Search Results
103 total results found
Appendices Overview
Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearing in FedRAMP baselines. Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing...
FedRAMP Security Controls
System Components and Inventory
Inventory Approaches
OSCAL makes two approaches available for depicting the system inventory: Flat Approach: Aligns with today's FedRAMP Integrated inventory workbook where all of the information on a spreadsheet row is captured in a single assembly. Normalized Approach: Commo...
Inventory: Flat Approach
The flat approach to inventory is only intended as a starting point for service providers converting from a legacy FedRAMP inventory spreadsheet template. If you are not converting legacy inventory, use the Inventory: Normalized Approach. With the flat approa...
Inventory: Normalized Approach
The normalized approach is preferred. Organizations starting new with no legacy inventory reporting should use this. For organizations converting from a legacy FedRAMP inventory spreadsheet template, consider starting with the Inventory: Flat Approach and migra...
Responsible Roles
Every control should have one or more responsible roles identified. In OSCAL, there are three options for identifying responsible roles: By Control: (Retrofit MVP only) assign responsible roles to the implemented-requirement for the entire control By Compone...
Parameter Assignments
Need rework and to cover aggregated parameters Every applicable control must have at least one responsible-role defined. There must be a separate responsible-role assembly for each responsible role. OSCAL requires the specified role-id to be valid in the defin...
Implementation Status
FedRAMP accepts only one of five values for implementation-status: implemented, partial, planned, alternative, and not-applicable. A control may be marked "partial" and "planned" (using two separate implementation-status fields). All other choices are mut...
Control Origination
FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, customer-configured, customer-provided, and inherited. Hybrid choices are expressed by identifying more than one control-origination, each in a separate prop field. For c...
Control Response Overview
Within the OSCAL-based FedRAMP baselines, control statements and control objectives are tagged with a response-point FedRAMP Extension. Every control statement with a designated response-point in the baseline must have a statement with the control's implement...
Control Response: Policies and Procedures
The first control in each NIST SP 800-53 control family is a policy and procedure control. These are sometimes referred to as "the dash one controls" (AC-1, AT-1, AU-1, etc.). FedRAMP does not permit these controls to be inherited. As a result, every one of the...
Control Responses
Implementation Statements: General Organization: Multi-Part Statements There must be one statement assembly for each lettered part, such as with AC-2, parts a, b, c, etc. Multi-Part Statement Representation <!-- system-implementation --> <control-implementatio...
Control Definitions
Control definitions are imported by an OSCAL SSP and referenced as needed. Importing a Baseline Import the appropriate FedRAMP Baseline, either as an OSCAL profile or as an OSCAL reserved profile catalog. system-security-plan: import-profile: href: https...
Example
Within each of the statement assemblies, all responses appear in one or more by-component assemblies. Each by-component assembly references a component defined in the system-implementation assembly. Representation <system-implementation> <!-- leveraged-au...
Inheritance and Customer Responsibilities
For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritance details as well as customer responsibilities (referred to as consumer responsibilities by NIST). OSCAL is designed to enable leveraged and leveraging system SSP ...
FedRAMP Assessments
Examples
This content uses YAML for examples. All examples are derived from complete example OSCAL content, which is available in all three OSCAL formats and published in the OSCAL Foundation's fedramp-resources GitHub repository: FedRAMP OSCAL Artifact Status ...