Required Attachments

FedRAMP SSP attachments include a mix of items. Some lend well to machine-readable format, while others do not.

Machine-readable content is typically addressed within the OSCAL-based FedRAMP SSP syntax, while policies, procedures, plans, guidance, and the rules of behavior documents are still treated as attachments within an OSCAL SSP.

See the Document Attachments section for general attachment patterns as OSCAL resources.

For required FedRAMP SSP attachments, the resource title and description must give a human-readable indication of which attachment is being referenced. OSCAL extensions (FedRAMP-namespaced props on the resource) are also used to identify required FedRAMP attachments, which supports automated completeness checks and workflows.

The following table describes how each attachment is handled:

| Appendix Name | Machine Readable | How to Handle in OSCAL |
| --- | --- | --- |
| Appendix A: FedRAMP Security Controls | Yes | This is generated from the content in the Security Controls section and is not maintained as a separate attachment in an OSCAL SSP. |
| Appendix B: Related Acronyms | No | Attach using the back-matter, resource syntax. For Acronyms, the resource must include a prop with @ns="http://fedramp.gov/ns/oscal", @name="type", and @value="fedramp-acronyms". |
| Appendix C: Security Policies and Procedures | No | Attach using the back-matter, resource syntax. For Policies, the resource must include a prop with @name="type", @value="policy", and @class="control-family". For Procedures, the resource must include a prop with @name="type", @value="procedure", and @class="control-family". |
| Appendix D: User Guide | No | Attach using the back-matter, resource syntax. For User Guides, the resource must include a prop with @name="type" and @value="users-guide". |
| Appendix E: Digital Identity Worksheet | Yes | See the Digital Identity Determination section. |
| Appendix F: Rules of Behavior | No | Attach using the back-matter, resource syntax. For Rules of Behavior, the resource must include a prop with @name="type" and @value="rules-of-behavior". |
| Appendix G: Information System Contingency Plan (ISCP) | No | Attach using the back-matter, resource syntax. For the ISCP, the resource must include a prop with @name="type", @value="plan", and @class="information-system-contingency-plan". |
| Appendix H: Configuration Management Plan (CMP) | No | Attach using the back-matter, resource syntax. For the CMP, the resource must include a prop with @name="type", @value="plan", and @class="configuration-management-plan". |
| Appendix I: Incident Response Plan (IRP) | No | Attach using the back-matter, resource syntax. For the IRP, the resource must include a prop with @name="type", @value="plan", and @class="incident-response-plan". |
| Appendix J: CIS and CRM Workbook | Yes | This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached. |
| Appendix K: FIPS 199 Worksheet | Yes | See the System Sensitivity Level (FIPS-199) section. |
| Appendix L: CSO-Specific Required Laws and Regulations | No | Attach using the back-matter, resource syntax. For CSO-Specific Required Laws and Regulations, the resource must include a prop with @name="type" and @value="law". |
| Appendix M: Integrated Inventory Workbook | Yes | See the System Inventory section. |
| Appendix N: Continuous Monitoring Plan | No | Attach using the back-matter, resource syntax. For ConMon, the resource must include a prop with @name="type", @value="plan", and @class="continuous-monitoring-plan". |
| Appendix O: POA&M | Yes | This is maintained separately in an OSCAL POA&M but can be attached using the back-matter, resource syntax. For the POA&M, the resource must include a prop with @name="type", @value="plan", and @class="poam". |
| Appendix P: Supply Chain Risk Management Plan (SCRMP) | No | Attach using the back-matter, resource syntax. For the SCRMP, the resource must include a prop with @name="type", @value="plan", and @class="scrmp". |
| Appendix Q: Cryptographic Module Table | Yes | See the Cryptographic Modules section dealing with components. |

Attachments

The following OSCAL representation of a FedRAMP SSP attachment demonstrates the back-matter and resource approach that must be implemented for classic SSP attachments that are not machine-readable, such as policies, procedures, plans, guidance, and rules of behavior documents. For each attachment, an SSP should provide a publication date (the published property) where possible. However, a back-matter attachment may not have a specific publication date. In that case, an SSP may instead define a last-accessed property whose value is a datetime with a timezone, representing when the resource was last viewed or referenced, and conforming to RFC 3339's "full-date" format.

Attachment Representation
<!-- cut -->
<back-matter>
    <resource uuid="uuid-value-1">
        <title>Document Title</title>
        <description>Policy document</description>
        <prop name="type" ns="http://fedramp.gov/ns/oscal" value="policy"/>
        <!--For this resource, a property of published is used to define the published date-->
        <prop name="published" ns="http://fedramp.gov/ns/oscal" value="2021-01-01Z"/>
        <prop name="version" ns="http://fedramp.gov/ns/oscal" value="1.2"/>
        <!-- Add rlink with relative path or embed with base64 encoding -->
        <base64>00000000</base64>
    </resource>
    <resource uuid="uuid-value-2">
        <title>Document Title</title>
        <description>Policy document</description>
        <prop name="type" ns="http://fedramp.gov/ns/oscal" value="policy"/>
        <!--For this resource, a property of "last-accessed" is defined, with a value of a datetime with a timezone in RFC3339's "full-date" format-->
        <prop name="last-accessed" ns="http://fedramp.gov/ns/oscal" value="2024-12-23T14:30:00-05:00"/>
        <prop name="version" ns="http://fedramp.gov/ns/oscal" value="1.2"/>
        <!-- Add rlink with relative path or embed with base64 encoding -->
        <base64>00000000</base64>
    </resource>
    <!-- cut: policies 3 - 13 -->
    <resource uuid="uuid-value" />
    <resource uuid="uuid-value" />
    <!-- cut: procedure 2 - 13 -->
</back-matter>
XPath Queries

The number of policies attached:
    count(/*/back-matter/resource/prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][string(./@value)="policy"])
Attachment (embedded, Base64-encoded); resources are addressed by their uuid attribute, matching the example above:
    /*/back-matter/resource[@uuid="uuid-value-1"]/base64
OR (relative link):
    /*/back-matter/resource[@uuid="uuid-value-1"]/rlink/@href
Title of the first policy document (the title is a child element of the resource, not a prop, and the type prop's value is in its @value attribute):
    (/*/back-matter/resource[prop[@name="type"][@ns="http://fedramp.gov/ns/oscal"][@value="policy"]])[1]/title
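The completeness check that the FedRAMP type props make possible (the required attachments in the table above), the published/last-accessed date rule, and the three XPath questions above, as one added Python example that is not FedRAMP's or NIST's code. It uses only the standard library, strips the OSCAL XML namespace so it works on a bare back-matter fragment or a whole SSP, reports which required non-machine-readable attachments have no matching resource, flags resources that carry neither date property or neither an rlink nor base64 content, and returns the policy count, the first policy title, and an attachment's location. The sample back-matter and every uuid, title, and href in it are constructed placeholders; the required-attachment list excludes the POA&M because the table says it is maintained separately and only optionally attached.

```python
"""Added example, not FedRAMP's or NIST's code: completeness checks and lookups
over an OSCAL SSP <back-matter> using only the standard library. The sample
document and every uuid, title and href in it are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime

FEDRAMP_NS = "http://fedramp.gov/ns/oscal"
# (type value, class) pairs of the attachments the table above requires as
# back-matter resources. POA&M is omitted: it is kept in a separate OSCAL POA&M
# and only optionally attached here.
REQUIRED_ATTACHMENTS = [
    ("fedramp-acronyms", None), ("policy", "control-family"),
    ("procedure", "control-family"), ("users-guide", None),
    ("rules-of-behavior", None), ("law", None),
    ("plan", "information-system-contingency-plan"),
    ("plan", "configuration-management-plan"), ("plan", "incident-response-plan"),
    ("plan", "continuous-monitoring-plan"), ("plan", "scrmp"),
]

# Constructed sample: two policies (one with published + base64, one with
# last-accessed + rlink) and an acronyms resource that lacks both a date and a body.
SAMPLE_BACK_MATTER = """<back-matter>
  <resource uuid="11111111-1111-4111-8111-111111111111">
    <title>Access Control Policy</title>
    <prop name="type" ns="http://fedramp.gov/ns/oscal" value="policy" class="control-family"/>
    <prop name="published" ns="http://fedramp.gov/ns/oscal" value="2021-01-01Z"/>
    <base64 filename="ac-policy.pdf">AAAA</base64>
  </resource>
  <resource uuid="22222222-2222-4222-8222-222222222222">
    <title>Audit and Accountability Policy</title>
    <prop name="type" ns="http://fedramp.gov/ns/oscal" value="policy" class="control-family"/>
    <prop name="last-accessed" ns="http://fedramp.gov/ns/oscal" value="2024-12-23T14:30:00-05:00"/>
    <rlink href="./attachments/au-policy.pdf"/>
  </resource>
  <resource uuid="33333333-3333-4333-8333-333333333333">
    <title>Acronyms</title>
    <prop name="type" ns="http://fedramp.gov/ns/oscal" value="fedramp-acronyms"/>
  </resource>
</back-matter>"""


def _local(tag):  # '{http://csrc.nist.gov/ns/oscal/1.0}resource' -> 'resource'
    return tag.rsplit("}", 1)[-1]

def load_back_matter(xml_text):
    """Return the <back-matter> element of a bare fragment or a whole SSP."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "back-matter":
            return el
    raise ValueError("no back-matter element found")

def resources(back_matter):
    return [el for el in back_matter if _local(el.tag) == "resource"]

def fedramp_type(resource):
    """(value, class) of the FedRAMP-namespaced 'type' prop, or None."""
    for el in resource:
        if (_local(el.tag) == "prop" and el.get("ns") == FEDRAMP_NS
                and el.get("name") == "type"):
            return el.get("value"), el.get("class")
    return None

def attachment_location(back_matter, uuid):
    """('rlink', href) or ('base64', data) for the resource with this uuid."""
    for r in resources(back_matter):
        if r.get("uuid") == uuid:
            for el in r:
                if _local(el.tag) == "rlink":
                    return "rlink", el.get("href")
                if _local(el.tag) == "base64":
                    return "base64", (el.text or "").strip()
    return None

def missing_attachments(back_matter):
    """Required (type, class) pairs with no matching resource."""
    present = {fedramp_type(r) for r in resources(back_matter)}
    return [req for req in REQUIRED_ATTACHMENTS if req not in present]

def resource_issues(back_matter):
    """Each resource needs a date property and an rlink or base64 body."""
    issues = []
    for r in resources(back_matter):
        uuid = r.get("uuid")
        props = {el.get("name"): el.get("value") for el in r
                 if _local(el.tag) == "prop" and el.get("ns") == FEDRAMP_NS}
        if "published" not in props and "last-accessed" not in props:
            issues.append((uuid, "no published or last-accessed property"))
        elif "last-accessed" in props:
            try:  # must parse as a datetime that carries a timezone offset
                if datetime.fromisoformat(props["last-accessed"]).tzinfo is None:
                    issues.append((uuid, "last-accessed has no timezone"))
            except ValueError:
                issues.append((uuid, "last-accessed is not an RFC 3339 datetime"))
        if attachment_location(back_matter, uuid) is None:
            issues.append((uuid, "neither rlink nor base64 content"))
    return issues

def policy_titles(back_matter):
    """Titles of policy resources in document order: len() is the policy count."""
    return [next(el.text for el in r if _local(el.tag) == "title")
            for r in resources(back_matter)
            if (fedramp_type(r) or ("", None))[0] == "policy"]

if __name__ == "__main__":
    bm = load_back_matter(SAMPLE_BACK_MATTER)
    print("policies attached:", len(policy_titles(bm)), "first:", policy_titles(bm)[:1])
    print("missing required attachments:", missing_attachments(bm))
    print("resource issues:", resource_issues(bm))
```

The type check is deliberately strict: a policy resource whose prop lacks @class="control-family" does not satisfy the Appendix C requirement, so it shows up as missing rather than being silently accepted. On the sample, the acronyms resource is reported twice (no date, no body), and nine of the eleven required attachment kinds are missing.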