
Citing Control Statements

Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only have a top-level statement with no parts.

Within the FedRAMP baselines, each control statement is assigned an identifier. Any lettered parts are also assigned an identifier.

Citing Control Statement Identifiers Correctly

OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation responses. Citing the identifiers correctly is critical to machine processing.

The identifiers to cite are the ones assigned to statement parts and item parts.

Each control in the FedRAMP OSCAL baselines has a parts array at the root of the control. Each parts entry includes:

  • a required id
  • a required name

For each control, exactly one parts entry has a name with a value of statement. This statement part has:

  • a required id representing the control statement as a whole
  • a prose field, a nested parts array, or sometimes both.
    • If a prose field is present, it includes any portion of the control statement that is not broken down into lettered parts.
    • A nested parts array is present only if the control has lettered parts. Each entry in the nested array includes:
      • a required id
      • a name with a value of item
      • prose containing the actual control requirement statement from the FedRAMP baseline
      • a props array with a label property that includes the part citation ("a.", "b.", etc.)

For SSP authoring, ignore any parts entry in the baseline outside of the statement part and its child parts. Other part types are for control assessments.

catalog:
  groups:
  - controls:
    # A control with lettered parts: each item part has its own id and label.
    - id: ac-1
      title: Policy and Procedures
      parts:
      - id: ac-1_smt
        name: statement
        parts:
        - id: ac-1_smt.a
          name: item
          props:
          - name: label
            value: 'a.'
          prose: 'Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:'

    # A control with no lettered parts: the statement part carries the prose directly.
    - id: ac-2.1
      title: Automated System Account Management
      parts:
      - id: ac-2.1_smt
        name: statement
        prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'
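
One way to apply these rules when checking an SSP, as an added example that is not FedRAMP's own tooling: the Python below collects the id of each control's statement part and its item parts, skips every other part type, and reports cited identifiers the baseline does not define. The sample data is constructed from the excerpt above (the ac-1_obj part is a made-up non-statement entry), the function names are hypothetical, and the recursion into nested groups, nested controls and nested item parts generalizes beyond what the excerpt shows.

```python
# Added example. BASELINE is a constructed sample mirroring the excerpt on this page.
BASELINE = {"catalog": {"groups": [{"controls": [
    {"id": "ac-1", "title": "Policy and Procedures", "parts": [
        {"id": "ac-1_smt", "name": "statement", "parts": [
            {"id": "ac-1_smt.a", "name": "item",
             "props": [{"name": "label", "value": "a."}]}]},
        # Constructed non-statement part: must never be cited from an SSP.
        {"id": "ac-1_obj", "name": "assessment-objective"}]},
    {"id": "ac-2.1", "title": "Automated System Account Management", "parts": [
        {"id": "ac-2.1_smt", "name": "statement", "prose": "Support the management ..."}]},
]}]}}


def iter_controls(node):
    """Yield every control under a catalog, group, or control (controls may nest)."""
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)
    for group in node.get("groups", []):
        yield from iter_controls(group)


def item_ids(part):
    """Map item-part id -> label for every item part nested under `part`."""
    found = {}
    for child in part.get("parts", []):
        if child.get("name") == "item":
            labels = [p["value"] for p in child.get("props", []) if p.get("name") == "label"]
            found[child["id"]] = labels[0] if labels else None
            found.update(item_ids(child))
    return found


def citable_ids(catalog):
    """Map control id -> {statement or item id: label}; other part types are ignored."""
    result = {}
    for control in iter_controls(catalog["catalog"]):
        statements = [p for p in control.get("parts", []) if p.get("name") == "statement"]
        if len(statements) != 1:
            raise ValueError(f"{control['id']}: expected exactly one statement part")
        result[control["id"]] = {statements[0]["id"]: None, **item_ids(statements[0])}
    return result


def invalid_citations(catalog, cited):
    """Return the (control id, statement id) pairs the baseline does not define."""
    valid = citable_ids(catalog)
    return [(c, s) for c, s in cited if s not in valid.get(c, {})]
```
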
          

Response Point Properties


      - id: ac-2.1
        title: Automated System Account Management
        parts:
        - id: ac-2.1_smt
          name: statement
          props:
          - name: response-point
            ns: http://fedramp.gov/ns/oscal
            value: You must fill in this response point.
          prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'