Control Definitions
Control definitions are imported by an OSCAL SSP and referenced as needed.
Importing a Baseline
Import the appropriate FedRAMP Baseline, either as an OSCAL profile or as an OSCAL resolved profile catalog.
```yaml
system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml
```
The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5).
See Baselines for more information about those files.
Referencing Controls
With the appropriate baseline imported above, OSCAL SSP control responses simply cite the control id from the baseline.
For each control in the imported baseline there MUST be exactly one `implemented-requirements` entry that includes:

- a `uuid`
- a `control-id` with a value that matches a control in the imported baseline
- a `set-parameters` array, only if the control has one or more parameters that don't already have their `value` established in the baseline. See [Cite and link to Parameters page when ready] for more information.
- a `statements` array. See [Cite and link to Statements page when ready] for more information.
```yaml
system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL.'
    implemented-requirements:
      - uuid: 11111111-2222-4000-8000-012000010000
        control-id: ac-1
        set-parameters:
          [content cut]
        statements:
          [content cut]
      - uuid: 11111111-2222-4000-8000-012000010001
        control-id: ac-2
        [content cut]
      - uuid: 11111111-2222-4000-8000-012000010002
        control-id: ac-2.1
        [content cut]
```
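The "exactly one `implemented-requirements` entry per baseline control" rule is easy to get wrong by hand (a duplicated entry, a forgotten enhancement, a control id that is not in the imported baseline). The following Python script is an added example, not FedRAMP or OSCAL Foundation code, that checks the rule. It assumes the resolved profile catalog is OSCAL XML in the `http://csrc.nist.gov/ns/oscal/1.0` namespace with enhancements nested inside their parent `control` element, and it works on a constructed, cut-down catalog and on a dict shaped like the parsed YAML example above rather than on the real FedRAMP files.

```python
"""Check an OSCAL SSP's implemented-requirements against an imported baseline.

Added example, not part of the FedRAMP/OSCAL documentation. Encodes the rule:
every baseline control needs exactly one implemented-requirements entry, and
each entry needs a uuid and a control-id that resolves to a baseline control.
"""
import uuid as uuidlib
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"

# Constructed stand-in for a resolved profile catalog. The real FedRAMP files
# are far larger; the shape (enhancement ac-2.1 nested in ac-2) is what matters.
BASELINE_XML = f"""
<catalog xmlns="{OSCAL_NS}" uuid="00000000-0000-4000-8000-000000000000">
  <group id="ac">
    <title>Access Control</title>
    <control id="ac-1"><title>Policy and Procedures</title></control>
    <control id="ac-2"><title>Account Management</title>
      <control id="ac-2.1"><title>Automated System Account Management</title></control>
    </control>
  </group>
</catalog>
"""

# Constructed: what yaml.safe_load() would return for the SSP fragment above,
# with the cut sections omitted.
SAMPLE_SSP = {
    "system-security-plan": {
        "control-implementation": {
            "description": "This description field is required by OSCAL.",
            "implemented-requirements": [
                {"uuid": "11111111-2222-4000-8000-012000010000", "control-id": "ac-1"},
                {"uuid": "11111111-2222-4000-8000-012000010001", "control-id": "ac-2"},
                {"uuid": "11111111-2222-4000-8000-012000010002", "control-id": "ac-2.1"},
            ],
        }
    }
}


def baseline_control_ids(catalog_xml: str) -> set:
    """Collect every control id in the catalog, including nested enhancements."""
    root = ET.fromstring(catalog_xml)
    return {c.attrib["id"] for c in root.iter(f"{{{OSCAL_NS}}}control")}


def validate_implemented_requirements(ssp: dict, baseline_ids: set) -> list:
    """Return human-readable findings; an empty list means the rule is satisfied."""
    findings = []
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    entries_by_control = {}
    for idx, req in enumerate(reqs):
        label = f"implemented-requirements[{idx}]"
        req_uuid = req.get("uuid")
        try:
            uuidlib.UUID(str(req_uuid))  # rejects None and malformed strings
        except ValueError:
            findings.append(f"{label}: missing or malformed uuid {req_uuid!r}")
        cid = req.get("control-id")
        if cid not in baseline_ids:
            findings.append(f"{label}: control-id {cid!r} is not in the imported baseline")
        entries_by_control.setdefault(cid, []).append(idx)
    # More than one entry for a baseline control violates "exactly one".
    for cid, idxs in entries_by_control.items():
        if cid in baseline_ids and len(idxs) > 1:
            findings.append(f"control {cid} has {len(idxs)} entries; exactly one is required")
    # Baseline controls with no entry at all are the most common omission.
    for cid in sorted(baseline_ids - set(entries_by_control)):
        findings.append(f"control {cid} has no implemented-requirements entry")
    return findings


if __name__ == "__main__":
    ids = baseline_control_ids(BASELINE_XML)
    problems = validate_implemented_requirements(SAMPLE_SSP, ids)
    print("OK: every baseline control is implemented exactly once" if not problems
          else "\n".join(problems))
```

To run it against real files, replace `BASELINE_XML` with the contents of the imported resolved profile catalog and `SAMPLE_SSP` with the SSP parsed by a YAML or JSON loader; the checks themselves do not change. Treating a missing or duplicated control as a hard failure in CI keeps a drifted SSP from being submitted as if it covered the whole baseline.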