Select the control catalog (for example NIST SP 800-53 Rev. 5) and the OSCAL profile that tailors it into your baseline (an 800-53B Low/Moderate/High baseline, a FedRAMP profile, or your own); the system security plan imports the profile, not the raw catalog
Create an OSCAL component-definition document that describes each software or service component; each component's control-implementations section names the catalog or profile it implements against (source) and lists the implemented-requirements (control IDs) that component satisfies
Create an OSCAL system-security-plan document whose import-profile points at the chosen profile; describe the system boundary, information types and data flows in system-characteristics, and declare the components, users and responsible roles in system-implementation, keeping the component UUIDs identical to those in the component definitions so the two documents can be cross-checked
For each control in the imported profile, add an implemented-requirement carrying the control-id and, under by-components, one entry per component (its component-uuid plus a description of how that component satisfies the control or the specific statement it covers)
Validate both documents against the OSCAL JSON or XML schema using the official OSCAL tools (NIST's oscal-cli); note that schema validation checks structure only, so UUID and control-ID cross-references still need a separate check
Commit the OSCAL documents to version control, serialized with a stable key order and indentation, so that changes to the security posture are tracked and reviewed alongside code
Known gotchas
Element UUIDs (components, users, implemented-requirements, by-components, parties) must be stable across exports and unique across documents; only the document-level uuid is expected to change when a document is revised. Regenerating element UUIDs on every export breaks cross-document references and makes diff-based review impossible; derive them from a stable logical key (UUIDv5) or persist the ones you generate
Each implemented-requirement's control-id must be a control selected by the declared import profile. Schema validation does not catch a misspelled or missing control ID, because control-id is just a token: the document passes the schema, and the mistake surfaces only when a tool resolves the profile or runs constraint checks, if it surfaces at all. Add an explicit cross-reference check to your pipeline
OSCAL documents grow very large for complex systems. Keep component definitions in separate files, combine them with the component-definition import-component-definitions mechanism, and generate the SSP's components and by-component statements from them, rather than hand-maintaining everything in a single SSP file
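The procedure above and the three gotchas, worked as one added Python example (not NIST's oscal-cli or any project's code). It builds a minimal component definition and SSP with UUIDv5 element identifiers derived from a stable key, serializes them with a fixed key order for clean diffs, and runs the cross-reference checks a schema validator will not do: that every control-id is selected by the imported profile and that every by-component points at a component declared in the SSP and backed by a component definition. The catalog and profile paths, the organisation namespace, the component, and the profile's control set are constructed stand-ins; the field names follow the OSCAL 1.1 JSON layout, but the documents are deliberately minimal and omit fields the schema requires, so they must still go through the official validator.

```python
"""Added example (not NIST oscal-cli or any project's code): build a minimal
OSCAL component definition and SSP with stable element UUIDs, then run the
cross-reference checks that schema validation does not perform. Paths, titles
and the profile's control set are constructed stand-ins, not real artifacts."""
import json
import uuid

# Assumption: one fixed namespace per organisation, so re-exporting the same
# logical object always yields the same UUIDv5 (stable across exports/diffs).
ORG_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.org/oscal")
# Constructed stand-in for the control IDs selected by the imported profile.
PROFILE_CONTROL_IDS = {"ac-2", "ac-3", "au-2", "ia-2", "sc-8"}
PROFILE_HREF = "profiles/example-moderate_profile.json"     # placeholder path
CATALOG_HREF = "catalogs/NIST_SP-800-53_rev5_catalog.json"  # placeholder path
META = {"last-modified": "2024-01-01T00:00:00Z", "version": "1.0",
        "oscal-version": "1.1.2"}


def stable_uuid(*key):
    """Element UUID derived from a logical key, never regenerated per export."""
    return str(uuid.uuid5(ORG_NAMESPACE, "/".join(key)))


def build_component_definition():
    """One service component mapped to the catalog controls it satisfies."""
    return {"component-definition": {
        "uuid": str(uuid.uuid4()),  # document-level uuid changes per revision
        "metadata": {"title": "auth-service components", **META},
        "components": [{
            "uuid": stable_uuid("component", "auth-service"),
            "type": "service", "title": "auth-service",
            "description": "Constructed example authentication service.",
            "control-implementations": [{
                "uuid": stable_uuid("ci", "auth-service", "800-53r5"),
                "source": CATALOG_HREF,
                "description": "Controls auth-service satisfies.",
                "implemented-requirements": [
                    {"uuid": stable_uuid("ir", "auth-service", cid),
                     "control-id": cid,
                     "description": f"auth-service implements {cid}."}
                    for cid in ("ia-2", "ac-3")]}]}]}}


def build_ssp(compdef, by_component):
    """by_component: list of (control-id, component-uuid, statement text).
    Minimal on purpose; the SSP schema requires more fields than shown."""
    comps = compdef["component-definition"]["components"]
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Example System SSP", **META,
                     "roles": [{"id": "isso", "title": "ISSO"}]},
        "import-profile": {"href": PROFILE_HREF},
        "system-characteristics": {
            "system-ids": [{"id": "example-sys-001"}],
            "system-name": "Example System",
            "description": "Boundary: prod VPC. Data flow: client -> auth-service.",
            "status": {"state": "operational"}},
        "system-implementation": {
            "users": [{"uuid": stable_uuid("user", "isso"), "title": "ISSO",
                       "role-ids": ["isso"]}],
            # Same component UUIDs as the component definition, so the two
            # documents can be cross-checked.
            "components": [{"uuid": c["uuid"], "type": c["type"],
                            "title": c["title"], "description": c["description"],
                            "status": {"state": "operational"}} for c in comps]},
        "control-implementation": {
            "description": "Per-control statements by component.",
            "implemented-requirements": [{
                "uuid": stable_uuid("ssp-ir", cid), "control-id": cid,
                "by-components": [{"uuid": stable_uuid("bc", cid, cu),
                                   "component-uuid": cu, "description": text}]}
                for cid, cu, text in by_component]}}}


def check_references(ssp, compdef, profile_ids=PROFILE_CONTROL_IDS):
    """Referential checks a JSON/XML schema validator will not do; [] when clean."""
    plan = ssp["system-security-plan"]
    declared = {c["uuid"] for c in plan["system-implementation"]["components"]}
    defined = {c["uuid"] for c in compdef["component-definition"]["components"]}
    errors = []
    for req in plan["control-implementation"]["implemented-requirements"]:
        cid = req["control-id"]
        if cid not in profile_ids:  # a typo such as "ac-02" passes the schema
            errors.append(f"{cid}: control-id not selected by {PROFILE_HREF}")
        for bc in req.get("by-components", []):
            cu = bc["component-uuid"]
            if cu not in declared:
                errors.append(f"{cid}: component-uuid {cu} not in system-implementation")
            elif cu not in defined:
                errors.append(f"{cid}: component-uuid {cu} has no component-definition")
    return errors


def to_json(doc):
    """Deterministic serialisation so version-control diffs show real changes."""
    return json.dumps(doc, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    cd = build_component_definition()
    auth = cd["component-definition"]["components"][0]["uuid"]
    ssp = build_ssp(cd, [("ia-2", auth, "MFA enforced by auth-service.")])
    print(check_references(ssp, cd) or "references OK")
    print(to_json(ssp)[:200])
```

Run check_references in CI after the official schema validation, and feed it the control IDs of the resolved profile rather than a hand-kept set; the constant here only stands in for that resolution step.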