oscal-component.yaml

component-definition:
  uuid: 500a0666-9b1d-4392-b2c3-d0b9002b5663
  metadata:
    title: UDS Capability Nexus
    last-modified: "2023-12-06T16:34:06Z"
    version: "20231206"
    oscal-version: 1.1.1
    parties:
      - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
        type: organization
        name: Defense Unicorns
        links:
          - href: https://defenseunicorns.com
            rel: website
  components:
    - uuid: 5e295b82-3abd-4a65-99b7-17f8814e133c
      type: software
      title: Nexus
      description: |
        Nexus Repository is a powerful and versatile repository manager that supports a variety of package formats and enables the procurement, organization, and distribution of software components. It is widely used 
        in software development for efficiently managing both public and private dependencies, and for facilitating the storage, exchange, and management of software artifacts at scale.
      purpose: Provides users with secure DevSecOps pipelines, storage of software components, storage of software artifacts, and CI/CD capabilities.
      responsible-roles:
        - role-id: provider
          party-uuids:
            - f3cf70f8-ba44-4e55-9ea3-389ef24847d3
      control-implementations:
        - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
          source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
          description: Controls implemented by Nexus for inheritance by applications that adheres to FedRAMP High Baseline and DoD IL 6.
          implemented-requirements:
            - uuid: a966a557-6d76-4274-9666-b1a7d2fd8b07
              control-id: au-2
              description: >-
                Nexus logs event logs for authentication, account logon, account management events, admin events, data deletions, data changes, and permission changes.
            - uuid: c5d66b4a-5336-45b0-afb3-80f76fa189ea
              control-id: au-3
              description: >-
                Nexus logs type of event, time of the even, location of the event, source of the event, outcome of the event, and subjects/objects involved in the event.
            - uuid: 46ed69cf-52c5-4fc0-a609-c5500d98b8a0
              control-id: au-3.1
              description: >-
                Nexus additionally logs the identity, object, or resource that is being acted upon.
            - uuid: bea2d1dd-89d3-42b3-8414-9eab8dbe3c7e
              control-id: au-8
              description: >-
                Nexus event logs contain NIST compliant timestamps.
            - uuid: bddf0206-1401-4b50-bf2a-bf81012a78b9
              control-id: au-10
              description: >-
                Nexus event logs contain the unique user or process id that takes the addition, modification, approval, sending, or relieving of data actions.
            - uuid: 0371be31-08ca-4d89-a6df-3d6af06f05b3
              control-id: au-12
              description: >-
                Nexus logs event logs for authentication, account logon, account management events, admin events, data deletions, data changes, and permission changes.
            - uuid: 5d6cd34a-40e9-4a75-968d-af933b76160a
              control-id: cm-3.1
              description: >-
                Nexus provides change control via automated notification, prohibition of changes, validation, documentation of changes, automated change implementation, and security and privacy representatives through versioning of components and artifacts.
            - uuid: 4b90d68f-c4c8-4a6f-8e41-f6df8df7dbf3
              control-id: cm-3.2
              description: >-
                Nexus provides change control testing via automated notification, prohibition of changes, testing, validation, documentation of changes, automated change implementation, and security and privacy representatives through versioning of components and artifacts.
            - uuid: c1fcab43-a011-4d6c-ba40-d65e4c684f0f
              control-id: cm-3.6
              description: >-
                Nexus utilizes the underlying istio for FIPs encryption in transit. Nexus stores data in an encrypted Redis, PostgreSQL, and KMS backed S3 Buckets.
            - uuid: 1c4af88f-12b8-407a-a1a9-7dfd8fa37336
              control-id: cm-8.2
              description: >-
                Nexus maintains the currency, completeness, accuracy, and the inventory of system components within in the system as all parts are stored and deployed through Nexus's CI/CD process.
            - uuid: 033d181c-31cb-477f-93f5-51ec90f28625
              control-id: sa-4.1
              description: >-
                Nexus provides description of the functional properties, components, and services within the system.
            - uuid: 9f7d164e-be45-4ba7-b1c3-e2c5339d65ee
              control-id: sa-4.2
              description: >-
                Nexus contains the source code for the system and system components.
            - uuid: 6321cf2f-2a6f-4647-bb1e-8a234f8d8730
              control-id: sa-4.5
              description: >-
                Nexus provides the default configurations for the system, components, or services that are implemented.
            - uuid: 0dfb95e2-6dbd-41af-ae45-03671df9e418
              control-id: sa-4.9
              description: >-
                Nexus provides the functions, ports, protocols, and services, for the system and system components within the source code.
            - uuid: 332491cd-8096-4e0a-9d24-a79fb5172800
              control-id: sc-13
              description: >-
                Nexus utilized Istio Network for FIPs encryption in transit. FIPs encryption for data at rest is handled by PostgreSQL, Redis, and AWS S3 backed by KMS.
  back-matter:
    resources:
      - uuid: 701a6239-1ec0-4fd1-bd62-7d1dde7e8078
        title: UDS Capability Nexus
        rlinks:
          - href: https://github.com/defenseunicorns/uds-capability-Nexus