Export OSCAL SSP

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • From the Authorization package overview record page, generate zip files and export the record's mapped content details in OSCAL format. To generate OSCAL SSP, the selected Authorization package must be in implemented state or after that. This action enables you to export your authorization package from CAM.

    Before you begin

    Role required:
    • sn_irm_cont_auth.admin
    • sn_irm_cont_auth.system_owner
    • sn_irm_cont_auth.authorization_official
    • sn_irm_cont_auth.info_system_sec_manager
    • sn_irm_cont_auth.info_system_sec_officer

    Procedure

    1. Navigate to Workspaces > CAM Workspace.
    2. In the CAM Workspace, select the List icon (List).
    3. Select Authorization packages from the RMF list.
    4. From the list view, select the authorization package record for which to generate SSP files.
      Note:
      The authorization package must be in the Implement, Assess, Authorize, or Monitor state to generate OSCAL SSP.
    5. Select Generate OSCAL.

      A banner appears with the message: "The files are being generated. Please refresh the page after some time, then click 'Download OSCAL Files' to download the OSCAL files."

      The system starts generating OSCAL files asynchronously. This process takes a few minutes depending on package complexity. The Download OSCAL Files button appears when the process is complete.

    6. After the process is complete, select Download OSCAL Files.
      Note:
      Verify that the pop-up blocker is turned off for the URL so that the ZIP file is automatically downloaded to your local machine.

      A ZIP file is downloaded containing the following OSCAL files:

      • Catalog JSON file
      • Profile JSON file
      • SSP JSON file
      • Assessment Plan (AP) JSON file (one per engagement)
      • Assessment Results (AR) JSON file (one per engagement)
      • Overlay Catalog JSON file (if overlays are configured. Also includes overlays from associated control tailoring requests)
      • POA&M JSON file (included if POA&M items exist)

      Additionally, if any diagrams attached to the respective fields and boundary for the package are linked to it, then they’re also available in the contents of the zip. The diagrams can be a catalog dataflow diagram, network architecture diagram, or an authorization boundary diagram, available as png files in the zip.

      You can validate these files using the OSCAL CLI validator and import them into other systems or share them with external auditors for assessment planning.

      To customize the OSCAL behavior for export, see the OSCAL Model customization support [KB1650397] article in the Now Support Knowledge Base.

      For more information on OSCAL import error, see the OSCAL Import [KB1794095] article in the Now Support Knowledge Base.