Control Response: Approaches
OSCAL offers a great deal of flexibility for control responses. To balance consistency, interoperability and ease of adoption, the OSCAL Foundation recommends two approaches:
- Flat Approach: Aligns with FedRAMP's SSP Word template, where control responses are written at the statement level and the narrative alone distinguishes between the components within the response.
- Normalized Approach: Control responses are decomposed to align with relevant components.
With the flat approach, the entire statement-level response from a FedRAMP Word-based SSP is represented "as-is" in a single by-component assembly in OSCAL.
See Controls: Flat Approach for more information.
Retrofit Adoption Path: MVP
If you have an existing FedRAMP authorization with an existing Word-based FedRAMP SSP, start with the flat approach and migrate over time to the normalized approach.
With the normalized approach, components are associated with control response statements. Responses are possible either for the whole statement or associated with a specific component relative to the statement response.
See Controls: Normalized Approach for more information.
New Adoption Path: Core
If you are adopting OSCAL at the beginning of your FedRAMP journey, respond to control statements at the component level as much as practical. Define OSCAL components ahead of time, and be prepared to add components as needed for control response authoring.
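As an added example that is not part of this page or of FedRAMP's own templates, the following constructed OSCAL SSP fragment (YAML serialization) shows the same statement, AC-2 part (a), first in the flat approach and then in the normalized approach. All UUIDs, component names and narrative text are constructed placeholders, and placing the whole-statement response in a by-component that points at the "this-system" component is assumed from FedRAMP practice rather than stated on this page.

```yaml
# Constructed OSCAL SSP fragment: one implemented-requirement for AC-2,
# serialized as YAML, in two YAML documents. UUIDs, component names and
# narratives are placeholders, not values from any real system.
---
# FLAT APPROACH: the entire statement-level narrative from the Word-based SSP
# is carried as-is in a single by-component that points at the "this-system"
# component; the narrative alone distinguishes the components involved.
uuid: 33333333-3333-4333-8333-333333333333
control-id: ac-2
statements:
  - statement-id: ac-2_smt.a
    uuid: 44444444-4444-4444-8444-444444444444
    by-components:
      - component-uuid: 11111111-1111-4111-8111-111111111111  # component of type this-system
        uuid: 55555555-5555-4555-8555-555555555555
        description: >-
          The Identity Provider (IdP) defines three account types: standard,
          privileged and service. Requests for each type are submitted in the
          Ticketing System and approved by the account owner's manager before
          the IdP administrator provisions the account.
---
# NORMALIZED APPROACH: the same response is decomposed. One by-component on
# "this-system" carries the whole-statement position (assumed FedRAMP
# convention); each relevant component carries only its own part.
uuid: 33333333-3333-4333-8333-333333333333
control-id: ac-2
statements:
  - statement-id: ac-2_smt.a
    uuid: 44444444-4444-4444-8444-444444444444
    by-components:
      - component-uuid: 11111111-1111-4111-8111-111111111111  # this-system
        uuid: 66666666-6666-4666-8666-666666666666
        description: >-
          Three account types are defined: standard, privileged and service.
          Definition is enforced by the IdP; approval is recorded in the
          Ticketing System.
      - component-uuid: 22222222-2222-4222-8222-222222222222  # type: service, "Identity Provider" (constructed)
        uuid: 77777777-7777-4777-8777-777777777777
        description: >-
          Implements the three account types as directory groups and only
          provisions an account after an approved ticket is referenced.
      - component-uuid: 88888888-8888-4888-8888-888888888888  # type: software, "Ticketing System" (constructed)
        uuid: 99999999-9999-4999-8999-999999999999
        description: >-
          Records the request and the manager's approval for every account
          type, providing the audit trail for this statement.
```

Under the retrofit path, the first document can be produced by pasting each Word-template narrative into its this-system by-component; migrating to the second document then means splitting that narrative across the components already defined in system-implementation, without changing the statement-id or control-id.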