Appendices Overview
Most attachments required by FedRAMP are called out in the NIST SP 800-53 controls appearing in the FedRAMP baselines.
Where a legacy FedRAMP attachment can be represented as machine-readable content, you have the option of attaching the legacy document as a resource or representing its content directly as machine-readable OSCAL content.
See the Document Attachments section for general attachment patterns as OSCAL resources.
The following table describes how each attachment is handled:
| Appendix Name | Machine Readable | How to Handle in OSCAL |
|---|---|---|
| Appendix A: FedRAMP Security Controls | Yes | This is generated from the content in the Security Controls section and is not maintained as a separate attachment in an OSCAL SSP. |
| Appendix B: Related Acronyms | No | Attach using the back-matter, resource syntax. For Acronyms, the resource must include a prop with @ns="http://fedramp.gov/ns/oscal", @name="type", and @value="fedramp-acronyms". |
| Appendix C: Security Policies and Procedures | No | From each -1 control (e.g. AC-1, IA-1) use links to identify the related policy and procedure attachments. |
| Appendix D: User Guide | No | From SA-5 (id=sa-5) use links to identify this attachment. |
| Appendix E: Digital Identity Worksheet | Yes | See the Digital Identity Determination section. |
| Appendix F: Rules of Behavior | No | From PL-4 (id=pl-4) use links to identify this attachment. |
| Appendix G: Information System Contingency Plan (ISCP) | No | From CP-2 (id=cp-2) use links to identify this attachment. |
| Appendix H: Configuration Management Plan (CMP) | No | From CM-9 (id=cm-9) use links to identify this attachment. |
| Appendix I: Incident Response Plan (IRP) | No | From IR-8 (id=ir-8) use links to identify this attachment. |
| Appendix J: CIS and CRM Workbook | Yes | This can be generated from the content in the Security Controls section and does not need to be maintained separately or attached. |
| Appendix K: FIPS 199 Worksheet | Yes | See the System Sensitivity Level (FIPS-199) section. |
| Appendix L: CSO-Specific Required Laws and Regulations | No | Attach using the back-matter, resource syntax. For CSO-Specific Required Laws and Regulations, the resource must include a prop with @name="type" and @value="law". |
| Appendix M: Integrated Inventory Workbook | Yes | See the System Inventory section. |
| Appendix N: Continuous Monitoring Plan | No | From CA-7 (id=ca-7) use links to identify this attachment. |
| Appendix O: POA&M | Yes | This is maintained separately in an OSCAL POA&M but can be attached using the back-matter, resource syntax. For the POA&M, the resource must include a prop with @name="type", @value="plan", and @class="poam". |
| Appendix P: Supply Chain Risk Management Plan (SCRMP) | No | From SR-2 (id=sr-2) use links to identify this attachment. |
| Appendix Q: Cryptographic Module Table | Yes | See the Cryptographic Modules section dealing with components. |
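As an added example (not code from the FedRAMP automation project or the OSCAL specification), the Python script below embeds a constructed OSCAL SSP fragment and checks the attachment rules from the table against it: that a back-matter resource carries the acronyms type prop in the FedRAMP namespace, that one carries the POA&M type/class props, and that each control listed in the table links to a resource that actually exists in back-matter. Every UUID and file path in the fragment is made up, the fragment omits the metadata, import-profile and other sections a complete SSP requires, and the check does not validate `rel` values on links or the rlink/base64 content of the resources.

```python
"""Check the FedRAMP appendix-attachment rules against an OSCAL SSP.
Added example, not code from the FedRAMP or OSCAL projects; the SSP below is a
constructed fragment and every UUID and path in it is made up."""
import xml.etree.ElementTree as ET

OSCAL = "http://csrc.nist.gov/ns/oscal/1.0"   # default ns of a prop with no @ns
FEDRAMP = "http://fedramp.gov/ns/oscal"        # ns value given in the table
NS = {"o": OSCAL}

# Control -> appendix whose attachment must be linked from that control.
LINKED = {"sa-5": "Appendix D User Guide", "pl-4": "Appendix F Rules of Behavior",
          "cp-2": "Appendix G ISCP", "cm-9": "Appendix H CMP", "ir-8": "Appendix I IRP",
          "ca-7": "Appendix N Continuous Monitoring Plan", "sr-2": "Appendix P SCRMP"}

# Constructed fragment (assumed data): pl-4 links correctly, sa-5 links to a
# UUID that is not in back-matter, cp-2 has no link, and the other controls
# in LINKED are absent entirely.
SAMPLE_SSP = """<?xml version="1.0"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="1b8a1f2e-6c0d-4a5f-9e7b-0d2c4e6a8f10">
  <control-implementation>
    <implemented-requirement uuid="7c2e9a4b-1d3f-4e5a-8b6c-9d0e1f2a3b4c" control-id="pl-4">
      <link href="#3f9d2b1c-4a5e-4f6d-8c7b-2a1e0d9c8b7a"/>
    </implemented-requirement>
    <implemented-requirement uuid="5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b" control-id="sa-5">
      <link href="#9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"/>
    </implemented-requirement>
    <implemented-requirement uuid="2d1c0b9a-8f7e-4d6c-8b5a-4f3e2d1c0b9a" control-id="cp-2"/>
  </control-implementation>
  <back-matter>
    <resource uuid="3f9d2b1c-4a5e-4f6d-8c7b-2a1e0d9c8b7a">
      <title>Rules of Behavior</title>
      <prop name="type" value="rules-of-behavior"/>
      <rlink href="./attachments/rules-of-behavior.pdf"/>
    </resource>
    <resource uuid="4a5b6c7d-8e9f-4a0b-8c1d-2e3f4a5b6c7d">
      <title>Acronyms</title>
      <prop ns="http://fedramp.gov/ns/oscal" name="type" value="fedramp-acronyms"/>
      <rlink href="./attachments/acronyms.pdf"/>
    </resource>
    <resource uuid="6c7d8e9f-0a1b-4c2d-8e3f-4a5b6c7d8e9f">
      <title>POA&amp;M</title>
      <prop name="type" value="plan" class="poam"/>
      <rlink href="./poam.xml"/>
    </resource>
  </back-matter>
</system-security-plan>
"""


def resources(root):
    """Map back-matter resource UUID -> element."""
    return {r.get("uuid"): r for r in root.findall("o:back-matter/o:resource", NS)}


def has_prop(elem, name, value, ns=None, cls=None):
    """True if elem carries a prop with this name and value in namespace ns
    (the OSCAL namespace when ns is None) and, when cls is given, that class."""
    for p in elem.findall("o:prop", NS):
        if (p.get("name") == name and p.get("value") == value
                and (p.get("ns") or OSCAL) == (ns or OSCAL)
                and (cls is None or p.get("class") == cls)):
            return True
    return False


def control_links(root, control_id):
    """hrefs of every <link> on the implemented-requirement(s) for control_id."""
    return [lnk.get("href")
            for req in root.findall(".//o:implemented-requirement", NS)
            if req.get("control-id") == control_id
            for lnk in req.findall("o:link", NS)]


def check_attachments(ssp_xml):
    """Return a list of findings; an empty list means every table rule is met."""
    root = ET.fromstring(ssp_xml)
    res = resources(root)
    findings = []
    if not any(has_prop(r, "type", "fedramp-acronyms", ns=FEDRAMP) for r in res.values()):
        findings.append("Appendix B: no resource with prop type=fedramp-acronyms in the FedRAMP ns")
    if not any(has_prop(r, "type", "plan", cls="poam") for r in res.values()):
        findings.append("Appendix O: no resource with prop type=plan class=poam")
    for cid, label in LINKED.items():
        hrefs = control_links(root, cid)
        if not hrefs:
            findings.append(f"{cid}: no link to the {label} attachment")
        for href in hrefs:
            if not (href.startswith("#") and href[1:] in res):
                findings.append(f"{cid}: link {href} does not resolve to a back-matter resource")
    return findings


if __name__ == "__main__":
    for finding in check_attachments(SAMPLE_SSP):
        print(finding)
```

Run it directly to print the findings for the embedded fragment. A `type` prop with no `ns` attribute belongs to the OSCAL namespace, so the acronyms prop must carry the FedRAMP `ns` for this check, like the table, to recognise it, while `law` and `plan` are OSCAL-defined values and need no `ns`. A link whose href is not a `#uuid` fragment pointing at a back-matter resource is reported, since the table expects attachments to be identified through resources; see the Document Attachments section for the resource patterns themselves.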