Identify the FedRAMP baseline applicable to your system (Low, Moderate, or High) and download the corresponding control spreadsheet or OSCAL-formatted template from FedRAMP.gov
For each control, determine whether the implementation status is Implemented, Partially Implemented, Planned, Alternative Implementation, Not Applicable, or Not Implemented
Collect evidence artifacts: configuration screenshots, audit log exports, scan results, and policy documents; tag each artifact with the control ID(s) it satisfies
Use OSCAL (Open Security Controls Assessment Language) to represent the SSP in machine-readable format; NIST provides schemas and validation tools, and FedRAMP provides OSCAL constraints
Automate evidence export from cloud providers (AWS Config, GCP Security Command Center, Azure Policy compliance reports) on a schedule and map each finding to the NIST SP 800-53 control family it supports, so that the evidence set stays current and traceable
Review the assembled SSP with your Authorized Third-Party Assessment Organization (3PAO) before submission; ensure continuous monitoring deliverables (monthly and annual) align with the ATO boundary
Known gotchas
FedRAMP control tailoring (parameter values and organization-defined parameters) must be completed for each control; leaving parameters as placeholders is a common deficiency in initial submissions
Evidence timestamps matter; screenshots or log exports older than the evidence collection window specified in the SSP may be rejected by the 3PAO or FedRAMP PMO
OSCAL validation is required for digital submissions as of recent FedRAMP guidance; validate your OSCAL SSP against the FedRAMP-specific constraints (not just NIST baseline schemas) before submission
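A pre-submission check that exercises the steps above and the three gotchas in one pass, added here as an example and not code from FedRAMP, NIST or the route author. It assumes a deliberately simplified, OSCAL-inspired JSON layout (a `controls` list with `control_id`, `status`, `parameters` and `evidence`), not the real OSCAL SSP schema, so real documents still go through NIST's schema validation and the FedRAMP constraints. The rule-to-control table, the placeholder patterns and all sample data are constructed for the demonstration.

```python
"""Pre-submission checks for an SSP evidence bundle (added example, not FedRAMP/NIST code).

Input is a simplified, OSCAL-inspired dict (NOT the real OSCAL SSP schema):
  {"controls": [{"control_id": "ac-2", "status": "implemented",
                 "parameters": {"ac-2_prm_1": "quarterly"},
                 "evidence": [{"path": "...", "collected": "YYYY-MM-DD"}]}]}
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Implementation statuses from step 2, normalised to lowercase-hyphenated.
VALID_STATUSES = {"implemented", "partially-implemented", "planned",
                  "alternative-implementation", "not-applicable", "not-implemented"}
# Statuses for which an assessor will expect supporting evidence.
NEEDS_EVIDENCE = {"implemented", "partially-implemented", "alternative-implementation"}
# Markers that an organization-defined parameter was never filled in (assumed convention).
PLACEHOLDER_RE = re.compile(r"^\s*$|\[assignment:|\[selection:|\bTBD\b|\bTODO\b", re.IGNORECASE)
# Constructed mapping from cloud compliance rule names to 800-53 control ids; a real
# deployment maintains this table from the provider's own control documentation.
RULE_TO_CONTROLS = {
    "s3-bucket-public-read-prohibited": ["ac-3", "sc-7"],
    "cloudtrail-enabled": ["au-2", "au-12"],
    "iam-password-policy": ["ia-5"],
}


def control_family(control_id: str) -> str:
    """'ac-2' -> 'AC', 'sc-7(3)' -> 'SC': the 800-53 family is the two-letter prefix."""
    m = re.match(r"([a-z]{2})-\d+", control_id.lower())
    if not m:
        raise ValueError(f"not an 800-53 control id: {control_id!r}")
    return m.group(1).upper()


def check_ssp(ssp: dict, as_of: date, evidence_window_days: int) -> list[str]:
    """Return human-readable deficiencies; an empty list means the bundle passed."""
    findings: list[str] = []
    cutoff = as_of - timedelta(days=evidence_window_days)
    for ctl in ssp["controls"]:
        cid = ctl["control_id"]
        status = str(ctl.get("status", "")).strip().lower().replace(" ", "-")
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: unknown implementation status {ctl.get('status')!r}")
        for pid, value in ctl.get("parameters", {}).items():  # gotcha 1: unfilled ODPs
            if PLACEHOLDER_RE.search(str(value)):
                findings.append(f"{cid}: parameter {pid} still a placeholder ({value!r})")
        evidence = ctl.get("evidence", [])
        if status in NEEDS_EVIDENCE and not evidence:
            findings.append(f"{cid}: status {status} but no evidence artifact attached")
        for ev in evidence:  # gotcha 2: stale artifacts
            collected = date.fromisoformat(ev["collected"])
            if collected < cutoff:
                findings.append(f"{cid}: evidence {ev['path']} collected {collected} is outside "
                                f"the {evidence_window_days}-day collection window")
    return findings


def map_cloud_findings(cloud_findings: list[dict]) -> tuple[dict, list[str]]:
    """Group NON_COMPLIANT cloud findings as {family: {control_id: [resources]}}.
    Rules with no mapping are returned separately so they are not silently dropped."""
    by_family: dict[str, dict[str, list[str]]] = {}
    unmapped: list[str] = []
    for f in cloud_findings:
        if f.get("result") != "NON_COMPLIANT":
            continue
        controls = RULE_TO_CONTROLS.get(f["rule"])
        if not controls:
            unmapped.append(f["rule"])
            continue
        for ctl in controls:
            by_family.setdefault(control_family(ctl), {}).setdefault(ctl, []).append(f["resource"])
    return by_family, unmapped


# Constructed sample bundle, cloud findings and review date for a dry run.
SAMPLE_AS_OF = date(2024, 6, 1)
SAMPLE_SSP = {"controls": [
    {"control_id": "ac-2", "status": "Implemented", "parameters": {"ac-2_prm_1": "quarterly"},
     "evidence": [{"path": "evidence/ac-2/iam-review.png", "collected": "2024-05-01"}]},
    {"control_id": "au-11", "status": "implemented",
     "parameters": {"au-11_prm_1": "[Assignment: organization-defined time period]"},
     "evidence": [{"path": "evidence/au-11/retention.csv", "collected": "2024-01-15"}]},
    {"control_id": "sc-7", "status": "Partial", "parameters": {}, "evidence": []},
    {"control_id": "ia-5", "status": "implemented", "parameters": {"ia-5_prm_1": "TBD"}, "evidence": []},
]}
SAMPLE_CLOUD_FINDINGS = [
    {"rule": "s3-bucket-public-read-prohibited", "resource": "arn:aws:s3:::example-bucket", "result": "NON_COMPLIANT"},
    {"rule": "cloudtrail-enabled", "resource": "123456789012", "result": "NON_COMPLIANT"},
    {"rule": "iam-password-policy", "resource": "123456789012", "result": "COMPLIANT"},
    {"rule": "unknown-rule", "resource": "x", "result": "NON_COMPLIANT"},
]

if __name__ == "__main__":
    for line in check_ssp(SAMPLE_SSP, SAMPLE_AS_OF, 90):
        print("DEFICIENCY", line)
    families, unmapped = map_cloud_findings(SAMPLE_CLOUD_FINDINGS)
    for fam, ctls in sorted(families.items()):
        print(fam, ctls)
    print("unmapped rules:", unmapped)
```

Run it as a pre-flight step before the 3PAO review in step 6: the deficiency list points at exactly the controls whose parameters or evidence would be flagged, and the unmapped-rule list shows where the cloud export has outgrown the control mapping table.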
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp