FedRAMP Security Controls

Control Response: Approaches

OSCAL offers a great deal of flexibility for controls responses. To balance consistency, interope...

Control Response: Flat Approach

The flat approach to control responses is only intended as a starting point for service providers...

Control Response: Normalized Approach

The normalized approach is prefered. Organizations starting new with no legacy SSP content should...

Responding to Control Baselines

OSCAL references controls in baselines and catalogs. The statements are not duplicated into an O...

Responsible Roles

Every control should have one or more responsible roles identified. In OSCAL, there are three po...

Parameter Assignments

Representation If a FedRAMP control has one or more parameters, add a set-parameters array Withi...

Implementaiton Status

FedRAMP only accepts only one of five values for implementation-status: implemented, partial, pla...

Control Origination

FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, custome...

Responding By Component

OSCAL SSPs represent control responses in control-implementation / implemented-requirements / st...

Control Implementation Statements

Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only h...

Control Response: Policies, Procedures, Plans, RoB, and Guides

Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 contro...

Inheritence and Customer Responsibilities

For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritanc...

Citing Control Statements

OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation res...

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Search Results