diff --git a/.gitignore b/.gitignore
index 3c9568e..0ab9e91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 working_dir/*
 templates/.trestle/cache/
 templates/.trestle/_trash/
+.venv
diff --git a/Dockerfile b/Dockerfile
index fe2aff8..6d19ad5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,9 +37,15 @@ RUN adduser \
 # RUN --mount=type=cache,target=/root/.cache/pip \
 #     --mount=type=bind,source=requirements.txt,target=requirements.txt \
 #     python -m pip install -r requirements.txt
-ARG TRESTLE_VERSION=3.4.0
+# ARG TRESTLE_VERSION=3.4.0
+# RUN --mount=type=cache,target=/root/.cache/pip \
+#     python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+# RUN apt-get update && apt-get install -y pandoc && apt-get clean
+# remove below and uncomment above once more-jinja-tags branch has been merged and released
+RUN apt-get update && apt-get install -y git pandoc && apt-get clean
 RUN --mount=type=cache,target=/root/.cache/pip \
-    python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+    python -m pip install git+https://github.com/gsa-tts/compliance-trestle.git@77a6d5d0
+RUN apt-get remove -y git
 
 # Switch to the non-privileged user to run the application.
 USER appuser
diff --git a/README.md b/README.md
index 36006ab..0720ea0 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,10 @@ This repository contains the source code for the `ghcr.io/gsa-tts/trestle` Docke
     1. Edit control statements within markdown files
     1. [Assemble markdown contents into a provisional OSCAL SSP](#assemble-ssp-json-from-markdown)
     1. Edit other sections of the SSPP within the smaller json files
+    1. [Check your progress](#check-control-status)
 1. [Assemble everything into a final OSCAL SSP (TODO: within a CI workflow)](#final-ssp-assembly)
+1. [Update non-OSCAL SSP sections](#update-non-oscal-ssp-files)
+1. [Render a human-readable SSPP (TODO: within a CI workflow)](#render-ssp)
 
 ### Pull down the trestle image and initialize a compliance trestle project
 
@@ -42,10 +45,29 @@ This step will create `system-security-plans/SYSTEM_NAME/system-security-plan.js
 
 This script should be given the same list of Component Definitions that were passed to `generate-ssp-markdown`
 
+### Check Control Status
+
+The `control-status` script will output a quick report of all of the `Implementation Status` lines for your controls. For instance, to report on the status of all controls except those marked as `implemented`:
+
+`control-status -i implemented`
+
+
 ### Final SSP Assembly
 
 `trestle assemble -n SYSTEM_NAME system-security-plan`
 
+### Update non-OSCAL SSP files.
+
+Edit the files within `ssp-markdown` to populate data for the rendered SSP that can't yet be pulled from OSCAL.
+
+*Hint:* Use [jinja templates](https://oscal-compass.github.io/compliance-trestle/trestle_author_jinja/#custom-jinja-tags) `md_clean_include` and `mdsection_include` to populate content from other existing documents your team is using.
+
+### Render SSP
+
+Output the SSP as a markdown file and html file, both within `ssp-render`
+
+`render-ssp`
+
 ### Import profile into working space:
 
 If you are using a `PROFILE_NAME` that does not ship with this docker container then you must first manually import it using:
diff --git a/scripts/copy-profile b/scripts/copy-profile
index 0b0deac..35bc50c 100755
--- a/scripts/copy-profile
+++ b/scripts/copy-profile
@@ -1,10 +1,17 @@
 #! /usr/bin/env bash
 
-set -e
-
 if [ "$1" = "" ]; then
     echo "Usage: $0 PROFILE_NAME"
     exit 1
 fi
 
 trestle import -f "/app/templates/profiles/$1/profile.json" -o "$1"
+
+set -e
+
+if [ -d "/app/templates/ssp-rendering/$1" ]; then
+    mkdir ssp-render
+    cp -r "/app/templates/ssp-rendering/$1/templates" ssp-render/
+    cp -r /app/templates/ssp-rendering/img ssp-render/
+    cp -r "/app/templates/ssp-rendering/$1/markdown" ssp-markdown
+fi
diff --git a/scripts/render-ssp b/scripts/render-ssp
new file mode 100755
index 0000000..c2a83af
--- /dev/null
+++ b/scripts/render-ssp
@@ -0,0 +1,76 @@
+#! /usr/bin/env bash
+
+usage="
+$0: generate a human-readable SSP document
+
+Usage:
+    $0 -h
+    $0 -t TEMPLATE_FILE [-o OUTPUT] [-n SYSTEM_NAME] [-p PROFILE_NAME]
+
+Options:
+-h: show help and exit
+-t: SSP Template file. Defaults to ssp-render/templates/gsa_template.md.jinja
+-o: Output markdown document. Defaults to ssp-render/SYSTEM_NAME_ssp.md
+-n: System Name. Defaults to 'system-name' value in trestle-config.yaml
+-p: Profile Name. Defaults to 'profile' value in trestle-config.yaml
+
+Notes:
+* Will load defaults from trestle-config.yaml file, if present
+"
+
+set -e
+
+source /app/bin/functions.sh
+system_name=$(yaml_parse_value 'trestle-config.yaml' 'system-name')
+profile=$(yaml_parse_value 'trestle-config.yaml' 'profile')
+template="ssp-render/templates/gsa_template.md.jinja"
+output=""
+
+while getopts "ht:o:n:p:" opt; do
+    case "$opt" in
+        t)
+            template=${OPTARG}
+            ;;
+        o)
+            output=${OPTARG}
+            ;;
+        p)
+            profile=${OPTARG}
+            ;;
+        n)
+            system_name=${OPTARG}
+            ;;
+        h)
+            echo "$usage"
+            exit 0
+            ;;
+    esac
+done
+
+if [ "$template" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$profile" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$system_name" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$output" = "" ]; then
+    output="ssp-render/${system_name}_ssp.md"
+fi
+
+if [ ! -f "$template" ]; then
+    echo "The template file: $template could not be found"
+    exit 1
+fi
+
+trestle author jinja -i "$template" -ssp "$system_name" -p "$profile" -o "$output" -lut ssp-markdown/ssp_data.yaml -elp gsa -bf "[.]" -vap "$system_name Assigned:" -vnap "Assignment:"
+
+pandoc "$output" --from markdown -t html -s -o "$output.html" --metadata title="${system_name} SSP"
diff --git a/templates/component-definitions/devtools_cloud_gov/component-definition.json b/templates/component-definitions/devtools_cloud_gov/component-definition.json
index cd24315..56633e5 100644
--- a/templates/component-definitions/devtools_cloud_gov/component-definition.json
+++ b/templates/component-definitions/devtools_cloud_gov/component-definition.json
@@ -1,9 +1,9 @@
 {
   "component-definition": {
-    "uuid": "d8c6b192-f2c1-4434-8307-d8aed1826fe6",
+    "uuid": "6372eeac-753c-4d32-be21-9867a0f3e59a",
     "metadata": {
       "title": "Cloud.gov Best Practices for DevTools-based applications.",
-      "last-modified": "2024-08-15T01:28:29.538446+00:00",
+      "last-modified": "2024-08-28T17:13:07.537368+00:00",
       "version": "0.0.1",
       "oscal-version": "1.1.2"
     },
@@ -73,7 +73,9 @@
             "set-parameters": [
               {
                 "param-id": "gov.cloud.org-name",
-                "values": ["TODO - cloud.gov org name"]
+                "values": [
+                  "TODO - cloud.gov org name"
+                ]
               },
               {
                 "param-id": "gov.cloud.space-names",
@@ -98,7 +100,7 @@
                   {
                     "statement-id": "sc-7_smt.a",
                     "uuid": "7980db8d-2517-4c1d-a1ac-ab28bceefc35",
-                    "description": "SSH access to production spaces: {{ insert: param, gov.cloud.space-names }} within Cloud.gov organization {{ insert: param, gov.cloud.org-name }} has been disabled.",
+                    "description": "SSH access to production spaces has been disabled.",
                     "props": [
                       {
                         "name": "Rule_Id",
@@ -141,7 +143,7 @@
                   {
                     "statement-id": "si-4_smt.b",
                     "uuid": "30e83cb4-8214-491b-85d8-ce85b1a58e9d",
-                    "description": "SSH Access has been disabled to production spaces {{ insert: param, gov.cloud.space-names }} in organization {{ insert: param, gov.cloud.org-name }} to limit potential unauthorized use.",
+                    "description": "SSH Access has been disabled to production spaces to limit potential unauthorized use.",
                     "props": [
                       {
                         "name": "Rule_Id",
diff --git a/templates/profiles/lato/profile.json b/templates/profiles/lato/profile.json
index 1e35689..10d2b94 100644
--- a/templates/profiles/lato/profile.json
+++ b/templates/profiles/lato/profile.json
@@ -50,6 +50,9 @@
         ]
       }
     ],
+    "merge": {
+      "as-is": true
+    },
     "modify": {
       "set-parameters": [
         {
@@ -974,4 +977,4 @@
       "alters": []
     }
   }
-}
\ No newline at end of file
+}
diff --git a/templates/ssp-rendering/img/gsa_it_logo.png b/templates/ssp-rendering/img/gsa_it_logo.png
new file mode 100644
index 0000000..0664b92
Binary files /dev/null and b/templates/ssp-rendering/img/gsa_it_logo.png differ
diff --git a/templates/ssp-rendering/lato/markdown/aws.md b/templates/ssp-rendering/lato/markdown/aws.md
new file mode 100644
index 0000000..ee459a0
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/aws.md
@@ -0,0 +1,71 @@
+# 10.10.1 List of AWS Services Used
+<!--
+Instructions: List AWS services used in the system boundary in the table below.
+-->
+
+Table 10-5. AWS Services
+
+| AWS Service Name | Approval Status (FedRAMP and/or OCISO Approved) | Brief Description of Use(s) |
+| ---------------- | ----------------------------------------------- | --------------------------- |
+
+# 10.10.2 Identity and Access Control Management
+<!--
+Instructions: Describe the identity and access control design for AWS platform level access. It should include technology used for authentication and authorization such as federation, single sign-on and/or identity access management (IAM). Describe how MFA is achieved. Provide details on authentication and authorization for API access, how is MFA achieved for interactive API or command line access. Describe how least privilege is being implemented, what methods and tools are being utilized to develop and assign IAM policies to meet least privilege requirements.
+-->
+
+# 10.10.3 Separation of Workloads
+<!--
+Instructions: Describe the AWS account strategy for defining separation of workloads (e.g., Dev, Test, Prod are separate AWS Accounts). Describe the network segregation in place between these environments (e.g., All AWS Accounts are logically separated from each other with no mesh network or connectivity between them.). Describe how new code, features, enhancements, and fixes are promoted from lower environments to production environments.
+-->
+
+# 10.10.4 Cloud Network Design
+<!--
+Instructions: Describe the network's high availability strategy. For example:
+•	Web server fleet is behind elastic load balancers
+•	Utilizing multiple FedRAMP authorized regions
+•	Utilizing multiple availability zones
+•	Public websites are behind CloudFront
+•	Utilizing Web Application Firewalls to mitigate exploits and denial of service attacks
+•	Utilizing public and private subnets
+•	Utilizing private endpoints so traffic does not traverse public internet if it can stay internal to AWS.
+-->
+
+# 10.10.5 Network Security and Microsegmentation
+<!--
+Instructions: Describe the network's security group and network access control list (NACL) strategy. (e.g., wide permissions are not in place and each Security Group only allows the traffic it requires, 0.0.0.0/0 rules are not in place).
+-->
+
+# 10.10.6 Data Encryption in Transit
+<!--
+Instructions: Describe the network's encryption in transit strategy (e.g., Secure Sockets Layer/Transport Layer Security [SSL/TLS] is in use for public web servers, the SSL connections are terminated on the hosts instead of the load balancer to provide true end to end encryption, uses of other application layer encryption technology such as SSH, Secure File Transfer Protocol (SFTP), etc.).
+-->
+
+# 10.10.7 Data Encryption at Rest
+<!--
+Instructions: Describe the encryption at rest strategy. (e.g., all Elastic Block Store (EBS) Drives and Simple Storage Service (S3) Buckets have AES-256 Encryption Enabled, Relational Database Service (RDS) databases have force encryption parameters enabled, Simple Notification Service (SNS) Topics have encryption enabled, data encrypted in field, table, column level to protect sensitive data stored within the database, files and logs with sensitive information are encrypted before placing in buckets and file systems).
+-->
+
+# 10.10.8 S3 Bucket Security
+<!--
+Instructions: Describe the S3 Bucket Security Strategy. (e.g., all S3 Buckets have AES-256 encryption enabled, all S3 Buckets do not have public access enabled or is explicitly blocked from being public, least privilege access in place for each bucket, AWS config rules are monitoring changes to S3 Bucket posture and changes to provide operational assurance, no static websites are in use, Amazon Macie is enabled to monitor for sensitive information stored in S3).
+-->
+
+# 10.10.9 Key Management Service (KMS) Key Monitoring and Governance
+<!--
+Instructions: Describe the KMS and Key Management Strategy. (e.g., all AWS encryptable services that can utilize KMS Keys have KMS Keys in place, IAM policies are in place that only allow specific users to manage keys for such services, IAM policies are applied granularly per KMS Key, KMS Keys are rotated every 60 days, KMS activity is monitored in CloudTrail).
+-->
+
+# 10.10.10 Governance and Management of AWS Accounts
+<!--
+Instructions: Describe the AWS account provisioning and decommissioning strategy for all AWS accounts (e.g., production, test, development). Describe any governance, guardrails, or security inheritance achieved by using centralized AWS account provisioning, or by using AWS services such as AWS organization, Service Control Policies (SCPs), AWS Single Sign-On (SSO).
+-->
+
+# 10.10.11 Uses of Cloud Native Security Services
+<!--
+Instructions: Describe the Cloud Native Security Services utilized and how they are implemented. (e.g., Security Hub is enabled to validate meeting CIS Benchmarks, Guard Duty is enabled with flowlog monitoring, AWS Web Application Firewalls (WAFs) are in front of public Elastic Compute Cloud (EC2) servers, AWS Secret Manager is used for key/secret rotation, AWS Macie is enabled to identify and protect sensitive data in S3).
+-->
+
+# 10.10.12 Continuous Monitoring and Assessment of AWS Security Posture
+<!--
+Instructions: Describe how baseline AWS Security is implemented and monitored. (e.g., AWS Security Hub is enabled and meets CIS Benchmarks, AWS Config is used for continuous checks against best practices and deviation, third-party tools are used for continuous assessment of cloud posture, CloudTrail and CloudWatch logs are configured and shipped to the GSA Enterprise Logging Platform (ELP), automated alerts are in place for sensitive changes, Security Hub is periodically reviewed to validate compliance against CIS).
+-->
diff --git a/templates/ssp-rendering/lato/markdown/containers.md b/templates/ssp-rendering/lato/markdown/containers.md
new file mode 100644
index 0000000..1e990ab
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/containers.md
@@ -0,0 +1,49 @@
+# 10.9.1 Container Image Build and Management
+<!--
+Instructions: Describe how images for Containers are built, how a Continuous Integration/Continuous Delivery (CI/CD) pipeline is used to build and release container images, describe the steps involved in the CI/CD pipeline, describe security checks and tools used in the pipeline and describe how container images are protected.
+-->
+
+# 10.9.2 Container Image Scanning
+<!--
+Instructions: Describe how container images are scanned for security vulnerabilities. Which tools are used for container vulnerability scanning? How often are scans performed and how are images in the CI/CD pipeline scanned. Describe how vulnerabilities identified in containers are remediated. Note: GSA OCISO requires the use of Prisma Cloud for internal systems at GSA.
+-->
+
+# 10.9.3 Container Image Registry
+<!--
+Instructions: Describe which container registry is used (e.g., Amazon Elastic Container Registry [ECR], Docker Hub.). Describe what functions of the container registry are used. Describe if it is self-hosted or a managed service provided by a CSP. If it is an external provider, is the service FedRAMP compliant or approved by GSA? Describe the access control mechanisms and security control measures in place for the Container Registry.
+-->
+
+# 10.9.4 Dockerfile Usage
+<!--
+Instructions: Describe how Docker images are developed. Are the Docker images built from scratch or are base images from an external source used? If it is from scratch, explain any code quality mechanisms used, such as a linting tool. If images from an external source are used, explain the mechanisms in place to ensure this image can be trusted.
+-->
+
+# 10.9.5 Logs and Log Integration from Containers
+<!--
+Instructions: Describe how logs generated from containers are aggregated in a central log repository. Explain the tooling used to analyze logs and trigger action if needed.
+-->
+
+# 10.9.6 Hardening of Container Infrastructure
+<!--
+Instructions: Describe which Container Infrastructure is used. Is a fully managed or semi-managed container platform from a CSP used? Is the service FedRAMP compliant or approved by GSA? Has the cluster been hardened to security guidelines provided by Center for Internet Security (CIS) benchmarks or other similar benchmarks? Are underlying virtual machines run in the cluster hardened?
+-->
+
+# 10.9.7 Privilege Management in Cluster and Containers
+<!--
+Instructions: Describe how least privileges are applied to users or administrators that need access to a cluster. Is Role-Based Access Control (RBAC) used? Is a non-root user used to run the application with the container? Please explain the approach used to ensure least privilege both for the CSP and containers.
+-->
+
+# 10.9.8 Container Network Security
+<!--
+Instructions: Describe how network security control is implemented for communication between cluster resources. Describe the network topology for the container infrastructure? How is network traffic monitored and restricted between containers? How is network traffic isolated from containers to managed services such as a Database or a Caching cluster? Explain the use of any additional tools for container network security and segmentation in a multi-application multi-tenant/multi-application environment.
+-->
+
+# 10.9.9 Container Orchestration (Elastic Container Service (ECS), Elastic Kubernetes Service (EKS), Fargate, Kubernetes, etc.)
+<!--
+Instructions: Describe the Container Orchestrator used. Is it supported or managed by a vendor? Is it FedRAMP compliant or GSA OCISO approved? Has the Orchestrator been hardened to security guidelines provided by the CIS benchmarks or other similar benchmarks?
+-->
+
+# 10.9.10 Monitoring and Alerting
+<!--
+Instructions: Describe how monitoring on Containerized applications is performed. Does the monitoring provide a holistic view across Containers, Cluster, Host machines, communication, and telemetry between containers? Describe how notifications are received when monitoring finds issues of interest.
+-->
diff --git a/templates/ssp-rendering/lato/markdown/devsecops.md b/templates/ssp-rendering/lato/markdown/devsecops.md
new file mode 100644
index 0000000..09dbd7b
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/devsecops.md
@@ -0,0 +1,49 @@
+# 10.8.1 Code Version Control and Code Management
+<!--
+Instructions: Describe how code is stored and maintained, the code repository branching strategy, the code review process, and the unit/integration test coverage and deployment strategy. Describe how code is tested, verified, and committed, including pre-commit checks, linting and code-scanning checks in the developer’s IDE. Identify the workflow steps and how code changes are linked to work items and change requests.
+-->
+
+# 10.8.2 Infrastructure-As-Code (IAC) Implementataion
+<!--
+Instructions: Describe how the infrastructure is maintained. Explain the steps taken to codify the infrastructure, how lower and higher environments are deployed from the same source code, the usage of a CI/CD pipeline regarding infrastructure-as-code implementation, security checks performed for misconfiguration and errors before IAC deployment.
+-->
+
+# 10.8.3 Pipeline Design
+<!--
+Instructions: Describe the pipeline used to deliver features. How is the CI environment isolated and secured? Explain the steps taken to include infrastructure and application code in the CI pipeline. Describe the process for performing blue-green deployments, if applicable.
+-->
+
+# 10.8.4 Code Scanning
+<!--
+Instructions: Describe how code is scanned for security issues during development. How are linting tools used? Explain how the code is checked for secrets. Describe the process for scanning 3rd party libraries and performing static analysis.
+-->
+
+# 10.8.5 Dependency Scanning
+<!--
+Instructions: Describe the process for running dependency scans and at what stages in development they are run. If there are vulnerabilities found, what is the process for handling these vulnerabilities? Describe the process of scanning dependency artifacts.
+-->
+
+# 10.8.6 Image Management
+<!--
+Instructions: Explain the process for building, updating, and republishing Amazon Machine Images (AMIs) or equivalent images. Describe what base operating systems image, packages and software are used to build images. What is the retention policy for images? Explain steps in image building, security check, and validation for gated release of images. Explain the process/permission control for creation, sharing and validation/release of approved images or Gold images.
+-->
+
+# 10.8.7 Secret and Key Management
+<!--
+Instructions: Describe how secrets are centralized and how hard coded and embedded secrets are eliminated. What is the process for rotating and auditing secrets? Describe the process for monitoring and generating alerts on improper uses/access of keys and secrets.
+-->
+
+# 10.8.8 Artifact Management
+<!--
+Instructions: Describe the process for maintaining artifacts. Describe scanning artifacts and how often this is performed. What authentication and authorization mechanisms are used to access artifact management tools? Describe the process for monitoring and notification of outdated libraries found in artifacts.
+-->
+
+# 10.8.9 Code Change and Release Management
+<!--
+Instructions: Describe how the process for handling all code changes and release management is standardized. Describe the sequence of steps or activities used for change management. Describe automation or tools used to improve security, speed and efficiency during code change and release management. What is the security review and approval process of each change/release?
+-->
+
+# 10.8.10 Serverless Design (if applicable)
+<!--
+Instructions: Describe the microservice-based architecture including API and API security. Describe the serverless functions' network security model including the perimeter. Describe the code review, scanning, and dependency scanning tool chain and processes.
+-->
diff --git a/templates/ssp-rendering/lato/markdown/ipv6.md b/templates/ssp-rendering/lato/markdown/ipv6.md
new file mode 100644
index 0000000..6971173
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/ipv6.md
@@ -0,0 +1,7 @@
+<!--
+Instructions: Describe how the system will transition to IPv6 as required in OMB Memo 21-07, "Completing the Transition to Internet Protocol Version 6 (1Pv6)”, and in accordance with GSA CIO Instructional Letter IL-21-01, Internet Protocol Version 6 (IPv6) Policy, and guidance from the GSA IPv6 Integrated Project Team (IPT).
+-->
+
+<!-- uncomment this block and delete this sentence if the app is hosted on cloud.gov
+Cloud.gov provides a front end interface for applications. Application itself resides in a private network address space.
+-->
diff --git a/templates/ssp-rendering/lato/markdown/ssp_data.yaml b/templates/ssp-rendering/lato/markdown/ssp_data.yaml
new file mode 100644
index 0000000..2887bbb
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/ssp_data.yaml
@@ -0,0 +1 @@
+system_type: "[Major Information System/Minor Application/Subsystem]"
diff --git a/templates/ssp-rendering/lato/markdown/system_data_nature.md b/templates/ssp-rendering/lato/markdown/system_data_nature.md
new file mode 100644
index 0000000..fabc2a4
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/system_data_nature.md
@@ -0,0 +1,8 @@
+<!--
+Instructions: Include a narrative on the nature of the data being stored and processed in the system. Ensure the following are incorporated into the narrative:
+•	The nature and type of data (regardless of if it is PII, PCI, or Authenticators).
+•	Is the data PII, PCI, or Authenticators? If so, how is it encrypted at a file level?
+•	Include details where the encryption keys are stored.
+•	Include details on how the keys are managed and protected.
+•	Include the algorithm being used to encrypt the data along with details on FIPS level.
+-->
diff --git a/templates/ssp-rendering/lato/markdown/system_environment_description.md b/templates/ssp-rendering/lato/markdown/system_environment_description.md
new file mode 100644
index 0000000..69fe9d3
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/system_environment_description.md
@@ -0,0 +1,6 @@
+<!--
+Instructions: In the space that follows, describe the technical system environment, and document the architecture requirements identified within Sections 9.1 through 9.3 of this document. Include information about all system environments that are used, (e.g., production, test, staging or QA environments). Ensure that the proposed software stack utilizes current and supported versions. The software stack, including operating system, application, database, etc. must be configured and hardened in accordance with GSA technical guidelines, NIST guidelines, Center for Internet Security guidelines, or industry best practice guidelines, as deemed appropriate by the GSA AO.
+The mechanisms for creating, storing, distributing, and signing any encryption keys or certificates in the system shall be fully documented in the security architecture. Additionally, all keys and certificates generated shall be reposed in a manner that assures Business Continuity Plan (BCP), Disaster Recovery (DR) and Continuity of Operations (COOP) consistent with NIST requirement per impact FIPS 199 impact level. For further details, see CIO-IT Security-09-43: Key Management.
+Systems that process Personally Identifiable Information (PII), Payment Card Industry (PCI) data, Authenticators (e.g., passwords, tokens, keys, certificates, hashes, etc.), and other sensitive data as determined by the AO, shall encrypt that data everywhere (i.e., at file level, database level, at rest, and in transit). For web services connections, implement end to end encryption terminating the connection at the web server; connections terminated at a load balancer, Firewall, and/or WAF shall employ re-encryption techniques to ensure end to end encryption.
+Encryption of GSA sensitive data (e.g., PII, PCI, Authenticators, other business sensitive data) at rest and in transit shall be with FIPS validated encryption modules wherever possible; exceptions require Acceptance of Risk (AOR) to be signed by the GSA CISO and AO.
+-->
diff --git a/templates/ssp-rendering/lato/markdown/table_10_1.md b/templates/ssp-rendering/lato/markdown/table_10_1.md
new file mode 100644
index 0000000..693feee
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_10_1.md
@@ -0,0 +1,9 @@
+<!--
+Instructions: For addressing the system’s virtual and physical inventory.
+-->
+
+Table 10-1. Asset Physical and Virtual Components
+
+| Component Name | OS/Make | Operational Environment | Location (Physical or Virtual) |
+| -------------- | ------- | ----------------------- | ------------------------------ |
+| <!-- Appname-app-1.gsa.gov EXAMPLE --> | <!-- MS Windows 2019 --> | <!-- Production --> | <!-- Virtual (AWS, us-east-1) --> |
diff --git a/templates/ssp-rendering/lato/markdown/table_10_2.md b/templates/ssp-rendering/lato/markdown/table_10_2.md
new file mode 100644
index 0000000..4273dcb
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_10_2.md
@@ -0,0 +1,43 @@
+<!--
+Instructions: In the table below, fill out the applicable details for any external services that integrate with the system. If non applicable, just state there are no external integrations. Use the following bullet list as guidance to accurately populate the services table for each external connection proposed for integration with the information system considered for Authorization to Operate (ATO) consideration.
