Skip to main content

Complete Development Snapshot XML Metaschema Reference

The following is a reference for the XML element and attribute types derived from this model’s metaschema.

Short name oscal-complete

XML namespace http://csrc.nist.gov/ns/oscal/1.0

Remarks

This format represents a combination of all of the OSCAL models.

action

assembly

Action

description An action applied by a role within a given party to the content.

Constraints (4)

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

allowed value for ./system/@value

The value may be locally defined, or the following:

  • http://csrc.nist.gov/ns/oscal: This value identifies action types defined in the NIST OSCAL namespace.

allowed values for ./type[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@value

The value must be one of the following:

  • approval: An approval of a document instance's content.
  • request-changes: A request from the responisble party or parties to change the content.
Attributes (4):

uuid

uuid

[0 or 1]

Action Universally Unique Identifier

description A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.

date

date-time-with-timezone

[0 or 1]

Action Occurrence Date

description The date and time when the action occurred.

type

token

[0 or 1]

Action Type

description The type of action documented by the assembly, such as an approval.

system

uri

[0 or 1]

Action Type System

description Specifies the action type system used.

Remarks

Provides a means to segment the value space for the type, so that different organizations and individuals can assert control over the allowed action's type. This allows the semantics associated with a given type to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

activity

assembly

Activity

description Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

Constraints (4)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method'] the cardinality of prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Activity Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[0 or 1]

Included Activity Title

description The title for this included activity.

description

markup-multiline

[1]

Included Activity Description

description A human-readable description of this included activity.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

step

assembly

[0 to ∞]

Step

description Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Step Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (7):

title

markup-line

[0 or 1]

Step Title

description The title for this step.

description

markup-multiline

[1]

Step Description

description A human-readable description of this step.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

reviewed-controls

assembly

[0 or 1]

Reviewed Controls and Control Objectives

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

This can be optionally used to define the set of controls and control objectives that are assessed by this step.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

related-controls

assembly

[0 or 1]

Reviewed Controls and Control Objectives

use name related-controls

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

addr-line

string

Address line

description A single line of an address.

address

assembly

Address

description A postal address for the location.

Attribute (1):

type

token

[0 or 1]

Address Type

use name type

Elements (5):

addr-line

string

[0 to ∞]

Address line

city

string

[0 or 1]

City

description City, town or geographical region for the mailing address.

state

string

[0 or 1]

State

description State, province or analogous geographical region for a mailing address.

postal-code

string

[0 or 1]

Postal Code

description Postal or ZIP code for mailing address.

country

string

[0 or 1]

Country Code

description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z]{2}'.

adjustment-justification

markup-multiline

Adjustment Justification

description If the selected security level is different from the base security level, this contains the justification for the change.

assessment-assets

assembly

Assessment Assets

description Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

Constraint (1)

is unique for component: any target value must be unique (i.e., occur only once)

Elements (2):

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.

The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.

assessment-platform

assembly

[1 to ∞]

Assessment Platform

description Used to represent the toolset used to perform aspects of the assessment.

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Platform Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

title

markup-line

[0 or 1]

Assessment Platform Title

description The title or name for the assessment platform.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

uses-component

assembly

[0 to ∞]

Uses Component

description The set of components that are used by the assessment platform.

Constraint (1)

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

component-uuid

uuid

[0 or 1]

Component Universally Unique Identifier Reference

description A machine-oriented identifier reference to a component that is implemented as part of an inventory item.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

assessment-method

assembly

Assessment Method

description A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Method Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

description

markup-multiline

[0 or 1]

Assessment Method Description

description A human-readable description of this assessment method.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

assessment-part

assembly

[1]

Assessment Part

use name part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

assessment-plan

assembly

Security Assessment Plan (SAP)

description An assessment plan, such as those provided by a FedRAMP assessor.

root name assessment-plan

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Plan Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (9):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import-ssp

assembly

[1]

Import System Security Plan

Remarks

Used by the SAP to import information about the system being assessed.

local-definitions

assembly

[0 or 1]

Local Definitions

description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Constraints (2)

is unique for component: any target value must be unique (i.e., occur only once)

is unique for user: any target value must be unique (i.e., occur only once)

Elements (6):

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

inventory-item

assembly

[0 to ∞]

Inventory Item

Remarks

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

user

assembly

[0 to ∞]

System User

use name user

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

Used to add any users, not defined via the System Security Plan (AR->AP->SSP)

objectives-and-methods

assembly

[0 to ∞]

Assessment-Specific Control Objective

use name objectives-and-methods

activity

assembly

[0 to ∞]

Activity

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

terms-and-conditions

assembly

[0 or 1]

Assessment Plan Terms and Conditions

description Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.

Constraint (1)

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • rules-of-engagement: Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment.
  • disclosures: Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure.
  • assessment-inclusions: Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment.
  • assessment-exclusions: Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment.
  • results-delivery: Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom.
  • assumptions: Defines any supposition made by the assessor. Has child 'item' parts for each assumption.
  • methodology: An explanation of practices, procedures, and rules used in the course of the assessment.
Elements (1):

assessment-part

assembly

[0 to ∞]

Assessment Part

use name part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

reviewed-controls

assembly

[1]

Reviewed Controls and Control Objectives

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

assessment-subject

assembly

[0 to ∞]

Subject of Assessment

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

assessment-assets

assembly

[0 or 1]

Assessment Assets

task

assembly

[0 to ∞]

Task

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

assessment-results

assembly

Security Assessment Results (SAR)

description Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.

root name assessment-results

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Results Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import-ap

assembly

[1]

Import Assessment Plan

Remarks

Used by the SAR to import information about the original plan for assessing the system.

local-definitions

assembly

[0 or 1]

Local Definitions

description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Elements (3):

objectives-and-methods

assembly

[0 to ∞]

Assessment-Specific Control Objective

use name objectives-and-methods

activity

assembly

[0 to ∞]

Activity

use name activity

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

result

assembly

[1 to ∞]

Assessment Result

use name result

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

assessment-subject

assembly

Subject of Assessment

description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

Attribute (1):

type

token

[0 or 1]

Subject Type

description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
  • location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
  • user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (6):

description

markup-multiline

[0 or 1]

Include Subjects Description

description A human-readable description of the collection of subjects being included in this assessment.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

include-all

assembly

[1]

Include All

Remarks

This element provides an alternative to calling controls individually from a catalog.

include-subject

assembly

[1 to ∞]

Select Assessment Subject

use name include-subject

exclude-subject

assembly

[0 to ∞]

Select Assessment Subject

use name exclude-subject

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

assessment-subject-placeholder

assembly

Assessment Subject Placeholder

description Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Subject Placeholder Universally Unique Identifier

description A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

description

markup-multiline

[0 or 1]

Assessment Subject Placeholder Description

description A human-readable description of intent of this assessment subject placeholder.

source

assembly

[1 to ∞]

Assessment Subject Source

description Assessment subjects will be identified while conducting the referenced activity-instance.

Attribute (1):

task-uuid

uuid

[0 or 1]

Task Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

authorization-boundary

assembly

Authorization Boundary

description A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.

Constraint (1)

is unique for diagram: any target value must be unique (i.e., occur only once)

Elements (5):

description

markup-multiline

[1]

Authorization Boundary Description

description A summary of the system's authorization boundary.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

diagram

assembly

[0 to ∞]

Diagram

Remarks

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

A visual depiction of the system's authorization boundary.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

authorized-privilege

assembly

Privilege

description Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

Elements (3):

title

markup-line

[1]

Privilege Title

description A human readable name for the privilege.

description

markup-multiline

[0 or 1]

Privilege Description

description A summary of the privilege's purpose within the system.

function-performed

string

[1 to ∞]

Functions Performed

back-matter

assembly

Back matter

description A collection of resources that may be referenced from within the OSCAL document instance.

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

Constraint (1)

index for resource an index index-back-matter-resource shall list values returned by targets resource using keys constructed of key field(s) @uuid

Elements (1):

resource

assembly

[0 to ∞]

Resource

description A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.

Remarks

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource.

Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

When a resource includes a citation, then the title and citation properties must both be included.

Constraints (6)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • type: Identifies the type of resource represented. The most specific appropriate type value SHOULD be used.
  • version: For resources representing a published document, this represents the version number of that document.
  • published: For resources representing a published document, this represents the publication date of that document.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='published']/@value: the target value must match the lexical form of the 'dateTime-with-timezone' data type.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value

The value must be one of the following:

  • logo: Indicates the resource is an organization's logo.
  • image: Indicates the resource represents an image.
  • screen-shot: Indicates the resource represents an image of screen content.
  • law: Indicates the resource represents an applicable law.
  • regulation: Indicates the resource represents an applicable regulation.
  • standard: Indicates the resource represents an applicable standard.
  • external-guidance: Indicates the resource represents applicable guidance.
  • acronyms: Indicates the resource provides a list of relevant acronyms.
  • citation: Indicates the resource cites relevant information.
  • policy: Indicates the resource is a policy.
  • procedure: Indicates the resource is a procedure.
  • system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
  • users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
  • administrators-guide: Indicates the resource is guidance document a administrator's guide.
  • rules-of-behavior: Indicates the resource represents rules of behavior content.
  • plan: Indicates the resource represents a plan.
  • artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
  • evidence: Indicates the resource represents evidence, such as to support an assessment finding.
  • tool-output: Indicates the resource represents output from a tool.
  • raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
  • interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
  • questionnaire: Indicates the resource is a set of questions, possibly with responses.
  • report: Indicates the resource is a report.
  • agreement: Indicates the resource is a formal agreement between two or more parties.

has cardinality for rlink|base64 the cardinality of rlink|base64 is constrained: 1; maximum unbounded.

is unique for rlink: any target value must be unique (i.e., occur only once)

is unique for base64: any target value must be unique (i.e., occur only once)

A title is required when a citation is provided.
Attribute (1):

uuid

uuid

[0 or 1]

Resource Universally Unique Identifier

description A unique identifier for a resource.

Elements (8):

title

markup-line

[0 or 1]

Resource Title

description An optional name given to the resource, which may be used by a tool for display and navigation.

description

markup-multiline

[0 or 1]

Resource Description

description An optional short summary of the resource used to indicate the purpose of the resource.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

document-id

string

[0 to ∞]

Document Identifier

Remarks

A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

citation

assembly

[0 or 1]

Citation

description An optional citation consisting of end note text using structured markup.

Elements (3):

text

markup-line

[1]

Citation Text

description A line of citation text.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

assembly

[0 to ∞]

Resource link

description A URL-based pointer to an external resource with an optional hash for verification and change detection.

Remarks

Multiple rlink objects can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure or format.

A media-type is used to identify the format of a given rlink, and can be used to differentiate items in a collection of rlinks. The media-type provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink.

Attributes (2):

href

uri-reference

[0 or 1]

Hypertext Reference

description A resolvable URL pointing to the referenced resource.

Remarks

This value may be either:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or

media-type

string

[0 or 1]

Media Type

Remarks

The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

Elements (1):

hash

string

[0 to ∞]

Hash

description A hash of the resource identified by href, which can be used to verify the resource was not changed since it was hashed.

Remarks

The hash value can be used to confirm that the resource referenced by the href is the same resources that was hashed by retrieving the resource, calculating a hash, and comparing the result to this value.

base64

base64

[0 or 1]

Base64

description A resource encoded using the Base64 alphabet defined by RFC 2045.

Attributes (2):

filename

token

[0 or 1]

File Name

description Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.

media-type

string

[0 or 1]

Media Type

Remarks

The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

base

string

Base Level (Confidentiality, Integrity, or Availability)

description The prescribed base (Confidentiality, Integrity, or Availability) security impact level.

by-component

assembly

Component Control Implementation

description Defines how the referenced component implements a set of controls.

Remarks

Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

Constraints (5)

allowed value for link/@rel

The value may be locally defined, or the following:

  • imported-from: The hyperlink identifies a URI pointing to the component in a component-definition that originally described the component this component was based on.

allowed values for .//responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

is unique for set-parameter: any target value must be unique (i.e., occur only once)

allowed value for link/@rel

The value may be locally defined, or the following:

  • provided-by: A reference to the UUID of a control or statement by-component object that is used as evidence of implementation.

index has key for link[@rel='provided-by']this value must correspond to a listing in the index by-component-uuid using a key constructed of key field(s) @href

Attributes (2):

component-uuid

uuid

[0 or 1]

Component Universally Unique Identifier Reference

description A machine-oriented identifier reference to the component that is implemeting a given control.

uuid

uuid

[0 or 1]

By-Component Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (10):

description

markup-multiline

[1]

Control Implementation Description

description An implementation statement that describes how a control or a control statement is implemented within the referenced system component.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

implementation-status

assembly

[0 or 1]

Implementation Status

Remarks

The implementation-status is used to qualify the status value to indicate the degree to which the control is implemented.

export

assembly

[0 or 1]

Export

description Identifies content intended for external consumption, such as with leveraged organizations.

