Responding to Control Baselines
OSCAL references controls in baselines and catalogs. The statements are not duplicated into an OSCAL SSP the way they are with a Word SSP.
Control definitions and baseline requirements are imported by an OSCAL SSP and referenced as needed.
Importing a Baseline
Import the appropriate FedRAMP Baseline, either as an OSCAL profile or as an OSCAL resolved profile catalog.
```yaml
system-security-plan:
  import-profile:
    href: https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml
```
The OSCAL Foundation makes the FedRAMP baselines available as OSCAL _profiles_ and _resolved profile catalogs_ [on GitHub](https://github.com/OSCAL-Foundation/fedramp-resources/tree/main/baselines/rev5).
See Baselines for more information about those files.
Referencing Controls
With the appropriate baseline imported above, OSCAL SSP control responses simply cite the control id from the baseline.
For each control in the imported baseline there MUST be exactly one `implemented-requirements` entry that includes:

- a `uuid`
- a `control-id` with a value that matches a control in the imported baseline
- a `set-parameters` array, only if the control has one or more parameters that don't already have their `value` established in the baseline. See Parameter Assignments for more information [link to the Parameters page when ready].
- a `statements` array. The array contains the control responses. See Control Responses for more information [link to the Statements page when ready].
```yaml
system-security-plan:
  control-implementation:
    description: 'This description field is required by OSCAL, but ignored by FedRAMP.'
    implemented-requirements:
      - uuid: 11111111-2222-4000-8000-012000010000
        control-id: ac-1
        set-parameters:
          [content cut]
        statements:
          [content cut]
      - uuid: 11111111-2222-4000-8000-012000010001
        control-id: ac-2
        [content cut]
      - uuid: 11111111-2222-4000-8000-012000010002
        control-id: ac-2.1
        [content cut]
```
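The "exactly one entry per baseline control" rule above is easy to get wrong by hand, so here is an added consistency check (example code, not part of the FedRAMP documentation or tooling) that walks a resolved profile catalog, including nested enhancements, and reports missing, duplicated or out-of-baseline `implemented-requirements` entries, plus `set-parameters` given for parameters the baseline already sets. The catalog and SSP below are constructed stand-ins for the parsed YAML (a real run would load the files with a YAML parser), and the check assumes a baseline parameter that already carries a value shows it under the OSCAL `values` key.

```python
# Constructed stand-ins for the parsed YAML of a resolved profile catalog and
# an SSP (a real run would load the files with a YAML parser); sample data,
# not the FedRAMP files themselves.
BASELINE = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-1", "params": [{"id": "ac-1_prm_1"}]},
    {"id": "ac-2", "params": [{"id": "ac-2_prm_1", "values": ["quarterly"]}],
     "controls": [{"id": "ac-2.1"}]},
]}]}}
SSP = {"system-security-plan": {"control-implementation": {"implemented-requirements": [
    {"uuid": "11111111-2222-4000-8000-012000010000", "control-id": "ac-1",
     "set-parameters": [{"param-id": "ac-1_prm_1", "values": ["the CISO"]}]},
    {"uuid": "11111111-2222-4000-8000-012000010001", "control-id": "ac-2",
     "set-parameters": [{"param-id": "ac-2_prm_1", "values": ["monthly"]}]},
    {"uuid": "11111111-2222-4000-8000-012000010002", "control-id": "ac-2"},
]}}}


def walk_controls(container):
    """Yield (control id, ids of params with no value in the baseline) for every
    control, recursing into groups and nested enhancements (ac-2.1 under ac-2)."""
    for group in container.get("groups", []):
        yield from walk_controls(group)
    for ctl in container.get("controls", []):
        unset = {p["id"] for p in ctl.get("params", []) if not p.get("values")}
        yield ctl["id"], unset
        yield from walk_controls(ctl)


def check_ssp(ssp, baseline):
    """Return sorted findings; an empty list means every baseline control has
    exactly one implemented-requirements entry and set-parameters are legitimate."""
    expected = dict(walk_controls(baseline["catalog"]))
    ci = ssp["system-security-plan"]["control-implementation"]
    findings, seen = [], {}
    for req in ci["implemented-requirements"]:
        cid = req.get("control-id")
        seen[cid] = seen.get(cid, 0) + 1
        if cid not in expected:
            findings.append(f"{cid}: not a control in the imported baseline")
            continue
        for sp in req.get("set-parameters", []):
            if sp["param-id"] not in expected[cid]:
                findings.append(f"{cid}: set-parameters for {sp['param-id']}, "
                                "which the baseline already sets or does not define")
    findings += [f"{c}: {n} implemented-requirements entries (expected exactly 1)"
                 for c, n in seen.items() if n > 1]
    findings += [f"{c}: no implemented-requirements entry" for c in expected if c not in seen]
    return sorted(findings)
```

Running `check_ssp(SSP, BASELINE)` on the sample data reports the missing ac-2.1 entry, the duplicated ac-2 entry, and the ac-2 parameter the baseline had already fixed.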