Required Attachments
FedRAMP SSP attachments include a mix of items. Some lend well to machine-readable format, while others do not.
Machine-readable content is typically addressed within the OSCAL-based FedRAMP SSP syntax, while policies, procedures, plans, guidance, and the rules of behavior documents are still treated as attachments within an OSCAL SSP.
See the Document Attachments section for general attachment patterns as OSCAL resources.
For reqluired FedRAMP SSP attachments, the resource title and description must provide a human-readable indicator the attachment being referenced. OSCAL extensions are also used to identify required FedRAMP attachments, which aids automated completeness checks and workflows.
The following table describes how each attachment is handled:
| Appendix Name | Machine Readable | How to Handle in OSCAL |
|---|---|---|
| Appendix A: FedRAMP Security Controls | Yes | This is generated from the content in the Security Controls section and is not maintained as a separate attachment in an OSCAL SSP. |
| Appendix B: Related Acronyms | No | Attach using the back-matter, resource syntax.For Acronyms, resource must include a prop with @ns="http://fedramp.gov/ns/oscal", @name="type", and @value="fedramp-acronyms". |
| Appendix C: Security Policies and Procedures | No | Attach using the back-matter, resource syntax.For Policies, resource must include a prop with @name=”type”, @value=”policy”, and @class=”control-family”.For Procedures, resource must include a prop with @name=”type”, @value=”procedure”, and @class=”control-family”. |
| Appendix D: User Guide | No | Attach using the back-matter, resource syntax.For User Guides, resource must include a prop with @name=”type” and @value=”users-guide”. |
| Appendix E: Digital Identity Worksheet | Yes | See the Digital Identity Determination section. |
| Appendix F: Rules of Behavior | No | Attach using the back-matter, resource syntax.For Rules of Behavior, resource must include a prop with @name=”type” and @value="rules-of-behavior". |
| Appendix G: Information System Contingency Plan (ISCP) | No | Attach using the back-matter, resource syntax.For ISCP, resource must include a prop with @name=”type”, @value="plan", and @class="information-system-contingency-plan". |
| Appendix H: Configuration Management Plan (CMP) | No | Attach using the back-matter, resource syntax.For CMP, resource must include a prop with @name=”type”, @value="plan", and @class="configuration-management-plan". |
| Appendix I: Incident Response Plan (IRP) | No | Attach using the back-matter, resource syntax.For IRP, resource must include a prop with @name=”type”, @value="plan", and @class="incident-response-plan". |
| Appendix J: CIS and CRM Workbook | Yes | This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached. |
| Appendix K: FIPS 199 Worksheet | Yes | See the System Sensitivity Level (FIPS-199) section. |
| Appendix L: CSO-Specific Required Laws and Regulations | No | Attach using the back-matter, resource syntax.For CSO-Specific Required Laws and Regulations, resource must include a prop with @name=”type” and @value=”law”. |
| Appendix M: Integrated Inventory Workbook | Yes | See the System Inventory section. |
| Appendix N: Continuous Monitoring Plan | No | Attach using the back-matter, resource syntax.For ConMon, resource must include a prop with @name=”type”, @value="plan", and @class="continuous-monitoring-plan". |
| Appendix O: POA&M | Yes | This is maintained separately in an OSCAL POA&M but can be attached using the back-matter, resource syntax.For POA&M, resource must include a prop with @name=”type”, @value="plan", and @class="poam". |
| Appendix P: Supply Chain Risk Management Plan (SCRMP) | No | Attach using the back-matter, resource syntax.For SCRMP, resource must include a prop with @name=”type”, @value="plan", and @class="scrmp". |
| Appendix Q: Cryptographic Module Table | Yes | See the Cryptographic Modules section dealing with components. |