+•	System Name:  Name of external system (SaaS or Corporate Service, etc.)
+•	Connection Type:  Describe the type of connection flow as unidirectional incoming, unidirectional outgoing, bi-directional, or none. (Incoming, Outgoing, Bi-directional, none)
+•	Data Description:  Provide a description of the data content and classification associated with the connection. Does the data contain government data, PII, CUI, etc.? (Yes/No, (Gov. Data, CUI, Proprietary, etc.)).
+•	Data Sensitivity:  Describe the sensitivity of the data (Low, Moderate, High). Include a brief description of how this data was categorized (i.e., FIPS 199, internal corporate processes, etc.).
+•	Level of Vendor Dependency: Describe the level of dependency (Low, Moderate, High) on the vendor regarding configuration of support and security control implementation. Include decision logic and how difficult it would be to migrate to an alternative if not approved for use.
+•	Alternative Exists:  Does an alternate service exist which performs the same functionality? (Yes/No) If yes, describe the alternate service.
+•	Is API over HTTPS: (Yes/No).
+•	API Connection Security: (OAuth 2.0, HTTP, Digital Certificates/ TLS Client, SAML, HMAC)
+•	API Connection Type:  It is important to recognize that vendors are inconsistent in their use of the term “API key”. It is often used as a stand-in for “tokens”, “codes”, “customer identifiers” depending on the product and usage. The following bullets cover the scenarios:
+  ‒	Inbound: An external system uses an API key to communicate with the CSP Infrastructure/Platform API to obtain information about or data from the vendor resources. This scenario is only applicable to external systems requiring connectivity inbound to the CSP.
+  ‒	Outbound: A CSP system uses an integration token to communicate with an external system. Sometimes the vendors refer to these as “API Keys”, but this is not an accurate description because they are simply a customer identifier.
+  ‒	Sync: An external system uses an API key to communicate with another external system
+•	Authentication and Authorization:  Describe how the service authenticates to the system. For example:  User ID and password, Secure Shell (SSH) key, token, SAML federation, etc.  (UID, PW, Key, Token, Federated, User ID + token, etc.).
+•	MFA:  Does the service connection require MFA? (Yes/No) If yes, which MFA vendor is being used?
+•	Role Based Access Control:  Is Role-based access control implemented for authentication? (Yes/No)
+•	Audit Logs Available:  Does the external system provide the capability to generate audit logs that are available to the consumer? (Yes/No)
+•	Encryption in Transit:  Is data encrypted during transit (Yes/No)? If yes, what type of encryption is used (i.e., TLS 1.2).
+•	Encryption in Storage:  Is the data encrypted at rest (Yes/No). If yes, what type of encryption is being used (i.e., AES 256)? Are the encryption modules FIPS Validated?
+
+Note:  Make a copy of the table and populate for each external service
+-->
+
+Table 10-2. External Service
+
+| Service Element | Response |
+| --------------- | -------- |
+| System Name | |
+| Connection Type | |
+| Data Description | |
+| Data Sensitivity | |
+| Level of Vendor Dependency | |
+| Alternative Exists? | |
+| Is API over HTTPS? | |
+| API Connection Security | |
+| API Connection Type | |
+| Authentication and Authorization | |
+| MFA | |
+| Role-based Access Control | |
+| Audit Logs Available | |
+| Encryption in Transit | |
+| Encryption in Storage | |
diff --git a/templates/ssp-rendering/lato/markdown/table_10_3.md b/templates/ssp-rendering/lato/markdown/table_10_3.md
new file mode 100644
index 0000000..b2f90d3
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_10_3.md
@@ -0,0 +1,8 @@
+<!--
+Instructions: Populate the following table with the major Operating Systems and Applications within the system boundary. The full name of the software should be used (i.e., Red Hat 6 vs Linux.)
+-->
+
+Table 10-3. Software Components
+
+| Software Component/Name | Function | Version | Patch Level | Virtual (Yes/No) |
+| ----------------------- | -------- | ------- | ----------- | ---------------- |
diff --git a/templates/ssp-rendering/lato/markdown/table_10_4.md b/templates/ssp-rendering/lato/markdown/table_10_4.md
new file mode 100644
index 0000000..3440702
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_10_4.md
@@ -0,0 +1,10 @@
+<!--
+Instructions: In the column labeled “Purpose” indicate the purpose for the service (e.g., system logging, HTTP redirector, load balancing). This table should be consistent with CM-06. Add more rows as needed. Ensure any ports used to support BOT functions are included and the support of BOTs is explicitly stated in Purpose.
+-->
+
+The table below lists the Ports, Protocols, and Serivces enabled in this information system. TCP ports are indicated with a T and UDP prots are indicated with a U.
+
+Table 10-4. Ports, Protocols, and Services
+
+| Direction (Inbound, Outbound, or Bi-Directional) | Boundary Crossings (Y/N) | Source | Destination | Ports (T or U) | Protocols | Services | Purpose | Encrypted (Y/N) | Data Sensitivity |
+| ------------------------------------------------ | ------------------------ | ------ | ----------- | -------------- | --------- | -------- | ------- | --------------- | ---------------- |
diff --git a/templates/ssp-rendering/lato/markdown/table_11_1.md b/templates/ssp-rendering/lato/markdown/table_11_1.md
new file mode 100644
index 0000000..026e42a
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_11_1.md
@@ -0,0 +1,8 @@
+<!--
+Table 11-1 documents high level information for ALL system interconnections. If an IEA/ISA/MOA is not required place N/A in both the Agreement Type and Date of Agreement columns.
+-->
+
+Table 11-1. System Interconnections
+
+| System Name | Organization | Type of System (Major Information System/Minor Application/Subsystem) | Agreement Type (ISA,MOU) | Date of Agreement | FIPS 199 Security Category of System | A&A Status of System | Name and Title of AO |
+| ----------- | ------------ | --------------------------------------------------------------------- | ------------------------ | ----------------- | ------------------------------------ | -------------------- | -------------------- |
diff --git a/templates/ssp-rendering/lato/markdown/table_11_2.md b/templates/ssp-rendering/lato/markdown/table_11_2.md
new file mode 100644
index 0000000..2bc159c
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_11_2.md
@@ -0,0 +1,8 @@
+<!--
+Table 11-2 documents detailed information for ALL system interconnections. This data is vital to understanding the nature of the interconnection between the systems. Provide sufficient information (e.g., System Name, component IP address and interface identifier) connecting to this system. Name the organization and the POC for the external system. For Connection Security indicate how the connection is being secured. For Data Direction, indicate which direction the packets are flowing. For Information Being Transmitted, describe what type of data is being transmitted. If a dedicated telecom line is used, indicate the circuit number.
+-->
+
+Table 11-2. Connection Details of Interconnected Systems
+
+| System Name | Organization | Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer, etc.) | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Prots or Circuit # |
+| ----------- | ------------ | --------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------------- | ----------------------------- | ------------------ |
diff --git a/templates/ssp-rendering/lato/markdown/table_8_2.md b/templates/ssp-rendering/lato/markdown/table_8_2.md
new file mode 100644
index 0000000..d9820d0
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_8_2.md
@@ -0,0 +1,12 @@
+<!--
+This data cannot be pulled from OSCAL (yet), so if this is applicable to your system you must maintain the list here.
+
+Enter "NA" in all columns of a single row if this is Not Applicable
+-->
+
+Table 8-2. Systems Receiving Controls
+
+| Receiving System Name (FISMA System Identifier) | Receiving System Owner | Control Identifier, Name | Common/Hybrid |
+| --------------------- | ---------------------- | ------------------------ | ------------- |
+| <!-- Example: GSA Beta (GSA-B) --> | <!-- Mark Taylor --> | <!-- AC-02, Account Management --> | <!-- Hybrid --> |
+| | | | |
diff --git a/templates/ssp-rendering/lato/markdown/table_9_1.md b/templates/ssp-rendering/lato/markdown/table_9_1.md
new file mode 100644
index 0000000..50355ac
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_9_1.md
@@ -0,0 +1,9 @@
+<!--
+This data cannot be pulled from OSCAL (yet), so if this is applicable to your system you must maintain the list here.
