{"id":"9f9b9f21-07bd-4833-9d81-ad45d2366a43","task":"Author and evaluate OSCAL system security plan components to document security control implementation","domain":"pages.nist.gov/OSCAL","steps":["Understand the OSCAL hierarchy: a System Security Plan (SSP) imports a `profile` (the control baseline) via `import-profile`, describes the system in `system-characteristics`, lists the things that implement controls in `system-implementation` (`users` and `components`), and records per-control claims in `control-implementation` as `implemented-requirements`, each keyed by a `control-id` from the baseline","Scaffold a minimal OSCAL SSP in JSON following the NIST OSCAL SSP model: `metadata` (title, last-modified, version, oscal-version), `import-profile` with an `href` pointing at e.g. the NIST SP 800-53 Rev 5 LOW baseline profile, the required `system-characteristics` fields (system ids, name, description, sensitivity level, impact level, status, authorization boundary), and `system-implementation` with `users` and `components`, every component carrying its own `uuid`","For each relevant control (e.g. `si-2`, Flaw Remediation; OSCAL control ids are lowercase), add an `implemented-requirement` with that `control-id` and a `by-components` entry whose `component-uuid` points at the responsible component (e.g. your CI pipeline) and whose `description` states concretely how that component satisfies the control","Validate the document with the OSCAL CLI, which takes the file as a positional argument: `oscal-cli ssp validate ssp.json` (the format is inferred from the extension, or forced with `--as=json`)","Hand the SSP to your GRC tool in whichever OSCAL serialization it ingests, converting if needed with `oscal-cli ssp convert --to=yaml ssp.json` (or `--to=xml`); the CLI converts between the three OSCAL serializations and validates, so producing a human-readable SSP document is a separate rendering tool's job"],"gotchas":["OSCAL UUIDs are required on the SSP root and on most assemblies (components, users, implemented requirements, by-components, statements) and must be stable across revisions; regenerating them on every export breaks diff-based change tracking in GRC tools, so derive them deterministically (e.g. UUIDv5 from a fixed namespace and a logical key) rather than minting random ones each time","Schema and constraint validation of an SSP does not check that its `control-id` values actually exist in the imported baseline; resolve the profile first with `oscal-cli profile resolve --to=json profile.json` and cross-check the SSP against the resolved catalog, which also avoids having to fetch a remote profile URL from an air-gapped environment","OSCAL is a documentation framework, not an enforcement mechanism; auditors will still require evidence (logs, screenshots, test results) linked from the SSP's `remarks` or `links` to substantiate each implemented-requirement's claims"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/9f9b9f21-07bd-4833-9d81-ad45d2366a43"}
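The steps above as one worked example, added here and not part of the original record or of the NIST OSCAL project: it scaffolds a minimal SSP in the OSCAL 1.1 JSON shape, derives every UUID deterministically from a fixed namespace so re-exports do not churn identifiers, links an `si-2` implemented requirement to a CI-pipeline component through `by-components`, and performs the cross-reference check that schema validation alone does not (unknown `component-uuid`, `control-id` missing from the resolved baseline). The namespace UUID, system name, profile URL, timestamp and the baseline control-id set are constructed assumptions; run the real `oscal-cli ssp validate` on the output for schema and constraint validation.

```python
"""Minimal OSCAL SSP scaffold with stable UUIDs and a baseline cross-check.

Constructed example. Field names follow the OSCAL 1.1 SSP JSON model; the
namespace UUID, system name, profile href, timestamp and baseline set are
assumptions made for the example.
"""
import json
import uuid

# Assumed: one fixed namespace per SSP, so uuid5 returns the same UUID for the
# same logical object on every export (random UUIDs break GRC diff tracking).
SSP_NAMESPACE = uuid.UUID("2f1c7b3e-5d4a-4a7e-9c1a-0b8d3e6f1a2b")  # constructed


def stable_uuid(key: str) -> str:
    """Deterministic UUIDv5 for a logical key such as 'component:ci-pipeline'."""
    return str(uuid.uuid5(SSP_NAMESPACE, key))


def build_ssp(system_name: str, profile_href: str, oscal_version: str = "1.1.2") -> dict:
    """Scaffold the required top-level assemblies; components are added later."""
    return {
        "system-security-plan": {
            "uuid": stable_uuid(f"ssp:{system_name}"),
            "metadata": {
                "title": f"{system_name} System Security Plan",
                "last-modified": "2026-01-01T00:00:00Z",  # constructed
                "version": "1.0",
                "oscal-version": oscal_version,
            },
            "import-profile": {"href": profile_href},
            "system-characteristics": {
                "system-ids": [{"id": stable_uuid(f"system:{system_name}")}],
                "system-name": system_name,
                "description": f"Constructed description of {system_name}.",
                "security-sensitivity-level": "low",
                "system-information": {
                    "information-types": [
                        {"title": "Build metadata", "description": "Constructed information type."}
                    ]
                },
                "security-impact-level": {
                    "security-objective-confidentiality": "low",
                    "security-objective-integrity": "low",
                    "security-objective-availability": "low",
                },
                "status": {"state": "operational"},
                "authorization-boundary": {"description": "Constructed boundary description."},
            },
            "system-implementation": {
                "users": [{"uuid": stable_uuid("user:system-owner"), "title": "System owner"}],
                "components": [],
            },
            "control-implementation": {
                "description": "How the baseline controls are implemented by the components below.",
                "implemented-requirements": [],
            },
        }
    }


def add_component(ssp: dict, key: str, title: str, description: str, comp_type: str = "software") -> str:
    """Declare a component and return its (stable) UUID for later by-components links."""
    comp = {
        "uuid": stable_uuid(f"component:{key}"),
        "type": comp_type,
        "title": title,
        "description": description,
        "status": {"state": "operational"},
    }
    ssp["system-security-plan"]["system-implementation"]["components"].append(comp)
    return comp["uuid"]


def add_implemented_requirement(ssp: dict, control_id: str, component_uuid: str, description: str) -> str:
    """Record that control_id (lowercase OSCAL id, e.g. 'si-2') is satisfied by one component."""
    req = {
        "uuid": stable_uuid(f"implemented-requirement:{control_id}"),
        "control-id": control_id,
        "by-components": [
            {
                "component-uuid": component_uuid,
                "uuid": stable_uuid(f"by-component:{control_id}:{component_uuid}"),
                "description": description,
            }
        ],
    }
    ssp["system-security-plan"]["control-implementation"]["implemented-requirements"].append(req)
    return req["uuid"]


def check_references(ssp: dict, baseline_control_ids: set) -> list:
    """Checks schema validation does not perform: every component-uuid must name a
    declared component and every control-id must exist in the resolved baseline."""
    root = ssp["system-security-plan"]
    known = {c["uuid"] for c in root["system-implementation"]["components"]}
    problems = []
    for req in root["control-implementation"]["implemented-requirements"]:
        if req["control-id"] not in baseline_control_ids:
            problems.append(f"{req['control-id']}: not in the resolved baseline")
        for bc in req.get("by-components", []):
            if bc["component-uuid"] not in known:
                problems.append(f"{req['control-id']}: unknown component {bc['component-uuid']}")
    return problems


if __name__ == "__main__":
    baseline = {"ac-2", "cm-6", "si-2", "si-3"}  # constructed stand-in for a resolved LOW baseline
    ssp = build_ssp("Example Build Service", "https://example.invalid/profiles/low.json")
    ci = add_component(ssp, "ci-pipeline", "CI pipeline", "Builds, scans and redeploys service images.")
    add_implemented_requirement(ssp, "si-2", ci,
                                "Dependency updates are rebuilt and deployed by the pipeline within 30 days.")
    print(json.dumps(ssp, indent=2))
    print("problems:", check_references(ssp, baseline))
```

Feed the printed JSON to `oscal-cli ssp validate` for schema and constraint checks; `check_references` covers only the two cross-references that pass schema validation unnoticed, with the baseline id set taken from a profile you have resolved locally.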