Required Attachments

Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearning in FedRAMP baselines.

Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing the content as machine-readable content.

FedRAMP SSP attachments include a mix of items. Some lend well to machine-readable format, while others do not.

Machine-readable content is typically addressed within the OSCAL-based FedRAMP SSP syntax, while policies, procedures, plans, guidance, and the rules of behavior documents are still treated as attachments within an OSCAL SSP.

See the Document Attachments section for general attachment patterns as OSCAL resources.

For reqluired FedRAMP SSP attachments, the resource title and description must provide a human-readable indicator the attachment being referenced. OSCAL extensions are also used to identify required FedRAMP attachments, which aids automated completeness checks and workflows.

The following table describes how each attachment is handled:

Appendix Name	Machine Readable	How to Handle in OSCAL
Appendix A: FedRAMP Security Controls	Yes	This is generated from the content in the Security Controls section and is not maintained as a separate attachment in an OSCAL SSP.
Appendix B: Related Acronyms	No	Attach using the `back-matter`, `resource` syntax. For Acronyms, resource must include a `prop` with `@ns="http://fedramp.gov/ns/oscal"`, `@name="type"`, and `@value="fedramp-acronyms"`.
Appendix C: Security Policies and Procedures	No	~~Attach~~From ~~using~~each `-1` control (i.e. AC-1, IA-1) use `links` to identify the `back-matter`,related `resource` ~~syntax.~~ ~~For Policies, resource must include a~~ `prop` ~~with~~ `@name=”type”`, `@value=”policy”`,policy and `@class=”control-family”`. ~~For~~procedure ~~Procedures, resource must include a~~ `prop` ~~with~~ `@name=”type”`, `@value=”procedure”`~~, and~~ `@class=”control-family”`.attachments.
Appendix D: User Guide	No	~~Attach~~From ~~using~~SA-5 ~~the~~(`id`=`sa-5`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~User~~identify ~~Guides,~~this ~~resource must include a~~ `prop` ~~with~~ `@name=”type”` ~~and~~ `@value=”users-guide”`.attachment.
Appendix E: Digital Identity Worksheet	Yes	See the Digital Identity Determination section.
Appendix F: Rules of Behavior	No	~~Attach~~From ~~using~~PL-4 ~~the~~(`id`=`pl-4`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~Rules~~identify ofthis ~~Behavior, resource must include a prop with~~ `@name=”type”` ~~and~~ `@value="rules-of-behavior"`.attachment.
Appendix G: Information System Contingency Plan (ISCP)	No	~~Attach~~From ~~using~~CP-2 ~~the~~(`id`=`cp-2`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~ISCP,~~identify ~~resource~~this ~~must include a~~ `prop` ~~with~~ `@name=”type”`, `@value="plan"`~~, and~~ `@class="information-system-contingency-plan"`.attachment.
Appendix H: Configuration Management Plan (CMP)	No	~~Attach~~From ~~using~~CM-9 ~~the~~(`id`=`cm-9`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~CMP,~~identify ~~resource~~this ~~must include a~~ `prop` ~~with~~ `@name=”type”`, `@value="plan"`~~, and~~ `@class="configuration-management-plan"`.attachment.
Appendix I: Incident Response Plan (IRP)	No	~~Attach~~From ~~using~~IR-8 ~~the~~(`id`=`ir-8`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~IRP,~~identify ~~resource~~this ~~must include a~~ `prop` ~~with~~ `@name=”type”`, `@value="plan"`~~, and~~ `@class="incident-response-plan"`.attachment.
Appendix J: CIS and CRM Workbook	Yes	This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached.
Appendix K: FIPS 199 Worksheet	Yes	See the System Sensitivity Level (FIPS-199) section.
Appendix L: CSO-Specific Required Laws and Regulations	No	Attach using the `back-matter`, `resource` syntax. For CSO-Specific Required Laws and Regulations, resource must include a `prop` with `@name=”type”` and `@value=”law”`.
Appendix M: Integrated Inventory Workbook	Yes	See the System Inventory section.
Appendix N: Continuous Monitoring Plan	No	~~Attach~~From ~~using~~CA-7 ~~the~~(`id`=`ca-7`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~ConMon,~~identify ~~resource~~this ~~must include a~~ `prop` ~~with~~ `@name=”type”`, `@value="plan"`~~, and~~ `@class="continuous-monitoring-plan"`.attachment.
Appendix O: POA&M	Yes	This is maintained separately in an OSCAL POA&M but can be attached using the `back-matter`, `resource` syntax. For POA&M, resource must include a `prop` with `@name=”type”`, `@value="plan"`, and `@class="poam"`.
Appendix P: Supply Chain Risk Management Plan (SCRMP)	No	~~Attach~~From ~~using~~Sr-2 ~~the~~(`id`=`sr-2`) use `back-matter`, `resourcelinks` ~~syntax.~~ ~~For~~to ~~SCRMP,~~identify ~~resource~~this ~~must include a~~ `prop` ~~with~~ `@name=”type”`, `@value="plan"`~~, and~~ `@class="scrmp"`.attachment.
Appendix Q: Cryptographic Module Table	Yes	See the Cryptographic Modules section dealing with components.