+-->
+
+Table 9-1. System Locations
+
+| Primary | Secondary (if applicable) |
+| ------- | ------------------------- |
+| cloud.gov | |
diff --git a/templates/ssp-rendering/lato/markdown/table_9_2.md b/templates/ssp-rendering/lato/markdown/table_9_2.md
new file mode 100644
index 0000000..c18858b
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_9_2.md
@@ -0,0 +1,11 @@
+<!--
+You can fill in additional rows for this table directly after `endfor`
+-->
+
+Table 9-2. System Assets
+
+| Asset Type | Description of Function or Service Provided |
+| ---------- | ------------------------------------------- |
+{% for component in ssp.system_implementation.components %}
+| {{ component.title }} | {{ component.description }} |
+{% endfor %}
diff --git a/templates/ssp-rendering/lato/markdown/table_9_3.md b/templates/ssp-rendering/lato/markdown/table_9_3.md
new file mode 100644
index 0000000..99c77ea
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_9_3.md
@@ -0,0 +1,8 @@
+<!--
+Instructions: List all URLs associated with the information system including the system component; application URL; if it is internal, external, or both; and the multi-factor authentication (MFA) authentication method used. Please specify the tool or technology used to support MFA.
+-->
+
+Table 9-3. System URLs
+
+| System Component | Application URL | Internal, External, or Both | MFA Authentication Method |
+| ---------------- | --------------- | --------------------------- | ------------------------- |
diff --git a/templates/ssp-rendering/lato/markdown/table_9_4.md b/templates/ssp-rendering/lato/markdown/table_9_4.md
new file mode 100644
index 0000000..189184c
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/table_9_4.md
@@ -0,0 +1,10 @@
+<!--
+Instructions: For an External User, please write “Not Applicable” in the Sensitivity Level Column. Please include systems administrators and database administrators as role types. (Include web server administrators, network administrators, and firewall administrators if these individuals have the ability to configure a device or host). Add additional rows if necessary. For MFA Authentication please specify the tool or technology used to support MFA. Personnel who support the system but do not login to the system do not need to be listed.
+-->
+
+Table 9-4. User Roles and Privileges
+
+| Role | Internal or External | Privileged (P), Non-Privileged (NP), or No Logical Access (NLA) | Sensitivity Level | Authorized Privileges | Functions Performed | MFA Authentication Method |
+| ---- | -------------------- | --------------------------------------------------------------- | ----------------- | --------------------- | ------------------- | ------------------------- |
+
+**Note:** User roles typically align with Active Directory, LDAP, Role-based Access Controls (RBAC), NIS, UNIX groups, and/or UNIX netgroups.
diff --git a/templates/ssp-rendering/lato/markdown/user_access_descriptions.md b/templates/ssp-rendering/lato/markdown/user_access_descriptions.md
new file mode 100644
index 0000000..4af9d94
--- /dev/null
+++ b/templates/ssp-rendering/lato/markdown/user_access_descriptions.md
@@ -0,0 +1,14 @@
+# Privileged User Access
+<!--
+Instructions: Provide a brief description of the authentication process for a privileged user. The description should clearly show authentication from an administrative laptop/workstation to the privileged access point or points. This should capture the access for the backend and frontend as applicable. The description should include the technologies (i.e., MFA software, Active Directory, Jumpbox, etc.). The description should capture all privileged access points (i.e., shell/remote desktop protocol (RDP) remote sessions, administrative graphical user interface (GUI), database, etc.). The description should include all credentials used at all authentication points.
+-->
+
+# Non-Privileged User Access
+<!--
+Instructions: Provide a brief description of the authentication process for a non-privileged user. The description should clearly show authentication from a non-privileged user laptop/workstation to system or application access point. This should capture the access for backend and frontend as applicable. The description should include the technologies (i.e., MFA software, Jumpbox, etc.). The description should include all credentials used at all authentication points.
+-->
+
+# Vendor Considerations
+<!--
+Instructions: If a vendor system, include a narrative on how the corporate network is demarcated to the authorization boundary. Also include other measures in place to isolate the corporate networks logically and physically from the ATO boundary.
+-->
diff --git a/templates/ssp-rendering/lato/templates/approvals.md b/templates/ssp-rendering/lato/templates/approvals.md
new file mode 100644
index 0000000..b4c3d41
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/approvals.md
@@ -0,0 +1,49 @@
+
+# Approvals
+
+**System Owner**
+<br>
+<br>
+<br>
+<br>
+<div style="width:400px"><hr style="border-top:solid 2px #333 !important;color:#333;background-color:#333;" /></div>
+{% set owners = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-owner") | list %}
+{% if owners | count > 0 %}
+{{ owners[0].name }}
+{% else %}
+[Name]
+{% endif %}
+<br>
+System Owner
+
+**Information System Security Officer**
+<br>
+<br>
+<br>
+<br>
+<div style="width:400px"><hr style="border-top:solid 2px #333 !important;color:#333;background-color:#333;" /></div>
+{% set isso = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-officer") | list %}
+{% if isso | count > 0 %}
+{{ isso[0].name }}
+{% else %}
+[Name]
+{% endif %}
+<br>
+Information System Security Officer
+
+**Information System Security Manager**
+<br>
+<br>
+<br>
+<br>
+<div style="width:400px"><hr style="border-top:solid 2px #333 !important;color:#333;background-color:#333;" /></div>
+{% set issm = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-manager") | list %}
+{% if issm | count > 0 %}
+{{ issm[0].name }}
+{% else %}
+[Name]
+{% endif %}
+<br>
+Information System Security Manager
+
+<div class="pagebreak"></div>
diff --git a/templates/ssp-rendering/lato/templates/frontmatter.md b/templates/ssp-rendering/lato/templates/frontmatter.md
new file mode 100644
index 0000000..91d41b5
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/frontmatter.md
@@ -0,0 +1,46 @@
+<center>
+
+# U.S. General Services Administration
+
+# {{ ssp.system_characteristics.system_name }} ({{ ssp.system_characteristics.system_name_short }})
+# Lightweight Security Authorization Process
+# System Security and Privacy Plan (SSPP)
+# {% md_datestamp format='%B %d, %Y' %}
+
+![GSAIT Logo](./img/gsa_it_logo.png)
+
+</center>
+
+<div class="pagebreak"></div>
+
+Document Prepared By
+<table>
+<tbody>
+{% for party in ssp_interface.get_parties_for_role(ssp.metadata.responsible_parties, "prepared-by") %}
+<tr>
+<th scope="row">{{ party.type.value.title() }} Name</th><td>{{ party.name }}</td>
+</tr>
+<tr>
+{% set address = ssp_interface.first_array_entry(party.addresses) %}
+{% set addr_lines = ssp_interface.safe_retrieval(address, "addr_lines", []) %}
+<th scope="row">Address Line 1</th><td>{{ addr_lines[0] }}</td>
+</tr>
+<tr>
+<th scope="row">Address Line 2</th><td>{{ addr_lines[1] }}</td>
+</tr>
+<tr>
+<th scope="row">City, State Zip</th><td>{{ ssp_interface.safe_retrieval(address, "city") }}, {{ ssp_interface.safe_retrieval(address, "state") }} {{ ssp_interface.safe_retrieval(address, "postal_code") }}</td>
+</tr>
+{% endfor %}
+</tbody>
+</table>
+
+<div class="pagebreak"></div>
+
+Document Revision History
+
+| Date | Comments | Version | Author |
+| ---- | -------- | ------- | ------ |
+| | | | |
+
+<div class="pagebreak"></div>
diff --git a/templates/ssp-rendering/lato/templates/gsa_template.md.jinja b/templates/ssp-rendering/lato/templates/gsa_template.md.jinja
new file mode 100644
index 0000000..5d3c60d
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/gsa_template.md.jinja
@@ -0,0 +1,76 @@
+<style>
+  @media print {
+    .pagebreak {
+      break-after: page
+    }
+  }
+</style>
+
+{% md_clean_include 'ssp-render/templates/frontmatter.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/guidance.md' %}
+
+# Table of Contents
+
+<TableOfContents />
+
+<div class="pagebreak"></div>
+
+{% md_clean_include 'ssp-render/templates/approvals.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_1.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_2.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_3.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_4.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_5.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_6.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_7.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_8.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_9.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_10.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_11.md' heading_level=1 %}
+
+{% md_clean_include 'ssp-render/templates/section_12.md' heading_level=1 %}
+
+# 13 Minimum Security Controls
+
+<!-- This iterates over the controls in a resolved catalog and prints out the control statement, summary table,
+and implemented requirements in a format similar to a FedRAMP .docx
+
+The groups are sorted by id and the controls are sorted within each group by sort-id if defined for the control.
+
+The control tables for parameters are output with the param_id in the first column followed either by a single
+'Values' column, or two columns: 'Values' and 'Label or Choice'.  In the one-column case, values are listed if available
+and if not the descriptive label is shown, unless the parameter has a Select defined, in which case the choice options
+are shown.
+
+In the two-column case the Values column is empty if no values are defined, and the Label or Choice column is either the
+list of optional choices if the parameter has a Select defined, else just the descriptive label for the parameter.
+
+To choose the one- or two- column option, specify false or true, respectively, as the final parameter in
+get_fedramp_control_tables().