Constraints (2)

has cardinality for provided|responsibility the cardinality of provided|responsibility is constrained: 1; maximum unbounded.

index has key for responsibilitythis value must correspond to a listing in the index by-component-export-provided-uuid using a key constructed of key field(s) @provided-uuid

Elements (6):

description

markup-multiline

[0 or 1]

Control Implementation Export Description

description An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

provided

assembly

[0 to ∞]

Provided Control Implementation

description Describes a capability which may be inherited by a leveraging system.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Provided Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

description

markup-multiline

[1]

Provided Control Implementation Description

description An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsibility

assembly

[0 to ∞]

Control Implementation Responsibility

description Describes a control implementation responsibility imposed on a leveraging system.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Responsibility Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

provided-uuid

uuid

[0 or 1]

Provided UUID

Elements (5):

description

markup-multiline

[1]

Control Implementation Responsibility Description

description An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

inherited

assembly

[0 to ∞]

Inherited Control Implementation

description Describes a control implementation inherited by a leveraging system.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Inherited Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

provided-uuid

uuid

[0 or 1]

Provided UUID

Elements (4):

description

markup-multiline

[1]

Inherited Control Implementation Description

description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

satisfied

assembly

[0 to ∞]

Satisfied Control Implementation Responsibility

description Describes how this system satisfies a responsibility imposed by a leveraged system.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Satisfied Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

responsibility-uuid

uuid

[0 or 1]

Responsibility UUID

Elements (5):

description

markup-multiline

[1]

Satisfied Control Implementation Responsibility Description

description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

capability

assembly

Capability

description A grouping of other components and/or capabilities.

Constraint (1)

is unique for incorporates-component: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Capability Identifier

description Provides a globally unique means to identify a given capability.

name

string

[0 or 1]

Capability Name

description The capability's human-readable name.

Elements (6):

description

markup-multiline

[1]

Capability Description

description A summary of the capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

incorporates-component

assembly

[0 to ∞]

Incorporates Component

control-implementation

assembly

[0 to ∞]

Control Implementation Set

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

catalog

assembly

Catalog

description A structured, organized collection of control information.

root name catalog

Remarks

Catalogs may use one or more group objects to subdivide the control contents of a catalog.

Constraints (8)

allowed values for metadata/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • resolution-tool: The tool used to produce a resolved profile.
  • source-profile-uuid: The document-level uuid of the source profile from which the catalog was produced by profile resolution.

allowed values for metadata/link/@rel

The value may be locally defined, or one of the following:

  • source-profile: The profile from which the catalog was produced by profile resolution.
  • source-profile-uuid: The document-level uuid of the profile from which the catalog was produced by profile resolution.

index for //part an index catalog-parts shall list values returned by targets //part using keys constructed of key field(s) @id

index for //prop an index catalog-props shall list values returned by targets //prop using keys constructed of key field(s) @uuid

index for //(control|group|part) an index catalog-groups-controls-parts shall list values returned by targets //(control|group|part) using keys constructed of key field(s) @id

index for //control an index catalog-controls shall list values returned by targets //control using keys constructed of key field(s) @id

index for //param an index catalog-params shall list values returned by targets //param using keys constructed of key field(s) @id

index for //group an index catalog-groups shall list values returned by targets //group using keys constructed of key field(s) @id

Attribute (1):

uuid

uuid

[0 or 1]

Catalog Universally Unique Identifier

description Provides a globally unique means to identify a given catalog instance.

Elements (5):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

parameter

assembly

[0 to ∞]

Parameter

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

control

assembly

[0 to ∞]

Control

Remarks

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

group

assembly

[0 to ∞]

Control Group

Remarks

Catalogs can use the catalog group construct to organize related controls into a single grouping, such as a family of controls or other logical organizational structure.

A group may have its own properties, statements, parameters, and references, which are inherited by all controls of that are a member of the group.

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

Back matter including references and resources.

characterization

assembly

Characterization

description A collection of descriptive data about the containing object from a specific origin.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

origin

assembly

[1]

Origin

Remarks

metadata about the specific actor that generated this descriptive data.

facet

assembly

[1 to ∞]

Facet

description An individual characteristic that is part of a larger set produced by the same actor.

Constraints (30)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • state: Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='state']/@value

The value must be one of the following:

  • initial: As first identified.
  • adjusted: Indicates that residual risk remains after some adjustments have been made.

allowed values for (.)[@system='http://csrc.nist.gov/ns/oscal']/@name

The value must be one of the following:

  • likelihood: General likelihood rating.
  • impact: General impact rating.
  • risk: General risk rating.
  • severity: General severity rating.

allowed values for (.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name

The value must be one of the following:

  • likelihood: Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
  • impact: Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
  • risk: Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.

allowed value for (.)[@system='http://cve.mitre.org']/@name

The value must be one of the following:

  • cve-id: An identifier managed by the CVE program (see https://cve.mitre.org/).

allowed values for (.)[@system='http://www.first.org/cvss/v2.0']/@name

The value must be one of the following:

  • access-vector: Base: Access Vector
  • access-complexity: Base: Access Complexity
  • authentication: Base: Authentication
  • confidentiality-impact: Base: Confidentiality Impact
  • integrity-impact: Base: Integrity Impact
  • availability-impact: Base: Availability Impact
  • exploitability: Temporal: Exploitability
  • remediation-level: Temporal: Remediation Level
  • report-confidence: Temporal: Report Confidence
  • collateral-damage-potential: Environmental: Collateral Damage Potential
  • target-distribution: Environmental: Target Distribution
  • confidentiality-requirement: Environmental: Confidentiality Requirement
  • integrity-requirement: Environmental: Integrity Requirement
  • availability-requirement: Environmental: Availability Requirement

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-vector']/@value

The value must be one of the following:

  • local: Local
  • adjacent-network: Network Adjacent
  • network: Network

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-complexity']/@value

The value must be one of the following:

  • high: High
  • medium: Medium
  • low: Low

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='authentication']/@value

The value must be one of the following:

  • multiple: Multiple
  • single: Single
  • none: None

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value

The value must be one of the following:

  • none: None
  • partial: Partial
  • complete: Complete

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='exploitability']/@value

The value must be one of the following:

  • unproven: Unproven
  • proof-of-concept: Proof-of-Concept
  • functional: Functional
  • high: High
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='remediation-level']/@value

The value must be one of the following:

  • official-fix: Official Fix
  • temporary-fix: Temporary Fix
  • workaround: Workaround
  • unavailable: Unavailable
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='report-confidence']/@value

The value must be one of the following:

  • unconfirmed: Unconfirmed
  • uncorroborated: Uncorroborated
  • confirmed: Confirmed
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='collateral-damage-potential']/@value

The value must be one of the following:

  • none: None
  • low: Low (light loss)
  • low-medium: Low Medium
  • medium-high: Medium High
  • high: High (catastrophic loss)
  • not-defined: Not Defined

allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('target-distribution', 'confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value

The value must be one of the following:

  • none
  • low
  • medium
  • high
  • not-defined

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name

The value must be one of the following:

  • attack-vector: Base: Attack Vector
  • access-complexity: Base: Attack Complexity
  • privileges-required: Base: Privileges Required
  • user-interaction: Base: User Interaction
  • scope: Base: Scope
  • confidentiality-impact: Base: Confidentiality Impact
  • integrity-impact: Base: Integrity Impact
  • availability-impact: Base: Availability Impact
  • exploit-code-maturity: Temporal: Exploit Code Maturity
  • remediation-level: Temporal: Remediation Level
  • report-confidence: Temporal: Report Confidence
  • modified-attack-vector: Environmental: Modified Attack Vector
  • modified-attack-complexity: Environmental: Modified Attack Complexity
  • modified-privileges-required: Environmental: Modified Privileges Required
  • modified-user-interaction: Environmental: Modified User Interaction
  • modified-scope: Environmental: Modified Scope
  • modified-confidentiality: Environmental: Modified Confidentiality
  • modified-integrity: Environmental: Modified Integrity
  • modified-availability: Environmental: Modified Availability
  • confidentiality-requirement: Environmental: Confidentiality Requirement Modifier
  • integrity-requirement: Environmental: Integrity Requirement Modifier
  • availability-requirement: Environmental: Availability Requirement Modifier

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value

The value must be one of the following:

  • network: Network
  • adjacent: Adjacent
  • local: Local
  • physical: Physical

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-complexity']/@value

The value must be one of the following:

  • high: High
  • low: Low

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value

The value must be one of the following:

  • none: None
  • low: Low
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='user-interaction']/@value

The value must be one of the following:

  • none: None
  • required: Required

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='scope']/@value

The value must be one of the following:

  • unchanged: Unchanged
  • changed: Changed

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='exploit-code-maturity']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unproven: Unproven
  • proof-of-concept: Proof-of-Concept
  • functional: Functional
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='remediation-level']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • official-fix: Official Fix
  • temporary-fix: Temporary Fix
  • workaround: Workaround
  • unavailable: Unavailable

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='report-confidence']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unknown: Unknown
  • reasonable: Reasonable
  • confirmed: Confirmed

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value

The value must be one of the following:

  • not-defined: Not Defined
  • low: Low
  • medium: Medium
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-vector']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • network: Network
  • adjacent: Adjacent
  • local: Local
  • physical: Physical

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-complexity']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • high: High
  • low: Low

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('modified-privileges-required', 'modified-confidentiality', 'modified-integrity', 'modified-availability')]/@value

The value must be one of the following:

  • not-defined: Not Defined
  • none: None
  • low: Low
  • high: High

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-user-interaction']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • none: None
  • required: Required

allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-scope']/@value

The value must be one of the following:

  • not-defined: Not Defined
  • unchanged: Unchanged
  • changed: Changed
Attributes (3):

name

token

[0 or 1]

Facet Name

description The name of the risk metric within the specified system.

system

uri

[0 or 1]

Naming System

description Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • http://fedramp.gov: **deprecated** The FedRAMP naming system. This has been deprecated; use http://fedramp.gov/ns/oscal instead.
  • http://fedramp.gov/ns/oscal: The FedRAMP naming system.
  • http://csrc.nist.gov/ns/oscal
  • http://csrc.nist.gov/ns/oscal/unknown: The facet is from an unknown taxonomy. The meaning of the name is tool or organization specific.
  • http://cve.mitre.org
  • http://www.first.org/cvss/v2.0
  • http://www.first.org/cvss/v3.0
  • http://www.first.org/cvss/v3.1

value

string

[0 or 1]

Facet Value

description Indicates the value of the facet.

Elements (3):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

component-definition

assembly

Component Definition

description A collection of component descriptions, which may optionally be grouped by capability.

root name component-definition

Constraints (2)

index for component an index index-system-component-uuid shall list values returned by targets component using keys constructed of key field(s) @uuid

is unique for capability: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Component Definition Universally Unique Identifier

description Provides a globally unique means to identify a given component definition instance.

Elements (5):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import-component-definition

assembly

[0 to ∞]

Import Component Definition

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

A group of components may be aggregated into a capability. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

Capabilities are expressed by combining one or more components.

capability

assembly

[0 to ∞]

Capability

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

control

assembly

Control

description A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.

Remarks

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

Constraints (11)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
  • status: The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value

The value must be one of the following:

  • withdrawn: The control is no longer used.
  • Withdrawn: **(deprecated)*** Use 'withdrawn' instead.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • reference: The link cites an external resource related to this control.
  • related: The link identifies another control with bearing to this control.
  • required: The link identifies another control that must be present if this control is present.
  • incorporated-into: The link identifies other control content where this control content is now addressed.
  • moved-to: The containing control definition was moved to the referenced control.

index has key for link[@rel=('related','required','incorporated-into','moved-to') and starts-with(@href,'#')]this value must correspond to a listing in the index catalog-groups-controls-parts using a key constructed of key field(s) @href

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • overview: An introduction to a control or a group of controls.
  • statement: A set of implementation requirements or recommendations.
  • guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
  • example: An example of an implemented requirement or control statement.
  • assessment: **(deprecated)** Use 'assessment-method' instead.
  • assessment-method: The part describes a method-based assessment over a set of assessment objects.

allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • item: An individual item within a control statement.
  • Nested statement parts are "item" parts.

allowed values for .//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • objective: **(deprecated)** Use 'assessment-objective' instead.
  • assessment-objective: The part describes a set of assessment objectives.
  • Objectives can be nested.

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • objects: **(deprecated)** Use 'assessment-objects' instead.
  • assessment-objects: Provides a listing of assessment objects.
  • Assessment objects appear on assessment methods.

allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • method: **(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment-method".

allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name

The value must be one of the following:

  • method: The assessment method to use. This typically appears on parts with the name "assessment-method".

