# 8. Illustrated Architecture and Narratives

The Architecture, Network and Data Flow Diagrams are each represented using the same OSCAL patterns, with only the top-level assembly name changing.


### Authorization Boundary

The OSCAL approach to this type of diagram is to treat the image data as either a linked or base64-encoded `resource` in the `back-matter` section of the OSCAL file, then reference the diagram using the `link` field. The narrative describing the system architecture must be provided in the `description` field of the `authorization-boundary` assembly.


<img class="page-image" src="/uploads/images/gallery/2026-02/ssp-08-1-architecture.png" alt="system security plan architecture page image" />


#### OSCAL Representation
```yaml
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    authorization-boundary:
      description: A holistic, top-level explanation of the FedRAMP authorization boundary.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000001
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000054'
          rel: diagram
        caption: Authorization Boundary Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000054
      title: Boundary Diagram
      description: The primary authorization boundary diagram.
      props:
      - name: type
        value: image
        class: authorization-boundary
      rlinks:
      - href: ./attachments/diagrams/boundary.png
```

To represent the **Authorization Boundary** from the legacy SSP in an OSCAL-based System Security Plan, the data is centered within the `system-characteristics` section under the `authorization-boundary` element. 

The following elements and structures are used to capture the boundary definition:

* **Boundary Narrative:** An `overall-description` is used to provide a high-level technical and functional summary of the system's limits.
* **Visual Documentation:** The model tracks the total number of boundary diagrams present to ensure compliance with the minimum requirement of at least one visual representation.
* **Diagram Linking:** Each diagram is referenced via a `link` containing a unique identifier or path. This link either points to an external URI or a local reference within the OSCAL document.
* **Resource Storage:** The actual image data or file location for a diagram is stored in the `back-matter` section. This is handled as a `resource` which can either contain the raw `base64` encoded image data or a remote link (`rlink`) to the hosted file.
* **Contextual Details:** Individual diagrams can also include their own specific `description` to clarify the components, data flows, or sub-networks depicted in that particular view.



When multiple diagrams are required to show different perspectives of the boundary, each is listed as a sequential entry within the authorization boundary array.

---
### Network Architecture

The network architecture diagram follows the same pattern as the [*Authorization Boundary*](#authorization-boundary) diagram, except the content is placed under `network-architecture` instead of `authorization-boundary`.

#### OSCAL Representation
```yaml
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    network-architecture:
      description: A holistic, top-level explanation of the network architecture.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000002
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000055'
          rel: diagram
        caption: Network Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000055
      title: Network Diagram
      description: The primary network diagram.
      props:
      - name: type
        value: image
        class: network-architecture
      rlinks:
      - href: ./attachments/diagrams/network.png
```



---
### Data Flow

The data flow diagram follows the same pattern as the [*Authorization Boundary*](#authorization-boundary) diagram, except the content is placed under `data-flow` instead of `authorization-boundary`.



#### OSCAL Representation
```yaml
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  system-characteristics:
    data-flow:
      description: A holistic, top-level explanation of the system's data flows.
      diagrams:
      - uuid: 11111111-2222-4000-8000-007000000003
        description: A diagram-specific explanation.
        links:
        - href: '#11111111-2222-4000-8000-001000000056'
          rel: diagram
        caption: Data Flow Diagram

  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000056
      title: Data Flow Diagram
      description: The primary data flow diagram.
      props:
      - name: type
        value: image
        class: data-flow
      rlinks:
      - href: ./attachments/diagrams/dataflow.png
```
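
A dangling diagram link is easy to miss in review, so the check below walks the three assemblies and confirms that every `rel: diagram` fragment resolves to a `back-matter` resource carrying either `rlinks` or `base64`. This is an added example, not part of the OSCAL tooling or the original page: `check_diagrams` and `sample_ssp` are hypothetical names, the input is an already-parsed SSP dict, and applying the "at least one diagram" rule to all three assemblies is an assumption.

```python
# Added example: validates the diagram -> back-matter linkage shown on this page.
# Input is an SSP already parsed into a dict (from YAML or JSON).
SECTIONS = ("authorization-boundary", "network-architecture", "data-flow")

def check_diagrams(ssp_doc):
    """Return a list of findings; an empty list means every diagram resolves."""
    ssp = ssp_doc["system-security-plan"]
    resources = {r["uuid"]: r for r in ssp.get("back-matter", {}).get("resources", [])}
    chars = ssp.get("system-characteristics", {})
    findings = []
    for section in SECTIONS:
        assembly = chars.get(section)
        if assembly is None:
            continue  # only assemblies present in this document are checked
        if not assembly.get("description", "").strip():
            findings.append(f"{section}: narrative description is empty")
        diagrams = assembly.get("diagrams", [])
        if not diagrams:
            findings.append(f"{section}: no diagrams listed")
        for d in diagrams:
            hrefs = [l["href"] for l in d.get("links", []) if l.get("rel") == "diagram"]
            if not hrefs:
                findings.append(f"{section}: diagram {d['uuid']} has no rel=diagram link")
            for href in hrefs:
                if not href.startswith("#"):
                    continue  # external URI: nothing to resolve inside the document
                res = resources.get(href[1:])
                if res is None:
                    findings.append(f"{section}: {href} matches no back-matter resource")
                elif not (res.get("rlinks") or res.get("base64")):
                    findings.append(f"{section}: resource {href[1:]} has no rlinks or base64")
    return findings

def sample_ssp(link_target):
    """Constructed sample mirroring the page's authorization-boundary snippet."""
    return {"system-security-plan": {
        "system-characteristics": {"authorization-boundary": {
            "description": "Top-level boundary narrative.",
            "diagrams": [{"uuid": "11111111-2222-4000-8000-007000000001",
                          "links": [{"href": "#" + link_target, "rel": "diagram"}]}]}},
        "back-matter": {"resources": [{
            "uuid": "11111111-2222-4000-8000-001000000054",
            "rlinks": [{"href": "./attachments/diagrams/boundary.png"}]}]}}}

if __name__ == "__main__":
    print(check_diagrams(sample_ssp("11111111-2222-4000-8000-001000000054")))
    # Constructed UUID that no resource carries, to show the dangling-link finding.
    print(check_diagrams(sample_ssp("11111111-2222-4000-8000-0010000000ff")))
```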