+-->
+
+{% for group in catalog_interface.get_all_groups_from_catalog() +%}
+## {{ group.title }} {{ group.class }} \({{ group.id|upper }}\)
+
+{% for control in catalog_interface.get_sorted_controls_in_group(group.id) %}
+{{ ssp_md_writer.get_control_statement(control.id, 2) }}
+
+#### {{ control_interface.get_label(control) }} Summary information
+{{ ssp_md_writer.get_fedramp_control_tables(control.id, 2, true) }}
+
+#### What is the solution and how is it implemented?
+{{ ssp_md_writer.get_control_response(control.id, 3, true)}}
+{% endfor %}
+{% endfor %}
diff --git a/templates/ssp-rendering/lato/templates/guidance.md b/templates/ssp-rendering/lato/templates/guidance.md
new file mode 100644
index 0000000..815206d
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/guidance.md
@@ -0,0 +1,32 @@
+<!--
+
+# Guidance
+
+In addition to the instructions found throughout the template the following guidance is provided to assist personnel in preparing System Security and Privacy Plans (SSPPs) for General Services Administration (GSA) systems. The SSPP is one of the key documents of an information system’s security package. Once completed, the SSPP provides detailed descriptions of (1) all a system's security control implementations; (2) the system’s purpose, function, and operations, including inventories of its components and services; and (3) detailed depictions of the system’s data flows, architecture, and authorization boundary.
+
+The GSA Office of the Chief Information Security Officer (OCISO) expectations for specific areas in the SSPP are listed below.
+
+*	The latest GSA OCISO SSPP template is to be used by the System Owner (or by proxy) and the system’s Information System Security Officer (ISSO) for documenting each assigned information system’s security and privacy requirements. The completed SSPP must be signed by the following roles for final approval:
+    *	GSA System Owner
+    *	GSA ISSO
+    *	Provider/Vendor ISSO (if applicable)
+    *	GSA Information System Security Manager (ISSM)
+*	The System Owner and ISSO must ensure all technologies utilized by the information system are included and described thoroughly in Sections 1-12. Each technology and its purpose supporting the information system should be detailed in the General System Description and System Environment section.
+*	As part of preparing the SSPP the following documents and subject areas must be completed, reviewed, and approved, or meet the requirements identified.
+    *	Privacy determination – a Privacy Threshold Assessment, and a Privacy Impact Assessment, if applicable, must accurately identify if Personally Identifiable Information (PII) is in play.
+    *	Security Categorization – a Federal Information Processing Standards 199 template must be completed which identifies all the information types pertinent to the system and the final security categorization with justification if any security impact levels for any information type have been adjusted.
+    *	Digital Identity Acceptance Statement (DIAS) – a GSA DIAS must be completed in accordance with the National Institute of Standards and Technology 800-63 series of documents.
+    *	Security Architecture Review – GSA OCISO’s Security Engineering Division (ISE) must have approved the security architecture after reviewing it as described in CIO-IT Security-19-95: Security Engineering Architecture Reviews.
+    *	The following Authorization to Operate (ATO) Showstoppers must be fully satisfied with implementation details provided for the controls listed. Additional details are provided in the instructions at the beginning of Section 13 of the SSPP.
+        *	Multifactor Authentication for Privileged and User-Level Access - IA-02(01) and IA-02(02)
+        *	Remediation of Critical and High Vulnerabilities – SI-02
+        *	Remote Code Execution Vulnerabilities – SI-02
+        *	Usage of End-of-Life Software – SA-22
+        *	System Architecture Review – PL-08
+        *	Encryption of Sensitive Data (PII, Payment Card Industry [PCI], Authenticators, business sensitive data) everywhere – SC-08, SC-08(01), SC-28, SC-28(01)
+        *	Integration with GSA’s Security Stack (Federal Systems)
+        *	Compliance with the Cybersecurity and Infrastructure Security Agency’s Binding Operation Directives and Emergency Directives (BODs/EDs).
+*	Control implementation details in Section 13 of the SSPP must provide detailed implementation descriptions across groups of assets/devices within the security authorization boundary.
+*	Per CIO-IT-Security 06-30: Managing Enterprise Cybersecurity Risk, the OCISO will review the SSPP to determine if it is complete, consistent, and addresses the security requirements for the information system. Based on the results of the review, the SSPP may require further updating, or may be approved.
+
+-->
diff --git a/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md b/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md
new file mode 100644
index 0000000..1d3ebe7
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md
@@ -0,0 +1,30 @@
+<table>
+<tbody>
+<tr>
+<th scope="row">Name</th><td>{{ party.name }}</td>
+</tr>
+<tr>
+<th scope="row">Title</th><td>{{ control_interface.get_prop(party, 'title') }}</td>
+</tr>
+<tr>
+{% set organization = ssp_interface.get_party_by_uuid(ssp_interface.first_array_entry(party.member_of_organizations)) %}
+<th scope="row">Organization</th><td>{{ ssp_interface.safe_retrieval(organization, "name") }}</td>
+</tr>
+<tr>
+<th scope="row">Address</th><td>
+{% if organization and organization.addresses %}
+{% set address = ssp_interface.first_array_entry(organization.addresses) %}
+{% if address %}
+{{ ssp_interface.safe_retrieval(address, 'addr_lines', []) | join(' ') }} {{ address.city }}, {{ address.state }} {{ address.postal_code }}
+{% endif %}
+{% endif %}
+</td>
+</tr>
+<tr>
+<th scope="row">Phone Number</th><td>{{ ssp_interface.first_array_entry(party.telephone_numbers, "number") }}</td>
+</tr>
+<tr>
+<th scope="row">Email Address</th><td>{{ ssp_interface.first_array_entry(party.email_addresses, "__root__") }}</td>
+</tr>
+</tbody>
+</table>
diff --git a/templates/ssp-rendering/lato/templates/section_1.md b/templates/ssp-rendering/lato/templates/section_1.md
new file mode 100644
index 0000000..a4ddbff
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_1.md
@@ -0,0 +1,12 @@
+# 1 Information System Name
+
+This System Security and Privacy Plan (SSPP) provides an overview of the security requirements for the {{ ssp.system_characteristics.system_name }} ({{ ssp.system_characteristics.system_name_short }}) and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed, or stored by the system.
+
+The security safeguards implemented for the {{ ssp.system_characteristics.system_name_short }} meet the policy and control requirements as set forth in this SSPP. All systems are subject to monitoring consistent with applicable laws, regulations, agency policies, procedures, and practices.
+
+
+Table 1-1. Information System Name
+
+| Information System Name | Information System Abbreviation |
+| ----------------------- | ------------------------------- |
+| {{ ssp.system_characteristics.system_name }} | {{ ssp.system_characteristics.system_name_short }} |
diff --git a/templates/ssp-rendering/lato/templates/section_10.md b/templates/ssp-rendering/lato/templates/section_10.md
new file mode 100644
index 0000000..d5d55af
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_10.md
@@ -0,0 +1,65 @@
+# 10 System Environment
+
+{% md_clean_include "ssp-markdown/system_environment_description.md" heading_level=2 %}
+
+## 10.1 Asset Inventory
+
+The following table identifies the virtual and physical components of the {{ ssp.system_characteristics.system_name_short }}.
+
+{% md_clean_include "ssp-markdown/table_10_1.md" heading_level=3 %}
+
+## 10.2 External Services
+
+The following table(s) identifies the external services supporting {{ ssp.system_characteristics.system_name_short }}.
+
+{% md_clean_include "ssp-markdown/table_10_2.md" heading_level=3 %}
+
+## 10.3 Software Inventory
+
+The following table lists the principal software components (e.g., operating system, database, web software, etc.) for {{ ssp.system_characteristics.system_name_short }}.
+
+{% md_clean_include "ssp-markdown/table_10_3.md" heading_level=3 %}
+
+## 10.4 Data Flow
+
+<!--
+Instructions: In this section describe the flow of data in and out of system boundaries and insert a data flow diagram. If necessary, include multiple data flow diagrams.
+Ensure the following elements are incorporated into the data flow diagrams and narratives:
+•	Indicate source and destination of data (Is communication crossing DMZs, subnets, to another authorization boundary, external service, internet, etc. Also include whether it is one way inbound, one way outbound, or bi-directional).
+•	Identify the ports and protocols planned for use and whether the flows are encrypted.
+•	Note any access control mechanisms in place to restrict the flow of authorized traffic between defined and approved endpoints.
+•	Clearly identify anywhere Federal data is to be processed, stored, or transmitted
+•	Document any data flow through approved external or internal Continuous Integration systems (CI) and code repositories in flow narratives and SSPP diagrams. Clearly identify data flows for privileged, non-privileged, and customer access.
+•	Include data flows associated with BOTs, as applicable, to ensure data flows used by BOTS are depicted.
+-->
+
+The Data Flow Diagram (DFD) below maps out the flow of information traveling within an information system and between infrormation systems.