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (2):

id

token

[0 or 1]

Control Identifier

description Identifies a control such that it can be referenced in the defining catalog and other OSCAL instances (e.g., profiles).

class

token

[0 or 1]

Control Class

description A textual label that provides a sub-type or characterization of the control.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (6):

title

markup-line

[1]

Control Title

description A name given to the control, which may be used by a tool for display and navigation.

parameter

assembly

[0 to ∞]

Parameter

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

control

assembly

[0 to ∞]

Control

Remarks

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

control-id

token

Control Identifier Reference

description A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).

control-implementation

assembly

Control Implementation Set

description Defines how the component or capability supports a set of controls.

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraint (1)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Control Implementation Set Identifier

description Provides a means to identify a set of control implementations that are supported by a given component or capability.

source

uri-reference

[0 or 1]

Source Resource Reference

description A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
Elements (5):

description

markup-multiline

[1]

Control Implementation Description

description A description of how the specified set of controls are implemented for the containing component or capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

implemented-requirement

assembly

[1 to ∞]

Control Implementation

Remarks

Implemented requirements within a component or capability in a component definition provide a means for component suppliers to suggest possible control implementation details, which may be used by a different party (e.g., component consumers) when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.

Use of set-parameter in this context, sets the parameter for the referenced control and any associated statements.

control-implementation

assembly

Control Implementation

description Describes how the system satisfies a set of controls.

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraints (2)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

index for implemented-requirement//by-component/export/provided an index by-component-export-provided-uuid shall list values returned by targets implemented-requirement//by-component/export/provided using keys constructed of key field(s) @uuid

Elements (3):

description

markup-multiline

[1]

Control Implementation Description

description A statement describing important things to know about how this set of control satisfaction documentation is approached.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

implemented-requirement

assembly

[1 to ∞]

Control-based Requirement

Remarks

Use of set-parameter in this context, sets the parameter for the referenced control. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

data-flow

assembly

Data Flow

description A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.

Constraint (1)

is unique for diagram: any target value must be unique (i.e., occur only once)

Elements (5):

description

markup-multiline

[1]

Data Flow Description

description A summary of the system's data flow.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

diagram

assembly

[0 to ∞]

Diagram

Remarks

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

date-authorized

date

System Authorization Date

description The date the system received its authorization.

defined-component

assembly

Component

description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

A group of components may be aggregated into a capability. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

Capabilities are expressed by combining one or more components.

Constraints (14)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id|control-implementation/implemented-requirement/responsible-role/@role-id|control-implementation/implemented-requirement/statement/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value

The value may be locally defined, or one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value

The value must be one of the following:

  • internal: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Component Identifier

description Provides a globally unique means to identify a given component.

type

string

[0 or 1]

Component Type

use name type

Elements (9):

title

markup-line

[1]

Component Title

description A human readable name for the component.

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

purpose

markup-line

[0 or 1]

Purpose

description A summary of the technological or business purpose of the component.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

protocol

assembly

[0 to ∞]

Service Protocol Information

Remarks

Used for service components to define the protocols supported by the service.

control-implementation

assembly

[0 to ∞]

Control Implementation Set

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

defined-component-type

string

Component Type

description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforceable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.

diagram

assembly

Diagram

description A graphic that provides a visual representation the system, or some aspect of it.

Remarks

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

Constraints (4)

allowed value for link/@rel

The value may be locally defined, or the following:

  • diagram: A reference to the diagram image.

matches for link[@rel='diagram']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.

index has key for link[@rel='diagram' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for link[@rel='diagram']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.

Attribute (1):

uuid

uuid

[0 or 1]

Diagram ID

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

description

markup-multiline

[0 or 1]

Diagram Description

description A summary of the diagram.

Remarks

This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

caption

markup-line

[0 or 1]

Caption

description A brief caption to annotate the diagram.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

document-id

string

Document Identifier

description A document identifier qualified by an identifier scheme.

Remarks

A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

Attribute (1):

scheme

uri

[0 or 1]

Document Identification Scheme

description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • http://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.

email-address

email-address

Email Address

description An email address as defined by RFC 5322 Section 3.4.1.

finding

assembly

Finding

description Describes an individual finding.

Attribute (1):

uuid

uuid

[0 or 1]

Finding Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (10):

title

markup-line

[1]

Finding Title

description The title for this finding.

description

markup-multiline

[1]

Finding Description

description A human-readable description of this finding.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

origin

assembly

[0 to ∞]

Origin

Remarks

Used to identify the individual and/or tool generated this finding.

target

assembly

[1]

Objective Status

use name target

implementation-statement-uuid

uuid

[0 or 1]

Implementation Statement UUID

description A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.

related-observation

assembly

[0 to ∞]

Related Observation

description Relates the finding to a set of referenced observations that were used to determine the finding.

Attribute (1):

observation-uuid

uuid

[0 or 1]

Observation Universally Unique Identifier Reference

description A machine-oriented identifier reference to an observation defined in the list of observations.

associated-risk

assembly

[0 to ∞]

Associated Risk

description Relates the finding to a set of referenced risks that were used to determine the finding.

Attribute (1):

risk-uuid

uuid

[0 or 1]

Risk Universally Unique Identifier Reference

description A machine-oriented identifier reference to a risk defined in the list of risks.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

finding-target

assembly

Objective Status

description Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

Attributes (2):

type

string

[0 or 1]

Finding Target Type

description Identifies the type of the target.

Remarks

The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.

Constraint (1)

allowed values

The value must be one of the following:

  • statement-id: A reference to a control statement identifier within a control.
  • objective-id: A reference to a control objective identifier within a control.

target-id

token

[0 or 1]

Finding Target Identifier Reference

description A machine-oriented identifier reference for a specific target qualified by the type.

Elements (7):

title

markup-line

[0 or 1]

Objective Status Title

description The title for this objective status.

description

markup-multiline

[0 or 1]

Objective Status Description

description A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

status

assembly

[1]

Objective Status

description A determination of if the objective is satisfied or not within a given system.

Attributes (2):

state

token

[0 or 1]

Objective Status State

description An indication as to whether the objective is satisfied or not.

Constraint (1)

allowed values

The value must be one of the following:

  • satisfied: The objective has been completely satisfied.
  • not-satisfied: The objective has not been completely satisfied, but may be partially satisfied.

reason

token

[0 or 1]

Objective Status Reason

description The reason the objective was given it's status.

Remarks

Reason may contain any value, and should be used to communicate additional information regarding the status.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • pass: The target system or system component satisfied all the conditions.
  • fail: The target system or system component did not satisfy all the conditions.
  • other: Some other event took place that is not a pass or a fail.
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

implementation-status

assembly

[0 or 1]

Implementation Status

Remarks

The implementation-status is used to qualify the status value to indicate the degree to which the control was found to be implemented.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

function-performed

string

Functions Performed

description Describes a function performed for a given authorized privilege by this user class.

group

assembly

Control Group

description A group of controls, or of groups of controls.

Remarks

Catalogs can use the catalog group construct to organize related controls into a single grouping, such as a family of controls or other logical organizational structure.

A group may have its own properties, statements, parameters, and references, which are inherited by all controls of that are a member of the group.

Constraints (2)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • overview: An introduction to a control or a group of controls.
  • instruction: Information providing directions for a control or a group of controls.
Attributes (2):

id

token

[0 or 1]

Group Identifier

description Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog.

class

token

[0 or 1]

Group Class

description A textual label that provides a sub-type or characterization of the group.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (6):

title

markup-line

[1]

Group Title

description A name given to the group, which may be used by a tool for display and navigation.

parameter

assembly

[0 to ∞]

Parameter

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

group

assembly

[0 to ∞]

Control Group

Remarks

Catalogs can use the catalog group construct to organize related controls into a single grouping, such as a family of controls or other logical organizational structure.

A group may have its own properties, statements, parameters, and references, which are inherited by all controls of that are a member of the group.

control

assembly

[0 to ∞]

Control

Remarks

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

group

assembly

Control Group

description A group of (selected) controls or of groups of controls.

Remarks

This construct mirrors the same construct that exists in an OSCAL catalog.

Attributes (2):

id

token

[0 or 1]

Group Identifier

description Identifies the group.

Remarks

This optional data element is available to support hyperlinking to formal groups or families as defined in control catalogs, among other operations.

class

token

[0 or 1]

Group Class

description A textual label that provides a sub-type or characterization of the group.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (6):

title

markup-line

[1]

Group Title

description A name to be given to the group for use in display.

parameter

assembly

[0 to ∞]

Parameter

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

group

assembly

[0 to ∞]

Control Group

Remarks

This construct mirrors the same construct that exists in an OSCAL catalog.

insert-controls

assembly

[0 to ∞]

Insert Controls

Remarks

To be schema-valid, this element must contain either (but not both) a single include-all directive, or a sequence of include-controls directives.

If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.

description A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

Constraints (4)

matches for .[@algorithm=('SHA-224','SHA3-224')]: a target (value) must match the regular expression '^[0-9a-fA-F]{28}$'.

matches for .[@algorithm=('SHA-256','SHA3-256')]: a target (value) must match the regular expression '^[0-9a-fA-F]{32}$'.

matches for .[@algorithm=('SHA-384','SHA3-384')]: a target (value) must match the regular expression '^[0-9a-fA-F]{48}$'.

matches for .[@algorithm=('SHA-512','SHA3-512')]: a target (value) must match the regular expression '^[0-9a-fA-F]{64}$'.

Attribute (1):

algorithm

string

[0 or 1]

Hash algorithm

description The digest method by which a hash is derived.

Remarks

Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
  • SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
  • SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
  • SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
  • SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
  • SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
  • SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
  • SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.

impact

assembly

Impact Level

description The expected level of impact resulting from the described information.

Elements (5):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

base

string

[1]

Base Level (Confidentiality, Integrity, or Availability)

selected

string

[0 or 1]

Selected Level (Confidentiality, Integrity, or Availability)

adjustment-justification

markup-multiline

[0 or 1]

Adjustment Justification

implementation-status

assembly

Implementation Status

description Indicates the degree to which the a given control is implemented.

Attribute (1):

state

token

[0 or 1]

Implementation State

description Identifies the implementation status of the control or control objective.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • implemented: The control is fully implemented.
  • partial: The control is partially implemented.
  • planned: There is a plan for implementing the control as explained in the remarks.
  • alternative: There is an alternative implementation for this control as explained in the remarks.
  • not-applicable: This control does not apply to this system as justified in the remarks.
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

implemented-requirement

assembly

Control Implementation

description Describes how the containing component or capability implements an individual control.

Remarks

Implemented requirements within a component or capability in a component definition provide a means for component suppliers to suggest possible control implementation details, which may be used by a different party (e.g., component consumers) when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.

Use of set-parameter in this context, sets the parameter for the referenced control and any associated statements.

Constraints (3)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for statement: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Control Implementation Identifier

description Provides a globally unique means to identify a given control implementation by a component.

control-id

token

[0 or 1]

Control Identifier Reference

Elements (7):

description

markup-multiline

[1]

Control Implementation Description

description A suggestion from the supplier (e.g., component vendor or author) for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

statement

assembly

[0 to ∞]

Control Statement Implementation

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

implemented-requirement

assembly

Control-based Requirement

description Describes how the system satisfies the requirements of an individual control.

Remarks

Use of set-parameter in this context, sets the parameter for the referenced control. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraints (10)

allowed value for (.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • control-origination: Identifies the source of the implemented control. Any control-origination prop defined in a child context will override the parent value.

allowed values for (.|statement|.//by-component)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='control-origination']/@value

The value must be one of the following:

  • organization: The control is implemented by the organization owning the system, but is not specific to the system itself.
  • system-specific: The control is implemented specifically to this system.
  • customer-configured: The control is provided by the system, but must be configured by the customer.
  • customer-provided: The control must be implemented by the customer.
  • inherited: This control is inherited from an underlying system.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

has cardinality for .//by-component the cardinality of .//by-component is constrained: 1; maximum unbounded.

is unique for set-parameter: any target value must be unique (i.e., occur only once)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for statement: any target value must be unique (i.e., occur only once)

is unique for by-component: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Control Requirement Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

control-id

token

[0 or 1]

Control Identifier Reference

Elements (7):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

statement

assembly

[0 to ∞]

Specific Control Statement

by-component

assembly

[0 to ∞]

Component Control Implementation

Remarks

Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

import

assembly

Import Resource

description Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.

Remarks

The contents of the import element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the include-all or include-controls directives, or de-selected (using an exclude-controls directive).

Attribute (1):

href

uri-reference

[0 or 1]

Catalog or Profile Reference

description A resolvable URL reference to the base catalog or profile that this profile is tailoring.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
Elements (2):

include-all

assembly

[1]

Include All

Remarks

This element provides an alternative to calling controls individually from a catalog.

