Advanced Search
Search Results
107 total results found
Appendix M: Integrated Inventory Workbook
See Inventory Approaches for guidance.
Appendix O: POA&M
See the FedRAMP POA&M book.
Appendix P: Supply Chain Risk Management Plan (SCRMP)
This needs work that may have been completed elsewhere and nees to be moved into here. This needs MVP and Normalized content examples MVP Key Points Include: The SR-2 (id=sr-2 control should have links entries to the user guide This is not normalized a...
Control Response: Approaches
OSCAL offers a great deal of flexibility for controls responses. To balance consistency, interoperability and ease of adoption, the OSCAL Foundation recommends two approaches: Flat Approach: Aligns with FedRAMP's SSP Word template where control responses are ...
Control Response: Normalized Approach
The normalized approach is prefered. Organizations starting new with no legacy SSP content should use this. For organizations converting from a legacy FedRAMP SSP Word template, consider starting with the Control Response: Flat Approach and migrating to the no...
Control Response: Flat Approach
The flat approach to control responses is only intended as a starting point for service providers converting from a legacy FedRAMP SSP Word template. If you are not converting a legacy SSP, use the Control Response: Normalized Approach. With the flat approach...
Welcome
The goal of the OSCAL Patterns Library is to maximize interoperability across OSCAL tools. The library accomplishes this by defining the recommended OSCAL representation for specific use cases. Recommendations are based on the consensus of participating Founda...
Overview
This includes overview topics of the OSCAL Foundation Patterns Library
Validating FedRAMP Content with OSCAL CLI
Get Started The oscal-cli is an open source command-line utility designed to help developers and security professionals interact with OSCAL. To get started, follow the installation instructions from the OSCAL-CLI GitHub "README" page. Once installed, you can u...
Validating Content
The adoption of standardized, machine-readable security data requires a rigorous approach to ensuring data integrity across various layers of complexity. By implementing a systematic validation framework, organizations can transition from manual document revie...
Reports
Comments Summary
:root { --accent: #2d6be4; --accent-dim: #e8effe; --border: #dde1e9; --surface2: #f0f2f5; --muted: #6b7280; --tag-open: #16a34a; --tag-arc: #92400e; --radius: 6px; --mono: "JetBrains Mono", "Fira Mono", monospace; } .cr-meta { font-size: .8rem; color: var(--mu...
Parties and Locations
Individuals, teams, corporations and government agencies are represented in OSCAL metadata using the parties array. Location information can be included within a party's information or defined separately for sharing. Locations Define a common location to be as...
Citing Control Statements
OSCAL SSPs cite OSCAL baseline statement identifiers when representing control implementation responses. Citing the identifiers correctly is critical to machine processing. Within OSCAL baselines, identifiers are assigned to statement parts and item parts for ...
FedRAMP 20x
Metaschema Authoring Principles
The original OSCAL Technical Team had normalized on several guiding principles for authoring metaschema content that were not captured. Going forward, as topics come up, they will be added here as suggested principles and/or to capture historic guiding princip...
Defining Allowed Values
This page is still under development. The <allowed-values> assembly provides a consistent and unambiguous list of machine-readable tokens to be used as data for an identified OSCAL field or flag values. Human readability is coincidental and not their intended...