+
+{% for diagram in ssp_interface.safe_retrieval(ssp.system_characteristics.data_flow, 'diagrams', []) %}
+![{{diagram.caption}}]({{ ssp_interface.get_diagram_href(diagram) }})
+<br/>Figure 10-{{loop.index}}. Data Flow Diagram
+{% endfor %}
+
+## 10.5 System Data Nature
+
+{% md_clean_include "ssp-markdown/system_data_nature.md" heading_level=3 %}
+
+## 10.6 Ports, Protocols, and Services
+
+{% md_clean_include "ssp-markdown/table_10_4.md" heading_level=3 %}
+
+## 10.7 Transition to IPv6
+
+{% md_clean_include "ssp-markdown/ipv6.md" heading_level=3 %}
+
+## 10.8 DevOps/DevSecOps Management
+
+{% md_clean_include "ssp-markdown/devsecops.md" heading_level=3 %}
+
+## 10.9 Container-Based Workload Management
+
+{% md_clean_include "ssp-markdown/containers.md" heading_level=3 %}
+
+## 10.10 AWS Management
+
+{% md_clean_include "ssp-markdown/aws.md" heading_level=3 %}
diff --git a/templates/ssp-rendering/lato/templates/section_11.md b/templates/ssp-rendering/lato/templates/section_11.md
new file mode 100644
index 0000000..ca6e782
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_11.md
@@ -0,0 +1,9 @@
+# System Interconnections
+<!--
+Instructions: List data covering all interconnected systems in the two tables in this section as described below. Add additional rows as needed. A system interconnection is the direct connection of two or more IT systems for the purpose of sharing information resources (data or services). CIO-IT Security-24-125: Managing Information Exchange Agreements documents the type of agreements required when information is exchanged between systems, including when an Information Exchange Agreement (IEA)/Memorandum of Agreement (MOA) or Interconnection Security Agreement (ISA)/MOA is required. Any IEA/MOA or ISA/MOA between GSA and external entities including off-site contractors or Federal agency/departments must be approved by the GSA CISO.
+
+Note: For system interconnections with an IEA/ISA/MOU, additional information regarding connection may be found in the associated IEA/ISA/MOU.
+-->
+
+{% md_clean_include "ssp-markdown/table_11_1.md" heading_level=2 %}
+{% md_clean_include "ssp-markdown/table_11_2.md" heading_level=2 %}
diff --git a/templates/ssp-rendering/lato/templates/section_12.md b/templates/ssp-rendering/lato/templates/section_12.md
new file mode 100644
index 0000000..43f65f1
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_12.md
@@ -0,0 +1,3 @@
+# 12 Applicable Laws and Regulations
+
+See Appendix B, References.
diff --git a/templates/ssp-rendering/lato/templates/section_2.md b/templates/ssp-rendering/lato/templates/section_2.md
new file mode 100644
index 0000000..5b6fedc
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_2.md
@@ -0,0 +1,46 @@
+# 2 Information System Categorization
+
+The overall FIPS 199 information system security categorization is {{ ssp.system_characteristics.security_sensitivity_level }}
+
+<!--
+Instructions: A GSA FIPS 199 Security Categorization document must be completed and submitted as an Attachment to this SSPP. A template is available on the [GSA IT Security Forms and Aids page](https://insite.gsa.gov/node/166914)
+-->
+
+## 2.1 Information Types
+The following table identifies the information types and impact levels that are input, stored, processed, and/or output from the {{ ssp.system_characteristics.system_name_short }} environment. The security impact levels for confidentiality, integrity, and availability for each of the information types are expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS 199 (Note: The information types found in NIST SP 800-60, Volumes I and II, Revision 1 are the same information types found in the Federal Enterprise Architecture (FEA) Consolidated Reference Model). Refer to Attachment 2 of this System Security and Privacy Plan for the detailed FIPS 199 Analysis supporting the summary determinations below.
+
+Table 2-1. Information Types
+
+| Information Type | Confidentiality | Integrity | Availability |
+| ---------------- | --------------- | --------- | ------------ |
+{% for info_type in ssp.system_characteristics.system_information.information_types %}
+| {{ info_type.title }} | {{ info_type.confidentiality_impact.selected.__root__ }} | {{ info_type.integrity_impact.selected.__root__ }} | {{ info_type.availability_impact.selected.__root__ }} |
+{% endfor %}
+
+## 2.2 Potential Impacts of Security Objectives
+
+Based on the information provided above, the potential impacts for each security objective, per FIPS 199, for the {{ ssp.system_characteristics.system_name_short }} environment is summarized in the table below.
+
+Table 2-2. Security Objective Impacts
+
+| Security Objective | Impact Level |
+| ------------------ | ------------ |
+| Confidentiality    | {{ ssp.system_characteristics.security_impact_level.security_objective_confidentiality }} |
+| Integrity          | {{ ssp.system_characteristics.security_impact_level.security_objective_integrity }} |
+| Availability       | {{ ssp.system_characteristics.security_impact_level.security_objective_availability }} |
+
+## 2.3 Digital Identity Acceptance Statement
+
+<!--
+Instructions: A GSA Digital Identity Acceptance Statement document must be completed and submitted as an Attachment to this SSPP. A template is available on the [GSA IT Security Forms and Aids page](https://insite.gsa.gov/node/166914). Record the summary information below based on the completed template.
+-->
+
+Refer to Attachment 3 of this System Security and Privacy Plan for the completed GSA Digital Identity Acceptance Statement form supporting the summary determinations below.
+
+Table 2-3. Digital Identity Acceptance Statement Assurance Level Summary
+
+| Assurance Levels | Implemented Assurance Level |
+| ---------------- | --------------------------- |
+| Identity Assurance Level (IAL) | IAL{{ control_interface.get_prop(ssp.system_characteristics, 'identity-assurance-level') }} |
+| Authentication Assurance Level (AAL) | AAL{{ control_interface.get_prop(ssp.system_characteristics, 'authenticator-assurance-level') }} |
+| Federation Assurance Level (FAL) | FAL{{ control_interface.get_prop(ssp.system_characteristics, 'federation-assurance-level') }} |
diff --git a/templates/ssp-rendering/lato/templates/section_3.md b/templates/ssp-rendering/lato/templates/section_3.md
new file mode 100644
index 0000000..b987e70
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_3.md
@@ -0,0 +1,7 @@
+# 3 Information System Owner
+
+The following individual is identified as the System Owner for this system.
+
+{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-owner") %}
+{% include "ssp-render/templates/partials/poc_contact_table.md" +%}
+{% endfor +%}
diff --git a/templates/ssp-rendering/lato/templates/section_4.md b/templates/ssp-rendering/lato/templates/section_4.md
new file mode 100644
index 0000000..41c6b44
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_4.md
@@ -0,0 +1,7 @@
+# 4 Authorizing Official
+
+The Authorizing Official (AO) for this information system is identified below.
+
+{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "authorizing-official") %}
+{% include "ssp-render/templates/partials/poc_contact_table.md" +%}
+{% endfor +%}
diff --git a/templates/ssp-rendering/lato/templates/section_5.md b/templates/ssp-rendering/lato/templates/section_5.md
new file mode 100644
index 0000000..cf3c7a8
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_5.md
@@ -0,0 +1,13 @@
+# 5 Assignment of Security Responsibility
+
+The Information System Security Manager (ISSM) has been appointed and is identified below.
+
+{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-manager") %}
+{% include "ssp-render/templates/partials/poc_contact_table.md" +%}
+{% endfor +%}
+
+The Information System Security Officer (ISSO) has been appointed and is identified below.
+
+{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-officer") %}
+{% include "ssp-render/templates/partials/poc_contact_table.md" +%}
+{% endfor +%}
diff --git a/templates/ssp-rendering/lato/templates/section_6.md b/templates/ssp-rendering/lato/templates/section_6.md
new file mode 100644
index 0000000..3527881
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_6.md
@@ -0,0 +1,7 @@
+# 6 Other Designated Contacts
+
+The individual(s) identified below possess in-depth knowledge of this system and/or its functions and operation.
+
+{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-poc-technical") %}
+{% include "ssp-render/templates/partials/poc_contact_table.md" +%}
+{% endfor +%}
diff --git a/templates/ssp-rendering/lato/templates/section_7.md b/templates/ssp-rendering/lato/templates/section_7.md
new file mode 100644
index 0000000..11418f9
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_7.md
@@ -0,0 +1,12 @@
+# 7 Information System Operational Status
+
+The system is currently in the life-cycle phase noted in the following table.