Identifies that all controls are to be included from the imported catalog or profile.

include-controls

assembly

[1 to ∞]

Select Control

use name include-controls

Remarks

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

If with-child-controls is yes on the call to a control, any controls appearing within it (child controls) will be selected, with no additional call directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

exclude-controls

assembly

[0 to ∞]

Select Control

use name exclude-controls

Remarks

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

Identifies which controls to exclude, or eliminate, from the set of included controls by control identifier or match pattern.

import-ap

assembly

Import Assessment Plan

description Used by assessment-results to import information about the original plan for assessing the system.

Attribute (1):

href

uri-reference

[0 or 1]

Assessment Plan Reference

description A resolvable URL reference to the assessment plan governing the assessment activities.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

import-component-definition

assembly

Import Component Definition

description Loads a component definition from another resource.

Attribute (1):

href

uri-reference

[0 or 1]

Hyperlink Reference

description A link to a resource that defines a set of components and/or capabilities to import into this collection.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).

import-profile

assembly

Import Profile

description Used to import the OSCAL profile representing the system's control baseline.

Attribute (1):

href

uri-reference

[0 or 1]

Profile Reference

description A resolvable URL reference to the profile or catalog to use as the system's control baseline.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).

If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL profile resolution specification to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.

While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.

Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

import-ssp

assembly

Import System Security Plan

description Used by the assessment plan and POA&M to import information about the system.

Attribute (1):

href

uri-reference

[0 or 1]

System Security Plan Reference

description A resolvable URL reference to the system security plan for the system being assessed.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

include-all

assembly

Include All

description Include all controls from the imported catalog or profile resources.

Remarks

This element provides an alternative to calling controls individually from a catalog.

incorporates-component

assembly

Incorporates Component

description The collection of components comprising this capability.

Attribute (1):

component-uuid

uuid

[0 or 1]

Component Reference

description A machine-oriented identifier reference to a component.

Elements (1):

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

insert-controls

assembly

Insert Controls

description Specifies which controls to use in the containing context.

Remarks

To be schema-valid, this element must contain either (but not both) a single include-all directive, or a sequence of include-controls directives.

If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.

Attribute (1):

order

token

[0 or 1]

Order

description A designation of how a selection of controls in a profile is to be ordered.

Constraint (1)

allowed values

The value must be one of the following:

  • keep
  • ascending
  • descending
Elements (2):

include-all

assembly

[1]

Include All

Remarks

This element provides an alternative to calling controls individually from a catalog.

include-controls

assembly

[1 to ∞]

Select Control

use name include-controls

Remarks

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

exclude-controls

assembly

[0 to ∞]

Select Control

use name exclude-controls

Remarks

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

Identifies which controls to exclude, or eliminate, from the set of matching includes.

inventory-item

assembly

Inventory Item

description A single managed inventory item within the system.

Constraints (9)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • ipv4-address: The Internet Protocol v4 Address of the asset.
  • ipv6-address: The Internet Protocol v6 Address of the asset.
  • fqdn: The full-qualified domain name (FQDN) of the asset.
  • uri: A Uniform Resource Identifier (URI) for the asset.
  • serial-number: A serial number for the asset.
  • netbios-name: The NetBIOS name for the asset.
  • mac-address: The media access control (MAC) address for the asset.
  • physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
  • is-scanned: is the asset subjected to network scans? (yes/no)
  • hardware-model: The model number of the hardware used by the asset.
  • os-name: The name of the operating system used by the asset.
  • os-version: The version of the operating system used by the asset.
  • software-name: The software product name used by the asset.
  • software-version: The software product version used by the asset.
  • software-patch-level: The software product patch level used by the asset.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value

The value may be locally defined, or one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • vendor-name: The name of the company or organization

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='is-scanned']/@value

The value must be one of the following:

  • yes: The asset is included in periodic vulnerability scanning.
  • no: The asset is not included in periodic vulnerability scanning.

allowed value for link/@rel

The value may be locally defined, or the following:

  • baseline-template: A reference to the baseline template used to configure the asset.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Inventory Item Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

description

markup-multiline

[1]

Inventory Item Description

description A summary of the inventory item stating its purpose within the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

implemented-component

assembly

[0 to ∞]

Implemented Component

description The set of components that are implemented in a given system inventory item.

Constraints (4)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

has cardinality for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id'] the cardinality of prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id'] is constrained: 1; maximum unbounded.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

component-uuid

uuid

[0 or 1]

Component Universally Unique Identifier Reference

description A machine-oriented identifier reference to a component that is implemented as part of an inventory item.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

last-modified

date-time-with-timezone

Last Modified Timestamp

description The date and time the document was last stored for later retrieval.

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between mutiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.

link

assembly

Link

description A reference to a local or remote resource, that has a specific relation to the containing object.

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4) A local reference SHOULD NOT have a media-type. Since both link and back-matter/resource both allow specification of a media-type, the media-type on link may conflict with the any media-type entries on a resource's rlink or base64 objects. This constraint prevents this from occurring.

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Attributes (4):

href

uri-reference

[0 or 1]

Hypertext Reference

description A resolvable URL reference to a resource.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.

rel

token

[0 or 1]

Link Relation Type

description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

media-type

string

[0 or 1]

Media Type

Remarks

The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

resource-fragment

string

[0 or 1]

Resource Fragment

description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Elements (1):

text

markup-line

[0 or 1]

Link Text

description A textual label to associate with the link, which may be used for presentation in a tool.

local-definitions

assembly

Local Definitions

description Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.

Constraint (1)

is unique for component: any target value must be unique (i.e., occur only once)

Elements (4):

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

inventory-item

assembly

[0 to ∞]

Inventory Item

Remarks

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

assessment-assets

assembly

[0 or 1]

Assessment Assets

Remarks

Specifies components or assessment-platforms used in the assessment.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

local-objective

assembly

Assessment-Specific Control Objective

description A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

Constraints (5)

allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • objective: **(deprecated)** Use 'assessment-objective' instead.
  • assessment: **(deprecated)** Use 'assessment-method' instead.
  • assessment-objective: The part defines an assessment objective.
  • assessment-method: The part defines an assessment method.

has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')] the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')] is constrained: 0; maximum 1.

has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method'] the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method'] is constrained: 1; maximum 1.

has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objects','assessment-objects')] the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objects','assessment-objects')] is constrained: 1; maximum 1.

has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method-id'] the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method-id'] is constrained: 1; maximum unbounded.

Attribute (1):

control-id

token

[0 or 1]

Control Identifier Reference

Remarks

The specified control-id must be a valid value within the baseline identified by the target system's SSP via the import-profile statement.

Elements (5):

description

markup-multiline

[0 or 1]

Objective Description

description A human-readable description of this control objective.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

[1 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

location-type

token

Address Type

description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.

location-uuid

uuid

Location Universally Unique Identifier Reference

description Reference to a location by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .

location-uuid

uuid

Location Universally Unique Identifier Reference

description Reference to a location by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .

logged-by

assembly

Logged By

description Used to indicate who created a log entry in what role.

Attributes (2):

party-uuid

uuid

[0 or 1]

Party UUID Reference

description A machine-oriented identifier reference to the party who is making the log entry.

role-id

token

[0 or 1]

Actor Role

description A point to the role-id of the role in which the party is making the log entry.

matching

assembly

Match Controls by Pattern

description Selecting a set of controls by matching their IDs with a wildcard pattern.

Attribute (1):

media-type

string

Media Type

description A label that indicates the nature of a resource, as a data serialization or format.

Remarks

The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

merge

assembly

Merge Controls

description Provides structuring directives that instruct how controls are organized after profile resolution.

Elements (2):

combine

assembly

[0 or 1]

Combination Rule

description A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).

Attribute (1):

method

string

[0 or 1]

Combination Method

description Declare how clashing controls should be handled.

Constraint (1)

allowed values

The value must be one of the following:

  • use-first: Use the first definition - the first control with a given ID is used; subsequent ones are discarded
  • merge: **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined
  • keep: Keep - controls with the same ID are kept, retaining the clash

flat

assembly

[1]

Flat Without Grouping

description Directs that controls appear without any grouping structure.

as-is

boolean

[1]

Group As-Is

description Indicates that the controls selected should retain their original grouping as defined in the import source.

custom

assembly

[1]

Custom Grouping

description Provides an alternate grouping structure that selected controls will be placed in.

Remarks

The custom element represents a custom arrangement or organization of controls in the resolution of a catalog. This structuring directive gives the profile author the ability to define an entirely different organization of controls as compared to their source catalog(s).

Elements (2):

group

assembly

[0 to ∞]

Control Group

Remarks

This construct mirrors the same construct that exists in an OSCAL catalog.

insert-controls

assembly

[0 to ∞]

Insert Controls

Remarks

To be schema-valid, this element must contain either (but not both) a single include-all directive, or a sequence of include-controls directives.

If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.

metadata

assembly

Document Metadata

description Provides information about the containing document, and defines concepts that are shared across the document.

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

Constraints (14)

index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id

is unique for document-id: any target value must be unique (i.e., occur only once)

is unique for prop: any target value must be unique (i.e., occur only once)

index for .//prop an index index-metadata-property-uuid shall list values returned by targets .//prop using keys constructed of key field(s) @uuid

is unique for link: any target value must be unique (i.e., occur only once)

index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id

index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid

index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid

index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • creator: Indicates the person or organization that created this content.
  • prepared-by: Indicates the person or organization that prepared this content.
  • prepared-for: Indicates the person or organization for which this content was created.
  • content-approver: Indicates the person or organization responsible for all content represented in the "document".
  • contact: Indicates the person or organization to contact for questions or support related to this content.

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
  • latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.

is unique for document-id: any target value must be unique (i.e., occur only once)

Elements (15):

title

markup-line

[1]

Document Title

description A name given to the document, which may be used by a tool for display and navigation.

published

date-time-with-timezone

[0 or 1]

Publication Timestamp

Remarks

Typically, this date value will be machine-generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

last-modified

date-time-with-timezone

[1]

Last Modified Timestamp

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between mutiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.

version

string

[1]

Document Version

Remarks

A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A version is typically set by the document owner or by the tool used to maintain the content.

oscal-version

string

[1]

OSCAL Version

Remarks

Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.

revision

assembly

[0 to ∞]

Revision History Entry

description An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).

wrapper element revisions

Remarks

While published, last-modified, and oscal-version are not required, values for these entries should be provided if the information is known. A link with a rel of source should be provided if the information is known.

Constraint (1)

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • version-history: This link identifies a resource containing the version history of this document. Defined by RFC 5829.
Elements (8):

title

markup-line

[0 or 1]

Document Title

description A name given to the document revision, which may be used by a tool for display and navigation.

published

date-time-with-timezone

[0 or 1]

Publication Timestamp

Remarks

Typically, this date value will be machine-generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

last-modified

date-time-with-timezone

[0 or 1]

Last Modified Timestamp

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between mutiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.

version

string

[1]

Document Version

Remarks

A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A version is typically set by the document owner or by the tool used to maintain the content.

oscal-version

string

[0 or 1]

OSCAL Version

Remarks

Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

document-id

string

[0 to ∞]

Document Identifier

Remarks

A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

role

assembly

[0 to ∞]

Role

description Defines a function, which might be assigned to a party in a specific situation.

Remarks

Permissible values to be determined closer to the application (e.g. by a receiving authority).

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

Attribute (1):

id

token

[0 or 1]

Role Identifier

description A unique identifier for the role.

Elements (6):

title

markup-line

[1]

Role Title

description A name given to the role, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

Role Short Name

description A short common name, abbreviation, or acronym for the role.

description

markup-multiline

[0 or 1]

Role Description

description A summary of the role's purpose and associated responsibilities.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

location

assembly

[0 to ∞]

Location

description A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.

Remarks

An address might be sensitive in nature. In such cases a title, mailing address, email-address, and/or phone number may be used instead.

Constraints (5)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • type: Characterizes the kind of location.

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value

The value must be one of the following:

  • data-center: A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type' and @value='data-center']/@class

The value must be one of the following:

  • primary: The location is a data-center used for normal operations.
  • alternate: The location is a data-center used for fail-over or backup operations.

has cardinality for address the cardinality of address is constrained: 1; maximum unbounded.

has cardinality for title|address|email-address|telephone-number the cardinality of title|address|email-address|telephone-number is constrained: 1; maximum unbounded.

Attribute (1):

uuid

uuid

[0 or 1]

Location Universally Unique Identifier

description A unique ID for the location, for reference.

