# Appendicies Overview

Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearning in FedRAMP baselines.

Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing the content as machine-readable content.

See the [Document Attachments](/books/2-fedramp-common/page/attachments) section for general attachment patterns as OSCAL `resources`.

The following table describes how each attachment is handled:

|**Appendix Name** | **Machine Readable** | **How to Handle in OSCAL** |
| :-- | :---: | :-- |
| **Appendix A: FedRAMP Security Controls** | **Yes** | See the [FedRAMP Security Controls](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/chapter/fedramp-security-controls) section. |
| **Appendix B: Related Acronyms** | No | Attach using the `back-matter`, `resource` syntax.<br /><br />For Acronyms, resource must include a `prop` with `@ns="http://fedramp.gov/ns/oscal"`, `@name="type"`, and `@value="fedramp-acronyms"`. |
| **Appendix C: Security Policies and Procedures** | No | From each `-1` control (i.e. AC-1, IA-1) use `links` to identify the related policy and procedure attachments. |
| **Appendix D: User Guide** | No | From SA-5 (`id`=`sa-5`) use `links` to identify this attachment. |
| **Appendix E: Digital Identity Worksheet** | **Yes** | See the [Digital Identity Determination](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/appendix-e-digital-identity-level-dil-determination) section. |
| **Appendix F: Rules of Behavior** | No | From PL-4 (`id`=`pl-4`) use `links` to identify this attachment. |
| **Appendix G: Information System Contingency Plan (ISCP)** | No | From CP-2 (`id`=`cp-2`) use `links` to identify this attachment. |
| **Appendix H: Configuration Management Plan (CMP)** | No | From CM-9 (`id`=`cm-9`) use `links` to identify this attachment. |
| **Appendix I: Incident Response Plan (IRP)** | No | From IR-8 (`id`=`ir-8`) use `links` to identify this attachment. |
| **Appendix J: CIS and CRM Workbook** | Yes | This is generated from the content in the Security Controls section and does not need to be maintained separately nor attached. |
| **Appendix K: FIPS 199 Worksheet** | **Yes** | See the [Appendix K: FIPS-199 Worksheet](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/appendix-k-fips-199-worksheet) section. |
| **Appendix L: CSO-Specific Required Laws and Regulations** | No | Attach using the `back-matter`, `resource` syntax.<br /><br />For CSO-Specific Required Laws and Regulations, resource must include a `prop` with `@name=”type”` and `@value=”law”`. |
| **Appendix M: Integrated Inventory Workbook** | **Yes** | See the [Inventory Approaches](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/inventory-approaches) section. |
| **Appendix N: Continuous Monitoring Plan** | No | From CA-7 (`id`=`ca-7`) use `links` to identify this attachment. |
| **Appendix O: POA&M** | **Yes** | From CA-5 (`id`=`ca-5`) use `links` to identify this attachment.  |
| **Appendix P: Supply Chain Risk Management Plan (SCRMP)** | No | From SR-2 (`id`=`sr-2`) use `links` to identify this attachment. |
| **Appendix Q: Cryptographic Module Table** | **Yes** | See the [Appendix Q: Cryptographic Modules](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/appendix-q-cryptographic-modules) section. |

---