+
+Table 7-1. System Operational Status
+
+| System Operational Status | Status Description |
+| ------------------------- | ------------------ |
+| {{"☒" if ssp.system_characteristics.status.state.value == "operational" else "☐"}} Operational | The system is operating and in production |
+| {{"☒" if ssp.system_characteristics.status.state.value == "under-development" else "☐"}} Under Development | The system is being designed, developed, or implemented. |
+| {{"☒" if ssp.system_characteristics.status.state.value == "under-major-modification" else "☐"}} Major Modification | The system is undergoing a major change, development, or transition. |
+| {{"☒" if ssp.system_characteristics.status.state.value == "other" else "☐"}} Other | Explain: {{ "Edit the section_7.md template to explain the status" if ssp.system_characteristics.status.state.value == "other" else "" }} |
diff --git a/templates/ssp-rendering/lato/templates/section_8.md b/templates/ssp-rendering/lato/templates/section_8.md
new file mode 100644
index 0000000..a7d8ec1
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_8.md
@@ -0,0 +1,33 @@
+# 8 Information System Type
+
+The {{ ssp.system_characteristics.system_name_short }} is a {{ gsa.system_type }}
+
+<!--
+Instructions: The terms General Support System (GSS) and Major Application are no longer used by NIST. Minor Applications/Subsystems are typically authorized to operate under the authorization of a larger Major Application and do not have a standalone authorization to operate. Systems previously considered a GSS or Major Application should be classified as a Major Information System. Contact ISP at ispcompliance@gsa.gov if there are any questions.
+-->
+
+## 8.1 Systems Providing Controls to {{ ssp.system_characteristics.system_name_short }}
+
+<!--
+Instructions: List all systems providing controls, the controls they provide, and identify if it is provided as a Common or Hybrid control. Ensure that the interconnections for systems providing controls are included in the network architecture diagram.
+
+Note: Systems can only inherit controls from systems that have a current ATO.
+-->
+
+The systems identified in the following table provide controls (common or hybrid) to {{ ssp.system_characteristics.system_name_short }}. List all systems providing controls, the controls they provide, and identify if it is provided as a Common or Hybrid control.
+
+Table 8-1. Systems Providing Controls
+
+| Providing System Name (FISMA System Identifier) | Providing System Owner | Control Identifier, Name | Common/Hybrid |
+| --------------------- | ---------------------- | ------------------------ | ------------- |
+{% for component in ssp.system_implementation.components %}
+{% if component.type != "this-system" %}
+| {{ component.title }} | | See section 13 | |
+{% endif %}
+{% endfor %}
+
+## 8.2 Systems Receiving Controls from {{ ssp.system_characteristics.system_name_short }}
+
+{{ ssp.system_characteristics.system_name_short }} provides the controls (common or hybrid) listed to the systems identified in the following table. List any controls provided to any systems and identify if it is provided as a Common or Hybrid control.
+
+{% md_clean_include 'ssp-markdown/table_8_2.md' heading_level=3 %}
diff --git a/templates/ssp-rendering/lato/templates/section_9.md b/templates/ssp-rendering/lato/templates/section_9.md
new file mode 100644
index 0000000..41f2e14
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_9.md
@@ -0,0 +1,65 @@
+# 9 General System Description
+
+<!--
+Instructions: The general information system description must consist of the following:
+*	How the system is commensurate with the essential characteristics of secure systems defined in NIST SP 800-53 Revision 5, other applicable NIST guidance and standards, and Federal laws and regulations. In addition, the description shall describe the service model and deployment model.
+*	Convey the who, what, when, where, and how regarding the system function and purpose across the entire technology stack and all users.
+-->
+
+{{ ssp.system_characteristics.description }}
+
+## 9.1 Information System Locations
+
+Physically, the {{ ssp.system_characteristics.system_name_short }} environment resides at the locations identified below.
+
+{% md_clean_include "ssp-markdown/table_9_1.md" heading_level=3 %}
+
+## 9.2 Information System Components and Boundaries
+
+<!--
+Instructions: In the space that follows, describe the information system’s major components, interconnections, and boundaries in sufficient detail that accurately depicts the authorization boundary for the information system. The desired architecture boundary for an information system should be inclusive of all functions and services necessary to secure, operate, and administer the information system - these include all components and supporting information system components (e.g., logging platform, monitoring solutions, ticketing solutions, vulnerability scanning, authentication solutions, etc.). A system is typically deployed in a logically or physically separated environment situated behind a firewall, with only necessary ingress/egress port openings to facilitate required operations. Integration with assets/device outside of the protected enclave supporting the information system contemplated for an Authorization to Operate (ATO) including but not limited to 1) shared assets, 2) corporate networks, or 3) third party services (e.g., cloud service provider (CSP) offerings) are a function of risk. The latter is allowed if the connecting CSP offering is also Federal Risk and Authorization Management Program (FedRAMP)-authorized. In all cases, integrations with assets/devices outside of the ATO boundary are not guaranteed for approval and reviewed/permitted on a case-by-case basis after a complete understanding of the associated risks. Please ensure that the discussion on boundaries is consistent with the network diagram shown in Section 9.5. For further details, please reference [CIO-IT Security-19-95](https://insite.gsa.gov/node/166494): Security Engineering Architecture Reviews.
+-->
+
+The components of the {{ ssp.system_characteristics.system_name_short }} environment can be broken down into the following groups of asset types. The assets are also portrayed in the network diagram in Section 9.5.
+
+The controls described in Section 13 of this document may apply to some or all of these asset types.
+
+{% md_clean_include "ssp-markdown/table_9_2.md" %}
+
+## 9.3 Information System Web Site URL Addresses
+
+The following table lists the web site URL addresses for {{ ssp.system_characteristics.system_name_short }}.
+
+{% md_clean_include "ssp-markdown/table_9_3.md" heading_level=3 %}
+
+## 9.4 Types of Users
+
+{% md_clean_include "ssp-markdown/table_9_4.md" heading_level=3 %}
+
+{% md_clean_include "ssp-markdown/user_access_descriptions.md" heading_level=3 %}
+
+## 9.5 Network Architecture
+
+The following section provides a written description of the network architecture of {{ ssp.system_characteristics.system_name_short }}.
+
+<!--
+Instructions: The architecture diagram must fully and clearly define the authorization boundary through both pictorial diagram(s) and written descriptions.
+Ensure the following elements are incorporated into the architecture diagrams and narratives:
+The network architecture must follow the criteria listed in CIO-IT Security-19-95: Security Engineering Architecture Reviews. The GSA Security Engineering team can provide architectural templates for reference - contact seceng@gsa.gov.
+• 	The diagram(s) and narratives should include ALL assets, services, devices, and software, both physical and virtual, which constitute the information system. These shall include all physical and virtual resources. The diagram(s) and narratives should also include any COOP/DR site integrations as well as any test/development environments that are in the boundary.
+• 	If shared assets or services are used, including corporate shared services, they must be appropriately defined and documented as a shared service within the ATO boundary of the system or within the corresponding ATO boundary of a relevant, authorized system. All components must be accounted for within an ATO boundary.
+• 	If on-premise or cloud services are used to support operation, maintenance, management, or security of the services in scope of the ATO, be sure they are reflected in the network architecture with related flows. If integrated with the GSA security stack indicate that integration in the network diagram. Depending on the nature and type of integration and sensitivity of the data, these dependent systems may also need to have an ATO; usage considered for risk acceptance; or, if not risk accepted, potentially removed from the architecture. All SaaS, IaaS or PaaS leveraged to support delivery of the system must have an ATO, approved by GSA or FedRAMP. For public facing systems, integration with external systems including but not limited to other cloud assets via Application Programming Interfaces (APIs) or third-party enablers shall be appropriately secured.
+• 	Ensure all authentication points (this includes but is not limited to Amazon Web Services (AWS) console, jump, machine resources, network devices, application, API, enablers, etc. (as applicable)), are defined. At all FIPS 199 levels MFA is required for privileged, non-privileged and/or Internet accessible logins.
+• 	The system boundary contains all components, devices, services, communication paths (VPNs, API calls, etc.). Diagram(s) should be sufficiently detailed and identify flows with source/destination, ports/protocols, or whether the related traffic is encrypted or not. References to ports/protocols table(s) are acceptable (for large sets of ports). Please be sure the tables identifying ports reflect whether they are encrypted or not. Tables should easily track to the architecture diagram.
+• 	All access control mechanisms, such as firewalls, router ACLs, subnets, proxies, and cloud-based analogs such as firewalls and network access controls configurations shall be fully documented in terms of specific access control rules, specifying source, destination, protocol, and other relevant attributes, as necessary.
+• 	The diagram must include a predominant border drawn around all system components and services included in the authorization boundary. Separate borders around protected enclaves, subnets, and DMZs are also advisable.
+-->
+
+{{ ssp.system_characteristics.authorization_boundary.description }}
+
+The following architectural diagram provides a visual depiction of the major hardware components of the {{ ssp.system_characteristics.system_name_short }}.
+
+{% for diagram in ssp_interface.safe_retrieval(ssp.system_characteristics.authorization_boundary, 'diagrams', []) %}
+![{{diagram.caption}}]({{ ssp_interface.get_diagram_href(diagram) }})
+<br/>Figure 9-{{loop.index}}. Network Diagram
+{% endfor %}