Elements (8):

title

markup-line

[0 or 1]

Location Title

description A name given to the location, which may be used by a tool for display and navigation.

address

assembly

[0 or 1]

Address

Remarks

The physical address of the location, which will provided for physical locations. Virtual locations can omit this data item.

email-address

email-address

[0 to ∞]

Email Address

Remarks

A contact email associated with the location.

telephone-number

string

[0 to ∞]

Telephone Number

Remarks

A phone number used to contact the location.

url

uri

[0 to ∞]

Location URL

deprecated as of 1.1.0

description The uniform resource locator (URL) for a web site or other resource associated with the location.

Remarks

This data field is deprecated in favor of using a link with an appropriate relationship.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

party

assembly

[0 to ∞]

Party

description An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.

Remarks

A party can be optionally associated with either an address or a location. While providing a meaningful location for a party is desired, there are some cases where it might not be possible to provide an exact location or even any location.

Constraint (1)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • mail-stop: A mail stop associated with the party.
  • office: The name or number of the party's office.
  • job-title: The formal job title of a person.
Attributes (2):

uuid

uuid

[0 or 1]

Party Universally Unique Identifier

description A unique identifier for the party.

type

string

[0 or 1]

Party Type

description A category describing the kind of party the object describes.

Constraint (1)

allowed values

The value must be one of the following:

  • person: A human being regarded as an individual.
  • organization: An organized group of one or more person individuals with a specific purpose.
Elements (10):

name

string

[0 or 1]

Party Name

description The full name of the party. This is typically the legal name associated with the party.

short-name

string

[0 or 1]

Party Short Name

description A short common name, abbreviation, or acronym for the party.

external-id

string

[0 to ∞]

Party External Identifier

description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).

Attribute (1):

scheme

uri

[0 or 1]

External Identifier Schema

description Indicates the type of external identifier.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • http://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

email-address

email-address

[0 to ∞]

Email Address

Remarks

This is a contact email associated with the party.

telephone-number

string

[0 to ∞]

Telephone Number

Remarks

A phone number used to contact the party.

address

assembly

[0 to ∞]

Address

location-uuid

uuid

[0 to ∞]

Location Universally Unique Identifier Reference

member-of-organization

uuid

[0 to ∞]

Organizational Affiliation

description A reference to another party by UUID, typically an organization, that this subject is associated with.

Remarks

Since the reference target of an organizational affiliation must be another party (whether further qualified as person or organization) as inidcated by its uuid. As a machine-oriented identifier with uniqueness across document and trans-document scope, this uuid value is sufficient to reference the data item locally or globally across related documents, e.g., in an imported OSCAL instance.

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid using a key constructed of key field(s) .

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

action

assembly

[0 to ∞]

Action

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

modify

assembly

Modify Controls

description Set parameters or amend controls in resolution.

Constraint (1)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

Elements (2):

set-parameter

assembly

[0 to ∞]

Parameter Setting

description A parameter setting, to be propagated to points of insertion.

Attributes (3):

param-id

token

[0 or 1]

Parameter ID

description An identifier for the parameter.

class

token

[0 or 1]

Parameter Class

description A textual label that provides a characterization of the parameter.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

depends-on

token

[0 or 1]

Depends On

deprecated as of 1.0.1

description **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.

Elements (7):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

label

markup-line

[0 or 1]

Parameter Label

description A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

Remarks

The label value should be suitable for inline display in a rendered catalog.

usage

markup-multiline

[0 or 1]

Parameter Usage Description

description Describes the purpose and use of a parameter.

constraint

assembly

[0 to ∞]

Constraint

use name constraint

guideline

assembly

[0 to ∞]

Guideline

use name guideline

value

string

[0 to ∞]

Parameter Value

use name value

Remarks

Used to (re)define a parameter value.

select

assembly

[0 or 1]

Selection

use name select

Remarks

A set of parameter value choices, that may be picked from to set the parameter value.

alter

assembly

[0 to ∞]

Alteration

description Specifies changes to be made to an included control when a profile is resolved.

Remarks

Use @control-id to indicate the scope of alteration.

It is an error for two alter elements to apply to the same control. In practice, multiple alterations can be applied (together), but it creates confusion.

At present, no provision is made for altering many controls at once (for example, to systematically remove properties or add global properties); extending this element to match multiple control IDs could provide for this.

Attribute (1):

control-id

token

[0 or 1]

Control Identifier Reference

Elements (2):

remove

assembly

[0 to ∞]

Removal

description Specifies objects to be removed from a control based on specific aspects of the object that must all match.

Remarks

Use by-name, by-class, by-id or by-item-name to indicate class tokens or ID reference, or the formal name, of the component to be removed or erased from a control, when a catalog is resolved. The control affected is indicated by the pointer on the removal's parent (containing) alter element.

To change an element, use remove to remove the element, then add to add it back again with changes.

Attributes (5):

by-name

token

[0 or 1]

Reference by (assigned) name

description Identify items remove by matching their assigned name.

by-class

token

[0 or 1]

Reference by class

description Identify items to remove by matching their class.

by-id

token

[0 or 1]

Reference by ID

description Identify items to remove indicated by their id.

by-item-name

token

[0 or 1]

Item Name Reference

description Identify items to remove by the name of the item's information object name, e.g. title or prop.

Constraint (1)

allowed values

The value must be one of the following:

  • param: A descendant parameter and all of its descendants.
  • prop: A descendant property and all of its descendants.
  • link: A descendant link and all of its descendants.
  • part: A descendant parameter and all of its descendants.
  • mapping: A descendant mapping and all of its descendants.
  • map: A descendant mapping entry (map) and all of its descendants.

by-ns

token

[0 or 1]

Item Namespace Reference

description Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.

add

assembly

[0 to ∞]

Addition

description Specifies contents to be added into controls, in resolution.

Remarks

When no by-id is given, the addition is inserted into the control targeted by the alteration at the start or end as indicated by position. Only position values of "starting" or "ending" are permitted when there is no by-id.

by-id, when given, should indicate, by its ID, an element inside the control to serve as the anchor point for the addition. In this case, position value may be any of the permitted values.

Constraint (1)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
Attributes (2):

position

token

[0 or 1]

Position

description Where to add the new content with respect to the targeted element (beside it or inside it).

Constraint (1)

allowed values

The value must be one of the following:

  • before: Preceding the by-id target
  • after: Following the by-id target
  • starting: Inside the control or by-id target, at the start
  • ending: Inside the control or by-id target, at the end

by-id

token

[0 or 1]

Reference by ID

description Target location of the addition.

Elements (5):

title

markup-line

[0 or 1]

Title Change

description A name given to the control, which may be used by a tool for display and navigation.

parameter

assembly

[0 to ∞]

Parameter

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

network-architecture

assembly

Network Architecture

description A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.

Constraint (1)

is unique for diagram: any target value must be unique (i.e., occur only once)

Elements (5):

description

markup-multiline

[1]

Network Architecture Description

description A summary of the system's network architecture.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

diagram

assembly

[0 to ∞]

Diagram

Remarks

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

objective-id

token

Objective ID

description Points to an assessment objective.

observation

assembly

Observation

description Describes an individual observation.

Attribute (1):

uuid

uuid

[0 or 1]

Observation Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (12):

title

markup-line

[0 or 1]

Observation Title

description The title for this observation.

description

markup-multiline

[1]

Observation Description

description A human-readable description of this assessment observation.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

method

string

[1 to ∞]

Observation Method

description Identifies how the observation was made.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • EXAMINE: An inspection was performed.
  • INTERVIEW: An interview was performed.
  • TEST: A manual or automated test was performed.
  • UNKNOWN: This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appropriate method(s).

type

token

[0 to ∞]

Observation Type

description Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • ssp-statement-issue: A difference between the SSP implementation statement, and actual implementation.
  • control-objective: An observation about the status of a the associated control objective.
  • mitigation: A mitigating factor was identified.
  • finding: An assessment finding. Used for observations made by tools, penetration testing, and other means.
  • historic: An observation from a past assessment, which was converted to OSCAL at a later date.

origin

assembly

[0 to ∞]

Origin

Remarks

Used to identify the individual and/or tool that gathered the evidence resulting in the observation identification.

subject

assembly

[0 to ∞]

Identifies the Subject

use name subject

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Identifies who was interviewed, or what was tested or inspected.

relevant-evidence

assembly

[0 to ∞]

Relevant Evidence

description Links this observation to relevant evidence.

Attribute (1):

href

uri-reference

[0 or 1]

Relevant Evidence Reference

description A resolvable URL reference to relevant evidence.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
Elements (4):

description

markup-multiline

[1]

Relevant Evidence Description

description A human-readable description of this evidence.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

collected

date-time-with-timezone

[1]

Collected Field

description Date/time stamp identifying when the finding information was collected.

expires

date-time-with-timezone

[0 or 1]

Expires Field

description Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

origin

assembly

Origin

description Identifies the source of the finding, such as a tool, interviewed person, or activity.

Elements (2):

actor

assembly

[1 to ∞]

Originating Actor

use name actor

related-task

assembly

[0 to ∞]

Task Reference

origin-actor

assembly

Originating Actor

description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Attributes (3):

type

token

[0 or 1]

Actor Type

description The kind of actor.

Constraint (1)

allowed values

The value must be one of the following:

  • tool: A reference to a tool component defined with the assessment assets.
  • assessment-platform: A reference to an assessment-platform defined with the assessment assets.
  • party: A reference to a party defined within the document metadata.

actor-uuid

uuid

[0 or 1]

Actor Universally Unique Identifier Reference

description A machine-oriented identifier reference to the tool or person based on the associated type.

role-id

token

[0 or 1]

Actor Role

description For a party, this can optionally be used to specify the role the actor was performing.

Elements (2):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

oscal-version

string

OSCAL Version

description The OSCAL model version the document was authored against and will conform to as valid.

Remarks

Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.

param

assembly

Parameter

description Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

Constraints (2)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
  • alt-label: An alternate to the value provided by the parameter's label. This will typically be qualified by a class.

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name

The value must be one of the following:

  • aggregates: The parent parameter provides an aggregation of two or more other parameters, each described by this property.
depends-on is deprecated
Attributes (3):

id

token

[0 or 1]

Parameter Identifier

description A unique identifier for the parameter.

class

token

[0 or 1]

Parameter Class

description A textual label that provides a characterization of the type, purpose, use or scope of the parameter.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

depends-on

token

[0 or 1]

Depends on

deprecated as of 1.0.1

description (deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.

Elements (8):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

label

markup-line

[0 or 1]

Parameter Label

description A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

Remarks

The label value is intended use when rendering a parameter in generated documentation or a user interface when a parameter is referenced. Note that labels are not required to be distinctive, which means that parameters within the same control may have the same label.

usage

markup-multiline

[0 or 1]

Parameter Usage Description

description Describes the purpose and use of a parameter.

constraint

assembly

[0 to ∞]

Constraint

use name constraint

guideline

assembly

[0 to ∞]

Guideline

use name guideline

value

string

[0 to ∞]

Parameter Value

use name value

Remarks

A set of values provided in a catalog can be redefined in OSCAL's profile or system-security-plan models.

select

assembly

[0 or 1]

Selection

use name select

Remarks

A set of parameter value choices, that may be picked from to set the parameter value.

The OSCAL parameter value construct can be used to prescribe a specific parameter value in a catalog or profile. In cases where a prescriptive value is not possible in a catalog or profile, it may be possible to constrain the set of possible values to a few options. Use of select in a parameter instead of value is a way of defining value options that may be set.

A set of allowed parameter values expressed as a set of options which may be selected. These options constrain the permissible values that may be selected for the containing parameter. When the value assignment is made, such as in an OSCAL profile or system security plan, the actual selected value can be examined to determine if it matches one of the permissible choices for the parameter value.

When the value of how-many is set to "one-or-more", multiple values may be assigned reflecting more than one choice.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

param-id

token

Parameter ID

description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

parameter-constraint

assembly

Constraint

description A formal or informal expression of a constraint or test.

Elements (2):

description

markup-multiline

[0 or 1]

Constraint Description

description A textual summary of the constraint to be applied.

test

assembly

[0 to ∞]

Constraint Test

description A test expression which is expected to be evaluated by a tool.

Elements (2):

expression

string

[1]

Constraint test

description A formal (executable) expression of a constraint.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

parameter-guideline

assembly

Guideline

description A prose statement that provides a recommendation for the use of a parameter.

Elements (1):

(unwrapped)

markup-multiline

[1]

Guideline Text

description Prose permits multiple paragraphs, lists, tables etc.

parameter-selection

assembly

Selection

description Presenting a choice among alternatives.

Remarks

A set of parameter value choices, that may be picked from to set the parameter value.

Attribute (1):

how-many

token

[0 or 1]

Parameter Cardinality

description Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

Constraint (1)

allowed values

The value must be one of the following:

  • one: Only one value is permitted.
  • one-or-more: One or more values are permitted.
Elements (1):

choice

markup-line

[0 to ∞]

Choice

description A value selection among several such options.

parameter-value

string

Parameter Value

description A parameter value or set of values.

part

assembly

Part

description An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraint (1)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
Attributes (4):

id

token

[0 or 1]

Part Identifier

description A unique identifier for the part.

