Control Implementation Statements

Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only have a top-level statement with no parts. Current FedRAMP templates expect responses at the lettered part level when present and at the top-level otherwise.

OSCAL SSPs cite controls and control requirement statements in responses.

Within the OSCAL FedRAMP baselines, each control statement is assigned an identifier. Any lettered parts are also assigned identifiers.

Citing statement identifiers correctly is critical to automated processing.
See Citing Control Statements for important information.

Typical

Most FedRAMP controls have two or more lettered parts. FedRAMP expects control responses at this level.

Within the control-implementation / implemented-requirements array, each entry includes:

a required uuid field
a required control-id field that cites the control using its id from the baseline.
a required statements array. Each array entry includes:
- a statement-id field that cites the control statement using its id from the baseline.
- a by-components array
  - See Responding By Component for more information.

Multi-Part Statement Representation

system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      statements:
      - statement-id: ac-1_smt.a
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
          [content cut]

Non-Typical

If there are no lettered parts in the control definition, such as with AC-2 (1), there must be exactly one statement assembly.

Single-Statement Representation

A single-statement representation is identical to a typical multi-part statement representation, except for the following:

there is only one entry in the statements array
the statement-id value cites the baseline ID for the statement part itself instead of one of its child parts.


system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-2.1
      statements:
      - statement-id: ac-2.1_smt
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
          [content cut]

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Control Implementation Statements

Typical

Multi-Part Statement Representation

Non-Typical

Single-Statement Representation