FRR-RSC-08: Machine-Readable Guidance
Applies to: Low, Moderate, High
Last Updated: 2025-11-25
Version: 1.0.0
Overview
FedRAMP Rev5 requires that secure configuration guidance be available in machine-readable formats to enable automation, integration with CI/CD pipelines, and programmatic consumption. This system provides multiple machine-readable formats for different use cases.
Machine-Readable Formats
JSON (JavaScript Object Notation)
Description:
Structured data format for APIs and automation
Access Methods:
- api_endpoint: /api/guidance/all/json
- cli_download: curl https://your-instance:8080/api/guidance/all/json > guidance.json
- programmatic:
  import requests
  response = requests.get('https://your-instance:8080/api/guidance/all/json')
  guidance = response.json()
Structure Example:
{
  "requirement": "FRR-RSC-01",
  "title": "Top-Level Administrative Accounts Guidance",
  "version": "1.0.0",
  "applies_to": ["Low", "Moderate", "High"],
  "guidance": {
    "overview": "...",
    "secure_access": {...},
    "secure_configuration": {...}
  }
}
YAML (YAML Ain't Markup Language)
Description:
Human-readable data serialization format
Access Methods:
- source_files: guidance/*.yaml
- download: Available in GitHub repository or S3 bucket
Structure Example:
version: "1.0.0"
requirement: FRR-RSC-01
title: "Top-Level Administrative Accounts Guidance"
applies_to:
  - Low
  - Moderate
  - High
guidance:
  overview: |
    This guidance explains...
  secure_access:
    step1:
      title: "Enable MFA"
      instructions: |
        1. Sign in...
AWS CloudFormation Templates
Description:
Infrastructure as Code templates for deploying secure configurations
Deployment Example:
# Deploy via CLI
aws cloudformation create-stack \
  --stack-name fedramp-baseline \
  --template-body file://fedramp-rsc-complete.yaml \
  --capabilities CAPABILITY_IAM \
  --parameters ParameterKey=Environment,ParameterValue=Production

# Deploy via boto3
import boto3

cfn = boto3.client('cloudformation')
with open('fedramp-rsc-complete.yaml', 'r') as f:
    template = f.read()

cfn.create_stack(
    StackName='fedramp-baseline',
    TemplateBody=template,
    Capabilities=['CAPABILITY_IAM']
)
Terraform HCL
Description:
HashiCorp Configuration Language for multi-cloud IaC
Example Module:
# modules/fedramp-iam/main.tf
resource "aws_iam_account_password_policy" "fedramp" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

resource "aws_cloudtrail" "fedramp" {
  name                          = "fedramp-audit"
  # Assumes an aws_s3_bucket.cloudtrail resource is declared elsewhere in the module
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
}
Usage:
# Use module
module "fedramp_baseline" {
  source = "./modules/fedramp-iam"
}

# Apply
terraform init
terraform plan
terraform apply
AWS Config Conformance Pack
Description:
Collection of Config rules for compliance monitoring
Deployment Example:
# Deploy conformance pack
aws configservice put-conformance-pack \
  --conformance-pack-name fedramp-rsc \
  --template-body file://fedramp-rsc-conformance-pack.yaml

# Check compliance
aws configservice describe-conformance-pack-compliance \
  --conformance-pack-name fedramp-rsc
OSCAL (Open Security Controls Assessment Language)
Description:
NIST standard for security control information
Structure Example:
{
  "component-definition": {
    "uuid": "...",
    "metadata": {
      "title": "AWS FedRAMP RSC Implementation",
      "version": "1.0.0"
    },
    "components": [
      {
        "uuid": "...",
        "type": "service",
        "title": "AWS IAM",
        "description": "Identity and Access Management",
        "control-implementations": [...]
      }
    ]
  }
}
Integration Examples
CI/CD Pipeline Integration
Description:
Validate infrastructure against guidance in deployment pipeline
Example GitHub Actions:
name: Validate Infrastructure
on: [push]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Download FedRAMP Guidance
        run: |
          curl -o guidance.json https://your-instance/api/guidance/all/json
      - name: Validate CloudFormation
        run: |
          python scripts/validate_template.py \
            --template infrastructure.yaml \
            --guidance guidance.json
      - name: Check Compliance
        run: |
          cfn-lint infrastructure.yaml
          checkov -f infrastructure.yaml
Example Jenkins:
pipeline {
    agent any
    stages {
        stage('Download Guidance') {
            steps {
                sh 'curl -o guidance.json https://your-instance/api/guidance/all/json'
            }
        }
        stage('Validate') {
            steps {
                sh 'python validate.py --guidance guidance.json'
            }
        }
    }
}
Configuration Management Tools
Description:
Use guidance with Ansible, Chef, Puppet
Example Ansible:
---
- name: Apply FedRAMP IAM Configuration
  hosts: localhost
  connection: local
  tasks:
    - name: Download guidance
      uri:
        url: https://your-instance/api/guidance/rsc01_root_account_guidance/json
        return_content: yes
      register: guidance
    - name: Set IAM password policy
      community.aws.iam_password_policy:
        min_pw_length: "{{ guidance.json.guidance.password_policy.minimum_length }}"
        require_symbols: yes
        require_numbers: yes
        require_uppercase: yes
        require_lowercase: yes
        pw_max_age: 90
Automated Compliance Scanning
Description:
Compare actual configurations against guidance
Example Python:
import boto3
import requests

# Download guidance
guidance = requests.get('https://your-instance/api/guidance/all/json').json()

# Check IAM password policy
iam = boto3.client('iam')
policy = iam.get_account_password_policy()['PasswordPolicy']
required_length = guidance['rsc01']['guidance']['password_policy']['minimum_length']
actual_length = policy['MinimumPasswordLength']

if actual_length < required_length:
    print(f"FAIL: Password length {actual_length} < required {required_length}")
else:
    print("PASS: Password length compliant")
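The same comparison, generalised to every attribute of the password policy and decoupled from the network so it runs on captured data; this is an added example, not code from the original page. The `rsc01` layout and every guidance key other than `minimum_length` (`require_symbols`, `max_age_days`, ...) are assumed for illustration; the PasswordPolicy field names are the ones boto3 returns, and the `None` case covers the account that has no policy at all, which boto3 reports as an exception rather than an empty policy.

```python
# Constructed sample in the shape this page's /api/guidance/all/json returns;
# every password_policy key other than minimum_length is an assumed extension.
SAMPLE_GUIDANCE = {"rsc01": {"requirement": "FRR-RSC-01", "guidance": {
    "password_policy": {"minimum_length": 14, "require_symbols": True,
                        "require_numbers": True, "require_uppercase": True,
                        "require_lowercase": True, "max_age_days": 90,
                        "reuse_prevention": 24}}}}

# Constructed PasswordPolicy as boto3 get_account_password_policy() returns it;
# MaxPasswordAge and PasswordReusePrevention are simply absent when unset.
SAMPLE_ACTUAL = {"MinimumPasswordLength": 8, "RequireSymbols": True,
                 "RequireNumbers": True, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": False, "ExpirePasswords": False}

# guidance key -> (boto3 field, rule); min: actual >= want, max: actual <= want, eq: equal
CHECKS = {
    "minimum_length": ("MinimumPasswordLength", "min"),
    "require_symbols": ("RequireSymbols", "eq"),
    "require_numbers": ("RequireNumbers", "eq"),
    "require_uppercase": ("RequireUppercaseCharacters", "eq"),
    "require_lowercase": ("RequireLowercaseCharacters", "eq"),
    "max_age_days": ("MaxPasswordAge", "max"),
    "reuse_prevention": ("PasswordReusePrevention", "min"),
}

def fetch_actual_policy(iam_client):
    """PasswordPolicy dict for the account, or None when none is configured
    (boto3 raises NoSuchEntityException instead of returning an empty one)."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None

def evaluate_password_policy(guidance, actual):
    """Return FAIL findings for every attribute below guidance; [] is compliant."""
    if actual is None:
        return ["FAIL: no account password policy is set"]
    required = guidance["rsc01"]["guidance"]["password_policy"]
    findings = []
    for key, (field, rule) in CHECKS.items():
        if key not in required:
            continue  # guidance does not constrain this attribute
        want, have = required[key], actual.get(field)
        # Absent field = control off: no expiry for a "max" rule, 0/False otherwise.
        eff = have if have is not None else (float("inf") if rule == "max" else 0)
        ok = {"min": eff >= want, "max": eff <= want, "eq": eff == want}[rule]
        if not ok:
            shown = "not set" if have is None else have
            findings.append(f"FAIL {field}: actual {shown}, required {rule} {want}")
    return findings
```

In a real scan, `evaluate_password_policy(guidance, fetch_actual_policy(boto3.client('iam')))` replaces the two sample dicts.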
Policy as Code (OPA, Sentinel)
Description:
Enforce guidance using policy engines
Example OPA:
# policy.rego
package aws.iam

import data.fedramp.guidance

# Classic Rego syntax; OPA 1.0 and later expect `deny contains msg if {`
deny[msg] {
    input.resource_type == "aws_iam_account_password_policy"
    input.minimum_password_length < guidance.rsc01.password_policy.minimum_length
    msg := sprintf("Password length must be at least %d", [guidance.rsc01.password_policy.minimum_length])
}
API Endpoints
- endpoint: /api/guidance/all/json
  method: GET
  description: Complete guidance in JSON format
  response_format: JSON object with all requirements
- endpoint: /api/guidance/{requirement}/json
  method: GET
  description: Specific requirement guidance
  example: /api/guidance/rsc01_root_account_guidance/json
  response_format: JSON object for single requirement
- endpoint: /cloudformation/
  method: GET
  description: CloudFormation templates
  example: /cloudformation/fedramp-rsc-complete.yaml
  response_format: YAML CloudFormation template
- endpoint: /config/fedramp-rsc-conformance-pack.yaml
  method: GET
  description: AWS Config conformance pack
  response_format: YAML conformance pack definition
- endpoint: /oscal/
  method: GET
  description: OSCAL format files
  example: /oscal/fedramp-rsc-catalog.json
  response_format: JSON OSCAL document
Best Practices
- Use JSON for programmatic access and automation
- Use YAML for human-readable documentation
- Use CloudFormation/Terraform for infrastructure deployment
- Use Config conformance packs for continuous monitoring
- Use OSCAL for FedRAMP authorization packages
- Version control all downloaded guidance
- Cache guidance locally to reduce API calls
- Validate guidance schema before processing
- Use ETags or checksums to detect changes
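The last four practices (version the downloaded guidance, cache it locally, validate its schema before processing, detect changes with ETags or checksums) in one consumer, written as an added example rather than code from the page. The required keys follow the JSON structure shown above; the meta-file layout and the `/api/guidance/all/json` sample body are constructed for illustration.

```python
import hashlib
import json
from pathlib import Path

# Keys every requirement entry carries in the JSON structure shown on this page.
REQUIRED_KEYS = {"requirement", "title", "version", "applies_to", "guidance"}

# Constructed stand-in for a /api/guidance/all/json response body.
SAMPLE_BODY = json.dumps({"rsc01": {
    "requirement": "FRR-RSC-01", "title": "Top-Level Administrative Accounts Guidance",
    "version": "1.0.0", "applies_to": ["Low", "Moderate", "High"],
    "guidance": {"overview": "...", "password_policy": {"minimum_length": 14}}}}).encode()

def validate_guidance(doc):
    """Return schema problems found in a decoded guidance document ([] = usable)."""
    if not isinstance(doc, dict) or not doc:
        return ["top level must be a non-empty object keyed by requirement id"]
    problems = []
    for key, entry in doc.items():
        entry = entry if isinstance(entry, dict) else {}  # non-object: reports all keys missing
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            problems.append(f"{key}: missing {sorted(missing)}")
        if not isinstance(entry.get("applies_to"), list):
            problems.append(f"{key}: applies_to must be a list")
        if not isinstance(entry.get("guidance"), dict):
            problems.append(f"{key}: guidance must be an object")
    return problems

def check_update(body, previous_meta=None, etag=None):
    """Validate body; return (changed, meta) holding its SHA-256 and the ETag for If-None-Match."""
    problems = validate_guidance(json.loads(body))
    if problems:
        raise ValueError("guidance failed schema validation: " + "; ".join(problems))
    digest = hashlib.sha256(body).hexdigest()
    changed = previous_meta is None or previous_meta.get("sha256") != digest
    meta = {"sha256": digest, "etag": etag if etag is not None else (previous_meta or {}).get("etag")}
    return changed, meta

def store_guidance(cache_dir, body, etag=None):
    """Write body to cache_dir only when check_update says it changed; returns changed."""
    cache = Path(cache_dir)
    cache.mkdir(parents=True, exist_ok=True)
    meta_path = cache / "guidance.meta.json"
    previous = json.loads(meta_path.read_text()) if meta_path.exists() else None
    changed, meta = check_update(body, previous, etag)
    if changed:
        (cache / "guidance.json").write_bytes(body)
    meta_path.write_text(json.dumps(meta))  # keep the ETag current even when unchanged
    return changed
```

Pass the cached ETag as the `If-None-Match` request header on the next download; a 304 response means the cached `guidance.json` is still current and `store_guidance` need not be called.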
References
- name: JSON Specification
  url: https://www.json.org/
- name: YAML Specification
  url: https://yaml.org/
- name: CloudFormation Documentation
  url: https://docs.aws.amazon.com/cloudformation/
- name: Terraform Documentation
  url: https://www.terraform.io/docs
- name: NIST OSCAL
  url: https://pages.nist.gov/OSCAL/