Required Attachments
Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearing in FedRAMP baselines.
Where a legacy FedRAMP attachment is handled as machine-readable content, you have the option of attaching the legacy attachment or representing the content as machine-readable content.
FedRAMP SSP attachments include a mix of items. Some lend themselves well to a machine-readable format, while others do not.
Machine-readable content is typically addressed within the OSCAL-based FedRAMP SSP syntax, while policies, procedures, plans, guidance, and the rules of behavior documents are still treated as attachments within an OSCAL SSP.
See the Document Attachments section for general attachment patterns as OSCAL resources.
For required FedRAMP SSP attachments, the resource title and description must provide a human-readable indicator of the attachment being referenced. OSCAL extensions are also used to identify required FedRAMP attachments, which aids automated completeness checks and workflows.
The following table describes how each attachment is handled:
| Appendix Name | Machine Readable | How to Handle in OSCAL |
|---|---|---|
| Appendix A: FedRAMP Security Controls | Yes | This is generated from the content in the Security Controls section and is not maintained as a separate attachment in an OSCAL SSP. |
| Appendix B: Related Acronyms | No | Attach using the back-matter, resource syntax. For Acronyms, the resource must include a prop with @ns="http://fedramp.gov/ns/oscal", @name="type", and @value="fedramp-acronyms". |
| Appendix C: Security Policies and Procedures | No | From each -1 control (e.g., AC-1, IA-1) use links to identify the related policy and procedure attachments. |
| Appendix D: User Guide | No | From SA-5 (id=sa-5) use links to identify this attachment. |
| Appendix E: Digital Identity Worksheet | Yes | See the Digital Identity Determination section. |
| Appendix F: Rules of Behavior | No | From PL-4 (id=pl-4) use links to identify this attachment. |
| Appendix G: Information System Contingency Plan (ISCP) | No | From CP-2 (id=cp-2) use links to identify this attachment. |
| Appendix H: Configuration Management Plan (CMP) | No | From CM-9 (id=cm-9) use links to identify this attachment. |
| Appendix I: Incident Response Plan (IRP) | No | From IR-8 (id=ir-8) use links to identify this attachment. |
| Appendix J: CIS and CRM Workbook | Yes | This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached. |
| Appendix K: FIPS 199 Worksheet | Yes | See the System Sensitivity Level (FIPS-199) section. |
| Appendix L: CSO-Specific Required Laws and Regulations | No | Attach using the back-matter, resource syntax. For CSO-Specific Required Laws and Regulations, the resource must include a prop with @name="type" and @value="law". |
| Appendix M: Integrated Inventory Workbook | Yes | See the System Inventory section. |
| Appendix N: Continuous Monitoring Plan | No | From CA-7 (id=ca-7) use links to identify this attachment. |
| Appendix O: POA&M | Yes | This is maintained separately in an OSCAL POA&M but can be attached using the back-matter, resource syntax. For the POA&M, the resource must include a prop with @name="type", @value="plan", and @class="poam". |
| Appendix P: Supply Chain Risk Management Plan (SCRMP) | No | From SR-2 (id=sr-2) use links to identify this attachment. |
| Appendix Q: Cryptographic Module Table | Yes | See the Cryptographic Modules section dealing with components. |
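As an added example, not part of the FedRAMP guidance or its tooling, the following Python script performs the kind of automated completeness check that the OSCAL extensions above make possible. It parses an OSCAL SSP in XML, looks for the resources the table identifies by a `type` prop (acronyms, laws and regulations, POA&M), and walks the control-linked attachments, checking that every `-1` control links a policy and a procedure, that the named controls (SA-5, PL-4, CP-2) carry the expected link, and that each link's `#uuid` href resolves to a back-matter resource that has a title and a description. The sample SSP, its UUIDs, and the link `rel` values (`policy`, `procedure`, `user-guide`, `rules-of-behavior`, `contingency-plan`) are constructed for the example; the FedRAMP OSCAL guidance is the authority for the `rel` values it actually prescribes.

```python
"""Completeness check for required FedRAMP SSP attachments in an OSCAL SSP (XML).
Added example for this page, not FedRAMP/NIST tooling; sample SSP, UUIDs and rel values are constructed."""
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"
NS = {"o": OSCAL_NS}

# Attachments found by a "type" prop on a back-matter resource: label -> (value,
# required class, FedRAMP ns required). The table requires the ns only for acronyms.
RESOURCE_TYPE_ATTACHMENTS = {
    "Appendix B: Related Acronyms": ("fedramp-acronyms", None, True),
    "Appendix L: CSO-Specific Required Laws and Regulations": ("law", None, False),
    "Appendix O: POA&M": ("plan", "poam", False),
}
# Attachments found by a link from one implemented-requirement: (label, control id,
# rel). The rel values are assumptions; extend with the table's remaining rows.
CONTROL_LINK_ATTACHMENTS = [
    ("Appendix D: User Guide", "sa-5", "user-guide"),
    ("Appendix F: Rules of Behavior", "pl-4", "rules-of-behavior"),
    ("Appendix G: Information System Contingency Plan", "cp-2", "contingency-plan"),
]
POLICY_LABEL = "Appendix C: Security Policies and Procedures"

def _check_metadata(label, res, findings):
    """Required attachments need a human-readable title and description."""
    for field in ("title", "description"):
        el = res.find(f"o:{field}", NS)
        if el is None or not "".join(el.itertext()).strip():
            findings.append(f"{label}: resource {res.get('uuid')} has no {field}")

def check_attachments(ssp_xml):
    """Return findings for missing, mislabelled or unlinked attachments ([] = complete)."""
    root = ET.fromstring(ssp_xml)
    resources = {r.get("uuid"): r for r in root.findall("o:back-matter/o:resource", NS)}
    findings = []
    # 1. Attachments located by the type prop on the resource itself.
    for label, (value, cls, ns_required) in RESOURCE_TYPE_ATTACHMENTS.items():
        matches = [r for r in resources.values() for p in r.findall("o:prop", NS)
                   if p.get("name") == "type" and p.get("value") == value
                   and (cls is None or p.get("class") == cls)
                   and (not ns_required or p.get("ns") == FEDRAMP_NS)]
        if not matches:
            findings.append(f"{label}: no back-matter resource with prop type={value}")
        for res in matches:
            _check_metadata(label, res, findings)
    # 2. Attachments located by a link from an implemented-requirement; every
    #    -1 control in the SSP must link both its policy and its procedure.
    reqs = {ir.get("control-id"): ir for ir in
            root.findall("o:control-implementation/o:implemented-requirement", NS)}
    wanted = list(CONTROL_LINK_ATTACHMENTS)
    for cid in reqs:
        if cid.endswith("-1"):
            wanted += [(POLICY_LABEL, cid, "policy"), (POLICY_LABEL, cid, "procedure")]
    for label, cid, rel in wanted:
        ir = reqs.get(cid)
        if ir is None:
            findings.append(f"{label}: no implemented-requirement for {cid}")
            continue
        links = [lk for lk in ir.findall("o:link", NS) if lk.get("rel") == rel]
        if not links:
            findings.append(f"{label}: {cid} has no link with rel={rel}")
        for link in links:
            href = link.get("href", "")
            if href.startswith("#") and href[1:] in resources:
                _check_metadata(label, resources[href[1:]], findings)
            else:
                findings.append(f"{label}: {cid} link {href!r} does not resolve to a resource")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order

# Constructed sample with deliberate gaps: no "law" resource, a POA&M resource
# without a description, ia-1 missing its procedure link, pl-4 linking a UUID
# that is not in back-matter, and no implemented-requirement for sa-5 or cp-2.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}" uuid="a0000000-0000-4000-8000-000000000001">
  <control-implementation><description><p>Constructed example.</p></description>
    <implemented-requirement uuid="a0000000-0000-4000-8000-000000000002" control-id="ac-1">
      <link href="#11111111-1111-4111-8111-111111111111" rel="policy"/>
      <link href="#22222222-2222-4222-8222-222222222222" rel="procedure"/>
    </implemented-requirement>
    <implemented-requirement uuid="a0000000-0000-4000-8000-000000000003" control-id="ia-1">
      <link href="#11111111-1111-4111-8111-111111111111" rel="policy"/>
    </implemented-requirement>
    <implemented-requirement uuid="a0000000-0000-4000-8000-000000000004" control-id="pl-4">
      <link href="#99999999-9999-4999-8999-999999999999" rel="rules-of-behavior"/>
    </implemented-requirement>
  </control-implementation>
  <back-matter>
    <resource uuid="11111111-1111-4111-8111-111111111111">
      <title>Access Control Policy</title><description><p>AC family policy.</p></description></resource>
    <resource uuid="22222222-2222-4222-8222-222222222222">
      <title>Access Control Procedures</title><description><p>AC procedures.</p></description></resource>
    <resource uuid="33333333-3333-4333-8333-333333333333">
      <title>Appendix B: Related Acronyms</title><description><p>Acronym list.</p></description>
      <prop name="type" ns="{FEDRAMP_NS}" value="fedramp-acronyms"/><rlink href="./acronyms.docx"/></resource>
    <resource uuid="44444444-4444-4444-8444-444444444444">
      <title>Appendix O: POA&amp;M</title>
      <prop name="type" value="plan" class="poam"/><rlink href="./poam.xml"/></resource>
  </back-matter>
</system-security-plan>"""
```

Calling `check_attachments(SAMPLE_SSP)` returns six findings, one for each gap listed in the comment above the sample, in the order the checks run (resource-typed attachments first, then control-linked ones); an empty list means every checked attachment is present, labelled and resolvable. The check stops at the OSCAL document boundary on purpose: it confirms that each required attachment is declared and reachable, but does not open the `rlink` targets, so a stale path in an `rlink` still needs a separate file-existence check in the workflow.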