Remarks

While a part is not required to have an id, it is often desirable for an identifier to be provided, which allows the part to be referenced elsewhere in OSCAL document instances. For this reason, it is RECOMMENDED to provide a part identifier.

name

token

[0 or 1]

Part Name

description A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.

ns

uri

[0 or 1]

Part Namespace

description An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

class

token

[0 or 1]

Part Class

description An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.

Remarks

One use of this flag is to distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns (since even within a given namespace it can be useful to overload a name).

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (5):

title

markup-line

[0 or 1]

Part Title

description An optional name given to the part, which may be used by a tool for display and navigation.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

(unwrapped)

markup-multiline

[0 or 1]

Part Text

description Permits multiple paragraphs, lists, tables etc.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

part

assembly

Assessment Part

description A partition of an assessment plan or results or a child of another part.

use name part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraints (3)

allowed value for .[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • method: The assessment method to use. This typically appears on parts with the name "objective".

has cardinality for .[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method'] the cardinality of .[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method'] is constrained: 1; maximum unbounded.

allowed values for .[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value

The value must be one of the following:

  • INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
  • EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
  • TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (4):

uuid

uuid

[0 or 1]

Part Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

name

token

[0 or 1]

Part Name

description A textual label that uniquely identifies the part's semantic type.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • asset: An assessment asset.
  • method: An assessment method.
  • objective: Describes a set of control objectives.

ns

uri

[0 or 1]

Part Namespace

description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

class

token

[0 or 1]

Part Class

description A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (5):

title

markup-line

[0 or 1]

Part Title

description A name given to the part, which may be used by a tool for display and navigation.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

(unwrapped)

markup-multiline

[0 or 1]

Part Text

description Permits multiple paragraphs, lists, tables etc.

assessment-part

assembly

[0 to ∞]

Assessment Part

use name part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

party-uuid

uuid

Party Universally Unique Identifier Reference

description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

pattern

string

Pattern

description A glob expression matching the IDs of one or more controls to be selected.

plan-of-action-and-milestones

assembly

Plan of Action and Milestones (POA&M)

description A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.

root name plan-of-action-and-milestones

Remarks

Either an OSCAL-based SSP must be imported, or a unique system-id must be specified. Both may be present.

Attribute (1):

uuid

uuid

[0 or 1]

POA&M Universally Unique Identifier

description A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (9):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import-ssp

assembly

[0 or 1]

Import System Security Plan

Remarks

Used by the POA&M to import information about the system.

system-id

string

[0 or 1]

System Identification

local-definitions

assembly

[0 or 1]

Local Definitions

observation

assembly

[0 to ∞]

Observation

risk

assembly

[0 to ∞]

Identified Risk

finding

assembly

[0 to ∞]

Finding

poam-item

assembly

[1 to ∞]

POA&M Item

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

poam-item

assembly

POA&M Item

description Describes an individual POA&M item.

Attribute (1):

uuid

uuid

[0 or 1]

POA&M Item Universally Unique Identifier

description A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (9):

title

markup-line

[1]

POA&M Item Title

description The title or name for this POA&M item .

description

markup-multiline

[1]

POA&M Item Description

description A human-readable description of POA&M item.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

origin

assembly

[0 to ∞]

Origin

description Identifies the source of the finding, such as a tool or person.

Remarks

Used to identify the individual and/or tool generated this poam-item.

Elements (1):

actor

assembly

[1 to ∞]

Originating Actor

use name actor

related-finding

assembly

[0 to ∞]

Related Finding

description Relates the poam-item to referenced finding(s).

Attribute (1):

finding-uuid

uuid

[0 or 1]

Finding Universally Unique Identifier Reference

description A machine-oriented identifier reference to a finding defined in the list of findings.

related-observation

assembly

[0 to ∞]

Related Observation

description Relates the poam-item to a set of referenced observations that were used to determine the finding.

Attribute (1):

observation-uuid

uuid

[0 or 1]

Observation Universally Unique Identifier Reference

description A machine-oriented identifier reference to an observation defined in the list of observations.

associated-risk

assembly

[0 to ∞]

Associated Risk

description Relates the finding to a set of referenced risks that were used to determine the finding.

Attribute (1):

risk-uuid

uuid

[0 or 1]

Risk Universally Unique Identifier Reference

description A machine-oriented identifier reference to a risk defined in the list of risks.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

port-range

assembly

Port Range

description Where applicable this is the IPv4 port range on which the service operates.

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

Attributes (3):

description Indicates the starting port number in a port range

Remarks

Should be a number within a permitted range

description Indicates the ending port number in a port range

Remarks

Should be a number within a permitted range

transport

token

[0 or 1]

Transport

description Indicates the transport type.

Constraint (1)

allowed values

The value must be one of the following:

  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol

profile

assembly

Profile

description Each OSCAL profile is defined by a profile element.

root name profile

Remarks

An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles, that import them.

Attribute (1):

uuid

uuid

[0 or 1]

Profile Universally Unique Identifier

description Provides a globally unique means to identify a given profile instance.

Elements (5):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import

assembly

[1 to ∞]

Import Resource

Remarks

The contents of the import element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the include-all or include-controls directives, or de-selected (using an exclude-controls directive).

merge

assembly

[0 or 1]

Merge Controls

modify

assembly

[0 or 1]

Modify Controls

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

prop

assembly

Property

description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Attributes (6):

name

token

[0 or 1]

Property Name

description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

description A unique identifier for a property.

ns

uri

[0 or 1]

Property Namespace

description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[0 or 1]

Property Value

description Indicates the value of the attribute, characteristic, or quality.

class

token

[0 or 1]

Property Class

description A textual label that provides a sub-type or characterization of the property's name.

Remarks

This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.

group

token

[0 or 1]

Property Group

description An identifier for relating distinct sets of properties.

Remarks

Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

protocol

assembly

Service Protocol Information

description Information about the protocol used to provide a service.

Attributes (2):

uuid

uuid

[0 or 1]

Service Protocol Information Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

name

string

[0 or 1]

Protocol Name

description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

Remarks

The short name of the protocol (e.g., https).

Elements (2):

title

markup-line

[0 or 1]

Protocol Title

description A human readable name for the protocol (e.g., Transport Layer Security).

port-range

assembly

[0 to ∞]

Port Range

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

provided-uuid

uuid

Provided UUID

description A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.

published

date-time-with-timezone

Publication Timestamp

description The date and time the document was last made available.

Remarks

Typically, this date value will be machine-generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

related-task

assembly

Task Reference

description Identifies an individual task for which the containing object is a consequence of.

Constraint (1)

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

task-uuid

uuid

[0 or 1]

Task Universally Unique Identifier Reference

description A machine-oriented identifier reference to a unique task.

Elements (6):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Identifies the person or organization responsible for performing a specific role defined by the activity.

subject

assembly

[0 to ∞]

Subject of Assessment

use name subject

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task was performed against.

identified-subject

assembly

[0 or 1]

Identified Subject

description Used to detail assessment subjects that were identfied by this task.

Attribute (1):

subject-placeholder-uuid

uuid

[0 or 1]

Assessment Subject Placeholder Universally Unique Identifier Reference

description A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.

Elements (1):

subject

assembly

[1 to ∞]

Subject of Assessment

use name subject

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

description Additional commentary about the containing object.

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

response

assembly

Risk Response

description Describes either recommended or an actual plan for addressing the risk.

Constraints (2)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • type

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value

The value must be one of the following:

  • avoid: The risk will be eliminated.
  • mitigate: The risk will be reduced.
  • transfer: The risk will be transferred to another organization or entity.
  • accept: The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required")
  • share: The risk will be partially transferred to another organization or entity.
  • contingency: Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.)
  • none: No response, such as when the identified risk is found to be a false positive.
Attributes (2):

uuid

uuid

[0 or 1]

Remediation Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

lifecycle

token

[0 or 1]

Remediation Intent

description Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • recommendation: Recommended remediation.
  • planned: The actions intended to resolve the risk.
  • completed: This remediation activities were performed to address the risk.
Elements (8):

title

markup-line

[1]

Response Title

description The title for this response activity.

description

markup-multiline

[1]

Response Description

description A human-readable description of this response plan.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

origin

assembly

[0 to ∞]

Origin

Remarks

Used to identify the individual and/or tool that generated this recommended or planned response.

required-asset

assembly

[0 to ∞]

Required Asset

description Identifies an asset required to achieve remediation.

Attribute (1):

uuid

uuid

[0 or 1]

Required Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

subject

assembly

[0 to ∞]

Identifies the Subject

use name subject

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Identifies an asset associated with this requirement, such as a party, system component, or inventory-item.

title

markup-line

[0 or 1]

Title for Required Asset

description The title for this required asset.

description

markup-multiline

[1]

Description of Required Asset

description A human-readable description of this required asset.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

task

assembly

[0 to ∞]

Task

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsibility-uuid

uuid

Responsibility UUID

description A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.

responsible-party

assembly

Responsible Party

description A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

Attribute (1):

role-id

token

[0 or 1]

Responsible Role

description A reference to a role performed by a party.

Elements (4):

party-uuid

uuid

[1 to ∞]

Party Universally Unique Identifier Reference

description Specifies one or more parties responsible for performing the associated role.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsible-role

assembly

Responsible Role

description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Attribute (1):

role-id

token

[0 or 1]

Responsible Role ID

description A human-oriented identifier reference to a role performed.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

party-uuid

uuid

[0 to ∞]

Party Universally Unique Identifier Reference

description Specifies zero or more parties responsible for performing the associated role.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

result

assembly

Assessment Result

description Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.

Attribute (1):

uuid

uuid

[0 or 1]

Results Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (14):

title

markup-line

[1]

Results Title

description The title for this set of results.

description

markup-multiline

[1]

Results Description

description A human-readable description of this set of test results.

description Date/time stamp identifying the start of the evidence collection reflected in these results.

description Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

local-definitions

assembly

[0 or 1]

Local Definitions

description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Constraints (2)

is unique for component: any target value must be unique (i.e., occur only once)

is unique for user: any target value must be unique (i.e., occur only once)

Elements (5):

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

inventory-item

assembly

[0 to ∞]

Inventory Item

Remarks

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

user

assembly

[0 to ∞]

System User

use name user

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

Used to add any users, not defined via the System Security Plan (AR->AP->SSP)

assessment-assets

assembly

[0 or 1]

Assessment Assets

Remarks

This needs to be defined in the results if an assessment platform used is different from the one described in the assessment plan. Else the platform(s) defined in the plan may be referenced within the results.

assessment-task

assembly

[0 to ∞]

Task

use name assessment-task

reviewed-controls

assembly

[1]

Reviewed Controls and Control Objectives

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

The Assessment Results control-selection ignores any control selection in the Assessment Plan and re-selects controls from the baseline identified by the SSP.

The Assessment Results control-objective-selection ignores any control objective selection in the Assessment Plan and re-selects control objectives from the baseline identified by the SSP.

Any additional control objectives defined in the Assessment Plan local-definitions do not need to be re-defined in the Assessment Results local-definitions; however, if they were explicitly referenced with an Assessment Plan control-objective-selection, they need to be selected again in the Assessment Results control-objective-selection.

attestation

assembly

[0 to ∞]

Attestation Statements

description A set of textual statements, typically written by the assessor.

Constraint (1)

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Elements (2):

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

part

assembly

[1 to ∞]

Assessment Part

use name part

use name part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

assessment-log

assembly

[0 or 1]

Assessment Log

description A log of all assessment-related actions taken.

Elements (1):

entry

assembly

[1 to ∞]

Assessment Log Entry

description Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.

Attribute (1):

uuid

uuid

[0 or 1]

Assessment Log Entry Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (9):

title

markup-line

[0 or 1]

Action Title

description The title for this event.

description

markup-multiline

[0 or 1]

Action Description

description A human-readable description of this event.

description Identifies the start date and time of an event.

description Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

logged-by

assembly

[0 to ∞]

Logged By

related-task

assembly

[0 to ∞]

Task Reference

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

observation

assembly

[0 to ∞]

Observation

risk

assembly

[0 to ∞]

Identified Risk

finding

assembly

[0 to ∞]

Finding

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

reviewed-controls

assembly

Reviewed Controls and Control Objectives

description Identifies the controls being assessed and their control objectives.

Remarks

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

When resolving the selection of controls and control objectives, the following processing will occur:

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

Elements (6):

description

markup-multiline

[0 or 1]

Control Objective Description

description A human-readable description of control objectives.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

control-selection

assembly

[1 to ∞]

Assessed Controls

description Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.

