Responding to Control Baselines
OSCAL references controls in baselines and catalogs; the control statements are not duplicated into an OSCAL SSP the way they are in a Word SSP.
Control baseline requirements are imported by an OSCAL SSP and referenced as needed.
Importing a Baseline
Import the appropriate FedRAMP baseline, either as an OSCAL profile or as an OSCAL resolved profile catalog:

```yaml
system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml
```
The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5).
See Baselines for more information about those files.
Referencing Controls
With the appropriate baseline imported as above, OSCAL SSP control responses cite the control id from the baseline.
For each control in the imported baseline there MUST be exactly one `implemented-requirements` entry that includes:
- a `uuid`
- a `control-id` whose value matches a control in the imported baseline
- a `set-parameters` array, only if the control has one or more parameters whose `value` is not already established in the baseline. See Parameter Assignments for more information.
- a `statements` array containing the control responses. See Control Responses for more information.
```yaml
system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL, but ignored by FedRAMP.'
    implemented-requirements:
      - uuid: 11111111-2222-4000-8000-012000010000
        control-id: ac-1
        set-parameters:
          # [content cut]
        statements:
          # [content cut]
      - uuid: 11111111-2222-4000-8000-012000010001
        control-id: ac-2
        # [content cut]
      - uuid: 11111111-2222-4000-8000-012000010002
        control-id: ac-2.1
        # [content cut]
```
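The "exactly one entry per baseline control" rule above is easy to break in a large SSP (a missing enhancement such as `ac-2.1`, a copy-pasted entry with a reused `uuid`, a `control-id` that is not in the baseline, or a `set-parameters` array for a parameter the baseline already fixes). The checker below is an added example, not OSCAL Foundation or FedRAMP code, that walks an imported resolved profile catalog and reports every deviation from the rule. It operates on the already-parsed documents (the dict shape `yaml.safe_load()` or `json.load()` returns for the OSCAL YAML/JSON files); the miniature baseline and SSP embedded here are constructed, and it assumes the standard OSCAL layout in which controls sit under `catalog.groups[].controls[]` (with enhancements nested under their parent control), a parameter the baseline has assigned carries a `values` list, and each `set-parameters` entry names its parameter with `param-id`.

```python
"""Check an OSCAL SSP's implemented-requirements against its imported baseline.

Added example (not OSCAL Foundation / FedRAMP code). Inputs are parsed OSCAL
documents as dicts; the sample baseline and SSP below are constructed.
"""
import uuid as uuidlib

# Constructed miniature of a resolved profile catalog (not the real FedRAMP file).
SAMPLE_BASELINE = {
    "catalog": {"groups": [{"id": "ac", "controls": [
        {"id": "ac-1", "params": [
            {"id": "ac-1_prm_1", "label": "organization-defined personnel or roles"},
            {"id": "ac-1_prm_2", "values": ["at least annually"]},  # fixed by baseline
        ]},
        {"id": "ac-2", "controls": [{"id": "ac-2.1"}]},  # enhancement nests under parent
        {"id": "ac-3"},
    ]}]}
}

# Constructed SSP fragment that deliberately violates the rule in several ways.
SAMPLE_SSP = {"system-security-plan": {"control-implementation": {
    "description": "required by OSCAL, ignored by FedRAMP",
    "implemented-requirements": [
        {"uuid": "11111111-2222-4000-8000-012000010000", "control-id": "ac-1",
         "set-parameters": [{"param-id": "ac-1_prm_1", "values": ["the ISSO"]}],
         "statements": [{"statement-id": "ac-1_smt.a",
                         "uuid": "11111111-2222-4000-8000-012000010100"}]},
        {"uuid": "11111111-2222-4000-8000-012000010001", "control-id": "ac-2",
         "statements": [{"statement-id": "ac-2_smt"}]},
        {"uuid": "11111111-2222-4000-8000-012000010001", "control-id": "ac-2",  # duplicate
         "statements": [{"statement-id": "ac-2_smt"}]},
        {"uuid": "not-a-uuid", "control-id": "ac-3",
         "set-parameters": [{"param-id": "ac-3_prm_1", "values": ["x"]}],  # no such param
         "statements": []},
        {"uuid": "11111111-2222-4000-8000-012000010099", "control-id": "ac-99",
         "statements": [{"statement-id": "ac-99_smt"}]},
    ]}}}


def iter_controls(container):
    """Yield every control in a catalog, recursing into groups and nested controls."""
    for group in container.get("groups") or []:
        yield from iter_controls(group)
    for control in container.get("controls") or []:
        yield control
        yield from iter_controls(control)


def open_params(control):
    """Ids of this control's parameters that the baseline has not assigned a value to."""
    return {p["id"] for p in control.get("params") or [] if not p.get("values")}


def is_uuid(value):
    try:
        uuidlib.UUID(str(value))
        return True
    except ValueError:
        return False


def check_ssp_against_baseline(baseline_doc, ssp_doc):
    """Return a sorted list of findings; an empty list means the SSP satisfies the rule."""
    findings = []
    controls = {c["id"]: c for c in iter_controls(baseline_doc["catalog"])}
    reqs = (ssp_doc["system-security-plan"]["control-implementation"]
            .get("implemented-requirements") or [])
    entries_per_control = {}
    seen_uuids = set()
    for req in reqs:
        cid = req.get("control-id", "<missing control-id>")
        entry_uuid = req.get("uuid")
        if not is_uuid(entry_uuid):
            findings.append(f"{cid}: uuid {entry_uuid!r} is not a valid UUID")
        elif entry_uuid in seen_uuids:
            findings.append(f"{cid}: uuid {entry_uuid} reused by another entry")
        else:
            seen_uuids.add(entry_uuid)
        control = controls.get(cid)
        if control is None:
            findings.append(f"{cid}: control-id is not in the imported baseline")
            continue
        entries_per_control[cid] = entries_per_control.get(cid, 0) + 1
        needed = open_params(control)
        declared = {p["id"] for p in control.get("params") or []}
        supplied = {sp.get("param-id") for sp in req.get("set-parameters") or []}
        if "set-parameters" in req and not needed:
            findings.append(f"{cid}: set-parameters given but the baseline already "
                            "assigns every parameter")
        for pid in sorted(supplied - declared):
            findings.append(f"{cid}: set-parameters names {pid}, which is not a "
                            "parameter of this control")
        for pid in sorted(needed - supplied):
            findings.append(f"{cid}: parameter {pid} has no value in the baseline "
                            "and none in set-parameters")
        if not req.get("statements"):
            findings.append(f"{cid}: statements array is missing or empty")
    for cid in controls:  # every baseline control needs exactly one entry
        n = entries_per_control.get(cid, 0)
        if n == 0:
            findings.append(f"{cid}: no implemented-requirements entry")
        elif n > 1:
            findings.append(f"{cid}: {n} implemented-requirements entries, expected exactly one")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_ssp_against_baseline(SAMPLE_BASELINE, SAMPLE_SSP):
        print(line)
```

Run against the real files, replace the two constructed dicts with the parsed FedRAMP resolved profile catalog named in `import-profile` and your SSP; the checks themselves do not change. Missing enhancements are the finding most worth watching for, since the NIST catalogs nest `ac-2.1` under `ac-2` and a walker that only reads the top level of each group silently skips them.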