
Inventory Approaches

OSCAL makes two approaches available for depicting the system inventory:

  • Flat Approach: Similar to today's FedRAMP Integrated inventory workbook where all of the information on a spreadsheet row is captured in a single assembly.

  • Normalized Approach: Common information is normalized as OSCAL components. Each inventory-item points to a component for its common information. For example, a router is defined once as an OSCAL component with its vendor and model information. All six inventory instances cite the one router component.

MVP

If you have an existing FedRAMP authorization and are using the FedRAMP inventory spreadsheet template, start with the flat approach, and migrate over time to the component-based approach.

With the flat approach, all content on a spreadsheet row appears in a single OSCAL inventory-item assembly. This results in a great deal of redundant information but is a simple transition from the current spreadsheet approach.

See Inventory: Flat Approach for more information.

Retrofit Adoption Path: MVP

If you have an existing FedRAMP authorization and are using the FedRAMP inventory spreadsheet template, start with the flat approach, and migrate over time to the normalized approach.

With the Normalized approach, common information is captured once in a component assembly. Each instance of that component has its own inventory-item assembly, which cites the relevant component and only includes information unique to that instance.

See Inventory: Normalized Approach for more information.

New Adoption Path: Core

If you are adopting OSCAL at the beginning of your FedRAMP journey, are creating inventory have an existing FedRAMP authorization and are using the FedRAMP inventory spreadsheet template, start with the flat approach, and migrate over time to the component-based approach.

Example

The same Linux operating system is used as the platform for all database and web servers. Most details about the operating system are captured once as a component, including OS name, version number, and patch level.

If four Linux instances are used, each instance is an inventory item with a unique IP address and MAC address. Only those unique pieces are captured at the inventory level. All four inventory-items are linked to the component.
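The Linux example above, worked through as an added sketch (not FedRAMP's or NIST's own code): four flat spreadsheet-style rows are split into one shared component and four inventory-items that cite it. The row values, column names, product name, placeholder UUID namespace, and the helper names `props` and `normalize` are constructed for illustration; the output follows the general shape of OSCAL SSP JSON (`components`, `inventory-items`, `implemented-components`) but is simplified and has not been validated against the OSCAL schema or FedRAMP's required props.

```python
import json
import uuid

# Constructed sample: four spreadsheet-style rows (flat approach), one per Linux host.
FLAT_ROWS = [
    {"asset-id": f"linux-{n}", "ipv4-address": f"192.0.2.{n}",
     "mac-address": f"00:00:5e:00:53:0{n}",
     "software-name": "Example Linux", "version": "9.4", "patch-level": "2024-06"}
    for n in range(1, 5)
]
COMMON = ("software-name", "version", "patch-level")   # identical for every instance
UNIQUE = ("asset-id", "ipv4-address", "mac-address")   # differ per instance
NS = uuid.UUID("00000000-0000-0000-0000-000000000000")  # placeholder namespace


def props(row, names):
    """Build an OSCAL-style props list from selected columns of a row."""
    return [{"name": n, "value": row[n]} for n in names]


def normalize(rows):
    """Split flat rows into shared components and per-instance inventory-items."""
    components, items = {}, []
    for row in rows:
        key = tuple(row[n] for n in COMMON)
        if key not in components:  # define each distinct platform only once
            components[key] = {
                "uuid": str(uuid.uuid5(NS, "component:" + "|".join(key))),
                "type": "software",
                "title": row["software-name"],
                "description": "Operating system platform",
                "status": {"state": "operational"},
                "props": props(row, ("version", "patch-level")),
            }
        items.append({
            "uuid": str(uuid.uuid5(NS, "item:" + row["asset-id"])),
            "description": f"Instance {row['asset-id']}",
            "props": props(row, UNIQUE),  # only the instance-specific details
            "implemented-components": [{"component-uuid": components[key]["uuid"]}],
        })
    return list(components.values()), items


if __name__ == "__main__":
    comps, inv = normalize(FLAT_ROWS)
    print(json.dumps({"components": comps, "inventory-items": inv}, indent=2))
```
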