
Control Implementation Statements

Implementation Statements: General

Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only have a top-level statement with no parts. Current FedRAMP templates expect responses at the lettered part level when present and at the top-level otherwise.

OSCAL SSPs cite controls and control requirement statements in responses.

Within the OSCAL FedRAMP baselines, each control statement is assigned an identifier. Any lettered parts are also assigned identifiers.

Citing statement identifiers correctly is critical to automated processing.
See Citing Control Statements for important information.

Typical Organization: Multi-Part Statements

Most FedRAMP controls have two or more lettered parts. FedRAMP expects control responses at this level.

Within the control-implementation / implemented-requirements array, each entry includes:

Multi-Part Statement Representation
system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      statements:
      - statement-id: ac-1_smt.a
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
          [content cut]


Non-Typical Organization: Single Statement

If there are no lettered parts in the control definition, such as with AC-2 (1), there must be exactly one statement assembly.

Single-Statement Representation

A single-statement representation is identical to a typical multi-part statement representation, except for the following:

  • there is only one entry in the statements array
  • the statement-id value cites the baseline ID for the statement part itself instead of one of its child parts.

system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-2.1
      statements:
      - statement-id: ac-2.1_smt
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
          [content cut]
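
Because automated processing depends on statement identifiers being cited correctly, a pre-submission check can catch a response that cites the top-level statement of a multi-part control, or a child part of a single-statement control. The following is an added example, not FedRAMP or OSCAL project code; `BASELINE_PARTS`, `SAMPLE` and the function names are constructed for illustration, using the `<control-id>_smt` and `<control-id>_smt.<letter>` identifier patterns shown on this page.

```python
import string

# Constructed stand-in for the resolved baseline: control-id -> lettered part IDs.
# An empty list means the control has only a top-level statement.
BASELINE_PARTS = {
    "ac-2": [f"ac-2_smt.{c}" for c in string.ascii_lowercase[:11]],  # parts a..k
    "ac-2.1": [],
}

def expected_statement_ids(control_id, baseline=BASELINE_PARTS):
    """IDs a response must cite: the lettered parts, else the top-level statement."""
    parts = baseline[control_id]
    return parts if parts else [f"{control_id}_smt"]

def check_requirement(req, baseline=BASELINE_PARTS):
    """Return a list of findings for one implemented-requirements entry."""
    control_id = req["control-id"]
    if control_id not in baseline:
        return [f"{control_id}: control not in baseline"]
    expected = expected_statement_ids(control_id, baseline)
    cited = [s["statement-id"] for s in req.get("statements", [])]
    findings = []
    for sid in sorted(set(cited)):
        if cited.count(sid) > 1:
            findings.append(f"{control_id}: {sid} cited more than once")
        if sid not in expected:
            findings.append(f"{control_id}: {sid} is not an expected statement-id")
    for sid in expected:
        if sid not in cited:
            findings.append(f"{control_id}: no response for {sid}")
    return findings

# Constructed sample entries using the same keys as implemented-requirements.
SAMPLE = [
    {"control-id": "ac-2.1", "statements": [{"statement-id": "ac-2.1_smt"}]},
    {"control-id": "ac-2", "statements": [{"statement-id": "ac-2_smt"}]},
]

if __name__ == "__main__":
    for req in SAMPLE:
        for finding in check_requirement(req) or [f"{req['control-id']}: ok"]:
            print(finding)
```

In practice the part list would be derived from the resolved FedRAMP baseline catalog rather than hard-coded.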