Appendices Overview

Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearing in FedRAMP baselines. Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing the content as machine-readable content. See the Document Attachments section for general attachment patterns as OSCAL resources.

The following table describes how each attachment is handled:

| Appendix Name | Machine Readable | How to Handle in OSCAL |
| --- | --- | --- |
| Appendix A: FedRAMP Security Controls | Yes | See the FedRAMP Security Controls section. |
| Appendix B: Related Acronyms | No | Attach using the `back-matter`, `resource` syntax. For Acronyms, the `resource` must include a `prop` with `@ns="http://fedramp.gov/ns/oscal"`, `@name="type"`, and `@value="fedramp-acronyms"`. |
| Appendix C: Security Policies and Procedures | No | From each -1 control (i.e., AC-1, IA-1) use links to identify the related policy and procedure attachments. |
| Appendix D: User Guide | No | From SA-5 (`id` = `sa-5`) use links to identify this attachment. |
| Appendix E: Digital Identity Worksheet | Yes | See the Digital Identity Determination section. |
| Appendix F: Rules of Behavior | No | From PL-4 (`id` = `pl-4`) use links to identify this attachment. |
| Appendix G: Information System Contingency Plan (ISCP) | No | From CP-2 (`id` = `cp-2`) use links to identify this attachment. |
| Appendix H: Configuration Management Plan (CMP) | No | From CM-9 (`id` = `cm-9`) use links to identify this attachment. |
| Appendix I: Incident Response Plan (IRP) | No | From IR-8 (`id` = `ir-8`) use links to identify this attachment. |
| Appendix J: CIS and CRM Workbook | Yes | This is generated from the content in the Security Controls section and does not need to be maintained separately or attached. |
| Appendix K: FIPS 199 Worksheet | Yes | See the Appendix K: FIPS-199 Worksheet section. |
| Appendix L: CSO-Specific Required Laws and Regulations | No | Attach using the `back-matter`, `resource` syntax. For CSO-Specific Required Laws and Regulations, the `resource` must include a `prop` with `@name="type"` and `@value="law"`. |
| Appendix M: Integrated Inventory Workbook | Yes | See the Inventory Approaches section. |
| Appendix N: Continuous Monitoring Plan | No | From CA-7 (`id` = `ca-7`) use links to identify this attachment. |
| Appendix O: POA&M | Yes | From CA-5 (`id` = `ca-5`) use links to identify this attachment. |
| Appendix P: Supply Chain Risk Management Plan (SCRMP) | No | From SR-2 (`id` = `sr-2`) use links to identify this attachment. |
| Appendix Q: Cryptographic Module Table | Yes | See the Appendix Q: Cryptographic Modules section. |
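The table's Appendix B row and its single-control link rows (Appendices D, F through I, N through P) can be checked mechanically before an SSP is submitted. The following is an added example, not part of the FedRAMP guidance or tooling. It assumes an OSCAL 1.x XML SSP in which each link sits on the control's `implemented-requirement` and its `href` is a `#uuid` fragment naming a `back-matter` `resource`; the function name `check_attachments` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

OSCAL = "{http://csrc.nist.gov/ns/oscal/1.0}"  # OSCAL 1.x XML namespace (assumed model)
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"      # value given in the Appendix B row
# Controls the table says must link to an attachment (Appendices D, F-I, N-P).
LINKED_CONTROLS = ["sa-5", "pl-4", "cp-2", "cm-9", "ir-8", "ca-7", "ca-5", "sr-2"]

def check_attachments(ssp_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(ssp_xml)
    resources = {r.get("uuid"): r for r in root.iter(OSCAL + "resource")}
    findings = []
    # Appendix B: one resource must carry the fedramp-acronyms type prop.
    def is_acronyms(res):
        return any(p.get("name") == "type" and p.get("value") == "fedramp-acronyms"
                   and p.get("ns") == FEDRAMP_NS for p in res.iter(OSCAL + "prop"))
    if not any(is_acronyms(r) for r in resources.values()):
        findings.append("no fedramp-acronyms resource in back-matter")
    # Each listed control needs a link whose fragment resolves to a resource.
    reqs = {r.get("control-id"): r for r in root.iter(OSCAL + "implemented-requirement")}
    for cid in LINKED_CONTROLS:
        req = reqs.get(cid)
        if req is None:
            findings.append(f"{cid}: control not present")
            continue
        hrefs = [link.get("href", "") for link in req.findall(OSCAL + "link")]
        targets = [h[1:] for h in hrefs if h.startswith("#")]
        if not targets:
            findings.append(f"{cid}: no link to an attachment")
        for t in targets:
            if t not in resources:
                findings.append(f"{cid}: link #{t} has no matching resource")
    return findings

# Constructed, abbreviated sample (not schema-complete): pl-4 links to a missing resource.
SAMPLE = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control-implementation>
    <implemented-requirement control-id="sa-5"><link href="#11111111-0000-4000-8000-000000000001"/></implemented-requirement>
    <implemented-requirement control-id="pl-4"><link href="#11111111-0000-4000-8000-000000000009"/></implemented-requirement>
  </control-implementation>
  <back-matter>
    <resource uuid="11111111-0000-4000-8000-000000000001"><title>User Guide</title></resource>
    <resource uuid="11111111-0000-4000-8000-000000000002"><title>Acronyms</title>
      <prop ns="http://fedramp.gov/ns/oscal" name="type" value="fedramp-acronyms"/></resource>
  </back-matter>
</system-security-plan>"""

if __name__ == "__main__":
    print("\n".join(check_attachments(SAMPLE)))
```

The Appendix C (-1 control) links and the Appendix L `law` resource are not covered by this check.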