Implementing FedRAMP SSP workflow

The FedRAMP SSP Automation Robot helps streamline the generation of the System Security Plan (SSP) by extracting structured data from a Diligent One project and exporting it into the official FedRAMP SSP Word template.

Learn about the FedRAMP SSP workflow in this section.

What is SSP?

The System Security Plan (SSP) is the compliance document that cloud service providers (CSPs) must prepare and maintain for FedRAMP authorization. It describes the provider's security program, authorization status, authorization boundary, and the detailed controls required to meet federal standards, along with system ownership, responsibilities, network architecture, separation of duties, and leveraged systems. The main sections present organizational and system details in standardized tables, and Appendix A documents hundreds of security controls with their implementation details, responsible roles, and implementation status. The SSP is required for initial authorization, annual reviews, and significant system changes, so CSPs must keep it current and resubmit it, giving assessors auditable evidence that security safeguards are in place and effective.

The CSP creates and submits SSP documentation during the initial authorization approval process and annual review cycle.

Roles and prerequisites for SSP

  • System Admins are responsible for installing the toolkit, configuring robot tasks, and managing permissions.

  • Project owners and security professionals populate project fields, update control evidence, and manage attachments.

  • Subscription to the IT Compliance – Federal Contracting Compliance Toolkit bundle.

  • Access to Diligent One Projects, Results, and Robots apps.

  • Availability of FedRAMP Rev. 5 controls and compatible templates.

Where do I implement SSP?

You can implement the SSP workflow using Robots, Projects, Results, and Reports apps in Diligent One.

  • Robots automate the extraction of data from Projects and populate the required SSP templates in human-readable (Word) and machine-readable (OSCAL) formats.

  • Projects serve as a centralized hub for collecting, organizing, and storing all SSP-related data, including system details and control implementation.

  • Results provide a structured inventory of vulnerabilities. You can link these to controls and associate them with ongoing compliance evidence, especially when integrating POA&M and SSP reports.

  • Reports use standardized templates to generate SSP. You can also attach supporting evidence as needed.

Steps

Create FedRAMP project

The FedRAMP Reporting Project Type in Diligent One is preconfigured to meet FedRAMP requirements and is compatible with automation robots. This project type includes prebuilt attributes and sections tailored for FedRAMP. It includes:

  • System-level SSP data (sections 1 through 12)

  • Control-level implementation data (Appendix A)

Set up System Security Plan tab

In a newly created FedRAMP project, the System Security Plan tab (also referred to as the System Security Plan Information tab) provides structured fields for the data required by each SSP section. Sample tables are added to each section to support consistent formatting, so the data you capture maps directly to sections 1 through 12 of the FedRAMP SSP template.

These tables help ensure that automation robots can accurately import and map project data into the SSP template. Required fields and tables include the following:

Field                                            Details
Prepared By                                      Preparer and organization information
System Information                               Basic system details
System Owner                                     Contact details
ISSO Point of Contact                            Information security contact
Leveraged FedRAMP Systems and External Systems   Systems inside and outside the authorization boundary
Services, Ports, and Protocols                   Technical details
Separation of Duties                             Role-based access and responsibilities
SSP Attachments                                  Appendix documents (for example, architecture diagrams)

SSP Attachment tab

FedRAMP mandates cloud service providers (CSPs) to submit several appendices and supplemental documents along with the main SSP. These supporting materials typically include:

  • Architecture diagrams

  • Network boundary illustrations

  • Policy documents

  • System component inventories

  • Other technical or procedural artifacts

The SSP Attachments tab provides a structured way to:

  • Upload these documents directly into the project.

  • Reference them in the SSP export.

  • Indicate whether each attachment is included in the current version of the SSP.

Each entry in the tab includes the following fields:

  • Name/title of the attachment

  • System Security Plan ID

  • Include attachments in the current version of SSP

  • Attachment Type

  • Attachment #1 URL

  • Attachment #2 URL

After you enter the required details, upload the attachment file itself (for example, a PDF, Word document, or image). Keeping attachments in the project provides centralized access and version control.

Import controls

The FedRAMP Reporting Project workflow in Diligent One ensures that the correct FedRAMP Rev. 5 security controls are included and properly referenced for automation. These controls must already exist within the organization’s Compliance Map or Framework before project setup. In a FedRAMP Reporting Project, the controls can be imported or defined, with accurate mapping and formatting required to meet FedRAMP specifications and support automation.

The baseline used in the FedRAMP Reporting Project is selected based on system categorization, with details sourced from the FedRAMP Rev. 5 Security Controls Toolkit. After the appropriate baseline, such as Moderate or High, is identified, the relevant control families are added to the project to support accurate mapping and automation.

Add control details

Control parameters and implementation steps are required for each control to enable FedRAMP reporting robots to generate a complete SSP report. Preparing the project to produce a human-readable and OSCAL-format SSP involves ensuring that these fields are correctly entered and structured according to FedRAMP expectations:

  • Control parameters: On the Control tab, add the preformatted parameter tables, using the exact parameter names defined for that control.

  • Control implementation (Walkthrough) table: On the Walkthrough tab, add an implementation steps table that states what the solution is and how it is implemented. The number and names of steps differ from control to control.

    Note

    Some controls include only one implementation step, and others have no parameters at all. For a control without parameters, the corresponding parameter entry is not applicable and can be omitted without affecting report generation.

  • Additional control attributes: Each control includes:

    • Control ID

    • Responsible Role

    • Control Parameters

    • Implementation Steps

    • Implementation Status

    • Control Origination and inherited details

    • Remarks

    Note

    Do not edit parameter or step names; standardized names are required for successful export. Errors or mismatches will be flagged in robot logs.

Upload FedRAMP SSP templates to robot

To generate the FedRAMP System Security Plan with the Diligent One Reporting Automation Toolkit, you must first upload the following templates to the Working data tab of the System Security Plan Automation Robot in the Diligent One platform:

  • FedRAMP SSP template that covers sections 1 through 12

  • Appendix A template that covers all security controls

Note

Both templates must be in .docx format, and the file names entered in the parameters section of the SSP Automation robot must exactly match the uploaded file names; the robot locates the templates by those names. The field names inside the templates must likewise match the names used in the project. This is especially critical in Appendix A, where each control may have multiple parameters and implementation steps.

The robot parses the template to find specific fields and matches them to the corresponding entries in the project. If the names do not match (for example, Parameter A in the template versus Param A in the project), the robot cannot make the connection, which results in:

  • Missing data in the output.

  • Error messages in the generated document.

  • Trace log entries indicating unmatched fields.
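Because a single mismatched name only surfaces after a full robot run, it is worth reconciling the template against the project before uploading. The following is an added example, not Diligent One code, of such a pre-flight check: it reads the text of a .docx template from word/document.xml, joins the text runs of each paragraph (Word often splits one placeholder across several runs), collects placeholder names, and compares them with the names a project would provide. The placeholder syntax ({{AC-2 Parameter A}}), the project data shape, and the naming scheme "<control ID> <parameter or step name>" are assumptions for the demo, not the robot's documented conventions; the template and project below are constructed.

```python
"""Pre-flight check for an SSP / Appendix A template: does every placeholder
in the .docx have a matching parameter or step name in the project?

Added example, not Diligent One code. Assumptions (not from the page):
  * placeholders are written as {{AC-2 Parameter A}} (double braces);
  * the project export is a dict {control_id: {"parameters": [...], "steps": [...]}}
    and the robot looks for "<control id> <parameter or step name>".
"""
import html
import io
import re
import zipfile
from typing import Dict, List, Set

PLACEHOLDER = re.compile(r"\{\{\s*(.+?)\s*\}\}")  # assumed placeholder syntax
RUN_OR_PARA_END = re.compile(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>|(</w:p>)")

Project = Dict[str, Dict[str, List[str]]]


def docx_text(data: bytes) -> str:
    """Return the text of word/document.xml, one line per paragraph.

    Word frequently splits a single placeholder across several <w:t> runs,
    so the runs of a paragraph are joined before any placeholder search.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    pieces = RUN_OR_PARA_END.findall(xml)
    return html.unescape("".join("\n" if para_end else run for run, para_end in pieces))


def template_fields(data: bytes) -> List[str]:
    """Placeholder names in document order."""
    return PLACEHOLDER.findall(docx_text(data))


def project_fields(project: Project) -> Set[str]:
    """Flatten the project into the names the robot would try to match."""
    names: Set[str] = set()
    for control_id, control in project.items():
        for name in control.get("parameters", []) + control.get("steps", []):
            names.add(f"{control_id} {name}")
    return names


def reconcile(template: bytes, project: Project) -> Dict[str, List[str]]:
    """Placeholders with no project entry would export as missing data; project
    entries with no placeholder would silently never reach the document."""
    wanted = template_fields(template)
    have = project_fields(project)
    return {
        "unmatched_template_fields": sorted(set(wanted) - have),
        "unused_project_fields": sorted(have - set(wanted)),
    }


# --- constructed demo input -------------------------------------------------

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)


def make_docx(paragraphs: List[List[str]]) -> bytes:
    """Build a minimal .docx in memory (enough for the parser, not a full Word
    package). Each paragraph is a list of runs so the demo can split a
    placeholder across runs the way Word does."""
    body = "".join(
        "<w:p>" + "".join(f'<w:r><w:t xml:space="preserve">{html.escape(r)}</w:t></w:r>' for r in runs) + "</w:p>"
        for runs in paragraphs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{body}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


DEMO_PROJECT: Project = {
    "AC-2": {"parameters": ["Parameter A", "Parameter B"], "steps": ["Step 1", "Step 2"]},
    "AC-3": {"parameters": ["Param A"], "steps": ["Step 1"]},  # "Param A" vs template "Parameter A"
}

DEMO_TEMPLATE = make_docx([
    ["AC-2 parameters: {{AC-2 Parameter A}}"],
    ["{{AC-2 Param", "eter B}}"],                # one placeholder split over two runs
    ["{{AC-2 Step 1}}", " ", "{{AC-2 Step 2}}"],
    ["{{AC-3 Parameter A}}"],                    # no such name in the project
    ["{{AC-3 Step 1}}"],
])

if __name__ == "__main__":
    for kind, names in reconcile(DEMO_TEMPLATE, DEMO_PROJECT).items():
        print(f"{kind}: {names or 'none'}")
```

Run against the real template and a project export, the two lists are the checklist: every entry under unmatched_template_fields will appear as missing data or an error in the generated document, and entries under unused_project_fields are data the robot has no place to put. Both should be empty before the robot is run.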

Set up and run SSP robot

In the robot’s Tasks > SSP Automation section, the parameters include:

  • The project ID from which the data is pulled.

  • The filenames of the uploaded SSP and Appendix A templates.

  • API token used to authenticate the robot against the Diligent One API. Treat it as a credential: it carries the API access of the account that generated it, so store it as a secret rather than in shared documentation.

After configuration, the robot imports project data and populates the selected template, generating two output files that are ready for submission. You can download these output files from Task run details of the SSP Automation robot.

If required data is missing, error messages appear in the output document and trace logs, helping identify incomplete or incorrectly formatted sections. This feedback supports a checklist-style approach to completing all necessary fields for successful report generation.

Set up and run OSCAL robot

The OSCAL Robot, part of the FedRAMP Reporting Toolkit, exports SSP data into machine-readable Open Security Controls Assessment Language (OSCAL) format, following standards defined by NIST and FedRAMP.

To begin, open the Robots app, select the SSP OSCAL Export Robot, and upload the SSP templates to its Working data tab. On the robot's parameters screen, enter the following details:

  • Project ID: The identifier of your completed FedRAMP project.

  • Diligent One API token: The HCL token used for authentication.

After you complete the configuration, the OSCAL Robot aggregates all relevant project data and attachments to generate the machine-readable OSCAL SSP file.
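The generated OSCAL file is what an assessor's tooling will parse, so it pays to check it against the controls the project was meant to cover before submission. The following is an added example, not the OSCAL robot's code. It relies on the OSCAL SSP JSON layout (a top-level system-security-plan object whose control-implementation holds implemented-requirements, each with a control-id and usually statements) and flags controls that were exported but are not in the expected baseline, baseline controls that were not exported, requirements with nothing narrated, duplicate IDs, and missing metadata or import-profile. The sample document and the three-control "baseline" are constructed for the demo and are not a real FedRAMP baseline.

```python
"""Sanity check on an OSCAL SSP JSON file before it is submitted.

Added example, not the OSCAL robot's code. It relies on the OSCAL SSP JSON
layout (system-security-plan -> control-implementation -> implemented-requirements,
each carrying a control-id and, usually, statements). The sample document and the
three-control "baseline" below are constructed for the demo and are not a
FedRAMP baseline.
"""
import json
from typing import Dict, List

REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")


def load_ssp(text: str) -> dict:
    """Parse the file and return the system-security-plan object."""
    doc = json.loads(text)
    if "system-security-plan" not in doc:
        raise ValueError("not an OSCAL SSP: missing top-level 'system-security-plan'")
    return doc["system-security-plan"]


def check_ssp(ssp: dict, baseline: List[str]) -> Dict[str, object]:
    """Compare the exported implemented-requirements with the controls the
    project was supposed to cover, and flag structural gaps."""
    metadata = ssp.get("metadata", {})
    requirements = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    seen: Dict[str, int] = {}
    no_statements: List[str] = []
    for req in requirements:
        # OSCAL control ids are lowercase ("ac-2"); project IDs are often "AC-2".
        control_id = req.get("control-id", "").lower()
        seen[control_id] = seen.get(control_id, 0) + 1
        # An implemented-requirement narrates the control through statements
        # or by-components; one with neither exports as an empty control.
        if not req.get("statements") and not req.get("by-components"):
            no_statements.append(control_id)
    expected = {c.lower() for c in baseline}
    return {
        "missing_metadata": [k for k in REQUIRED_METADATA if k not in metadata],
        "missing_import_profile": "href" not in ssp.get("import-profile", {}),
        "not_in_baseline": sorted(set(seen) - expected),
        "not_implemented": sorted(expected - set(seen)),
        "no_statements": sorted(no_statements),
        "duplicate_ids": sorted(c for c, n in seen.items() if n > 1),
    }


def is_clean(findings: Dict[str, object]) -> bool:
    """True when every finding list is empty and every flag is False."""
    return not any(findings.values())


# --- constructed demo input -------------------------------------------------

DEMO_BASELINE = ["AC-1", "AC-2", "AC-3"]  # constructed subset, not a real baseline

SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "3f1d2c5e-0000-4000-8000-000000000001",
        "metadata": {"title": "Example System SSP", "last-modified": "2024-01-01T00:00:00Z",
                     "version": "1.0", "oscal-version": "1.1.2"},
        "import-profile": {"href": "fedramp-moderate-profile.json"},  # constructed href
        "system-characteristics": {"system-name": "Example System"},
        "system-implementation": {"users": [], "components": []},
        "control-implementation": {
            "description": "Controls implemented by the example system.",
            "implemented-requirements": [
                {"uuid": "3f1d2c5e-0000-4000-8000-000000000002", "control-id": "ac-1",
                 "statements": [{"statement-id": "ac-1_smt.a",
                                 "uuid": "3f1d2c5e-0000-4000-8000-000000000003"}]},
                {"uuid": "3f1d2c5e-0000-4000-8000-000000000004", "control-id": "AC-2"},  # nothing narrated
                {"uuid": "3f1d2c5e-0000-4000-8000-000000000005", "control-id": "xx-9",
                 "statements": [{"statement-id": "xx-9_smt",
                                 "uuid": "3f1d2c5e-0000-4000-8000-000000000006"}]},
            ],
        },
    }
})

if __name__ == "__main__":
    findings = check_ssp(load_ssp(SAMPLE_SSP), DEMO_BASELINE)
    for name, value in findings.items():
        print(f"{name}: {value}")
    print("clean" if is_clean(findings) else "fix before submission")
```

On the constructed sample the check reports xx-9 as not in the baseline, ac-3 as not implemented, and ac-2 as having no statements; each of those points back to a project control whose Appendix A data needs attention before the export is rerun.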