Citing Control Statements
Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only have a top-level statement with no parts.
Within the FedRAMP baselines, each control statement is assigned an identifier. Any lettered parts are also assigned an identifier.
Citing Control Statement Identifiers Correctly
OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation responses. Citing the identifiers correctly is critical to machine processing.
Within OSCAL baselines, identifiers are assigned to statement parts and item parts for reference by SSPs.
The statement Part
All OSCAL parts entries have:
- a required id field; and
- a required name field.
For every control in the FedRAMP baselines there is exactly one parts entry where name = statement. This is the statement part.
```yaml
- id: ac-2.1
  title: Automated System Account Management
  parts:
    - id: ac-2.1_smt
      name: statement
```
Simple Controls
For simple controls, the statement part has a prose field that includes the control requirement statement.
```yaml
- id: ac-2.1
  title: Automated System Account Management
  parts:
    - id: ac-2.1_smt
      name: statement
      prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'
```
The id value for the statement part (i.e. ac-2.1_smt) is cited by the SSP's statements array when responding to this control.
Controls with Child Statements
For a control with child statements (a., b., etc.), the statement part includes a nested parts array. Every element in the nested parts array has:
- a required id field; and
- a required name field, always with a value of item.
- a prose field that includes this part of the control requirement statement.
- an additional nested parts array IF this part has child parts.
Each control in the FedRAMP OSCAL baselines has a parts array at the root of the control. Each parts entry includes:
- a required id
- a required name.
For each control, exactly one parts entry has a name with a value of statement. This statement part has:
- a required id representing the control statement as a whole;
- either a prose field or a nested parts array. Sometimes both. If a prose field is present, it includes any portion of the control statement that is not broken down into lettered parts;
- a nested parts array IF the control has lettered parts. The nested array includes:
  - a required id
  - a name with a value of item
  - prose containing the actual control requirement statement from the FedRAMP baseline
  - a props array with a label property that includes the part citation ("a.", "b.", etc.)
For SSP authoring, ignore any parts entry in the baseline outside of the statement part and its child parts. Other part types are for control assessments.
```yaml
catalog:
  groups:
    - controls:
        - id: ac-1
          title: Policy and Procedures
          parts:
            - id: ac-1_smt
              name: statement
              parts:
                - id: ac-1_smt.a
                  name: item
                  props:
                    - name: label
                      value: 'a.'
                  prose: 'Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:'
```
Response Point Properties
A response-point property appears in the props array and includes:
- a name set to response-point
- an ns set to http://fedramp.gov/ns/oscal
- a value that may be any string and can be ignored.
```yaml
- id: ac-2.1
  title: Automated System Account Management
  parts:
    - id: ac-2.1_smt
      name: statement
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: You must fill in this response point.
      prose: 'Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.'
```
When an SSP tool encounters a parts entry that contains this property, it should present that part to users of the authoring tool as the expected level of response for that control. The presence of the property is the signal; its value carries no meaning for processing.
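As an added example (not code from the FedRAMP automation project or the OSCAL project), the following Python walks a baseline by the rules described above: it requires exactly one statement part per control, descends only into item parts, ignores every other part type, records each part's label and whether it carries a FedRAMP response-point property, and then checks an SSP's statement-id citations against the resulting index. The baseline and SSP fragments are constructed for the example (the ac-1_gdn guidance part, the second ac-1 item, and the placeholder prose are assumptions, not baseline text); a real baseline parsed from its JSON or YAML form has the same dictionary structure and walks unchanged.

```python
"""Added example (not FedRAMP/OSCAL project code): index the citable
statement/item ids in an OSCAL baseline, flag FedRAMP response points, and
check an SSP's statement-id citations against it. The baseline and SSP
fragments are constructed; a real baseline loaded with json or yaml has the
same dict structure and walks unchanged."""
import json

RESPONSE_POINT_NS = "http://fedramp.gov/ns/oscal"

# Constructed baseline: ac-1 with lettered parts (b. is a response point),
# ac-2 with enhancement ac-2.1 as a simple control, and a guidance part that
# SSP authoring must ignore. Prose not taken from the page is placeholder.
BASELINE_JSON = r'''{"catalog": {"groups": [{"id": "ac", "title": "Access Control",
 "controls": [
  {"id": "ac-1", "title": "Policy and Procedures", "parts": [
    {"id": "ac-1_smt", "name": "statement", "parts": [
      {"id": "ac-1_smt.a", "name": "item",
       "props": [{"name": "label", "value": "a."}],
       "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:"},
      {"id": "ac-1_smt.b", "name": "item",
       "props": [{"name": "label", "value": "b."},
                 {"name": "response-point", "ns": "http://fedramp.gov/ns/oscal",
                  "value": "You must fill in this response point."}],
       "prose": "Constructed placeholder for part b."}]},
    {"id": "ac-1_gdn", "name": "guidance", "prose": "Not a statement part."}]},
  {"id": "ac-2", "title": "Account Management",
   "parts": [{"id": "ac-2_smt", "name": "statement", "prose": "Constructed placeholder."}],
   "controls": [
    {"id": "ac-2.1", "title": "Automated System Account Management", "parts": [
      {"id": "ac-2.1_smt", "name": "statement",
       "props": [{"name": "response-point", "ns": "http://fedramp.gov/ns/oscal",
                  "value": "You must fill in this response point."}],
       "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."}]}]}]}]}}'''

# Constructed SSP fragment (implemented-requirements): ac-1 omits its
# response point b., and ac-2.1 cites an id that is not a statement part.
SSP_REQUIREMENTS = [
    {"control-id": "ac-1", "statements": [{"statement-id": "ac-1_smt.a"}]},
    {"control-id": "ac-2.1", "statements": [{"statement-id": "ac-2.1_smt"},
                                            {"statement-id": "ac-2.1_gdn"}]},
]

def load_baseline(text):
    return json.loads(text)

def iter_controls(node):
    """Yield every control, recursing through nested groups and enhancements."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)

def label_of(part):
    return next((p["value"] for p in part.get("props", []) if p.get("name") == "label"), None)

def is_response_point(part):
    """True when props carry a FedRAMP response-point; its value is ignored."""
    return any(p.get("name") == "response-point" and p.get("ns") == RESPONSE_POINT_NS
               for p in part.get("props", []))

def citable_parts(control):
    """Return (id, label, response_point) for the statement part and its items.

    Exactly one root part must be named 'statement'; guidance and other part
    types are skipped. Items are walked recursively so sub-items count too."""
    statements = [p for p in control.get("parts", []) if p.get("name") == "statement"]
    if len(statements) != 1:
        raise ValueError(f"{control['id']}: expected one statement part, found {len(statements)}")
    found = []

    def walk(part):
        found.append((part["id"], label_of(part), is_response_point(part)))
        for child in part.get("parts", []):
            if child.get("name") == "item":
                walk(child)

    walk(statements[0])
    return found

def statement_index(baseline):
    """Map every citable id -> (owning control id, label, response_point)."""
    return {pid: (c["id"], label, rp)
            for c in iter_controls(baseline["catalog"])
            for pid, label, rp in citable_parts(c)}

def check_ssp_citations(index, requirements):
    """Report unknown ids, ids cited under another control, and response
    points left without a statement response."""
    problems = []
    for req in requirements:
        cid = req["control-id"]
        cited = {s["statement-id"] for s in req.get("statements", [])}
        for sid in sorted(cited):
            if sid not in index:
                problems.append(f"{cid}: cites unknown statement id {sid}")
            elif index[sid][0] != cid:
                problems.append(f"{cid}: {sid} belongs to control {index[sid][0]}")
        for sid, (owner, _label, rp) in index.items():
            if owner == cid and rp and sid not in cited:
                problems.append(f"{cid}: response point {sid} has no statement response")
    return problems

if __name__ == "__main__":
    idx = statement_index(load_baseline(BASELINE_JSON))
    print("\n".join(f"{o:7} {p:12} label={l} response_point={r}" for p, (o, l, r) in idx.items()))
    print("\n".join("PROBLEM: " + m for m in check_ssp_citations(idx, SSP_REQUIREMENTS)))
```

Running the script lists five citable ids (ac-1_gdn never appears, because only the statement part and its item descendants are indexed) and two problems: ac-1 has not answered its response point b., and ac-2.1 cites an id that no statement part carries. The same index also catches a statement id cited under the wrong control, which is the error most likely to survive a visual review since the id still looks plausible.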