Responding to Control Baselines

system security plan control definitions page image

OSCAL references controls in baselines and catalogs. The statements are not duplicated into an OSCAL SSP the way they are with a Word SSP.

Conrol baseline requirements are imported by an OSCAL SSP and referenced as needed.

Importing a Baseline

Import the appropriate FedRAMP Baseline, either as an OSCAL profile or as an OSCAL reserved profile catalog.

system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml

The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5).

See Baselines for more information about those files.

Referencing Controls

With the approprate baseline imported above, OSCAL SSP control responses simply cite the control id from the baseline.

For each control in the imported baseline there MUST be exactly one implemented-requirements entry that includes:

a uuid
a control-id with a value that matches a control in the imported baseline
a set-parameters array, only if the control has one or more parameters that don't already have their value established in the baseline. See Parameter Assignments for more information.
a statements array contains the control responses. See Control Implementation Statements for more information.

system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL, but ignored by FedRAMP.'
    implemented-requirements:
    
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      set-parameters:
        [content cut]
      statements:
        [content cut]
        
    - uuid: 11111111-2222-4000-8000-012000010001
      control-id: ac-2
      [content cut]
      
    - uuid: 11111111-2222-4000-8000-012000010002
      control-id: ac-2.1
      [content cut]

SSP Adoption Strategies

Retrofit Adoption Path

Native Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Responding to Control Baselines

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Responding By Component

Control Implementation Statements

Control Response: Policies, Procedures, Plans, RoB, and Guides

Inheritence and Customer Responsibilities

Citing Control Statements

Responding to Control Baselines

Importing a Baseline

Referencing Controls