Remarks

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

Elements (6):

description

markup-multiline

[0 or 1]

Assessed Controls Description

description A human-readable description of in-scope controls specified for assessment.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

include-all

assembly

[1]

Include All

Remarks

This element provides an alternative to calling controls individually from a catalog.

include-control

assembly

[1 to ∞]

Select Control

use name include-control

Remarks

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

exclude-control

assembly

[0 to ∞]

Select Control

use name exclude-control

Remarks

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

control-objective-selection

assembly

[0 to ∞]

Referenced Control Objectives

description Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.

Remarks

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

Elements (6):

description

markup-multiline

[0 or 1]

Control Objectives Description

description A human-readable description of this collection of control objectives.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

include-all

assembly

[1]

Include All

Remarks

This element provides an alternative to calling controls individually from a catalog.

include-objective

assembly

[1 to ∞]

Select Objective

use name include-objective

Remarks

Used to select a control objective for inclusion by the control objective's identifier.

exclude-objective

assembly

[0 to ∞]

Select Objective

use name exclude-objective

Remarks

Used to select a control objective for exclusion by the control objective's identifier.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

risk

assembly

Identified Risk

description An identified risk.

Constraints (2)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • false-positive: The risk has been confirmed to be a false positive.
  • accepted: The risk has been accepted. No further action will be taken.
  • risk-adjusted: The risk has been adjusted.
  • priority: A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='priority']/@value: the target value must match the lexical form of the 'integer' data type.

Attribute (1):

uuid

uuid

[0 or 1]

Risk Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (14):

title

markup-line

[1]

Risk Title

description The title for this risk.

description

markup-multiline

[1]

Risk Description

description A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

statement

markup-multiline

[1]

Risk Statement

description An summary of impact for how the risk affects the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

status

token

[1]

Risk Status

use name status

origin

assembly

[0 to ∞]

Origin

Remarks

Used to identify the individual and/or tool that identified this risk.

threat-id

uri

[0 to ∞]

Threat ID

characterization

assembly

[0 to ∞]

Characterization

mitigating-factor

assembly

[0 to ∞]

Mitigating Factor

description Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.

Attributes (2):

uuid

uuid

[0 or 1]

Mitigating Factor Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

implementation-uuid

uuid

[0 or 1]

Implementation UUID

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (4):

description

markup-multiline

[1]

Mitigating Factor Description

description A human-readable description of this mitigating factor.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

subject

assembly

[0 to ∞]

Identifies the Subject

use name subject

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component.

deadline

date-time-with-timezone

[0 or 1]

Risk Resolution Deadline

description The date/time by which the risk must be resolved.

response

assembly

[0 to ∞]

Risk Response

risk-log

assembly

[0 or 1]

Risk Log

description A log of all risk-related tasks taken.

Elements (1):

entry

assembly

[1 to ∞]

Risk Log Entry

description Identifies an individual risk response that occurred as part of managing an identified risk.

Constraints (2)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • type: The type of remediation tracking entry. Can be multi-valued.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value

The value may be locally defined, or one of the following:

  • vendor-check-in: Contacted vendor to determine the status of a pending fix to a known vulnerability.
  • status-update: Information related to the current state of response to this risk.
  • milestone-complete: A significant step in the response plan has been achieved.
  • mitigation: An activity was completed that reduces the likelihood or impact of this risk.
  • remediated: An activity was completed that eliminates the likelihood or impact of this risk.
  • closed: The risk is no longer applicable to the system.
  • dr-submission: A deviation request was made to the authorizing official.
  • dr-updated: A previously submitted deviation request has been modified.
  • dr-approved: The authorizing official approved the deviation.
  • dr-rejected: The authorizing official rejected the deviation.
Attribute (1):

uuid

uuid

[0 or 1]

Risk Log Entry Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (10):

title

markup-line

[0 or 1]

Title

description The title for this risk log entry.

description

markup-multiline

[0 or 1]

Risk Task Description

description A human-readable description of what was done regarding the risk.

description Identifies the start date and time of the event.

description Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

logged-by

assembly

[0 to ∞]

Logged By

status-change

token

[0 or 1]

Risk Status

use name status-change

Remarks

Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries.

related-response

assembly

[0 to ∞]

Risk Response Reference

description Identifies an individual risk response that this log entry is for.

Attribute (1):
response-uuid

uuid

[0 or 1]

Response Universally Unique Identifier Reference

description A machine-oriented identifier reference to a unique risk response.

Elements (4):
property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

related-task

assembly

[0 to ∞]

Task Reference

Remarks

This is used to identify the task(s) that this log entry was generated for.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

related-observation

assembly

[0 to ∞]

Related Observation

description Relates the finding to a set of referenced observations that were used to determine the finding.

Attribute (1):

observation-uuid

uuid

[0 or 1]

Observation Universally Unique Identifier Reference

description A machine-oriented identifier reference to an observation defined in the list of observations.

risk-status

token

Risk Status

description Describes the status of the associated risk.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • open: The risk has been identified.
  • investigating: The identified risk is being investigated. (Open risk)
  • remediating: Remediation activities are underway, but are not yet complete. (Open risk)
  • deviation-requested: A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)
  • deviation-approved: A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)
  • closed: The risk has been resolved.

role-id

token

Role Identifier Reference

description Reference to a role by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) .

security-impact-level

assembly

Security Impact Level

description The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.

Elements (3):

security-objective-confidentiality

string

[1]

Security Objective: Confidentiality

description A target-level of confidentiality for the system, based on the sensitivity of information within the system.

security-objective-integrity

string

[1]

Security Objective: Integrity

description A target-level of integrity for the system, based on the sensitivity of information within the system.

security-objective-availability

string

[1]

Security Objective: Availability

description A target-level of availability for the system, based on the sensitivity of information within the system.

select-control-by-id

assembly

Select Control

description Select a control or controls from an imported control set.

Remarks

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

Attribute (1):

with-child-controls

token

[0 or 1]

Include Contained Controls with Control

Elements (2):

with-id

token

[0 to ∞]

Match Controls by Identifier

matching

assembly

[0 to ∞]

Match Controls by Pattern

select-control-by-id

assembly

Select Control

description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Attribute (1):

control-id

token

[0 or 1]

Control Identifier Reference

Elements (1):

statement-id

token

[0 to ∞]

Include Specific Statements

description Used to constrain the selection to only specificity identified statements.

select-objective-by-id

assembly

Select Objective

description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Attribute (1):

objective-id

token

[0 or 1]

Objective ID

select-subject-by-id

assembly

Select Assessment Subject

description Identifies a set of assessment subjects to include/exclude by UUID.

Attributes (2):

subject-uuid

uuid

[0 or 1]

Subject Universally Unique Identifier Reference

type

token

[0 or 1]

Subject Universally Unique Identifier Reference Type

use name type

Elements (3):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

selected

string

Selected Level (Confidentiality, Integrity, or Availability)

description The selected (Confidentiality, Integrity, or Availability) security impact level.

set-parameter

assembly

Set Parameter Value

description Identifies the parameter that will be set by the enclosed value.

Attribute (1):

param-id

token

[0 or 1]

Parameter ID

Elements (2):

value

string

[1 to ∞]

Parameter Value

description A parameter value or set of values.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

statement

assembly

Control Statement Implementation

description Identifies which statements within a control are addressed.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

statement-id

token

[0 or 1]

Control Statement Reference

Remarks

A reference to the specific implemented statement associated with a control.

uuid

uuid

[0 or 1]

Control Statement Reference Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Elements (5):

description

markup-multiline

[1]

Statement Implementation Description

description A summary of how the containing control statement is implemented by the component or capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

statement

assembly

Specific Control Statement

description Identifies which statements within a control are addressed.

Constraints (3)

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for by-component: any target value must be unique (i.e., occur only once)

Attributes (2):

statement-id

token

[0 or 1]

Control Statement Reference

Remarks

A reference to the specific implemented statement associated with a control.

uuid

uuid

[0 or 1]

Control Statement Reference Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Elements (5):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

by-component

assembly

[0 to ∞]

Component Control Implementation

Remarks

Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

statement-id

token

Control Statement Reference

description A human-oriented identifier reference to a control statement.

status

assembly

Status

description Describes the operational status of the system.

Remarks

If 'other' is selected, a remark must be included to describe the current state.

Attribute (1):

state

string

[0 or 1]

State

description The current operating status.

Constraint (1)

allowed values

The value must be one of the following:

  • operational: The system is currently operating in production.
  • under-development: The system is being designed, developed, or implemented
  • under-major-modification: The system is undergoing a major change, development, or transition.
  • disposition: The system is no longer operational.
  • other: Some other state.
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

subject-reference

assembly

Identifies the Subject

description A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

Remarks

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

Tools should check look for the ID in every file imported directly or indirectly.

Attributes (2):

subject-uuid

uuid

[0 or 1]

Subject Universally Unique Identifier Reference

type

token

[0 or 1]

Subject Universally Unique Identifier Reference Type

use name type

Elements (4):

title

markup-line

[0 or 1]

Subject Reference Title

description The title or name for the referenced subject.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

subject-type

token

Subject Universally Unique Identifier Reference Type

description Used to indicate the type of object pointed to by the uuid-ref within a subject.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • component: Component
  • inventory-item: Inventory Item
  • location: Location
  • party: Interview Party
  • user: User
  • resource: Resource or Artifact

subject-uuid

uuid

Subject Universally Unique Identifier Reference

description A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.

system-characteristics

assembly

System Characteristics

description Contains the characteristics of the system, such as its name, purpose, and security impact level.

Constraints (7)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • identity-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
  • authenticator-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
  • federation-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.

allowed values for prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value

The value must be one of the following:

  • 1: As defined by SP 800-63-3.
  • 2: As defined by SP 800-63-3.
  • 3: As defined by SP 800-63-3.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • cloud-deployment-model: The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other.
  • cloud-service-model: The associated value is one of: saas, paas, iaas, or other.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-deployment-model']/@value

The value must be one of the following:

  • public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
  • private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
  • community-cloud: The community cloud deployment model as defined by The NIST Definition of Cloud Computing.
  • hybrid-cloud: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing.
  • government-only-cloud: A specific type of community-cloud for use only by government services.
  • other: Any other type of cloud deployment model that is exclusive to the other choices.
  • The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-service-model']/@value

The value must be one of the following:

  • saas: Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
  • paas: Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
  • iaas: Infrastructure as a service (IaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
  • other: Any other type of cloud service model that is exclusive to the other choices.

is unique for responsible-party: any target value must be unique (i.e., occur only once)

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • authorizing-official: The authorizing official for this system.
  • authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
  • system-owner: The executive ultimately accountable for the system.
  • system-poc-management: The primary management-level point of contact (POC) for the system.
  • system-poc-technical: The primary technical point of contact (POC) for the system.
  • system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
  • information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
  • privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.
Elements (16):

system-id

string

[1 to ∞]

System Identification

system-name

string

[1]

System Name - Full

description The full name of the system.

system-name-short

string

[0 or 1]

System Name - Short

description A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.

Remarks

Since system-name-short is optional, if the system-name-short is not provided, the system-name can be used as a substitute.

description

markup-multiline

[1]

System Description

description A summary of the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

date-authorized

date

[0 or 1]

System Authorization Date

security-sensitivity-level

string

[0 or 1]

Security Sensitivity Level

description The overall information system sensitivity categorization, such as defined by FIPS-199.

Remarks

Often, organizations require the security sensitivity level to correspond with the highest confidentiality, integrity, or availability level identified by security-impact-level.

system-information

assembly

[1]

System Information

security-impact-level

assembly

[0 or 1]

Security Impact Level

status

assembly

[1]

Status

Remarks

If 'other' is selected, a remark must be included to describe the current state.

authorization-boundary

assembly

[1]

Authorization Boundary

network-architecture

assembly

[0 or 1]

Network Architecture

data-flow

assembly

[0 or 1]

Data Flow

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

system-component

assembly

Component

description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Constraints (24)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • implementation-point: Relative placement of component ('internal' or 'external') to the system.
  • leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
  • inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.
  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.
  • imported-from: The hyperlink identifies a URI pointing to the component in a component-definition that originally defined the component.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value

The value may be locally defined, or one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value

The value must be one of the following:

  • internal: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • vendor-name: The name of the company or organization

allowed value for (.)[@type='validation']/link/@rel

The value may be locally defined, or the following:

  • validation-details: A link to an online information provided by the authorizing body.

allowed value for (.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

allowed values for (.)[@type='interconnection']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • isa-title: Title of the Interconnection Security Agreement (ISA).
  • isa-date: Date of the Interconnection Security Agreement (ISA).
  • isa-remote-system-name: The name of the remote interconnected system.
  • ipv4-address: An Internet Protocol Version 4 interconnection address
  • ipv6-address: An Internet Protocol Version 6 interconnection address
  • direction: An Internet Protocol Version 6 interconnection address

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('ipv4-address','ipv6-address')]/@class

The value must be one of the following:

  • local: The identified IP address is for this system.
  • remote: The identified IP address is for the remote system to which this system is connected.

allowed value for (.)[@type='interconnection']/link/@rel

The value may be locally defined, or the following:

  • isa-agreement: A link to the system interconnection agreement.

allowed values for (.)[@type='interconnection']/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
  • isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
  • isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
  • isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='direction']/@value

The value must be one of the following:

  • incoming: Data from the remote system flows into this system.
  • outgoing: Data from this system flows to the remote system.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Component Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

type

string

[0 or 1]

Component Type

use name type

Elements (9):

title

markup-line

[1]

Component Title

description A human readable name for the system component.

