FedRAMP System Security Plan (SSP)

The best way to adopt OSCAL for your system depends on your circumstances. The OSCAL Foundation d...

If you need to convert legacy documentation to OSCAL, follow this path. If you are approaching OS...

If you are approaching OSCAL to intially create your system security plan and do not have legacy ...

FedRAMP no longer includes System Status in the SSP template; however core OSCAL requires the sy...

The SSP title page follows the Title Pages pattern.

"Prepared by" and "Prepared for" follow the Roles pattern, using the prepared-by and prepared-fo...

SSP Approvals follow the Roles pattern, using the content-approver role. Defined Identifiers Re...

This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL conte...

This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL conte...

System Information CSP Name The cloud service provider (CSP) name and abbreviation are represent...

System Owner follows the Roles pattern, using the system-owner role. Defined Identifiers Requir...

Information System Security Officer (ISSO) follows the Roles pattern, using the information-syst...

The leveraged FedRAMP-Authorized services table is used to list both underlying leveraged authori...

FedRAMP authorized services should be used, whenever possible, since their risk is defined. Howe...

The Architecture, Network and Data Flow Diagramss are each represented using the same OSCAL patte...

Entries in the services, ports, and protocols table are represented as component assemblies, with...

This is address in Appendix Q: Cryptographic Modules.

Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearning in ...

See [Controls citation and link]

There is no OSCAL construct for representing an acronyms list. Attach a document (e.g., Word, Exc...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

The Digital Identity Level (DIL) is represented on the page below. Within system-characteristics...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

The FedRAMP Control Information Summary (CIS) and Customer Responsibility Matrix (CRM) are derive...

The system's overall FIPS-199 impact level is determined primarily by the sensitivity of the info...

Needs Work Content cleanup YAML Example For MVP: attach a Word or PDF document enumerating t...

See Inventory Approaches for guidance.

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

See the FedRAMP POA&M book.

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

Cryptographic Modules Implemented for Data-in-Transit (DIT) This page needs work: The examples ...

OSCAL makes two approaches available for depicting the system inventory: Flat Approach: Aligns ...

The flat approach to inventory is only intended as a starting point for service providers convert...

The normalized approach is prefered. Organizations starting new with no legacy inventory reportin...

OSCAL offers a great deal of flexibility for controls responses. To balance consistency, interope...

The flat approach to control responses is only intended as a starting point for service providers...

The normalized approach is prefered. Organizations starting new with no legacy SSP content should...

Conrol definitions are imported by an OSCAL SSP and referenced as needed. Importing a Baseline I...

Every control should have one or more responsible roles identified. In OSCAL, there are three op...

Need rework and to cover aggregated parameters Every applicable control must have at least one re...

FedRAMP only accepts only one of five values for implementation-status: implemented, partial, pla...

FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, custome...

Within the OSCAL-based FedRAMP baselines, control statements and control objectives are tagged w...

Implementation Statements: General Organization: Multi-Part Statements There must be one statemen...

The first control in each NIST SP 800-53 control family is a policy and procedure control. These ...

For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritanc...

Within each of the statement assemblies, all responses appear in one or more by-component assembl...