Control Response: Flat Approach
The flat approach to control responses is only intended as a starting point for service providers converting from a legacy FedRAMP SSP Word template.
If you are not converting a legacy SSP, use the Control Response: Normalized Approach.
With the flat approach, the entire statement-level response from a FedRAMP Word-based SSP is represented "as-is" in a single by-component assembly in OSCAL.
Retrofit Adoption Path: MVP
this system component, which represents the entire system.
When converting from a legacy Word-based SSP, the simpelest form of OSCAL adoption is to move the text from each control statement response into the "this system" component response.
Transition to Normalized
Over time, components can be added to the components array in system-characteristics. Some components will be added in order to represent SSP tables, such as leveraged authorizations, external services and cryptographic modules. Others may be added to support inventory normalization. Add any additional components you need to support or control responses.
At any time, additional by-components entries can be added to a statements entry, and linked to a component. This may occur one component at a time.
Example Transition
The legacy Word-Based SSP, response to AC-1, Statement a is:
Chapters 1 and 2 define purpose and scope, while chapter 3 defines roles. Chapters 4 - 8 define responsibilities and coordination, and chapter 9 confirms maangement commitment and potential penalties.
The Trust and Compliance Team devlopled, maintans and disseminates the XYZ Corporate Access Control Procedure, v4.2 dated February 18, 2025 to all management and administrators of the PDQ System.
The PDQ Information System Security Officer developed, maints and disseminates the PDQ Access Control Procedure, v 1.1 dated March 1, 2026, which addresses certain system specific access control details. The ISSO ensures all PDQ Cloud System managers and administrators receive a copy of this docuemnt.