Overview
You can now use the Paramify MCP to import a System Security Plan (SSP) directly into Paramify. An AI Agent can create programs, build out your element inventory, fill in control implementation narratives, and set control parameters — all by reading your SSP and writing that content into Paramify on your behalf. This dramatically reduces the manual work of creating a new program from an existing SSP.
Who can use this
Users with an LLM (such as Claude or ChatGPT) connected to the Paramify MCP server can take advantage of these capabilities. Ensure the Paramify API key you create has write permissions enabled for the resources you want the AI Agent to create or update.
What you can do
Set up a new program
You can ask the Agent to create a new program in your workspace. Once created, the AI Agent can look up which controls are available in your compliance profile and select the ones required by your SSP — so you start with the right control baseline already in place.
Build your element inventory
The MCP tools can check what elements (components, parties, roles, locations) already exist in your workspace, and create any that are missing. This means your element inventory can be populated from the SSP before any control implementations are written, so references are accurate from the start.
Fill in control implementation narratives
For each control in your SSP, the MCP tools can write the implementation narrative directly into Paramify. They support the full multi-layer structure used in FedRAMP SSPs — provider, integrator, and end user layers — with originations and responsible roles set per layer. The MCP tools can also update responses they have already written if you need to revise them.
Set control parameters
Many controls include fill-in, single-select, or multi-select parameters (such as review frequencies or system categories). The AI Agent tools can read the available options for each parameter and fill them in based on your SSP, so your program reflects your actual system configuration rather than leaving parameters blank.
Getting started
1. Generate an API key with write access
In your workspace settings, create a Paramify API key and enable write permissions for Programs, Elements, and Control Implementations. Read permissions are included automatically.
2. Connect your LLM to the Paramify MCP server
Configure your LLM client (e.g. Claude) to use the Paramify MCP server with your API key. Your AI Agent will then have access to all the tools needed to read from and write to your workspace.
3. Provide your SSP and let the AI Agent work
Give the AI Agent your SSP document and describe what you want to import. A typical run will have the MCP tool create the program, select controls, populate elements, write control narratives, and fill in parameters — checking in with you at key decision points along the way.
What to expect
The AI Agent works through the SSP section by section. For large compliance profiles, it processes controls in batches to stay within context limits — you may see it loop through controls in groups (e.g. AC controls, then IA controls) rather than all at once. Everything the MCP tool writes is immediately visible in Paramify, so you can review and adjust as it goes.
Custom Responses vs. Solution Capabilities
After your SSP is imported, your control implementation statements will be stored as Custom Responses. You can continue using Custom Responses or convert them to Solution Capabilities.
Three ways to respond to control requirements:
| Approach | 1) Paramify Intake Only | 2) Leveraging Existing SSP | 3) Intake + Existing SSP |
|---|---|---|---|
| Adopting Solution Capabilities | After you complete the intake process, review your Solution Capabilities with existing SSP in hand to add or modify context to those Risk Solutions that are specific to your environment | Populate Solution Capabilities via intake and custom responses via ingestion or copy/paste then review in Paramify to evaluate best use of content as Custom Responses (project specific) or Solution Capabilities (global). | |
| Using Just Custom Responses | Upload your existing SSP and allow the AI agent to work, or copy and paste your own control implementation statements into Custom Responses for each control requirement | | |
Solution Capability Guiding Principles
What is a Solution Capability:
- Describes a security capability that addresses the who, what, how, and when
- Standardized language that is catalog-agnostic to fulfill multi-catalog set of requirements
- Flexible and agile to lift and replace the who, what, and when elements as the business evolves
- Defines shared risk ownership across the organization and leveraged third party providers
For more information about Risk Solutions and Solution Capabilities, see Risk Solutions Explained.
Why Adopt Solution Capabilities:
- Accuracy: Manually written SSPs are riddled with errors that slow down audits and authorizations. Our OSCAL-based Risk Solutions platform automatically maintains and updates the machine-readable OSCAL format to prevent human error.
- Efficiency: Your security requirements grow with your organization. Responding one by one to individual requirements is tedious and inefficient. A Solution Capability can map to multiple controls across any security catalog – allowing you to be flexible and agile as your security objectives increase.
