CSAM

Integration with the USG CSAM System

CSAM Integration

Reference: https://csam.dhs.gov/CSAM/api/docs/index.html

Prep work

The CSAM integration relies upon a number of custom fields within RegScale. The code checks for these and
exits if they are missing. The fields are (all in Security Plans):

  • Basic Tab:
    • acronym (text field)
    • FISMA Id (text field)
    • Authorization Expiration Date
    • Financial System (select - Yes, No)
    • FISMA Reportable (select - Yes, No)
    • Authorization Process (text field)
    • ATO Date (date)
    • Contractor System (select - Yes, No)
    • Critical Infrastructure (select - Yes, No)
    • Mission Essential (select - Yes, No)
    • HVA Identifier (text field)
    • CFO Designation (select - Yes, No)
    • CSAM Id (text field)
    • Classification (select - Sensitive But Unclassified, Unclassified, Secret, Top Secret)
    • uii Code (text field)
    • External Web Interface (select - Yes, No)
    • Law Enforcement Sensitive (select - Yes, No)
  • Financial Information (new tab)
    • Investment Name (text field)
    • Portfolio (text field)
    • Prior Fy Funding (dollar)
    • Current Fy Funding (dollar)
    • Next Fy Funding (dollar)
    • omb Exhibit (text field)
    • Funding Import Status (text field)
  • Privacy Details (new tab)
    • PIA Date (date)
    • PTA Date (date)
    • SORN Date (date)
    • SORN Id (text field)
  • Continuity and Incident Response (new tab)
    • BIA Date Complete - Business Impact Analysis (date)
    • BIA Due Date (date)
    • CP Date Complete - Contingency Plan (date)
    • CP Due Date (date)
    • CP Training Date Complete (date)
    • CP Training Due Date (date)
    • CP Test Date Complete (date)
    • CP Test Due Date (date)
    • IRP Date Complete - Incident Response Plan (date)
    • IRP Due Date (date)
    • IRP Training Date Complete (date)
    • IRP Training Due Date (date)
    • IRP Test Date Complete (date)
    • IRP Test Due Date (date)
    • Maximum Tolerable Downtime (MTD) - (time)
    • Recovery Time Objective (RTO) - (time)
    • Recovery Point Objective (RPO) - (time)
    • Disaster Recovery Implemented (select - Yes, No)
    • Test Type (select - Tabletop | Functional | Real-world | Call Tree)
    • Date Tested (date)
    • Outcome (select - Success | Failure)
  • System Information
    • Certifying Official (user)
    • Alternate Information System Security Manager (user)
    • Alternate Information System Security Officer (user)
    • Community Cloud (checkbox)

init.yaml variables

csamToken: string, example: "Bearer AAA..."

csamURL: URL, example: "https://csam.abc.gov"

csamAgencyDefinedDataItems: Dict
Mapping of CSAM agency defined data items: CSAM key names to RegScale fields (module.tabname.fieldname).

example:

csamAgencyDefinedDataItems:
  AI/ML: securityplan.systeminfo.AI/ML

csamFilter: Dict

Valid keys:
id, name, acronym, organization, systemType, financialSystem, classification, contractorSystem, fismaReportable, criticalInfrastructure, missionCritical, uiiCode, portfolio, categorization, fundingStatus, operationalStatus

example:

csamFilter:
  organization: MGMT
  systemType: Major Application, General Support Service
  operationalStatus: Operational

Commands

test_csam

A utility for testing the connectivity with CSAM. No arguments. Returns a connection success if the configuration keys are correct and the network connectivity is in place.

Command:
regscale csam test_csam

import_csam_ssp

This is the main import for CSAM. It pulls the "systems" from CSAM and creates or updates Security Plans in RegScale.
With no filter, it imports all the plans in CSAM. Use csamFilter to limit this by key/value pair.

It pulls each system from the input and reads it in.

The list of applicable systems is then compared to the list of existing RegScale security plans by CSAM Id.
Matching SSPs are updated. Missing SSPs are added.

Command:
regscale csam import_ssp
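As an added example (not RegScale's own code) of the two steps described above, the block below filters CSAM systems by a csamFilter and reconciles them against existing security plans by CSAM Id. It uses constructed sample data and assumes that comma-separated filter values are alternatives, as in the systemType example.

```python
# Added example, not RegScale's own code: csamFilter application plus
# reconciliation by CSAM Id, the two steps import_csam_ssp is described as doing.

# Filter keys the page lists as valid for csamFilter.
VALID_FILTER_KEYS = {
    "id", "name", "acronym", "organization", "systemType", "financialSystem",
    "classification", "contractorSystem", "fismaReportable",
    "criticalInfrastructure", "missionCritical", "uiiCode", "portfolio",
    "categorization", "fundingStatus", "operationalStatus",
}

def validate_filter(csam_filter):
    """Fail fast on unknown keys instead of silently importing every system."""
    unknown = set(csam_filter) - VALID_FILTER_KEYS
    if unknown:
        raise ValueError(f"invalid csamFilter keys: {sorted(unknown)}")

def matches_filter(system, csam_filter):
    """A system passes when each filter key matches one of the comma-separated
    values (assumption: a comma lists alternatives, as in the systemType example)."""
    for key, raw in csam_filter.items():
        allowed = {v.strip() for v in str(raw).split(",")}
        if str(system.get(key, "")).strip() not in allowed:
            return False
    return True

def reconcile(csam_systems, existing_ssps, csam_filter):
    """Return (ids_to_update, ids_to_add): a CSAM Id already present in RegScale
    means the SSP is updated; a missing one means it is created."""
    validate_filter(csam_filter)
    existing_ids = {str(ssp["CSAM Id"]) for ssp in existing_ssps}
    update, add = [], []
    for system in csam_systems:
        if matches_filter(system, csam_filter):
            (update if str(system["id"]) in existing_ids else add).append(str(system["id"]))
    return update, add

# Constructed sample data; field names follow the csamFilter keys above.
SAMPLE_SYSTEMS = [
    {"id": "101", "organization": "MGMT", "systemType": "Major Application", "operationalStatus": "Operational"},
    {"id": "102", "organization": "MGMT", "systemType": "General Support Service", "operationalStatus": "Operational"},
    {"id": "103", "organization": "OCIO", "systemType": "Major Application", "operationalStatus": "Operational"},
    {"id": "104", "organization": "MGMT", "systemType": "Major Application", "operationalStatus": "Decommissioned"},
]
SAMPLE_SSPS = [{"id": 7, "CSAM Id": "101"}]  # one plan already linked to CSAM system 101
SAMPLE_FILTER = {"organization": "MGMT", "systemType": "Major Application, General Support Service", "operationalStatus": "Operational"}

if __name__ == "__main__":
    print(reconcile(SAMPLE_SYSTEMS, SAMPLE_SSPS, SAMPLE_FILTER))  # (['101'], ['102'])
```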