Skip to main content

New Adoption Path

If you are approaching OSCAL to intially create your system security plan and do not have legacy documentaiton to convert, follow this path.

If you need to convert legacy documentation to OSCAL, follow the Retrofit Adoption Path.

THIS PAGE IS STILL UNDER DEVELOPMENT

Organizations adopting OSCAL for initial SSP creation must be mindful of OSCAL's relational dependencies to ensure efficient content population. The New Adoption Path starts with components and other core system details, then builds on those components in later phases to achieve highly normalized and complete SSP content.

This approach prioritzes data normalization from the start. It establishes foundational data elements on which later phases build. This ensures logical sequencing of activties and efficient progression of SSP detail.

SSP New Adoption Overview

The OSCAL Foundation recommends the following addoption path for new FedRAMP SSP creation.

New_Adoption_Path.png

CORE

  • MinimumProvide InformationOSCAL Required inContent anand OSCALBasic SSPCSP/CSO Details

    • metadata includes:

      • title, last-modified, version, oscal-version (required OSCAL fields)
      • roles: cloud-service-provider
      • parties: the CSP
      • responsible-parties: exactly one, linking the CSP party to the CSP rolerole.

    • system-characteristics includes:

      • system-id, system-name, system-name-short, description
      • system-information:(required exactlyOSCAL one entry with Appendix K pasted into the descriptionfields)
      • cloud-service-model and cloud-deployment-model props
      • system-information
      • security-sensitivity-level (fips-199-high, fips-199-moderate, fips-199-low)
      • status: Requiredset field.to Useoperational as-is(required OSCAL fields)
      • authorization-boundaryboundary/description: Only a brief description onlyis required.

  • FocusDefine on DefiningFoundational Components

    • system-implementation
      • components:
        • Exactly one "this system" component (type= this-system) (Represents the system as a whole.)
        • One for each technical componentelement (hardware, software, virtual appliance, service) used in the system
        • One for each required document (policies, procedures, plans, user guides, Rules of Behavior)
        • See [Section citation and link] for more information.

DETAIL

  • SSP-Required SSPRoles Rolesand Parties: See [Seciton citation and link]

  • Leveraged Authorizations

    : See [Seciton citation and link]

  • External Systems and Services

    : See [Seciton citation and link]

  • Services, Ports and Protocols

    : See [Seciton citation and link]

  • Separation of Duties: Matrix

    See [Seciton citation and link]

  • Cryptographic Modules

    : See [Seciton citation and link]
  • Diagrams:

    Diagrams

    See [Seciton citation and link] See [Seciton citation and link]
    • Boundary/Architecture Diagram and Narriative
    • Network Architecture Diagram and Narriative
    • Data Flow Diagram and Narriative

  • Information Types / FIPS-199 Categorization

  • Leveraged Authorizations and External Services (needed for Controls below.)

  • Components

    • this-system (Core OSCAL Mandatory)
    • technical components. Appropriate level of granularity for:
      • SSP control responses: If you need to reference an element of the system in a control response, there should be a defined OSCAL component.
      • normalizing inventory reporting: for any item appearing in the inventory, details about its vendor, product/service name, version or other details should be a defined component.
    • Document Components for Policies, Procedures, Plans, RoB, User Guides

CONTROLS

  • AssignAlign Components to Controls: See [Seciton citation and link]
  • ResponsesRespond atto theControls per-Component: Level
    • See
  • Derived[Seciton fromcitation includedand components:
    • Roles
    • Implementaiton Status
  • Add roles where they are not inherited from cited components
  • Override implementation status only where necessary. Examples:
    • Cited components don't represent all components.
    • Planned upgrades or replacement of components
    link]

TARGET

Advanced topics.

  • Cryptographic Module representation

  • Convert controls without modification, with all response statements in the "this-system" component.

    • control-implementation
      • implemented-requirement (AC-1, AC-2, etc.)
        • set-parameters: set parameters as needed
        • statement (part a, part b, etc.
          • by-component ("this system")
            • description: Content directly from legacy Word SSP (part a, part b, etc.)
            • implementation-status
            • responsible-roles: One entry per role. Use role-id. Must match metadata/roles/id.

  • Flat Inventory, converted directly from spreadsheet. No corrisponding components.

    • system-implementationComponent-Based Inventory Representation:
        See [Seciton citation and link]
      • inventory-itemsVerify/Adjust Control Origin and Aggregated Status: AllSee inventory[Seciton convertedcitation fromand Excel spreadsheetlink]
    • Add
      • Customer
    Responsibilities: See [Seciton citation and link]

Intermediate

  • Required attachments

    • Add direct links from the appropriate controls to identify relevant attachments

  • Required SSP roles

    • metadata/roles The roles required by SSP (System owner, ISSO, AO, etc.)
    • metada/parties: the people, teams and organizations responsible for the above roles
    • metadata/responsible-parties: links the above roles and parties

  • Information types

    • system-characteristics/system-information/information-types
      • a single entry for each row in appendix K.

  • leveraged authorizations

    • system-implementation/leveraged-authorizations:
      • one entry for leveraged authorization
      • corrisponding metadata/parties entry for each
      • corrisponding system-implementation/components for each.

  • Separation of Duties Matrix

    • system-implementation/users
      • one entry per row in Table 11.1
      • ./authorized-privilege/functions-performed: SSP Table 11.1 Duty Description (just one entry in the array)
      • ./authorized-privilege/title: Required by OSCAL, not by FedRAMP. Recommend duplicating the functions-performed content.
      • role-ids: links metadata/roles to functions-performed

  • Customer Responsibility and Inheritance:

    • Move customer responsibility statements to //by-components/export/responsibilities

Advanced

  • external systems and services

    • system-implementation/components entries for each

  • Transition to resources

    • Where practical, links entries use URI fragments to reference resources instead of direct links.

  • Components for Required Documents

    • policy components entries for each required policy
    • process-procedure components entries for each required process
    • plan components entries for each required plan
    • _useradd components for policies, processes, plans and other documents

Ideal

  • Services, Ports and Protocols

  • Cryptographic Modules (App Q table)

  • Migrateto component-based control responses

    • Add by-components entries to implemented-requirements for each relevant component
    • Add/move component-specific control responses to their associated by-components response.
    • Migrate slowly over time.
Back to top