• Problem Statement: In the SSP/Statements/By Component structure, there are some inconsistencies across docs. If one looks at the schema page, https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/json-reference/#/system-security-plan/control-implementation/implemented-requirements/statements/by-components, it states that here you "Define how the referenced component implements a set of controls." If the system has a Firewall Appliance component, then the SSP/Statements/By Component -> "this system" will have SC-7 implemented by the respective Firewall component and can document so, and then the SSP/Statements/By Component -> "firewall appliance" component of the same SSP will describe the controls the appliance implements, like AC-3, needed to secure the appliance.
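To make the two readings of by-components concrete, here is an added example (not part of the original post or of the OSCAL project) that walks an SSP and lists which statements each component is recorded against. The SSP fragment is constructed and trimmed to the fields discussed; the UUIDs, titles, descriptions and the function name `controls_by_component` are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed SSP fragment, trimmed to the fields discussed above; UUIDs,
# titles and descriptions are made up, and a real SSP needs more fields.
SSP = json.loads("""
{"system-security-plan": {
  "system-implementation": {"components": [
    {"uuid": "11111111-1111-4111-8111-111111111111", "type": "this-system", "title": "This System"},
    {"uuid": "22222222-2222-4222-8222-222222222222", "type": "hardware", "title": "Firewall Appliance"}]},
  "control-implementation": {"implemented-requirements": [
    {"control-id": "sc-7", "statements": [{"statement-id": "sc-7_smt.a", "by-components": [
      {"component-uuid": "11111111-1111-4111-8111-111111111111",
       "description": "Boundary protection is provided by the Firewall Appliance."}]}]},
    {"control-id": "ac-3", "statements": [{"statement-id": "ac-3_smt", "by-components": [
      {"component-uuid": "22222222-2222-4222-8222-222222222222",
       "description": "Access to the appliance's management interface is enforced."},
      {"component-uuid": "99999999-9999-4999-8999-999999999999",
       "description": "Dangling reference kept to show the check."}]}]}]}}}
""")

def controls_by_component(ssp):
    """Return {component title: [statement-id, ...]} from statements/by-components."""
    plan = ssp["system-security-plan"]
    titles = {c["uuid"]: c["title"] for c in plan["system-implementation"]["components"]}
    found = defaultdict(list)
    for req in plan["control-implementation"]["implemented-requirements"]:
        for stmt in req.get("statements", []):
            for bc in stmt.get("by-components", []):
                # A component-uuid with no matching component is flagged, not dropped.
                title = titles.get(bc["component-uuid"], "UNRESOLVED " + bc["component-uuid"])
                found[title].append(stmt["statement-id"])
    return dict(found)

if __name__ == "__main__":
    for title, statements in controls_by_component(SSP).items():
        print(title, "->", ", ".join(statements))
```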