
Control Response: Policies, Procedures, Plans, RoB, and Guides

Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 controls. In an OSCAL SSP, each attachment is linked directly from the implemented-requirement entry of the control that requires it. That link is how tools determine which attachment satisfies each requirement, so a document that is merely present in the package but not linked from its control will not be recognized as satisfying anything.

Control ID           Artifact to Link                              Expected count
Each "-1" control    Policy                                        1
Each "-1" control    Procedure(s)                                  1 or more
SA-5 (id=sa-5)       Appendix D: User Guide                        1
PL-4 (id=pl-4)       Rules of Behavior                             1
CP-2 (id=cp-2)       Information System Contingency Plan (ISCP)    1
CM-9 (id=cm-9)       Configuration Management Plan (CMP)           1
IR-8 (id=ir-8)       Incident Response Plan (IRP)                  1
CA-7 (id=ca-7)       Continuous Monitoring Plan                    1
SR-2 (id=sr-2)       Supply Chain Risk Management Plan (SCRMP)     1

Retrofit MVP

For Retrofit MVP, add a links array to the implemented-requirements entry of each "-1" control, with one rel: policy link and one or more rel: procedure links pointing at the documents themselves.

system-security-plan:
  control-implementation:
    description: There is one control in this example. Follow this pattern for each
      additional control.
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      links:
      - href: ./AC_Policy.docx
        rel: policy
        # registered media type for .docx; "application/docx" is not one
        media-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
      - href: ./AC_Procedure.docx
        rel: procedure
        media-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

Normalized

For Retrofit Advanced and for all New adoptions:

  • Attach each document as a back-matter / resources entry
  • Create a component for each document in system-implementation / components
  • Add an implemented-requirements / statements / by-components entry for each document's component, under each statement the document satisfies

The three pieces are tied together by UUID: the by-components entry names the component, and the component's rel: attachment link points (with a "#" fragment) at the back-matter resource that carries the file.

system-security-plan:
  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000600001
      type: policy
      title: Access Control and Identity Management Policy
      description: 'This is a corporate AC policy used for the system.'
      props:
      - name: implementation-point
        value: external
        class: corporate
      links:
      - href: '#11111111-2222-4000-8000-001000000005'
        rel: attachment
      status:
        state: operational


  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      statements:
      - statement-id: ac-1_smt.a
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000600001
          uuid: 11111111-2222-4000-8000-012000010102
          description: Describe how this policy satisfies part a.
          implementation-status:
            state: implemented
          responsible-roles:
          - role-id: information-system-security-officer
            party-uuids:
            - 11111111-2222-4000-8000-004000000008
          remarks: This is the "policy" component, which represents the Access Control
            and Identity Management Policy.

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000005
      title: Access Control and Identity Management Policy
      description: A single policy that addresses both the AC and IA families.
      props:
      - name: type
        value: policy
      - name: published
        value: '2023-01-01T00:00:00Z'
      - name: version
        value: '1.2'
      rlinks:
      - href: ./attachments/policies/sample_AC_and_IA_policy.pdf
        media-type: application/pdf