- Collaboration: Solution Capabilities provide a platform to drive shared risk adoption across the organization. Security becomes a collective organizational effort that’s not owned only by the GRC team.
Paramify's Recommendation
Your organization likely spent a boatload of money already creating an SSP. This is why some Paramify users who already have ATO packages hesitate to adopt our Solution Capability platform.
And yes, Paramify will still improve and simplify your organization’s SSP creation and management processes without Solution Capabilities. But, you’ll get the most accurate OSCAL SSPs and reduce your daily headache significantly when you adopt Solution Capabilities.
Your previous efforts are not a sunk cost when you adopt Solution Capabilities. We can use your existing SSP to create custom Solution Capabilities to meet your specific control requirements. With Solution Capabilities, your SSP becomes more accurate, your GRC org can work more efficiently, and your teams can collaborate better.
Below are key considerations from a Paramify feature perspective to keep in mind as you decide.
| Paramify Feature | Solution Capability | Custom Response | Comments |
|---|---|---|---|
| Response Mapping to Control Requirement | Global capabilities that can be mapped to multiple projects and multiple control requirements to minimize input and maximize deliverable outputs | Project and control requirement specific mapping | |
| Collaborator functionality (Solution Owners) | Capability or solution owner is given restricted access to view and/or edit their Solution Capabilities as the approach or the people, places, and things change. The Review status is automatically updated to "Not reviewed" so the GRC Admin or ISSO can review the changes, make updates as needed, and mark the latest version of the Solution Capability as "Reviewed". | N/A | |
| Appendix A Generation | Each capability will have a distinct origination and implementation status. The overall control implementation status will be the least of all applicable Solutions. | Each custom response will have a distinct implementation status but can have multiple originations. The custom response should include all applicable originations or be comprehensive across custom responses. The overall control implementation status will be the least of all applicable custom responses. | Appendix A SSPs can be imported into Paramify in .docx (Word) or OSCAL format. |
| Policies | N/A | N/A | Control Parameters are the only input — all other details are hardcoded. |
| Procedures | Capability describes how things are done so it can be leveraged to produce the procedure document. | Reads as a control response rather than how the capability is performed. | |
| CIS | Each capability will have a distinct origination and implementation status. The overall control implementation status will be the least of all applicable Solution Capabilities. | Each custom response will have a distinct implementation status but can have multiple originations. The custom response should include all applicable originations or be comprehensive across custom responses. The overall control implementation status will be the least of all applicable custom responses. | |
| CRM | Not Specific | Not Specific | A single Solution Capability or custom response can be used but there must be two narratives: 1) Internal role responsibility and 2) Customer Managed role responsibility. Origination for the relevant custom response or Solution Capability should be Configured by Customer or Provided by Customer. |
| Automatic Mode (Project Overview: User Summary Table, Interconnections, System Ports, Protocols, & Services, and Leveraged Authorizations) | Not Specific | Not Specific | When an element is mentioned in the Solution Capability or custom response and automatic mode is enabled, the Project Overview section will limit the elements documented in the SSP to those mentioned components. |
| Review | Reviewed in the Solution Capability view. Overall Review progress for Risk Solutions is available in the Implementation Dashboard. | Reviewed in the control implementation view. Review status is only available control by control — there is no overall review status dashboard. | |
| Organization by Family & Subfamily | Solution Capabilities can be organized by family and subfamily. The Solution Capability may be mapped to multiple control families. | Custom responses are control requirement specific, so they would only be assigned a family and subfamily upon conversion to a Solution Capability. The custom response will be specific to the control family for which the control requirement is relevant. | |
| FedRAMP Rev 4 to Rev 5 Automated Transition | Paramify's Solution Capabilities cover both Rev 4 and Rev 5 control requirements, enabling a Rev 4 project to be converted to a Rev 5 project with the click of a button. | Custom responses are specific to the control requirement. Paramify has automated the Rev 4 to Rev 5 mapping, but new control requirements for Rev 5 will need to be addressed via Solution Capabilities or new custom responses. | |
| Crosswalk | Crosswalk is mapped by Solution Capabilities. | Custom responses by design are specific to a control requirement within a framework. | |
| Mentions | Not Specific | Not Specific | Links custom responses and Solution Capabilities to elements; enables Automatic Mode deliverables. |