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

purpose

markup-line

[0 or 1]

Purpose

description A summary of the technological or business purpose of the component.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

status

assembly

[1]

Status

description Describes the operational status of the system component.

Attribute (1):

state

token

[0 or 1]

State

description The operational status.

Constraint (1)

allowed values

The value must be one of the following:

  • under-development: The component is being designed, developed, or implemented.
  • operational: The component is currently operational and is available for use in the system.
  • disposition: The component is no longer operational.
  • other: Some other state.
Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

protocol

assembly

[0 to ∞]

Service Protocol Information

Remarks

Used for service components to define the protocols supported by the service.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

system-component-type

string

Component Type

description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • this-system: The system as a whole.
  • system: An external system, which may be a leveraged system or the other side of an interconnection.
  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforceable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.
  • network: A physical or virtual network.

system-id

string

System Identification

description A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

Attribute (1):

identifier-type

uri

[0 or 1]

Identification System Type

description Identifies the identification system from which the provided identifier was assigned.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • https://fedramp.gov: **deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use http://fedramp.gov/ns/oscal instead.
  • http://fedramp.gov/ns/oscal: The identifier was assigned by FedRAMP.
  • https://ietf.org/rfc/rfc4122: **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://ietf.org/rfc/rfc4122 instead.
  • http://ietf.org/rfc/rfc4122: A Universally Unique Identifier (UUID) as defined by RFC4122.

system-implementation

assembly

System Implementation

description Provides information as to how the system is implemented.

Constraints (13)

index for leveraged-authorization an index index-system-implementation-leveraged-authorization-uuid shall list values returned by targets leveraged-authorization using keys constructed of key field(s) @uuid

index has key for component/prop[@name='leveraged-authorization-uuid']this value must correspond to a listing in the index index-system-implementation-leveraged-authorization-uuid using a key constructed of key field(s) @value

index for component an index index-system-implementation-component-uuid shall list values returned by targets component using keys constructed of key field(s) @uuid

index has key for component/link[@rel='depends-on']this value must correspond to a listing in the index index-system-implementation-component-uuid using a key constructed of key field(s) @href

index for component[@type='validation'] an index index-system-implementation-component-uuid-validation shall list values returned by targets component[@type='validation'] using keys constructed of key field(s) @uuid

index has key for component/link[@rel='validated-by']this value must correspond to a listing in the index index-system-implementation-component-uuid-validation using a key constructed of key field(s) @href

index has key for component/link[@rel='proof-of-compliance']this value must correspond to a listing in the index index-system-implementation-component-uuid-validation using a key constructed of key field(s) @href

index for component[@type='service'] an index index-system-implementation-component-uuid-service shall list values returned by targets component[@type='service'] using keys constructed of key field(s) @uuid

index has key for component/link[@rel='uses-service']this value must correspond to a listing in the index index-system-implementation-component-uuid-service using a key constructed of key field(s) @href

index for component[@type='service'] an index index-system-implementation-component-uuid-software shall list values returned by targets component[@type='service'] using keys constructed of key field(s) @uuid

index has key for component[@type='service']/link[@rel='provided-by']this value must correspond to a listing in the index index-system-implementation-component-uuid-software using a key constructed of key field(s) @href

allowed values for (component | inventory-item)/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

is unique for user: any target value must be unique (i.e., occur only once)

Elements (7):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

leveraged-authorization

assembly

[0 to ∞]

Leveraged Authorization

description A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.

Constraints (4)

allowed value for link/@rel

The value may be locally defined, or the following:

  • system-security-plan: A reference to the system security plan for the leveraged authorization.

matches for link[@rel='system-security-plan']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.

index has key for link[@rel='system-security-plan' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for link[@rel='system-security-plan']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.

Attribute (1):

uuid

uuid

[0 or 1]

Leveraged Authorization Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

title

markup-line

[1]

title field

description A human readable name for the leveraged authorization in the context of the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

party-uuid

uuid

[1]

party-uuid field

description A machine-oriented identifier reference to the party that manages the leveraged system.

date-authorized

date

[1]

System Authorization Date

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

user

assembly

[1 to ∞]

System User

use name user

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

component

assembly

[1 to ∞]

Component

use name component

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

inventory-item

assembly

[0 to ∞]

Inventory Item

Remarks

A set of inventory-item entries that represent the managed inventory instances of the system.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

system-information

assembly

System Information

description Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.

Constraints (7)

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • privacy-designation: Is this a privacy sensitive system? yes or no

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privacy-designation']/@value

The value must be one of the following:

  • yes: The system is privacy sensitive.
  • no: The system is not privacy sensitive.

allowed value for link/@rel

The value may be locally defined, or the following:

  • privacy-impact-assessment: A link to the privacy impact assessment.

matches for link[@rel='privacy-impact-assessment']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.

index has key for link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.

allowed values for information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)

The value may be locally defined, or one of the following:

  • fips-199-low: A 'low' sensitivity level as defined in FIPS-199.
  • fips-199-moderate: A 'moderate' sensitivity level as defined in FIPS-199.
  • fips-199-high: A 'high' sensitivity level as defined in FIPS-199.
  • FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.
Elements (3):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

information-type

assembly

[1 to ∞]

Information Type

description Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.

Attribute (1):

uuid

uuid

[0 or 1]

Information Type Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[1]

title field

description A human readable name for the information type. This title should be meaningful within the context of the system.

description

markup-multiline

[1]

Information Type Description

description A summary of how this information type is used within the system.

categorization

assembly

[0 to ∞]

Information Type Categorization

description A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.

Attribute (1):

system

uri

[0 or 1]

Information Type Identification System

description Specifies the information type identification system used.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • http://doi.org/10.6028/NIST.SP.800-60v2r1: Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1.
Elements (1):

information-type-id

string

[0 to ∞]

Information Type Systematized Identifier

description A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

confidentiality-impact

assembly

[0 or 1]

Impact Level

description The expected level of impact resulting from the unauthorized disclosure of the described information.

use name confidentiality-impact

integrity-impact

assembly

[0 or 1]

Impact Level

description The expected level of impact resulting from the unauthorized modification of the described information.

use name integrity-impact

availability-impact

assembly

[0 or 1]

Impact Level

description The expected level of impact resulting from the disruption of access to or use of the described information or the information system.

use name availability-impact

system-security-plan

assembly

System Security Plan (SSP)

description A system security plan, such as those described in NIST SP 800-18.

root name system-security-plan

Constraint (1)

index for control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component an index by-component-uuid shall list values returned by targets control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component using keys constructed of key field(s) @uuid

Attribute (1):

uuid

uuid

[0 or 1]

System Security Plan Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

metadata

assembly

[1]

Document Metadata

Remarks

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

import-profile

assembly

[1]

Import Profile

system-characteristics

assembly

[1]

System Characteristics

system-implementation

assembly

[1]

System Implementation

control-implementation

assembly

[1]

Control Implementation

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

system-user

assembly

System User

description A type of user that interacts with the system based on an associated role.

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

Constraints (4)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • type: The type of user, such as internal, external, or general-public.
  • privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value

The value must be one of the following:

  • internal: A user account for a person or entity that is part of the organization who owns or operates the system.
  • external: A user account for a person or entity that is not part of the organization who owns or operates the system.
  • general-public: A user of the system considered to be outside

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privilege-level']/@value

The value must be one of the following:

  • privileged: This role has elevated access to the system, such as a group or system administrator.
  • non-privileged: This role has typical user-level access to the system without elevated access.
  • no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.

allowed values for role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1):

uuid

uuid

[0 or 1]

User Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[0 or 1]

User Title

description A name given to the user, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

User Short Name

description A short common name, abbreviation, or acronym for the user.

description

markup-multiline

[0 or 1]

User Description

description A summary of the user's purpose within the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

role-id

token

[0 to ∞]

Role Identifier Reference

authorized-privilege

assembly

[0 to ∞]

Privilege

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

task

assembly

Task

description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

Attributes (2):

uuid

uuid

[0 or 1]

Task Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

type

token

[0 or 1]

Task Type

description The type of task.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • milestone: The task represents a planned milestone.
  • action: The task represents a specific assessment action to be performed.
Elements (11):

title

markup-line

[1]

Task Title

description The title for this task.

description

markup-multiline

[0 or 1]

Task Description

description A human-readable description of this task.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

timing

assembly

[0 or 1]

Event Timing

description The timing under which the task is intended to occur.

Elements (1):

on-date

assembly

[1]

On Date Condition

description The task is intended to occur on the specified date.

Attribute (1):

date

date-time-with-timezone

[0 or 1]

On Date Condition

description The task must occur on the specified date.

within-date-range

assembly

[1]

On Date Range Condition

description The task is intended to occur within the specified date range.

Attributes (2):

start

date-time-with-timezone

[0 or 1]

Start Date Condition

description The task must occur on or after the specified date.

end

date-time-with-timezone

[0 or 1]

End Date Condition

description The task must occur on or before the specified date.

at-frequency

assembly

[1]

Frequency Condition

description The task is intended to occur at the specified frequency.

Attributes (2):

period

positive-integer

[0 or 1]

Period

description The task must occur after the specified period has elapsed.

unit

string

[0 or 1]

Time Unit

description The unit of time for the period.

Constraint (1)

allowed values

The value must be one of the following:

  • seconds: The period is specified in seconds.
  • minutes: The period is specified in minutes.
  • hours: The period is specified in hours.
  • days: The period is specified in days.
  • months: The period is specified in calendar months.
  • years: The period is specified in calendar years.

dependency

assembly

[0 to ∞]

Task Dependency

description Used to indicate that a task is dependent on another task.

Attribute (1):

task-uuid

uuid

[0 or 1]

Task Universally Unique Identifier Reference

description A machine-oriented identifier reference to a unique task.

Elements (1):

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

task

assembly

[0 to ∞]

Task

associated-activity

assembly

[0 to ∞]

Associated Activity

description Identifies an individual activity to be performed as part of a task.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attribute (1):

activity-uuid

uuid

[0 or 1]

Activity Universally Unique Identifier Reference

description A machine-oriented identifier reference to an activity defined in the list of activities.

Elements (5):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Identifies the person or organization responsible for performing a specific role defined by the activity.

subject

assembly

[1 to ∞]

Subject of Assessment

use name subject

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

subject

assembly

[0 to ∞]

Subject of Assessment

use name subject

Remarks

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

The assessment subjects that the activity was performed against.

responsible-role

assembly

[0 to ∞]

Responsible Role

Remarks

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Identifies the person or organization responsible for performing a specific role related to the task.

remarks

markup-multiline

[0 or 1]

Remarks

Remarks

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

telephone-number

string

Telephone Number

description A telephone service number as defined by ITU-T E.164.

Constraint (1)

matches: a target (value) must match the regular expression '^[0-9]{3}[0-9]{1,12}$'.

Attribute (1):

type

string

[0 or 1]

type flag

description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.

threat-id

uri

Threat ID

description A pointer, by ID, to an externally-defined threat.

Attributes (2):

system

uri

[0 or 1]

Threat Type Identification System

description Specifies the source of the threat information.

Remarks

This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • http://fedramp.gov: **deprecated** The value conforms to FedRAMP definitions. This value has been deprecated; use http://fedramp.gov/ns/oscal instead.
  • http://fedramp.gov/ns/oscal: The value conforms to FedRAMP definitions.

href

uri-reference

[0 or 1]

Threat Information Resource Reference

description An optional location for the threat data, from which this ID originates.

Remarks

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).

version

string

Document Version

description Used to distinguish a specific revision of an OSCAL document from other previous and future versions.

Remarks

A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A version is typically set by the document owner or by the tool used to maintain the content.

with-child-controls

token

Include Contained Controls with Control

description When a control is included, whether its child (dependent) controls are also included.

Constraint (1)

allowed values

The value must be one of the following:

  • yes: Include child controls with an included control.
  • no: When importing a control, only include child controls that are also explicitly called.

with-id

token

Match Controls by Identifier

description Selecting a control by its ID given as a literal.

This page was last updated on January 1, 0001.