FedRAMP System Security Plan (SSP)

The best way to adopt OSCAL for your system depends on your circumstances. The OSCAL Foundation d...

If you need to convert legacy documentation to OSCAL, follow this path. If you are approaching OS...

If you are approaching OSCAL to intially create your system security plan and do not have legacy ...

FedRAMP no longer includes System Status in the SSP template; however core OSCAL requires the sy...

The SSP title page follows the Title Pages pattern.

Prepared By and Prepared For follow the Roles pattern, using the prepared-by and prepared-for ro...

SSP Approvals follow the Roles pattern, using the content-approver role. Defined Identifiers Re...

This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL conte...

This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL conte...

System Information CSP Name The cloud service provider (CSP) name and abbreviation are represent...

System Owner follows the Roles pattern, using the system-owner role. Defined Identifiers Requir...

Information System Security Officer (ISSO) follows the Roles pattern, using the information-syst...

The leveraged FedRAMP-Authorized services table is used to list both underlying leveraged authori...

FedRAMP authorized services should be used, whenever possible, since their risk is defined. Howe...

The Architecture, Network and Data Flow Diagramss are each represented using the same OSCAL patte...

Entries in the services, ports, and protocols table are represented as component assemblies, with...

This is address in Appendix Q: Cryptographic Modules.

The metadata / roles array must have one entry for each column an id with a token (use pre-defi...

Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearning in ...

See the FedRAMP Security Controls chapter.

There is no OSCAL construct for representing an acronyms list. Attach a document (e.g., Word, Exc...

See Control Response: Policies and Procedures.

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

The Digital Identity Level (DIL) is represented on the page below. Within system-characteristics...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

The FedRAMP Control Information Summary (CIS) and Customer Responsibility Matrix (CRM) are derive...

The system's overall FIPS-199 impact level is determined primarily by the sensitivity of the info...

Needs Work Content cleanup YAML Example For MVP: attach a Word or PDF document enumerating t...

See Inventory Approaches for guidance.

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

See the FedRAMP POA&M book.

This needs work that may have been completed elsewhere and nees to be moved into here. This ...

Cryptographic Modules Implemented for Data-in-Transit (DIT) OSCAL's component model treats indepe...

OSCAL makes two approaches available for depicting the system inventory: Flat Approach: Aligns ...

The flat approach to inventory is only intended as a starting point for service providers convert...

The normalized approach is prefered. Organizations starting new with no legacy inventory reportin...

OSCAL offers a great deal of flexibility for controls responses. To balance consistency, interope...

The flat approach to control responses is only intended as a starting point for service providers...

The normalized approach is prefered. Organizations starting new with no legacy SSP content should...

OSCAL references controls in baselines and catalogs. The statements are not duplicated into an O...

Every control should have one or more responsible roles identified. In OSCAL, there are three po...

Representation If a FedRAMP control has one or more parameters, add a set-parameters array Withi...

FedRAMP only accepts only one of five values for implementation-status: implemented, partial, pla...

FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, custome...

OSCAL SSPs represent control responses in control-implementation / implemented-requirements / st...

Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only h...

Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 contro...

For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritanc...

OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation res...