Control Response: Policies, Procedures, Plans, RoB, and Guides

Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 controls. With an OSCAL SSP, the attachment is linked directly from the control. This is how tools know which attachment satisfies each requirement.

Control ID	Artifact to Link	Expected
Each `-1`	Policy	1
Each `-1`	Procedure(s)	1+
SA-5 (`id`=`sa-5`)	Appendix D: User Guide	1
PL-4 (`id`=`pl-4`)	Rules of Behavior	1
CP-2 (`id`=`cp-2`)	Information System Contingency Plan (ISCP)	1
CM-9 (`id`=`cm-9`)	Configuration Management Plan (CMP)	1
IR-8 (`id`=`ir-8`)	Incident Response Plan (IRP)	1
CA-7 (`id`=`ca-7`)	Continuous Monitoring Plan	1
SR-2 (`id`=`sr-2`)	Supply Chain Risk Management Plan (SCRMP)	1

Retrofit MVP

For Retrofit MVP, simply use a links array in the implemented-requirements entry for each "-1" control.

system-security-plan:
  control-implementation:
    description: There is one control in this example. Follow this pattern for each
      additional control.
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      links:
      - href: ./AC_Policy.docx
        rel: policy
        media-type: application/docx
      - href: ./AC_Procedure.docx
        rel: procedure
        media-type: application/docx

Normalized

For Retrofit Advanced, and all New adoption:

Attach the document as a back-matter resource.
Create a component that represents the document
Specify the component in the control response

Attach Document

Attach each document as back-matter / resources entries and include a props array with:

name set to type
value set to policy, procedure, plan, users-guide or rules-of-behavior


system-security-plan:

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000005
      title: Access Control and Identity Management Policy
      description: A single policy that addresses both the AC and IA families.
      props:
      - name: type
        value: policy
      - name: published
        value: '2023-01-01T00:00:00Z'
      - name: version
        value: '1.2'
      rlinks:
      - href: ./attachments/policies/sample_AC_and_IA_policy.pdf
        media-type: application/pdf

Create Component

Create a component for each document in system-implementation / components and include:

a props array with one entry:
- name set to implementation-point
- value set to internal if the document is system-specific; or
- value set to external and class set to corporate if the document is Corporate
a links array with one entry:
- href contains a URI fragment that cites the back-matter resource
  - a hashtag (#) followed by the UUID of the back-matter resource.
- rel contains attachment

All other fields depicted in the example are required by OSCAL to be present.


system-security-plan:

  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000600001
      type: policy
      title: Access Control and Identity Management Policy
      description: 'This is a corporate AC policy used for the system.'
      props:
      - name: implementation-point
        value: external
        class: corporate
      links:
      - href: '#11111111-2222-4000-8000-001000000005'
        rel: attachment
      status:
        state: operational

Control Response

Use implemented-requirements / statements / by-components entries in every control response that cites the document.


system-security-plan:

  control-implementation:
  
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      
      statements:
      - statement-id: ac-1_smt.a
        uuid: 11111111-2222-4000-8000-012000010100
        
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000600001
          uuid: 11111111-2222-4000-8000-012000010102
          description: Describe how this policy satisfies part a.
          implementation-status:
            state: implemented

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Retrofit MVP

Normalized

Attach Document

Create Component

Control Response