# Responsible Roles
Every control should have one or more responsible roles identified.
[](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-r5-control.png)
In OSCAL, there are three possible sources for responsible roles:
- **By Control**: (Retrofit MVP only) assign responsible roles to the `implemented-requirement` for the entire control
- **By Component (Implied)**: infer responsible roles from the components cited in the `by-component` array
- **By Component (Explicit)**: assign responsible roles to the `statement`/`by-component` array
### Retrofit Adoption Path: MVP
When initially converting a Word-based FedRAMP SSP to OSCAL, assign all roles _by control_ to the `implemented-requirements`/`responsible-roles` array. This aligns with the FedRAMP Word-based SSP template.
As the SSP is migrated to a normalized approach using components, the assignment of roles is moved from the entire control to statement-level, component responses.
With fully normalized OSCAL content, responsible roles are inferred via the components associated with a control via `statements`/`by-components`. Each assocaited component SHOULD have `owner` and `administrator` responsible roles and linked to specific parties (teams or individuals).
If additional roles need to be cited, they are explicilty assigned to `by-components`/`responsible-roles`. If an explicitly needed role does not associate cleanly to a specific component, it is assigned to the `by-components`/`responsible-roles` entry for _this system_ (component `type`=`this-system`).
# WORKING HERE
##### Representation
```yaml
```
---