
Control Definitions


Control definitions are imported by an OSCAL SSP and referenced as needed. All control definition information comes from that imported baseline; the SSP itself never restates it.

Importing a Baseline

Import the appropriate FedRAMP baseline, either as an OSCAL profile or as an OSCAL resolved profile catalog. This brings in the original NIST control definitions and parameter labels as well as any FedRAMP control guidance and parameter constraints.

```yaml
system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml
```

The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5). See the Baselines page for more information about those files.

Interpreting and presenting profile content is out of the scope of this documentation. Please refer to the NIST OSCAL Profile and Catalog schema references for more information:

  • Profile Model
  • Catalog Reference

Referencing Controls

With the appropriate baseline imported above, OSCAL SSP control responses simply cite the control id from the baseline. Only control implementation information is present within an OSCAL-based SSP.

For each control in the imported baseline there MUST be exactly one entry in the implemented-requirements array (one implemented-requirement assembly within the control-implementation assembly in XML). Each entry includes:

  • a uuid
  • a control-id value that matches a control in the imported baseline
  • a set-parameters array, only if the control has one or more parameters that don't already have their value established in the baseline. See [Cite and link to Parameters page when ready] for more information.
  • a statements array. See [Cite and link to Statements page when ready] for more information.
Representation

In OSCAL YAML (control content cut; see the next pages for detail):

```yaml
system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL, but may be left blank. FedRAMP requires no specific content here.'
    implemented-requirements:
      - uuid: 11111111-2222-4000-8000-012000010000
        control-id: ac-1
        set-parameters:   # [content cut]
        statements:       # [content cut]
      - uuid: 11111111-2222-4000-8000-012000010001
        control-id: ac-2
        # [content cut]
      - uuid: 11111111-2222-4000-8000-012000010002
        control-id: ac-2.1
        # [content cut]
```

The same structure in OSCAL XML:

```xml
<system-security-plan>
    <!-- metadata -->
    <import-profile href="https://path/to/xml/FedRAMP_MODERATE-baseline_profile.xml"/>
    <!-- system-characteristics -->
    <!-- system-implementation -->
    <control-implementation>
        <description>
            <p>This description field is required by OSCAL, but may be left blank.</p>
            <p>FedRAMP requires no specific content here.</p>
        </description>
        <!-- one implemented-requirement assembly for each required control -->
        <implemented-requirement uuid="uuid-value" control-id="ac-1">
            <!-- Control content cut - See next pages for detail -->
        </implemented-requirement>
        <implemented-requirement uuid="uuid-value" control-id="ac-2">
            <!-- Control content cut - See next pages for detail -->
        </implemented-requirement>
        <implemented-requirement uuid="uuid-value" control-id="ac-2.1">
            <!-- Control content cut - See next pages for detail -->
        </implemented-requirement>
    </control-implementation>
    <!-- back-matter -->
</system-security-plan>
```

XPath Queries

URI to Profile:
    /*/import-profile/@href
CSP's Control Implementation Information:
    /*/control-implementation/implemented-requirement[@control-id="ac-1"]

NOTE: FedRAMP tools check to ensure there is one implemented-requirement assembly for each control identified in the applicable FedRAMP baseline.
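The one-entry-per-control rule above is easy to get wrong by hand (a control dropped, an enhancement such as ac-2.1 forgotten, a copy-pasted entry duplicated, or a control-id that the chosen baseline does not contain). The following script is an added example written for this page; it is not FedRAMP's own validation tooling. It walks a resolved profile catalog for control ids (enhancements are nested inside their parent control, so a recursive walk is needed), counts implemented-requirement entries in the SSP by control-id, and reports the three failure modes. The catalog and SSP embedded below are constructed samples, not the real FedRAMP baseline; the uuids in them are placeholders in the page's own 11111111-2222-... style. The script assumes real OSCAL XML, which carries the namespace http://csrc.nist.gov/ns/oscal/1.0, so the unprefixed XPath expressions above need a namespace prefix when run through an XPath engine.

```python
"""Check an OSCAL SSP for exactly one implemented-requirement per baseline control.

Added example for this page, not FedRAMP's own tooling. Runs offline against
constructed sample documents embedded below.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Real OSCAL XML namespace; the XPath on the page omits it, ElementTree cannot.
OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed sample standing in for a resolved profile catalog. Only the
# control ids matter for this check; titles are illustrative.
SAMPLE_CATALOG = f"""<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="{OSCAL_NS}" uuid="11111111-2222-4000-8000-000000000001">
  <metadata><title>Constructed baseline</title></metadata>
  <group id="ac">
    <control id="ac-1"><title>Policy and Procedures</title></control>
    <control id="ac-2"><title>Account Management</title>
      <control id="ac-2.1"><title>Automated System Account Management</title></control>
    </control>
  </group>
</catalog>
"""

# Constructed sample SSP with deliberate defects: ac-2 appears twice,
# ac-2.1 is missing, and ac-99 is not in the baseline at all.
SAMPLE_SSP = f"""<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="{OSCAL_NS}" uuid="11111111-2222-4000-8000-000000000002">
  <import-profile href="https://example.invalid/placeholder-baseline.xml"/>
  <control-implementation>
    <description><p>Left blank on purpose.</p></description>
    <implemented-requirement uuid="11111111-2222-4000-8000-012000010000" control-id="ac-1"/>
    <implemented-requirement uuid="11111111-2222-4000-8000-012000010001" control-id="ac-2"/>
    <implemented-requirement uuid="11111111-2222-4000-8000-012000010003" control-id="ac-2"/>
    <implemented-requirement uuid="11111111-2222-4000-8000-012000010004" control-id="ac-99"/>
  </control-implementation>
</system-security-plan>
"""


def baseline_control_ids(catalog_xml: str) -> set:
    """Every control id in the catalog, including enhancements nested in controls."""
    root = ET.fromstring(catalog_xml)
    return {c.get("id") for c in root.iter(f"{{{OSCAL_NS}}}control")}


def imported_profile_href(ssp_xml: str):
    """Equivalent of the page's /*/import-profile/@href query."""
    node = ET.fromstring(ssp_xml).find("o:import-profile", NS)
    return node.get("href") if node is not None else None


def ssp_control_counts(ssp_xml: str) -> Counter:
    """How many implemented-requirement entries the SSP has per control-id."""
    root = ET.fromstring(ssp_xml)
    reqs = root.findall("o:control-implementation/o:implemented-requirement", NS)
    return Counter(r.get("control-id") for r in reqs)


def check_coverage(catalog_xml: str, ssp_xml: str) -> dict:
    """Report controls missing from, duplicated in, or foreign to the SSP."""
    baseline = baseline_control_ids(catalog_xml)
    counts = ssp_control_counts(ssp_xml)
    present = set(counts)
    return {
        "missing": sorted(baseline - present),
        "duplicated": sorted(cid for cid in present & baseline if counts[cid] > 1),
        "not_in_baseline": sorted(present - baseline),
    }


if __name__ == "__main__":
    print("import-profile href:", imported_profile_href(SAMPLE_SSP))
    for kind, ids in check_coverage(SAMPLE_CATALOG, SAMPLE_SSP).items():
        print(f"{kind}: {ids}")
```

To run it against a real package, read the resolved profile catalog named by the SSP's import-profile href and the SSP file into the two string arguments; an empty result in all three lists is what the FedRAMP check described in the note above expects.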