# Responding to Control Baselines

<img class="page-image" src="/uploads/images/gallery/2026-02/ssp-figure-31.png" alt="system security plan control definitions page image" />

OSCAL references controls in baselines and catalogs. The control statements are not duplicated into an OSCAL SSP the way they are in a Word SSP.

Control baseline requirements are [imported](#bkmrk-importing-a-baseline) by an OSCAL SSP and [referenced](#bkmrk-referencing-controls) as needed.

## Importing a Baseline

Import the appropriate FedRAMP Baseline, either as an OSCAL _profile_ or as an OSCAL _resolved profile catalog_.

```yaml
system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml
```

<div class="callout">
  The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5).

  See [Baselines](https://patterns.rufrisk.com/books/supporting-resources-and-valid-content/page/baselines) for more information about those files.
  
</div>

## Referencing Controls

With the appropriate baseline imported as described above, OSCAL SSP control responses simply cite the control `id` from the baseline.

For each control in the imported baseline there MUST be exactly one `implemented-requirements` entry that includes:
- a `uuid`
- a `control-id` with a value that matches a control in the imported baseline
- a `set-parameters` array, only if the control has one or more parameters that don't already have their `value` established in the baseline. See _[Parameter Assignments](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/parameter-assignments)_ for more information.
- a `statements` array that contains the control responses. See _[Control Implementation Statements](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/control-implementation-statements)_ for more information.


```yaml
system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL, but ignored by FedRAMP.'
    implemented-requirements:
    
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      set-parameters:
        [content cut]
      statements:
        [content cut]
        
    - uuid: 11111111-2222-4000-8000-012000010001
      control-id: ac-2
      [content cut]
      
    - uuid: 11111111-2222-4000-8000-012000010002
      control-id: ac-2.1
      [content cut]

```
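The "exactly one `implemented-requirements` entry per baseline control" rule can be checked mechanically before submission. The following is an added example, not code from this page or from the OSCAL Foundation. It assumes the resolved profile catalog and the SSP have already been parsed into dictionaries (for instance by a YAML loader); the function names and sample data are constructed for illustration, and the `set-parameters` condition is not checked.

```python
import uuid
from collections import Counter

def baseline_control_ids(node):
    """Collect control ids from a parsed OSCAL catalog, including nested enhancements."""
    ids = set()
    for group in node.get("groups", []):
        ids |= baseline_control_ids(group)
    for control in node.get("controls", []):
        ids.add(control["id"])
        ids |= baseline_control_ids(control)  # enhancements nest under their parent
    return ids

def is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def check_responses(catalog_doc, ssp_doc):
    """Report where implemented-requirements break the one-entry-per-control rule."""
    expected = baseline_control_ids(catalog_doc["catalog"])
    reqs = ssp_doc["system-security-plan"]["control-implementation"]["implemented-requirements"]
    counts = Counter(r.get("control-id", "") for r in reqs)
    return {
        "missing": sorted(expected - set(counts)),
        "duplicated": sorted(c for c, n in counts.items() if n > 1),
        "not_in_baseline": sorted(set(counts) - expected),
        "bad_uuid": sorted(r.get("control-id", "") for r in reqs if not is_uuid(r.get("uuid"))),
        "no_statements": sorted(r.get("control-id", "") for r in reqs if not r.get("statements")),
    }

# Constructed sample data (not a real baseline or SSP), shaped like parsed YAML.
SAMPLE_CATALOG = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-1"},
    {"id": "ac-2", "controls": [{"id": "ac-2.1"}]},
    {"id": "ac-3"},
]}]}}
SMT = [{"statement-id": "placeholder"}]  # stand-in for real control responses
SAMPLE_SSP = {"system-security-plan": {"control-implementation": {"implemented-requirements": [
    {"uuid": "11111111-2222-4000-8000-012000010000", "control-id": "ac-1", "statements": SMT},
    {"uuid": "11111111-2222-4000-8000-012000010001", "control-id": "ac-2", "statements": SMT},
    {"uuid": "11111111-2222-4000-8000-012000010003", "control-id": "ac-2", "statements": SMT},
    {"uuid": "not-a-uuid", "control-id": "ac-2.1", "statements": []},
    {"uuid": "11111111-2222-4000-8000-012000010004", "control-id": "ac-99", "statements": SMT},
]}}}

if __name__ == "__main__":
    for finding, control_ids in check_responses(SAMPLE_CATALOG, SAMPLE_SSP).items():
        print(f"{finding}: {control_ids}")
```

An SSP that satisfies the rule returns an empty list for every finding.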



---