Search Results
63 total results found
Implementation Status
FedRAMP accepts only one of five values for implementation-status: implemented, partial, planned, alternative, and not-applicable. A control may be marked "partial" and "planned" (using two separate implementation-status fields). All other choices are mut...
Control Origination
FedRAMP accepts only one of five values for control-origination: sp-corporate, sp-system, customer-configured, customer-provided, and inherited. Hybrid choices are expressed by identifying more than one control-origination, each in a separate prop field. For c...
Control Response Overview
Within the OSCAL-based FedRAMP baselines, control statements and control objectives are tagged with a response-point FedRAMP Extension. Every control statement with a designated response-point in the baseline must have a statement with the control's implement...
Control Response: Policies and Procedures
The first control in each NIST SP 800-53 control family is a policy and procedure control. These are sometimes referred to as "the dash one controls" (AC-1, AT-1, AU-1, etc.). FedRAMP does not permit these controls to be inherited. As a result, every one of the...
Control Responses
Implementation Statements: General Organization: Multi-Part Statements There must be one statement assembly for each lettered part, such as with AC-2, parts a, b, c, etc. Multi-Part Statement Representation <!-- system-implementation --> <control-implementatio...
Control Definitions
Control definitions are imported by an OSCAL SSP and referenced as needed. Importing a Baseline Import the appropriate FedRAMP Baseline, either as an OSCAL profile or as an OSCAL reserved profile catalog. system-security-plan: import-profile: href: https...
Example
Within each of the statement assemblies, all responses appear in one or more by-component assemblies. Each by-component assembly references a component defined in the system-implementation assembly. Representation <system-implementation> <!-- leveraged-au...
Inheritance and Customer Responsibilities
For systems that may be leveraged, OSCAL enables a robust mechanism for providing both inheritance details and customer responsibilities (referred to as consumer responsibilities by NIST). OSCAL is designed to enable leveraged and leveraging system SSP ...
Examples
This content uses YAML for examples. All examples are derived from complete example OSCAL content, which is available in all three OSCAL formats and published in the OSCAL Foundation's fedramp-resources GitHub repository: FedRAMP OSCAL Artifact Status ...
11. Separation of Duties Matrix
Milestones, Approach and Status
The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work: Milestones Phase 0 Establish Resources and Form Team [Complete] Phase 1 MVP FedRAMP...
Title Page
The SSP title page follows the Title Pages pattern.
Required Root Information
Core OSCAL requires some content to be present in all OSCAL artifacts. This is critical to consistent processing. Root Element and Root-Level Universally Unique Identifier The root element must be one of the case-sensitive OSCAL model names: catalog profile mapp...
System Status
FedRAMP no longer includes System Status in the SSP template; however, core OSCAL requires the system status to be identified. The system status is represented in system-characteristics. A status entry that includes: state field set to one of the allowed val...
Roles
Every FedRAMP assessment package must identify the party (individual, team or organization) responsible for pre-defined roles, such as system owner and information system security officer (ISSO). Representing this information in OSCAL requires four important e...
Attachments
Attachments All OSCAL models handle attachments the same way. The following is used to attach files to OSCAL-based FedRAMP artifacts, such as when attaching policies and plans to a System Security Plan (SSP) or evidence to a Security Assessment Report (SAR). I...
1. Introduction
This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL content.
2. Purpose
This entire chapter is FedRAMP PMO boilerplate and does not need to be represented in OSCAL content.