Attachments

All OSCAL models handle attachments the same way. The following is used to attach files to OSCAL-based FedRAMP artifacts, such as when attaching policies and plans to a System Security Plan (SSP) or evidence to a Security Assessment Report (SAR).

Identifying attachments in an OSCAL FedRAMP SSP, POA&M, SAP or SAR requires:

a back-matter object as a child to the root element
- a resources array, each resources entry includes:
  - a uuid (required)
  - a title (best practice)
  - a description (encouraged)
  - a props array with entries that can include:
    - name=type with a token value (best practice): Identifies the attachment type. See below.
    - name=version with a string value (best practice if applicable): Identifies the attachment's publushed version number
    - name=published with an OSCAL date-time-with-timezone value (best practice if applicable): Identifies the attachment's publication date
  - either an rlinks array (strongly preferred) or base64 object
    - an rlinks array entry includes:
      - a href with a relative or absolute URI (required)
      - a media-type (best practice)
      - consider ignoring hashes at this time
    - a base64 object:
      - a filename field (encouraged)
      - a media-type field (best practice)
      - a value: Contains the Base 64 value of the attachemnt. While OSCAL does not require this field, a base64 object has no significance without it.

Attachment Representation

system-security-plan
  back-matter:
    resources:

    - uuid: 11111111-2222-4000-8000-001000000001
      title: Attachment Title
      description: Linked attachment.
      props:
      - name: type
        value: policy
      rlinks:
      - href: ./attachments/policy.pdf
        media-type: application/pdf


    - uuid: 11111111-2222-4000-8000-001000000002
      title: Logo
      description: A Base 64 embeded logo.
      props:
      - name: type
        value: logo
      base64:
        filename: logo.png
        media-type: application/png
        value: '00000000'

Allowed Values

The type property value may only have one of the following allowed values: The value must be one of the following:

logo: Indicates the resource is an organization's logo.
image: Indicates the resource represents an image.
screen-shot: Indicates the resource represents an image of screen content.
law: Indicates the resource represents an applicable law.
regulation: Indicates the resource represents an applicable regulation.
standard: Indicates the resource represents an applicable standard.
external-guidance: Indicates the resource represents applicable guidance.
acronyms: Indicates the resource provides a list of relevant acronyms.
citation: Indicates the resource cites relevant information.
policy: Indicates the resource is a policy.
procedure: Indicates the resource is a procedure.
system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
administrators-guide: Indicates the resource is guidance document a administrator's guide.
rules-of-behavior: Indicates the resource represents rules of behavior content.
plan: Indicates the resource represents a plan.
artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
evidence: Indicates the resource represents evidence, such as to support an assessment finding.
tool-output: Indicates the resource represents output from a tool.
raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
questionnaire: Indicates the resource is a set of questions, possibly with responses.
report: Indicates the resource is a report.
agreement: Indicates the resource is a formal agreement between two or more parties.