# Control Response: Normalized Approach

The normalized approach is prefered. Organizations starting new with no legacy SSP content should use this.

For organizations converting from a legacy FedRAMP SSP Word template, consider starting with the [Control Response: Flat Approach](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/control-response-flat-approach) and migrating to the normalized approach over time.

---

With the normalized approach, system elements are first defined as OSCAL `components`. Relvant components are then associated with control statements via `statements`/`by-components` entries. Control responses are then provided in the approrpiate `by-component` entry.

[![controls-normalized.png](https://patterns.rufrisk.com/uploads/images/gallery/2026-04/scaled-1680-/controls-normalized.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-04/controls-normalized.png)


```yaml
system-security-plan:

```

---