Citing Control Statements

OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation responses. Citing the identifiers correctly is critical to machine processing.

Within OSCAL baselines, identifiers are assigned to statement parts and item parts for reference by SSPs.

The `statement` Part

All OSCal parts entries have:

a required id field; and
a required name field.

For every control in the FedRAMP baselines there is exactly one parts entry where name = statement. This is the statement part.


      - id: ac-2.1
        title: Automated System Account Management
        parts:
        - id: ac-2.1_smt
          name: statement

Simple Controls

For simple controls, the statement part has a prose field that includes the control requirement statement.


      - id: ac-2.1
        title: Automated System Account Management
        parts:
        - id: ac-2.1_smt
          name: statement
          prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'

The id value for the statement part (i.e. ac-2.1_smt) is cited by the SSP's statements array when responding to this control.

Controls with Child Statements

For a control with child statements (a., b., etc.), the statement part includes a nested parts array. Every element in the nested parts array has:

a required id field; and
a required name field. Always with a value of item.
a prose field that includes this part of the control requirement statement.
an additional nested parts array IF this part has child parts.

Each control in the FedRAMP OSCAL baselines has a parts array at the root of the control. Each parts entry includes:

a required id
a required name.

catalog:
  groups:
    controls:
    - id: ac-1
      title: Policy and Procedures
      parts:
      - id: ac-1_smt
        name: statement
        parts:
        - id: ac-1_smt.a
          name: item
          props:
          - name: label
            value: 'a.'
          prose: 'Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:'

For SSP authoring, ignore any parts entry in the baseline outside of the statement part and its child parts. Other part types are for control assessments.

Response Point Properties

To aid SSP authoring tools in identifying the required statement level at which to respond, response-point properties are included in the FedRAMP baselines.

SSP authoring tools should limit the scope of response-point property searches to the statement part and its child parts. Ignore response-point properties in the parts related to assessments.

A response-point property appears in the props array and includes:

a name set to response-point
a ns set to http://fedramp.gov/ns/oscal
a value with a value that is any string and can be ignored.


      - id: ac-2.1
        title: Automated System Account Management
        parts:
        - id: ac-2.1_smt
          name: statement
          props:
          - name: response-point
            ns: http://fedramp.gov/ns/oscal
            value: You must fill in this response point.
          prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'

When an SSP tool encounters a parts entry that contains this property, it should be presented to users of SSP authoring tools as the expected level of response for that control.

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Citing Control Statements

The statement Part

Simple Controls

Controls with Child Statements

Response Point Properties

The `statement` Part