Search Results

65 total results found

5. Assignment of Security Responsibility

FedRAMP System Security Plan (SSP) Sections 1 - 11

Information System Security Officer (ISSO) follows the Roles pattern, using the information-system-security-officer role. Defined Identifiers Required Role ID: information-system-security-officer

10. Cryptographic Modules Implemented for DAR and DIT

FedRAMP System Security Plan (SSP) Sections 1 - 11

This is addressed in Appendix Q: Cryptographic Modules.

Required Metadata

Core Requirements

All OSCAL artifacts must have the following content in metadata: title: The artifact's title last-modified: The date/timestamp of the last modification to any content in the artifact. This is a date-time-with-timezone format. version: The version of the cont...

Retrofit Adoption Path

FedRAMP System Security Plan (SSP) Adopting OSCAL for SSP Representation

If you need to convert legacy documentation to OSCAL, follow this path. If you are approaching OSCAL to initially create your system security plan and do not have legacy documentation to convert, follow the Native Adoption Path. Organizations with existing Wor...

SSP Adoption Strategies

FedRAMP System Security Plan (SSP) Adopting OSCAL for SSP Representation

The best way to adopt OSCAL for your system depends on your circumstances. The OSCAL Foundation defines two adoption strategies: Retrofit Adoption Path: Converting Legacy Documentation Native Adoption Path: Creating New Documentation Retrofit Adoption Path ...

Native Adoption Path

FedRAMP System Security Plan (SSP) Adopting OSCAL for SSP Representation

If you are approaching OSCAL to initially create your system security plan and do not have legacy documentation to convert, follow this path. If you need to convert legacy documentation to OSCAL, follow the Retrofit Adoption Path. The FedRAMP PMO prefers new s...

Components

System Security Plans

OSCAL components are the backbone of an OSCAL System Security Plan (SSP), enabling data normalization of inventory, control responses and other key concepts. Create an SSP component: to normalize inventory data Example: instead of listing the same OS and its ...

Appendix A: FedRAMP Security Controls

FedRAMP System Security Plan (SSP) Appendices A - Q

See the FedRAMP Security Controls chapter.

Appendix B: Related Acronyms

FedRAMP System Security Plan (SSP) Appendices A - Q

There is no OSCAL construct for representing an acronyms list. Attach a document (e.g., Word, Excel, PDF) with acronyms using a back-matter, resources entry. See Attachments for details.

Appendix C: Security Policies and Procedures

FedRAMP System Security Plan (SSP) Appendices A - Q

See Control Response: Policies and Procedures.

Appendix D: User Guide

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The SA-5 (id=sa-5) control should have links entries to the user guide This is not normalized a...

Appendix F: Rules of Behavior (RoB)

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The PL-4 (id=pl-4) control should have links entries to the RoB This is not normalized and is o...

Appendix G: Information System Contingency Plan (ISCP)

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CP-2 (id=cp-2) control should have links entries to the RoB This is not normalized and is o...

Appendix H: Configuration Management Plan (CMP)

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CM-9 (id=cm-9) control should have links entries to the RoB This is not normalized and is o...

Appendix I: Incident Response Plan (IRP)

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The IR-8 (id=ir-8) control should have links entries to the RoB This is not normalized and is o...

Appendix N: Continuous Monitoring Plan

FedRAMP System Security Plan (SSP) Appendices A - Q

This needs work that may have been completed elsewhere and needs to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CA-7 (id=ca-7) control should have links entries to the RoB This is not normalized and is o...

Appendix J: CIS and CRM Workbook

FedRAMP System Security Plan (SSP) Appendices A - Q

The FedRAMP Control Information Summary (CIS) and Customer Responsibility Matrix (CRM) are derived directly from the OSCAL control responses. There is no need to maintain a separate CIS/CRM artifact; however, this information must be properly represented in th...

Appendix L: CSO-Specific Required Laws and Regulations

FedRAMP System Security Plan (SSP) Appendices A - Q

Needs Work Content cleanup YAML Example For MVP: attach a Word or PDF document enumerating the applicable laws and regulations. For Normalized: Provide one back-matter/resources entry per applicable law or regulation that includes: a title with the tit...