# Attachments

All OSCAL models handle attachments the same way. The following is used to attach files to OSCAL-based FedRAMP artifacts, such as when attaching policies and plans to a System Security Plan (SSP) or evidence to a Security Assessment Report (SAR).

Identifying attachments in an OSCAL FedRAMP SSP, POA&M, SAP or SAR requires:
- a `back-matter` object as a child to the root element
  - a `resources` array; each `resources` entry includes:
     - a `uuid` (required)
     - a `title` (best practice)
     - a `description` (encouraged)
     - a `props` array with entries that can include:
       - `name`=`type` with a token `value` (best practice): Identifies the attachment type. See below.
       - `name`=`version` with a string `value` (best practice if applicable): Identifies the attachment's published version number
       - `name`=`published` with an OSCAL [date-time-with-timezone](https://pages.nist.gov/metaschema/specification/datatypes/#date-time-with-timezone) `value` (best practice if applicable): Identifies the attachment's publication date
     - either an `rlinks` array (strongly preferred) or a `base64` object
       - an `rlinks` array entry includes:
         - a `href` with a relative or absolute URI (required)
         - a `media-type` (best practice)
         - consider ignoring `hashes` at this time
       - a `base64` object:
         - a `filename` field (encouraged)
         - a `media-type` field (best practice)
         - a `value`: Contains the Base 64 value of the attachment. While OSCAL does not require this field, a `base64` object has no significance without it.

##### Attachment Representation
```yaml
system-security-plan:
  back-matter:
    resources:
    # Linked attachment: rlinks is the strongly preferred form
    - uuid: 11111111-2222-4000-8000-001000000001
      title: Attachment Title
      description: Linked attachment.
      props:
      - name: type
        value: policy
      rlinks:
      - href: ./attachments/policy.pdf
        media-type: application/pdf

    # Embedded attachment: base64 object carrying the file content
    - uuid: 11111111-2222-4000-8000-001000000002
      title: Logo
      description: A Base 64 embedded logo.
      props:
      - name: type
        value: logo
      base64:
        filename: logo.png
        media-type: image/png
        value: '00000000'
```
<div class="callout">

### Allowed Values
The `type` property `value` must be one of the following allowed values:

- `logo`: Indicates the resource is an organization's logo.
- `image`: Indicates the resource represents an image.
- `screen-shot`: Indicates the resource represents an image of screen content.
- `law`: Indicates the resource represents an applicable law.
- `regulation`: Indicates the resource represents an applicable regulation.
- `standard`: Indicates the resource represents an applicable standard.
- `external-guidance`: Indicates the resource represents applicable guidance.
- `acronyms`: Indicates the resource provides a list of relevant acronyms.
- `citation`: Indicates the resource cites relevant information.
- `policy`: Indicates the resource is a policy.
- `procedure`: Indicates the resource is a procedure.
- `system-guide`: Indicates the resource is a guidance document related to the subject system of an SSP.
- `users-guide`: Indicates the resource is a user's guide or administrator's guide.
- `administrators-guide`: Indicates the resource is an administrator's guide.
- `rules-of-behavior`: Indicates the resource represents rules of behavior content.
- `plan`: Indicates the resource represents a plan.
- `artifact`: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
- `evidence`: Indicates the resource represents evidence, such as to support an assessment finding.
- `tool-output`: Indicates the resource represents output from a tool.
- `raw-data`: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
- `interview-notes`: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
- `questionnaire`: Indicates the resource is a set of questions, possibly with responses.
- `report`: Indicates the resource is a report.
- `agreement`: Indicates the resource is a formal agreement between two or more parties.
  
</div>
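
The field requirements and allowed `type` values above can be checked mechanically before an artifact is submitted. The following Python is an added example, not FedRAMP or NIST code; `check_resource`, the split into errors (required items) and warnings (best-practice items), and the sample entries are assumptions made for illustration.

```python
import base64
import binascii
import uuid

# Allowed `type` values, copied from the list on this page.
ALLOWED_TYPES = frozenset("""logo image screen-shot law regulation standard
external-guidance acronyms citation policy procedure system-guide users-guide
administrators-guide rules-of-behavior plan artifact evidence tool-output
raw-data interview-notes questionnaire report agreement""".split())

def check_resource(res):
    """Return (errors, warnings) for one back-matter resource entry."""
    errors, warnings = [], []
    try:
        uuid.UUID(str(res.get("uuid")))
    except ValueError:
        errors.append("uuid missing or malformed (required)")
    if not res.get("title"):
        warnings.append("no title (best practice)")
    types = [p.get("value") for p in res.get("props", []) if p.get("name") == "type"]
    if not types:
        warnings.append("no type prop (best practice)")
    errors += [f"type '{t}' is not an allowed value" for t in types if t not in ALLOWED_TYPES]
    rlinks, b64 = res.get("rlinks") or [], res.get("base64")
    if not rlinks and b64 is None:
        errors.append("needs an rlinks array or a base64 object")
    errors += ["rlink without href (required)" for link in rlinks if not link.get("href")]
    for part in rlinks + ([b64] if b64 is not None else []):
        if not part.get("media-type"):
            warnings.append("rlink or base64 without media-type (best practice)")
    if b64 is not None:
        try:
            if not base64.b64decode(b64.get("value") or "", validate=True):
                errors.append("base64 object has no value")
        except binascii.Error:
            errors.append("base64 value does not decode")
    return errors, warnings

# Constructed sample resources; UUIDs and contents are placeholders.
SAMPLES = [
    {"uuid": "11111111-2222-4000-8000-001000000001", "title": "Policy",
     "props": [{"name": "type", "value": "policy"}],
     "rlinks": [{"href": "./attachments/policy.pdf", "media-type": "application/pdf"}]},
    {"uuid": "not-a-uuid", "props": [{"name": "type", "value": "diagram"}],
     "base64": {"filename": "logo.png", "value": "%%%"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["uuid"], *check_resource(sample))
```

The function takes one `resources` entry as a Python dict, so it can be run over each item of `back-matter.resources` after loading an OSCAL JSON or YAML file with the parser of your choice.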

---