# Control Response: Policies, Procedures, Plans, RoB, and Guides

Most FedRAMP-required attachments derive their requirement from one or more NIST SP 800-53 controls.
With an OSCAL SSP, the attachment is linked directly from the control; that link is how tools know which attachment satisfies each requirement.

| **Control ID** | **Artifact to Link** | **Expected Count** |
| :---: | :-- | :--: |
| Each `-1` | **Policy** | 1 |
| Each `-1` | **Procedure(s)** | 1+ |
| SA-5 (`id`=`sa-5`) | **Appendix D: User Guide** | 1 |
| PL-4 (`id`=`pl-4`) | **Rules of Behavior** | 1 |
| CP-2 (`id`=`cp-2`) | **Information System Contingency Plan (ISCP)** | 1 |
| CM-9 (`id`=`cm-9`) | **Configuration Management Plan (CMP)** | 1 |
| IR-8 (`id`=`ir-8`) | **Incident Response Plan (IRP)** | 1 |
| CA-7 (`id`=`ca-7`) | **Continuous Monitoring Plan** | 1 |
| SR-2 (`id`=`sr-2`) | **Supply Chain Risk Management Plan (SCRMP)** | 1 |

## Retrofit MVP

For Retrofit MVP, simply use a `links` array in the `implemented-requirements` entry for each "-1" control.

```yaml
system-security-plan:
  control-implementation:
    description: There is one control in this example. Follow this pattern for each
      additional control.
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      links:
      - href: ./AC_Policy.docx
        rel: policy
        # registered IANA media type for .docx files
        media-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
      - href: ./AC_Procedure.docx
        rel: procedure
        media-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
```


## Normalized

For Retrofit Advanced and all New adoptions:
- Attach the document as a back-matter resource.
- Create a component that represents the document.
- Cite the component in the control response.


#### Attach Document

[Attach each document](https://patterns.rufrisk.com/books/fedramp-common/page/attachments) as `back-matter` / `resources` entries and include a `props` array with:
- `name` set to `type`
- `value` set to `policy`, `procedure`, `plan`, `users-guide` or `rules-of-behavior`

```yaml
system-security-plan:
  back-matter:
    resources:
    - uuid: 11111111-2222-4000-8000-001000000005
      title: Access Control and Identity Management Policy
      description: A single policy that addresses both the AC and IA families.
      props:
      - name: type
        value: policy
      - name: published
        value: '2023-01-01T00:00:00Z'
      - name: version
        value: '1.2'
      rlinks:
      - href: ./attachments/policies/sample_AC_and_IA_policy.pdf
        media-type: application/pdf
```

#### Create Component

[Create a component](https://patterns.rufrisk.com/books/system-security-plans/page/components) for each document in `system-implementation` / `components` and include:
- a `props` array with one entry:
  - `name` set to `implementation-point`
  - `value` set to `internal` if the document is system-specific; or
  - `value` set to `external` and `class` set to `corporate` if the document is corporate
- a `links` array with one entry:
  - `href` containing a URI fragment that cites the back-matter resource:
    - a hash sign (`#`) followed by the UUID of the back-matter resource
  - `rel` set to `attachment`

All other fields depicted in the example are required by OSCAL to be present.

```yaml
system-security-plan:
  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000600001
      type: policy
      title: Access Control and Identity Management Policy
      description: 'This is a corporate AC policy used for the system.'
      props:
      - name: implementation-point
        value: external
        class: corporate
      links:
      - href: '#11111111-2222-4000-8000-001000000005'
        rel: attachment
      status:
        state: operational
```

#### Control Response

Use `implemented-requirements` / `statements` / `by-components` entries in every control response that cites the document.


```yaml
system-security-plan:
  control-implementation:
    implemented-requirements:
    - uuid: 11111111-2222-4000-8000-012000010000
      control-id: ac-1
      statements:
      - statement-id: ac-1_smt.a
        uuid: 11111111-2222-4000-8000-012000010100
        by-components:
        - component-uuid: 11111111-2222-4000-8000-009000600001
          uuid: 11111111-2222-4000-8000-012000010102
          description: Describe how this policy satisfies part a.
          implementation-status:
            state: implemented
```
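As an added example (not code from this pattern page or from OSCAL tooling), the Python below walks the chain the three steps above build, `by-components` to component to `links` with `rel: attachment` to the back-matter resource and its `type` prop, and reports which artifact types the table at the top expects but no linked resource provides. It generalizes that table to every listed control id; the `SSP` dict is a constructed fragment mirroring the YAML above, and the check is presence-only (it does not count the 1+ procedures).

```python
# Constructed SSP fragment mirroring the page's Normalized YAML (dicts, not parsed YAML).
POLICY_RES = "11111111-2222-4000-8000-001000000005"
POLICY_COMP = "11111111-2222-4000-8000-009000600001"
SSP = {
    "back-matter": {"resources": [
        {"uuid": POLICY_RES, "title": "Access Control and Identity Management Policy",
         "props": [{"name": "type", "value": "policy"}]}]},
    "system-implementation": {"components": [
        {"uuid": POLICY_COMP, "type": "policy",
         "props": [{"name": "implementation-point", "value": "external", "class": "corporate"}],
         "links": [{"href": "#" + POLICY_RES, "rel": "attachment"}]}]},
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-1", "statements": [
            {"statement-id": "ac-1_smt.a", "by-components": [{"component-uuid": POLICY_COMP}]}]}]},
}
PLAN_CONTROLS = {"cp-2", "cm-9", "ir-8", "ca-7", "sr-2"}

def required_types(control_id):
    """Artifact 'type' prop values the table at the top expects for a control id."""
    if control_id.endswith("-1"):          # every -1 control: one policy and 1+ procedures
        return {"policy", "procedure"}
    if control_id in PLAN_CONTROLS:
        return {"plan"}
    return {"sa-5": {"users-guide"}, "pl-4": {"rules-of-behavior"}}.get(control_id, set())

def linked_types(ssp, control_id):
    """Resource 'type' values reached via by-components -> component -> attachment link -> back-matter;
    a dangling component or resource reference yields None instead of a type."""
    resources = {r["uuid"]: r for r in ssp.get("back-matter", {}).get("resources", [])}
    components = {c["uuid"]: c for c in ssp.get("system-implementation", {}).get("components", [])}
    found = []
    for req in ssp["control-implementation"]["implemented-requirements"]:
        if req["control-id"] != control_id:
            continue
        for bc in (b for s in req.get("statements", []) for b in s.get("by-components", [])):
            comp = components.get(bc["component-uuid"])
            if comp is None:
                found.append(None)             # by-component cites an unknown component
                continue
            for link in comp.get("links", []):
                if link.get("rel") != "attachment" or not link.get("href", "").startswith("#"):
                    continue                   # only fragment links into back-matter count
                res = resources.get(link["href"][1:])
                props = res.get("props", []) if res else []
                found.append(next((p["value"] for p in props if p["name"] == "type"), None))
    return found

def missing_types(ssp, control_id):
    """Expected artifact types for which no linked back-matter resource of that type exists."""
    return sorted(required_types(control_id) - set(linked_types(ssp, control_id)))
```

Run against the fragment above, `missing_types(SSP, "ac-1")` reports `['procedure']`, since only the policy is attached.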
---