Search Results
107 total results found
Appendices Overview
Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearing in FedRAMP baselines. Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing...
FedRAMP Security Controls
System Components and Inventory
Inventory Approaches
OSCAL makes two approaches available for depicting the system inventory: Flat Approach: Aligns with today's FedRAMP Integrated inventory workbook where all of the information on a spreadsheet row is captured in a single assembly. Normalized Approach: Commo...
Inventory: Flat Approach
The flat approach to inventory is only intended as a starting point for service providers converting from a legacy FedRAMP inventory spreadsheet template. If you are not converting legacy inventory, use the Inventory: Normalized Approach. With the flat approa...
Inventory: Normalized Approach
The normalized approach is preferred. Organizations starting new with no legacy inventory reporting should use this. For organizations converting from a legacy FedRAMP inventory spreadsheet template, consider starting with the Inventory: Flat Approach and migra...
Responsible Roles
Every control should have one or more responsible roles identified. In OSCAL, there are three possible sources for responsible roles: By Control: (Retrofit MVP only) assign responsible roles to the implemented-requirement for the entire control By Component ...
Parameter Assignments
Representation If a FedRAMP control has one or more parameters, add a set-parameters array within an implemented-requirements entry. There must be one set-parameters entry for each parameter in the control as follows: a param-id set to the parameter value fr...
Implementation Status
FedRAMP accepts only one of five values for implementation-status: implemented, partial, planned, alternative, and not-applicable. A control may be marked "partial" and "planned" (using two separate implementation-status fields). All other choices are mut...
Control Origination
FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, customer-configured, customer-provided, and inherited. Hybrid choices are expressed by identifying more than one control-origination, each in a separate prop field. For c...
Responding By Component
OSCAL SSPs represent control responses in control-implementation / implemented-requirements / statements. See Control Implementation Statements to understand how to associate control responses with specific baseline controls and control statements. Within sta...
Control Response: Policies, Procedures, Plans, RoB, and Guides
Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 controls. With an OSCAL SSP, the attachment is linked directly from the control. This is how tools know which attachment satisfies each requirement. Control ID Artifa...
Control Implementation Statements
Typically, the controls in the FedRAMP baselines have lettered parts (a., b., etc.). A few only have a top-level statement with no parts. Current FedRAMP templates expect responses at the lettered part level when present and at the top-level otherwise. OSCAL S...
Responding to Control Baselines
OSCAL references controls in baselines and catalogs. The statements are not duplicated into an OSCAL SSP the way they are with a Word SSP. Control baseline requirements are imported by an OSCAL SSP and referenced as needed. Importing a Baseline Import the appr...
Inheritance and Customer Responsibilities
For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritance details as well as customer responsibilities (referred to as consumer responsibilities by NIST). OSCAL is designed to enable leveraged and leveraging system SSP ...
FedRAMP Assessments
Examples
This content uses YAML for examples. All examples are derived from complete example OSCAL content, which is available in all three OSCAL formats and published in the OSCAL Foundation's fedramp-resources GitHub repository: FedRAMP OSCAL Artifact Status ...