Search Results

UTF-8 Character Encoding OSCAL uses UTF-8 character encoding. JSON and YAML files are always UTF-8 character encoded, but XML files must include an explicit UTF-8 encoding. Other encodings are not allowed and could create unpredictable results in OSCAL tools. ...

The best way to adopt OSCAL for your system depends on your circumstances. The OSCAL Foundation defines two adoption strategies: Retrofit Adoption Path: Converting Legacy Documentation Native Adoption Path: Creating New Documentation Retrofit Adoption Path ...

If you are approaching OSCAL to intially create your system security plan and do not have legacy documentation to convert, follow this path. If you need to convert legacy documentation to OSCAL, follow the Retrofit Adoption Path. The FedRAMP PMO prefers new s...

Document Revision History The OSCAL revision history requires one FedRAMP extension to meet FedRAMP’s revision history requirements. The revision history’s author information is derived from FedRAMP’s party-uuid flag, which points to a metadata party UUID valu...

OSCAL component are the backbone of an OSCAL System Security Plan (SSP), enabling data normalization of inventory, control responses and other key concepts. Create an SSP component: to normalize inventory data Example: instead of listing the same OS and its ...

Validating OSCAL content is a tiered process that ensures data integrity from basic file structure to complex compliance requirements. For organizations following the Retrofit FedRAMP adoption path, validation requirements evolve as you move from initial MVP s...

See the FedRAMP Security Controls chapter.

There is no OSCAL construct for representing an acronyms list. Attach a document (e.g., Word, Excel, PDF) with acronyms using a back-matter, resources entry. See Attachments for details.

See Control Response: Policies and Procedures.

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The SA-5 (id=sa-5 control should have links entries to the user guide This is not normalized a...

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The PL-4 (id=pl-4 control should have links entries to the RoB This is not normalized and is o...

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CP-2 (id=cp-2 control should have links entries to the RoB This is not normalized and is o...

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CM-9 (id=cm-9 control should have links entries to the RoB This is not normalized and is o...

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The IR-8 (id=ir-8 control should have links entries to the RoB This is not normalized and is o...

This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The CA-7 (id=ca-7 control should have links entries to the RoB This is not normalized and is o...

The FedRAMP Control Information Summary (CIS) and Customer Responsibility Matrix (CRM) are derived directly from the OSCAL control responses. There is no need to maintain a separate CIS/CRM artifact; however, this information must be properly represented in th...

Needs Work Content cleanup YAML Example For MVP: attach a Word or PDF document enumerating the applicable laws and regulations. For Normalized: Provide one back-matter/resources entry per applicable law or regulation that includes: a title with the tit...