Attachments

All OSCAL models handle attachments the same way. The following OSCAL representation is used to attach files to OSCAL-based FedRAMP artifacts, such as when attaching policies and plans to a System Security Plan (SSP) or evidence to a Security Assessment Report (SAR).

Identifying attachments in an OSCAL FedRAMP SSP, POA&M, SAP or SAR requires:

  • a back-matter object as a child of the root element
    • a resources array; each resources entry includes:
      • a uuid (required)
      • a title (best practice)
      • a description (encouraged)
      • a props array with entries that can include:
        • name=type with a token value (best practice): Identifies the attachment type. See below.
        • name=version with a string value (best practice if applicable): Identifies the attachment's published version number
        • name=published with an OSCAL date-time-with-timezone value (best practice if applicable): Identifies the attachment's publication date
      • either an rlinks array (strongly preferred) or a base64 object
        • an rlinks array entry includes:
          • an href with a relative or absolute URI (required)
          • a media-type (best practice)
          • consider ignoring hashes at this time
        • a base64 object:
          • a filename field (encouraged)
          • a media-type field (best practice)
          • a value: Contains the Base 64 value of the attachment. While OSCAL does not require this field, a base64 object has no significance without it.

These properties should be implemented for classic SSP attachments that are not machine-readable, such as policies, procedures, plans, guidance, and rules of behavior documents. For each attachment, an SSP should provide a publication date where possible. However, in some cases, a back matter attachment may not have a specific publication date. In that case, an SSP may define a last accessed property with a datetime value that represents when that resource was last viewed, conforming with RFC 3339's "full-date" format.
Attachment Representation

system-security-plan:
  back-matter:
    resources:
    # Linked attachment: the file is referenced by a relative URI
    - uuid: 11111111-2222-4000-8000-001000000001
      title: Attachment Title
      description: Linked attachment.
      props:
      - name: type
        value: policy
      rlinks:
      - href: ./attachments/policy.pdf
        media-type: application/pdf
    # Embedded attachment: the file content is carried inline as Base 64
    - uuid: 11111111-2222-4000-8000-001000000002
      title: Logo
      description: A Base 64 embedded logo.
      props:
      - name: type
        value: logo
      base64:
        filename: logo.png
        media-type: image/png
        value: '00000000'

Allowed Values

The type property value must be one of the following allowed values:

  • logo: Indicates the resource is an organization's logo.
  • image: Indicates the resource represents an image.
  • screen-shot: Indicates the resource represents an image of screen content.
  • law: Indicates the resource represents an applicable law.
  • regulation: Indicates the resource represents an applicable regulation.
  • standard: Indicates the resource represents an applicable standard.
  • external-guidance: Indicates the resource represents applicable guidance.
  • acronyms: Indicates the resource provides a list of relevant acronyms.
  • citation: Indicates the resource cites relevant information.
  • policy: Indicates the resource is a policy.
  • procedure: Indicates the resource is a procedure.
  • system-guide: Indicates the resource is a guidance document related to the subject system of an SSP.
  • users-guide: Indicates the resource is a guidance document, such as a user's guide or administrator's guide.
  • administrators-guide: Indicates the resource is a guidance document, specifically an administrator's guide.
  • rules-of-behavior: Indicates the resource represents rules of behavior content.
  • plan: Indicates the resource represents a plan.
  • artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
  • evidence: Indicates the resource represents evidence, such as to support an assessment finding.
  • tool-output: Indicates the resource represents output from a tool.
  • raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
  • interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
  • questionnaire: Indicates the resource is a set of questions, possibly with responses.
  • report: Indicates the resource is a report.
  • agreement: Indicates the resource is a formal agreement between two or more parties.
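As an added example (not code from the FedRAMP or OSCAL projects), the following Python checks each back-matter resources entry against the requirements listed above and the allowed type values: it requires a v4 uuid, flags a type outside the allowed set, verifies that published carries a timezone, and insists on either rlinks with an href or a base64 object whose value actually decodes. The names lint_resource, has_timezone and SAMPLE_RESOURCES are mine, and the two sample resources are constructed.

```python
import base64, re
from datetime import datetime

ALLOWED_TYPES = {"logo", "image", "screen-shot", "law", "regulation", "standard",
    "external-guidance", "acronyms", "citation", "policy", "procedure", "system-guide",
    "users-guide", "administrators-guide", "rules-of-behavior", "plan", "artifact",
    "evidence", "tool-output", "raw-data", "interview-notes", "questionnaire", "report", "agreement"}
UUID_V4 = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)

def has_timezone(value):
    """True if value parses as an ISO 8601 date-time that carries a UTC offset."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False

def lint_resource(res):
    """Return findings ("error: ..." / "warn: ...") for one back-matter resources entry."""
    out = []
    if not UUID_V4.match(res.get("uuid", "")):
        out.append("error: uuid missing or not a v4 UUID")
    props = {p.get("name"): p.get("value") for p in res.get("props", [])}
    if "type" not in props:
        out.append("warn: type prop missing (best practice)")
    elif props["type"] not in ALLOWED_TYPES:
        out.append(f"error: type '{props['type']}' is not an allowed value")
    if "published" in props and not has_timezone(str(props["published"])):
        out.append("error: published is not an OSCAL date-time-with-timezone")
    rlinks, b64 = res.get("rlinks"), res.get("base64")
    if not rlinks and b64 is None:
        out.append("error: neither rlinks nor base64 present")
    for rl in rlinks or []:
        if not rl.get("href"):
            out.append("error: rlink href missing (required)")
    if b64 is not None:  # a base64 object is meaningless without a decodable value
        try:
            ok = bool(base64.b64decode(b64.get("value", ""), validate=True))
        except ValueError:
            ok = False
        if not ok:
            out.append("error: base64 value missing or not valid Base64")
    return out

# Constructed sample: a conforming linked policy and a defective embedded logo.
SAMPLE_RESOURCES = [
    {"uuid": "11111111-2222-4000-8000-001000000001", "title": "Access Control Policy",
     "props": [{"name": "type", "value": "policy"}, {"name": "published", "value": "2024-01-15T00:00:00Z"}],
     "rlinks": [{"href": "./attachments/policy.pdf", "media-type": "application/pdf"}]},
    {"uuid": "not-a-uuid", "props": [{"name": "type", "value": "pdf"}],
     "base64": {"filename": "logo.png", "media-type": "image/png"}}]
```

Run lint_resource over every entry of a document's back-matter resources array before accepting a package; the checks apply unchanged to SSP, POA&M, SAP and SAR documents since all models share the same back-matter structure.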