FedRAMP OSCAL SSP

The following guidelines describe how to apply the OSCAL models, along with some FedRAMP-specific data requirements and extensions, to express a FedRAMP System Security Plan (SSP) in OSCAL. This includes:

• An overview of using the OSCAL SSP model to represent a FedRAMP SSP.
• Guidance on representing FedRAMP SSP template information in OSCAL.
• Information about SSP appendices and attachments, including how to represent some attachment information in the OSCAL SSP.
• Guidance on representing control implementation statements in an OSCAL SSP for FedRAMP.
• Using the OSCAL SSP for generating other content artifacts.

FedRAMP extensions and allowed values are cited in relevant portions of this documentation.