Responding By Component
Retrofit Adoption Path MVP
When converting a Word-based FedRAMP SSP to OSCAL, move all control responses to the this-system component.
Every OSCAL SSP must have a this-system component defined. It is the only required component.
system-security-plan:
  system-implementation:
    components:
      - uuid: 11111111-2222-4000-8000-009000000000
        type: this-system
        title: This System
        description: 'Represents the entire authorization boundary'
        status:
          state: operational
Every statements / by-components array has exactly one entry that references the this-system component and includes the content from the Word-based SSP.
Each statements array entry includes:
- a required uuid field
- a required by-components array. Each array entry includes:
  - a required component-uuid field that cites the this-system component from above.
  - a required uuid field
  - a required description field that contains the content from the Word-based SSP control response.
  - a required implementation-status element with:
    - a required state field with a value of implemented.
- a required
- a required
system-security-plan:
  control-implementation:
    description: n/a.
    implemented-requirements:
      - uuid: 11111111-2222-4000-8000-012000010000
        control-id: ac-1
        statements:
          - statement-id: ac-1_smt.a
            uuid: 11111111-2222-4000-8000-012000010100
            by-components:
              - component-uuid: 11111111-2222-4000-8000-009000000000
                uuid: 11111111-2222-4000-8000-012000010101
                description: Word-based SSP AC-1, statement a response.
                implementation-status:
                  state: implemented
          - statement-id: ac-1_smt.b
            uuid: 11111111-2222-4000-8000-012000010200
            by-components:
              - component-uuid: 11111111-2222-4000-8000-009000000000
                uuid: 11111111-2222-4000-8000-012000010201
                description: Word-based SSP AC-1, statement b response.
                implementation-status:
                  state: implemented
          - statement-id: ac-1_smt.c
            uuid: 11111111-2222-4000-8000-012000010300
            by-components:
              - component-uuid: 11111111-2222-4000-8000-009000000000
                uuid: 11111111-2222-4000-8000-012000010301
                description: Word-based SSP AC-1, statement c response.
                implementation-status:
                  state: implemented
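One way to check the retrofit rules above before submitting a converted SSP, as an added example that is not part of the FedRAMP documentation. It assumes the SSP has been loaded from OSCAL JSON into a Python dict; check_retrofit and _stmt are hypothetical names, and the sample data is constructed.

```python
# Added example: checks the retrofit rules above on an OSCAL SSP loaded as a dict
# (for instance with json.load). check_retrofit and _stmt are hypothetical names.
TS = "11111111-2222-4000-8000-009000000000"  # this-system UUID used on this page

def check_retrofit(doc):
    """Return a list of findings; an empty list means the retrofit rules hold."""
    ssp = doc.get("system-security-plan", {})
    comps = ssp.get("system-implementation", {}).get("components", [])
    ts = [c.get("uuid") for c in comps if c.get("type") == "this-system"]
    if not ts:
        return ["no this-system component defined"]
    findings = []
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    for stmt in (s for r in reqs for s in r.get("statements", [])):
        sid = stmt.get("statement-id", "<no statement-id>")
        if not stmt.get("uuid"):
            findings.append(f"{sid}: statement has no uuid")
        bcs = stmt.get("by-components", [])
        if len(bcs) != 1:
            findings.append(f"{sid}: expected 1 by-components entry, found {len(bcs)}")
        for bc in bcs:
            if bc.get("component-uuid") not in ts:
                findings.append(f"{sid}: component-uuid is not the this-system component")
            for field in ("uuid", "description"):
                if not bc.get(field):
                    findings.append(f"{sid}: by-components entry has no {field}")
            state = bc.get("implementation-status", {}).get("state")
            if state != "implemented":
                findings.append(f"{sid}: implementation-status state is {state!r}")
    return findings

def _stmt(letter, comp_uuid, with_status=True):
    """Build one constructed statements entry; its uuid values are placeholders."""
    bc = {"component-uuid": comp_uuid, "uuid": f"bc-{letter}",
          "description": f"Word-based SSP AC-1, statement {letter} response."}
    if with_status:
        bc["implementation-status"] = {"state": "implemented"}
    return {"statement-id": f"ac-1_smt.{letter}", "uuid": f"st-{letter}",
            "by-components": [bc]}

# Constructed sample: a is complete, b lacks implementation-status, c cites another UUID.
SAMPLE = {"system-security-plan": {
    "system-implementation": {"components": [{"uuid": TS, "type": "this-system"}]},
    "control-implementation": {"implemented-requirements": [{
        "control-id": "ac-1",
        "statements": [_stmt("a", TS), _stmt("b", TS, with_status=False),
                       _stmt("c", "00000000-0000-4000-8000-000000000000")]}]}}}

if __name__ == "__main__":
    print("\n".join(check_retrofit(SAMPLE)))
```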
Native Adoption Path
When creating an SSP from scratch, ensure appropriate components are defined before authoring a control response. The this-system component must always be present. Other components are present based on their use within the system. See Components for more information.
system-security-plan:
  system-implementation:
    components:
      - uuid: 11111111-2222-4000-8000-009000000000
        type: this-system
        title: This System
        description: 'Represents the entire authorization boundary'
        status:
          state: operational
      - uuid: 11111111-2222-4000-8000-009000500001
        type: service
        title: Service A
        description: 'An authorized service from a leveraged CSO.'
        status:
          state: operational
      - uuid: 11111111-2222-4000-8000-009000600001
        type: policy
        title: Access Control and Identity Management Policy
        description: 'A corporate policy used for the system.'
        status:
          state: operational
Every statements / by-components array has one or more entries, each of which references a component and describes how that component satisfies that control requirement statement.
The "This System" Component
There must always be a "This System" component in the SSP. This is used in several ways:
- Holistic Overview: The SSP author may wish to provide a more holistic overview of how several components work together, even if details are provided individually in other by-component assemblies.
- Catch-all: Any control response that does not cleanly align with another system component may be described in the "This System" component.
- Legacy SSP Conversion: When converting a legacy SSP to OSCAL, the legacy control response statements may initially be associated with the "This System" component until the SSP author is able to provide responses for individual components.
---
