Inventory Approaches

OSCAL makes two approaches available for depicting the system inventory:

Flat-File Approach: Similar to today's FedRAMP Integrated inventory workbook where all of the information on a spreadsheet row is captured in a single assembly.
Component-Based Approach: A component is defined once with as much known detail as possible, and inventory-items point to components for common information.

If you have an existing FedRAMP authorization and are using the FedRAMP inventory spreadsheet template, start with the flat file approach, and migrate over time to the component-based approach.

With the flat-file approach, all content on a spreadsheet row appears in a single OSCAL inventory-item assembly. This results in a great deal of redundant information but is a simple transition from the current spreadsheet approach.

See Legacy Approach for more information.

With the component-based approach, common information is captured once in a component assembly. Each instance of that component has its own inventory-item assembly, which cites the relevant component and only includes information unique to that instance.

See Preferred Approach for more information.

Example

The same Linux operating system is used as the platform for all database and web servers. Most details about operating system are captured once as a component, including OS name, version number, and patch level.

If four Linux instances are used, each instance is an inventory item with a unique IP address and MAC address. Only those unique pieces are captured at the inventory level. All four inventory-items are linked to the component.