Approaches
System Inventory Approach
{{< figure src="/img/ssp-figure-24.png" title="FedRAMP SSP template Integrated Inventory Workbook." alt="Screenshot of the Integrated Inventory Workbook in the FedRAMP SSP template." >}}
OSCAL makes two approaches available for depicting the system inventory:
- Flat-File Approach: Similar to today's FedRAMP Integrated Inventory Workbook, where all of the information on a spreadsheet row is captured in a single assembly.
- Component-Based Approach: A component is defined once with as much known detail as possible, and inventory-items point to components for common information.
FedRAMP prefers the component-based approach but accepts the flat-file approach to aid CSPs who are converting their existing MS-Excel based FedRAMP Integrated Inventory Workbook to OSCAL. If you have an existing FedRAMP authorization and are using the FedRAMP inventory spreadsheet template, start with the flat-file approach and migrate over time to the component-based approach. FedRAMP SSP tools must support both approaches.
{{< figure src="/img/ssp-figure-25.png" title="FedRAMP OSCAL flat-file inventory approach." alt="Figure illustrating the 'flat-file' inventory approach where each inventory spreadsheet row is represented as a single OSCAL inventory-item." >}}
With the flat-file approach, all content on a spreadsheet row appears in a single OSCAL inventory-item assembly. This results in a great deal of redundant information but is a simple transition from the current spreadsheet approach.
See Legacy Approach for more information.
{{< figure src="/img/ssp-figure-26.png" title="FedRAMP OSCAL component-based inventory approach." alt="Figure illustrating the 'component-based' inventory approach where common information is captured once in a component, and each instance of that component has its own inventory-item." >}}
With the component-based approach, common information is captured once in a component assembly. Each instance of that component has its own inventory-item assembly, which cites the relevant component and only includes information unique to that instance.
See Preferred Approach for more information.
Example
The same Linux operating system is used as the platform for all database and web servers. Most of the details about the Linux operating system can be captured once as a component, including vendor name, version number, and patch level.
If four Linux instances are used, each instance is an inventory item with a unique IP address and MAC address. Only those unique pieces are captured at the inventory level. All four inventory-items point back to the component for vendor name, version number, and patch level.
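
The migration from flat-file rows to the component-based form described above, as an added example (not FedRAMP's or NIST's own code). The rows are constructed sample data, and the property names and the `implemented-components` / `component-uuid` linkage are assumptions based on the OSCAL SSP JSON layout that should be checked against the schema version in use.

```python
import json
import uuid

# Constructed sample rows: four Linux instances as they might appear on spreadsheet rows.
ROWS = [{"asset-id": f"linux-{n:02d}", "ipv4-address": f"192.0.2.{10 + n}",
         "mac-address": f"00:00:5e:00:53:{n:02x}", "vendor-name": "Example Linux Vendor",
         "version": "9.2", "patch-level": "2024-03"} for n in range(1, 5)]

COMMON = ("vendor-name", "version", "patch-level")      # captured once, on the component
UNIQUE = ("asset-id", "ipv4-address", "mac-address")    # captured per inventory-item

def props(row, names):
    return [{"name": n, "value": row[n]} for n in names]

def to_component_based(rows):
    """Split flat rows into deduplicated components plus per-instance inventory-items."""
    components = {}  # tuple of common values -> component assembly
    items = []
    for row in rows:
        key = tuple(row[n] for n in COMMON)
        if key not in components:
            components[key] = {
                "uuid": str(uuid.uuid4()),
                "type": "software",
                "title": f"{row['vendor-name']} {row['version']}",
                "description": "Operating system platform shared by several hosts.",
                "props": props(row, COMMON),
                "status": {"state": "operational"},
            }
        items.append({
            "uuid": str(uuid.uuid4()),
            "description": f"Host {row['asset-id']}",
            "props": props(row, UNIQUE),  # only the instance-specific details
            "implemented-components": [{"component-uuid": components[key]["uuid"]}],
        })
    return {"components": list(components.values()), "inventory-items": items}

def dangling_references(system_implementation):
    """Return UUIDs of inventory-items citing a component that is not defined."""
    known = {c["uuid"] for c in system_implementation["components"]}
    return [i["uuid"] for i in system_implementation["inventory-items"]
            for ref in i["implemented-components"] if ref["component-uuid"] not in known]

if __name__ == "__main__":
    print(json.dumps(to_component_based(ROWS), indent=2))
```

Running `dangling_references` on converted output before submission catches inventory-items whose component link was broken by a later edit.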