Which artifact includes roles and responsibilities?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which artifact includes roles and responsibilities?

Explanation:
Roles and responsibilities are defined in the System Security Plan (SSP). The Roles and Responsibilities section lays out who is responsible for each security task—such as the system owner, information system security officer, common control providers, security control assessors, and the authorizing official—and what those responsibilities entail (implementing controls, monitoring, approving changes, incident response, contingency planning, etc.). This makes the SSP the right artifact for documenting who does what in the security program. The other artifacts have different purposes: the Risk Management Plan describes how risks will be identified and mitigated, the Security Assessment Report records assessment findings, and the ATO Memo captures the authorization decision.

