Components and Component Definitions should indicate that AWS is the responsible party. Need to figure out the best way to do this. One approach is shown in this example CDef published by NIST (excerpt below), which defines the 'provider' role. Ideally, OSCAL would define a pattern for vendors to adopt, which tool vendors could rely on to determine who is responsible for content, the entities modeled within the content, etc.
{
"component-definition": {
"uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b",
"metadata": {
"title": "MongoDB Component Definition Example",
"last-modified": "2024-02-01T13:57:28.355446-04:00",
"version": "20231012",
"oscal-version": "1.1.2",
"roles": [
{
"id": "provider",
"title": "Provider"
}
],
"parties": [
{
"uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1",
"type": "organization",
"name": "MongoDB",
"links": [
{
"href": "https://www.mongodb.com",
"rel": "website"
}
]
}
]
},
...
Components and Component Definitions should indicate that AWS is the responsible party. Need to figure out the best way to do this. One approach is shown in this example CDef published by NIST (excerpt below), which defines the 'provider' role. Ideally, OSCAL would define a pattern for vendors to adopt, which tool vendors could rely on to determine who is responsible for content, the entities modeled within the content, etc.
{ "component-definition": { "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b", "metadata": { "title": "MongoDB Component Definition Example", "last-modified": "2024-02-01T13:57:28.355446-04:00", "version": "20231012", "oscal-version": "1.1.2", "roles": [ { "id": "provider", "title": "Provider" } ], "parties": [ { "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1", "type": "organization", "name": "MongoDB", "links": [ { "href": "https://www.mongodb.com", "rel": "website" } ] } ] }, ...