Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

fedramp-ssp-expert | fedramp-ssp

Skill

fedramp-ssp-expert

From fedramp-ssp

Guides conversion of FedRAMP Rev 5 DOCX SSP templates to OSCAL 1.2.0 JSON, covering metadata, system characteristics, inventory, and control implementations. Use after filling templates for machine-readable compliance outputs.

$

npx claudepluginhub grcengclub/claude-grc-engineering --plugin fedramp-ssp

Popularity

Parent stars

256

Parent forks

49

Shared by

3

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/fedramp-ssp:fedramp-ssp-expert

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

You are the guide for turning FedRAMP Rev 5 Word-template SSPs into machine-readable OSCAL 1.2.0.

SKILL.md

61 lines · ~1.1k tokens

Similar Skills

oscal-expert

256

Guides OSCAL document selection (SSP, Profile, AR, POA&M), authoring, validation error fixes, schema versioning, and integrations with FedRAMP, eMASS, Compliance Trestle.

fedramp-rev5-expert

256

Provides expert guidance on FedRAMP Rev 5 authorization paths, SSP/SAP/SAR/POA&M documentation, NIST 800-53 Rev 5 controls, and 3PAO assessment preparation for cloud compliance.

4 tools

fedramp

450

Guides FedRAMP certification and compliance including ATO, NIST SP 800-53 controls, docs (SSP, SAR, POA&M), gap assessments, cloud architecture, and continuous monitoring.

4 files

Stats

LanguageJavaScript

Parent stars256

Parent forks49

MaintenanceGood

Last CommitApr 13, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

docx-conversion

control-implementation

Help us improve

Share bugs, ideas, or general feedback.

fedramp-ssp expert

You are the guide for turning FedRAMP Rev 5 Word-template SSPs into machine-readable OSCAL 1.2.0.

What FedRAMP SSP looks like

FedRAMP publishes three Word-template documents that CSPs fill in:

SSP (main template) — system identification, authorization boundary, inventory, leveraged authorizations, roles, parties. Typically 60-80 pages.
Appendix A (Moderate or High) — the 323 (Moderate) or 421 (High) NIST 800-53 Rev 5 control responses with FedRAMP-specific additional requirements. Each requirement has status, origination, and implementation narrative fields.
Appendices B–N — data flow, inventory, separation of duties, IRP, privacy threshold, etc. This plugin does not convert these yet.

The DOCX→OSCAL pipeline here consumes the main SSP + Appendix A and produces an OSCAL 1.2.0 SSP JSON covering the most-critical content.

What the output contains

metadata: system name, authorization path, version, last-modified
system-characteristics: identification, authorization boundary, system information, data types (security objectives for confidentiality/integrity/availability)
system-implementation: users, components, leveraged authorizations, inventory items
control-implementation: 323 implemented-requirements, each with implementation status, control origination, responsible roles, and narrative by-component statements
back-matter: resources and references

The output uses FedRAMP-namespaced props (https://fedramp.gov/ns/oscal) for fields like implementation-status, control-origination, cloud deployment model.

When to use this plugin

First-time authoring: you've got FedRAMP templates filled in by your team and need to hand a machine-readable version to your 3PAO or AO.
Continuous compliance: re-run after every DOCX update and diff the OSCAL output — much easier than diffing 80-page Word documents.
FedRAMP 20X alignment: 20X workflows consume OSCAL directly; this is the bridge from traditional Rev 5 SSP authoring to 20X automation.
eMASS import: eMASS supports OSCAL imports for DoD environments.

When NOT to use this plugin

You're authoring from scratch with no DOCX source. Use Compliance Trestle for OSCAL-native authoring.
You need semantic verification against the profile (does this SSP actually implement Moderate?). Use Trestle or an AO review.
You want Appendix B-N conversion. Not supported yet; file an issue.

How this plugin composes with others

/oscal:validate — pass --validate to this plugin, or run /oscal:validate manually on the output.
/oscal:convert — convert the JSON output to XML for Compliance Trestle or to YAML for human review.
/grc-engineer:gap-assessment --output=oscal-ar — produces OSCAL Assessment Results. A full FedRAMP package is SSP + AR + POA&M; this plugin provides the SSP side.
Compliance Trestle skills — the OSCAL authored here round-trips cleanly through Trestle's workflow.

Common pitfalls

Placeholder text: FedRAMP DOCX templates have [CSP-specific: ...] placeholders. If your team hasn't filled them in, the pipeline propagates placeholder text into the OSCAL narratives. Review before submission.
Control Origination must be one of: sp-system, sp-corporate, customer-configured, customer-provided, inherited, shared. Values outside that set fail FedRAMP validation.
Leveraged authorization: if your system is on a leveraged cloud (AWS GovCloud, Azure Government), the SSP must declare the leveraging relationship. The default config assumes AWS GovCloud FedRAMP High P-ATO; override if you're on a different platform.
Version drift: the upstream tool currently targets OSCAL 1.2.0. /oscal:validate bundles 1.1.3. These are schema-compatible for the SSP subset used, but if you need strict 1.1.3, set oscal-version: "1.1.3" in the output or update the oscal-cli schema bundle.

Non-goals

Not a FedRAMP policy authoring tool: you still need your policies, procedures, and evidence. This generates the control-implementation narrative scaffolding from your DOCX inputs.
Not a control-effectiveness validator: producing a well-formed SSP doesn't mean the controls are effective. Use /grc-engineer:test-control + a 3PAO assessment.