Parameter Assignments

SSP Template Security Control Parameter Assignments

Representation

If a FedRAMP control has one or more parameters, add a set-parameters array within its implemented-requirements entry. There must be one set-parameters entry for each parameter in the control, as follows:

  • a param-id set to the parameter value from the OSCAL-based FedRAMP baselines
  • a values array with:
    • one string entry per response
    • If the response is a list, such as a list of user types to receive a procedure, add one entry per list item.

Only set parameters at the `implemented-requirements` level. While OSCAL also supports the ability to set parameters within `by-components` entries, this does not align with FedRAMP's handling of parameters and should not be used.

system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      set-parameters:

      - param-id: ac-01_odp.01
        values:
        - all managers, administrators and users of the system

      - param-id: ac-01_odp.02
        values:
        - all managers and administrators of the system

      - param-id: ac-01_odp.03
        values:
        - System-level

      - param-id: ac-01_odp.04
        values:
        - System Architect

      - param-id: ac-01_odp.05
        values:
        - at least every 3 years
      
      - param-id: ac-01_odp.06
        values:
        - change in organizational legal status or ownership

      - param-id: ac-01_odp.07
        values:
        - at least annually

      - param-id: ac-01_odp.08
        values:
        - change in policy or a security incident involving a failure of access control
          mechanisms

Selection Parameters and Nested Parameters

Some select parameters contain one or more assignment parameters. In this instance, simply provide the final selection value within the set-parameters entry for the select and omit any set-parameters entries related to the assignment.

Example

AC-7 part (b) has three assignment parameters nested within a single selection parameter. Line breaks and bullets have been added below to better illustrate the nesting.

Automatically

  • [Selection (one or more):
    • lock the account or node for an [Assignment: organization-defined time period];
    • lock the account or node until released by an administrator;
    • delay next logon prompt per [Assignment: organization-defined delay algorithm];
    • notify system administrator;
    • take other [Assignment: organization-defined action]]

when the maximum number of unsuccessful attempts is exceeded.

Although the OSCAL controls will have four parameters, only the final value for the selection parameter is assigned in the SSP. The other parameters are ignored.

If more than one choice is applicable, add each as a separate entry in the values array. For example, if the final choices are:

  • lock the account or node for an [Assignment: 30 minutes];
  • lock the account or node until released by an administrator;

The set-parameters array would be:


system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-7
      set-parameters:

      - param-id: ac-07_odp.03
        values:
        - lock the account or node for 30 minutes; 
        - lock the account or node until released by an administrator; 

Parameters ac-07_odp.01 and ac-07_odp.02 belong to part (a). They would normally be included and are only omitted for the example.

Parameters ac-07_odp.04, ac-07_odp.05 and ac-07_odp.06 are part of ac-07_odp.03 and are omitted.
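
An added example, not part of the FedRAMP guidance or tooling: a small Python lint that applies the rules above to an SSP already parsed into a dict (one entry per control parameter, nested assignments omitted, nothing set under by-components). The function names, the EXPECTED and NESTED tables (built from the AC-7 example) and the sample SSP with its deliberate mistakes are assumptions constructed for illustration.

```python
# EXPECTED and NESTED are constructed from this page's AC-7 example; a real check
# would derive them from the OSCAL-based FedRAMP baseline.
EXPECTED = {"ac-7": {"ac-07_odp.01", "ac-07_odp.02", "ac-07_odp.03"}}
NESTED = {"ac-07_odp.03": {"ac-07_odp.04", "ac-07_odp.05", "ac-07_odp.06"}}


def by_components(req):
    """Yield by-components entries at requirement level and under statements."""
    yield from req.get("by-components", [])
    for stmt in req.get("statements", []):
        yield from stmt.get("by-components", [])


def lint_ssp(ssp):
    """Return sorted (control-id, param-id, problem) findings."""
    findings = set()
    impl = ssp["system-security-plan"]["control-implementation"]
    for req in impl.get("implemented-requirements", []):
        cid = req.get("control-id")
        params = req.get("set-parameters", [])
        ids = {p.get("param-id", "?") for p in params}
        for pid in EXPECTED.get(cid, set()) - ids:
            findings.add((cid, pid, "no set-parameters entry"))
        for p in params:
            pid, vals = p.get("param-id", "?"), p.get("values") or []
            if not vals or any(not str(v).strip() for v in vals):
                findings.add((cid, pid, "empty values"))
            if any("organization-defined" in str(v) for v in vals):
                findings.add((cid, pid, "unresolved placeholder"))
            if any(pid in nested for nested in NESTED.values()):
                findings.add((cid, pid, "nested assignment set separately"))
        for bc in by_components(req):
            for p in bc.get("set-parameters", []):
                findings.add((cid, p.get("param-id", "?"), "set within by-components"))
    return sorted(findings)


# Constructed sample SSP fragment with deliberate mistakes (all values are made up).
SAMPLE = {"system-security-plan": {"control-implementation": {"implemented-requirements": [{
    "uuid": "11111111-2222-4000-8000-012000010000", "control-id": "ac-7",
    "set-parameters": [
        {"param-id": "ac-07_odp.01", "values": ["3"]},
        {"param-id": "ac-07_odp.03", "values": ["lock the account or node for an "
                                                "[Assignment: organization-defined time period];"]},
        {"param-id": "ac-07_odp.04", "values": ["30 minutes"]}],
    "by-components": [{"component-uuid": "11111111-2222-4000-8000-009000000001",
                       "set-parameters": [{"param-id": "ac-07_odp.02", "values": ["15"]}]}],
}]}}}
print(*lint_ssp(SAMPLE), sep="\n")
```

Run against the AC-7 example as printed on this page, the lint reports only ac-07_odp.01 and ac-07_odp.02 as missing, which matches the note that they were omitted for the example.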