in Security Plans):

  • Basic Tab:

    • acronym (text field)
    • FISMA Id (text field)
    • CSAM Id (text field)
    • Classification (select - Sensitive But Unclassified, Unclassified, Secret, Top Secret)
    • Contractor System (select - Yes, No)
    • FISMA Reportable (select - Yes, No)
    • Critical Infrastructure (select - Yes, No)
    • Mission Essential (select - Yes, No)
  • Agency Defined Data Items (new tab)

    • (Create Custom Fields corresponding to the values in init.yaml csamAgencyDefinedDataItems)
  • Financial Information (new tab)

    • Financial System (select - Financial, Non-Financial)
    • omb Exhibit (text field)
    • uii Code (text field)
    • Investment Name (text field)
    • Portfolio (text field)
    • Prior Fy Funding (dollar)
    • Current Fy Funding (dollar)
    • Next Fy Funding (dollar)
    • Funding Import Status (text)
  • Status and Archive (new tab)

    • Risk Assessment Completed (date)
    • Risk Assessment Next Due Date (date)
    • Risk Assessment Expiration Date (date)
    • SSP Completed (date)
    • SSP Next Due Date (date)
    • CM Completed (date)
    • CM Next Due Date (date)
  • Recovery Targets and Outcomes (new tab)

    • MTD (text)
    • RTO (text)
    • RPO (text)
  • Privacy Details (new tab)

    • PIA Date (date)
    • PII (text)
    • PTA Date (date)
    • SORN Date (date)
    • SORN Status (text)
    • SORN Id (text)
  • Authorization (new tab)

    • Authorization Process (text)
    • Initial Authorization Date (date)
    • ATO Date (date)
    • Authorization Next Due Date (date)
  • Continuity and Incident Response (new tab)

    • BIA Completed (date)
    • BIA Next Due Date (date)
    • CP Completed (date)
    • CP Next Due Date (date)
    • CP Training Completed (date)
    • CP Training Next Due Date (date)
    • CP Test Next Due Date (date)
    • IRP Completed (date)
    • IRP Next Due Date (date)
    • IRP Training Completed (date)
    • IRP Training Due Date (date)
    • IRP Test Next Due Date (date)
    • CPR Completed (date)
    • CPR Next Due Date (date)
    • CPR Expiration Date (date)
    • Doc Review Completed (date)
    • Doc Review Next Due Date (date)
    • Doc Review Expiration Date (date)
  • Continuity Tests (new tab)

    • CP Test Type (select - TableTop | Functional | Real-world | Call Tree)
    • CP Date Tested (date)
    • CP Test Outcome (select - Success, Failure)
    • CP RPO Achieved (text)
    • CP RTO Achieved (text)
    • IRP Test Type (select - TableTop | Functional | Real-world | Call Tree)
    • IRP Date Tested (date)
    • IRP Test Outcome (select - Success, Failure)
    • IRP RPO Achieved (text)
    • IRP RTO Achieved (text)
  • Points of Contact (new tab)

    • Certifying Official (user)
    • Risk Executive (user)
    • Senior Information Security Officer (user)
    • Alternate Information System Security Officer (user)
    • Chief Information Security Officer (user)
    • Senior Information Systems Security Officer (user)
    • Technical Advisor (user)

init.yaml variables

csamToken: string example: "Bearer AAA..."
csamURL: URL example: "https://csam.abc.gov"
csamAgencyDefinedDataItems: Dict
Mapping of CSAM agency-defined data items: CSAM key names to RegScale custom field names.

NOTE: The Agency Defined Data Items: "High Value Asset", "Cloud System", and "Cloud Service Model" are built in and do not require inclusion in this list nor creation of custom fields.

Example:

csamAgencyDefinedDataItems:
  AI/ML Component: AI-ML Component

csamFilter: Dict

Valid keys:
id, name, acronym, organization, systemType, financialSystem, classification, contractorSystem, fismaReportable, criticalInfrastructure, missionCritical, uiiCode, portfolio, categorization, fundingStatus, operationalStatus

Example:

csamFilter:
  organization: MGMT
  systemType: Major Application, General Support Service
  operationalStatus: Operational

csamFrameworkCatalog: Dict
Mapping of the CSAM Control Frameworks to RegScale Catalog Ids.
Example:

csamFrameworkCatalog:
  800-53r5: 5
  800-53r4: 3

Commands

test_csam

A utility for testing the connectivity with CSAM. No arguments. Returns a connection success if the configuration keys are correct and the network connectivity is in place.

Command:
regscale csam test_csam

import_ssp

This is the main import for CSAM. It pulls the "systems" from CSAM and creates or updates Security Plans in RegScale.
With no filter, it imports all the plans in CSAM. Use csamFilter to limit this by key/value pair.

Each system returned by CSAM is pulled and read in.

The list of applicable systems is then compared to the list of existing RegScale security plans by CSAM Id.
Matching SSPs are updated. Missing SSPs are added.

Command:
regscale csam import_ssp
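The filter-then-reconcile logic described for import_ssp and the csamFilter section, modelled as an added Python example (not RegScale's own code). It assumes CSAM systems and RegScale plans are plain dicts with the keys shown, and that a comma-separated filter value matches any of its items, as in the csamFilter example above.

```python
"""Model of the import_ssp filter-and-reconcile step (added example, not RegScale's code).
Assumes CSAM systems and RegScale plans are plain dicts with the keys shown below."""

# Valid csamFilter keys, as listed in the init.yaml section of this page.
CSAM_FILTER_KEYS = {
    "id", "name", "acronym", "organization", "systemType", "financialSystem",
    "classification", "contractorSystem", "fismaReportable", "criticalInfrastructure",
    "missionCritical", "uiiCode", "portfolio", "categorization", "fundingStatus",
    "operationalStatus",
}

def parse_filter(csam_filter):
    """Turn the init.yaml csamFilter dict into {key: set(values)}.  A comma-separated
    value such as "Major Application, General Support Service" matches any listed item.
    Unknown keys are rejected rather than silently ignored."""
    bad = set(csam_filter) - CSAM_FILTER_KEYS
    if bad:
        raise ValueError(f"unknown csamFilter keys: {sorted(bad)}")
    return {k: {v.strip() for v in str(vals).split(",")} for k, vals in csam_filter.items()}

def matches(system, parsed):
    """A system passes when every filtered key's value is in the allowed set."""
    return all(str(system.get(k)) in allowed for k, allowed in parsed.items())

def reconcile(systems, plans, csam_filter):
    """Apply the filter, then split systems into those that update an existing
    RegScale plan (matched on CSAM Id) and those that must be created."""
    parsed = parse_filter(csam_filter)
    existing = {plan["csamId"] for plan in plans}
    to_update, to_create = [], []
    for system in systems:
        if matches(system, parsed):
            (to_update if system["id"] in existing else to_create).append(system["id"])
    return to_update, to_create

# Constructed sample data (not real CSAM or RegScale records).
SYSTEMS = [
    {"id": 101, "organization": "MGMT", "systemType": "Major Application", "operationalStatus": "Operational"},
    {"id": 102, "organization": "MGMT", "systemType": "General Support Service", "operationalStatus": "Operational"},
    {"id": 103, "organization": "MGMT", "systemType": "Minor Application", "operationalStatus": "Operational"},
    {"id": 104, "organization": "OCIO", "systemType": "Major Application", "operationalStatus": "Operational"},
    {"id": 105, "organization": "MGMT", "systemType": "Major Application", "operationalStatus": "Decommissioned"},
]
PLANS = [{"id": 1, "csamId": 101}, {"id": 2, "csamId": 103}]
FILTER = {"organization": "MGMT", "systemType": "Major Application, General Support Service",
          "operationalStatus": "Operational"}
```

With the sample data, `reconcile(SYSTEMS, PLANS, FILTER)` returns `([101], [102])`: system 101 updates its existing plan, 102 is created, and 103 to 105 are excluded by the filter.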

import_poam

This command imports Plans of Action and Milestones (POA&Ms) from CSAM into RegScale. For each plan in RegScale, it will retrieve the POA&Ms from CSAM and add them as Issues in RegScale marked as POA&M.

Command:

regscale csam import_poam