Understand the OSCAL hierarchy: a System Security Plan (SSP) references a `profile` (control baseline), contains `system-characteristics`, and documents `control-implementation` statements per implemented control
Scaffold a minimal OSCAL SSP in JSON using the NIST OSCAL schema, populating `metadata`, `import-profile` pointing to e.g. NIST SP 800-53 rev5 LOW baseline, and `system-implementation` with `components`
For each relevant control (e.g., SI-2 Flaw Remediation), add an `implemented-requirement` entry linking it to a component (e.g., your CI pipeline) with a `description` of how it is satisfied
Validate the document with the OSCAL CLI: `oscal-cli ssp validate --file ssp.json`
Export the SSP to your GRC tool (if supported) or render it to human-readable format with `oscal-cli ssp render --file ssp.json --to markdown`
Known gotchas
OSCAL UUIDs are required on nearly every element and must be stable across revisions; regenerating UUIDs on every export breaks diff-based change tracking in GRC tools
Control baseline profiles must be resolved before SSPs referencing them can be validated; use `oscal-cli profile resolve` to produce a resolved catalog rather than referencing a remote profile URL from an air-gapped environment
OSCAL is a documentation framework, not an enforcement mechanism; auditors will still require evidence (logs, screenshots, test results) linked from the SSP's `remarks` or `links` to substantiate control implementation claims
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp