Skip to main content

Shared Responsibility Model prototype-shared-responsibility-model JSON Format Reference

The following is the JSON format reference for this model, which is organized hierarchically. Each entry represents the corresponding JSON property in the model’s JSON format, and provides details about the semantics and use of the property. The JSON Format Outline provides a streamlined, hierarchical representation of this model’s JSON format which can be used along with this reference to better understand the JSON representation of this model.


This is a prototype OSCAL Shared Responsibility Model for evaluation purposes, based on a copy of the OSCAL Component Definition Model.This prototype may contain assemblies that are not intended in this context.The most important assemblies to consider within this current version are: provided, responsibilities, inherited, and satisfied.

Description A collection of components or capabilities provided by a leveraged system and which can be inherited by a leveraging system.

Constraint (1)

index for control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component an index by-component-uuid shall list values returned by targets control-implementation/implemented-requirement//by-component|doc(system-implementation/leveraged-authorization/link[@rel='system-security-plan']/@href)/system-security-plan/control-implementation/implemented-requirement//by-component using keys constructed of key field(s) @uuid

Properties (5)




Shared Responsibility Universally Unique Identifier

Description Provides a globally unique means to identify a given component definition instance.

Description Provides information about the containing document, and defines concepts that are shared across the document.


All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

Constraints (14)

index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id

is unique for document-id: any target value must be unique (i.e., occur only once)

is unique for prop: any target value must be unique (i.e., occur only once)

index for .//prop an index index-metadata-property-uuid shall list values returned by targets .//prop using keys constructed of key field(s) @uuid

is unique for link: any target value must be unique (i.e., occur only once)

index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id

index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid

index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid

index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • creator: Indicates the person or organization that created this content.
  • prepared-by: Indicates the person or organization that prepared this content.
  • prepared-for: Indicates the person or organization for which this content was created.
  • content-approver: Indicates the person or organization responsible for all content represented in the "document".
  • contact: Indicates the person or organization to contact for questions or support related to this content.

allowed value for prop[has-oscal-namespace('')]/@name

The value must be one of the following:

  • keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
  • latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.

is unique for document-id: any target value must be unique (i.e., occur only once)

Properties (15)

Description A name given to the document, which may be used by a tool for display and navigation.

Description The date and time the document was last made available.


Typically, this date value will be machine-generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

Description The date and time the document was last stored for later retrieval.


This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between mutiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.




Document Version

Description Used to distinguish a specific revision of an OSCAL document from other previous and future versions.


A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A version is typically set by the document owner or by the tool used to maintain the content.

Description The OSCAL model version the document was authored against and will conform to as valid.


Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.

(array member)


[1 to ∞]

Revision History Entry

Description An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).


While published, last-modified, and oscal-version are not required, values for these entries should be provided if the information is known. A link with a rel of source should be provided if the information is known.

Constraint (1)

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • version-history: This link identifies a resource containing the version history of this document. Defined by RFC 5829.
Properties (8)



[0 or 1]

Document Title

Description A name given to the document revision, which may be used by a tool for display and navigation.

Description The date and time the document was last made available.


Typically, this date value will be machine-generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

Description The date and time the document was last stored for later retrieval.


This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between mutiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.




Document Version

Description Used to distinguish a specific revision of an OSCAL document from other previous and future versions.


A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A version is typically set by the document owner or by the tool used to maintain the content.

Description The OSCAL model version the document was authored against and will conform to as valid.


Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[0 to ∞]

Document Identifier

Description A document identifier qualified by an identifier scheme.


A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

Properties (2)



[0 or 1]

Document Identification Scheme

Description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.


This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.



[0 or 1]

(array member)


[1 to ∞]


Description Defines a function, which might be assigned to a party in a specific situation.


Permissible values to be determined closer to the application (e.g. by a receiving authority).

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

Properties (7)




Role Identifier

Description A unique identifier for the role.

Description A name given to the role, which may be used by a tool for display and navigation.



[0 or 1]

Role Short Name

Description A short common name, abbreviation, or acronym for the role.

Description A summary of the role's purpose and associated responsibilities.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[1 to ∞]


Description A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.


An address might be sensitive in nature. In such cases a title, mailing address, email-address, and/or phone number may be used instead.

Constraints (5)

allowed value for prop[has-oscal-namespace('')]/@name

The value must be one of the following:

  • type: Characterizes the kind of location.

allowed value for prop[has-oscal-namespace('') and @name='type']/@value

The value must be one of the following:

  • data-center: A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate.

allowed values for prop[has-oscal-namespace('') and @name='type' and @value='data-center']/@class

The value must be one of the following:

  • primary: The location is a data-center used for normal operations.
  • alternate: The location is a data-center used for fail-over or backup operations.

has cardinality for address the cardinality of address is constrained: 1; maximum unbounded.

has cardinality for title|address|email-address|telephone-number the cardinality of title|address|email-address|telephone-number is constrained: 1; maximum unbounded.

Properties (9)




Location Universally Unique Identifier

Description A unique ID for the location, for reference.



[0 or 1]

Location Title

Description A name given to the location, which may be used by a tool for display and navigation.



[0 or 1]


Description A postal address for the location.


The physical address of the location, which will provided for physical locations. Virtual locations can omit this data item.

Properties (6)


[0 or 1]

Address Type

Description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.

(array member)


[0 to ∞]

Address line

Description A single line of an address.

Description City, town or geographical region for the mailing address.

Description State, province or analogous geographical region for a mailing address.

Description Postal or ZIP code for mailing address.



[0 or 1]

Country Code

Description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z]{2}'.

(array member)


[0 to ∞]

Email Address

Description An email address as defined by RFC 5322 Section 3.4.1.


A contact email associated with the location.

(array member)


[0 to ∞]

Telephone Number

Description A telephone service number as defined by ITU-T E.164.


A phone number used to contact the location.

Constraint (1)

matches: a target (value) must match the regular expression '^[0-9]{3}[0-9]{1,12}$'.

Properties (2)


[0 or 1]

type flag

Description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.



[0 or 1]

(array member)


[0 to ∞]

Location URL

deprecated as of 1.1.0

Description The uniform resource locator (URL) for a web site or other resource associated with the location.


This data field is deprecated in favor of using a link with an appropriate relationship.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[1 to ∞]


Description An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.


A party can be optionally associated with either an address or a location. While providing a meaningful location for a party is desired, there are some cases where it might not be possible to provide an exact location or even any location.

Constraint (1)

allowed values for prop[has-oscal-namespace('')]/@name

The value must be one of the following:

  • mail-stop: A mail stop associated with the party.
  • office: The name or number of the party's office.
  • job-title: The formal job title of a person.
Properties (12)




Party Universally Unique Identifier

Description A unique identifier for the party.

Description A category describing the kind of party the object describes.

Constraint (1)

allowed values

The value must be one of the following:

  • person: A human being regarded as an individual.
  • organization: An organized group of one or more person individuals with a specific purpose.



[0 or 1]

Party Name

Description The full name of the party. This is typically the legal name associated with the party.



[0 or 1]

Party Short Name

Description A short common name, abbreviation, or acronym for the party.

(array member)


[0 to ∞]

Party External Identifier

Description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).

Properties (2)



External Identifier Schema

Description Indicates the type of external identifier.


This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • The identifier is Open Researcher and Contributor ID (ORCID).



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Email Address

Description An email address as defined by RFC 5322 Section 3.4.1.


This is a contact email associated with the party.

(array member)


[0 to ∞]

Telephone Number

Description A telephone service number as defined by ITU-T E.164.


A phone number used to contact the party.

Constraint (1)

matches: a target (value) must match the regular expression '^[0-9]{3}[0-9]{1,12}$'.

Properties (2)


[0 or 1]

type flag

Description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.

A choice:

(array member)


[1 to ∞]


Description A postal address for the location.

Properties (6)


[0 or 1]

Address Type

Description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.

(array member)


[0 to ∞]

Address line

Description A single line of an address.

Description City, town or geographical region for the mailing address.

Description State, province or analogous geographical region for a mailing address.

Description Postal or ZIP code for mailing address.



[0 or 1]

Country Code

Description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z]{2}'.

(array member)


[0 to ∞]

Location Universally Unique Identifier Reference

Description Reference to a location by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .

(array member)


[0 to ∞]

Organizational Affiliation

Description A reference to another party by UUID, typically an organization, that this subject is associated with.


Since the reference target of an organizational affiliation must be another party (whether further qualified as person or organization) as inidcated by its uuid. As a machine-oriented identifier with uniqueness across document and trans-document scope, this uuid value is sufficient to reference the data item locally or globally across related documents, e.g., in an imported OSCAL instance.

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Responsible Party

Description A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.


A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

Properties (5)




Responsible Role

Description A reference to a role performed by a party.

(array member)


[1 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]


Description An action applied by a role within a given party to the content.

Constraints (4)

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

allowed value for ./system/@value

The value may be locally defined, or the following:

  • This value identifies action types defined in the NIST OSCAL namespace.

allowed values for ./type[has-oscal-namespace('')]/@value

The value must be one of the following:

  • approval: An approval of a document instance's content.
  • request-changes: A request from the responisble party or parties to change the content.
Properties (8)




Action Universally Unique Identifier

Description A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.



[0 or 1]

Action Occurrence Date

Description The date and time when the action occurred.

Description The type of action documented by the assembly, such as an approval.




Action Type System

Description Specifies the action type system used.


Provides a means to segment the value space for the type, so that different organizations and individuals can assert control over the allowed action's type. This allows the semantics associated with a given type to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Party

Description A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.


A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

Properties (5)



Responsible Role

Description A reference to a role performed by a party.

(array member)


[1 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description The leveraged System Security Plan (SSP) that documents the components implementing inheritable controls.

Properties (11)



[0 or 1]

SSP Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference the sourced SSP in this or other OSCAL instances.



[0 or 1]

Source Title

Description The title of sourced leveraged SSP.

Description The time and date of leveraged SSP initial publication.

Description The time and date of leveraged SSP last modification.



[0 or 1]

Document Version

Description The version of the leveraged SSP.



[0 or 1]

System Authorization Date

Description The date the system received its most recent authorization to operate.




Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .



[0 or 1]

Referenced Profile

Description The OSCAL profile imported by the leveraged SSP.

Property (1)




Hyperlink Reference

Description A link to a resource that defines a set of components and/or capabilities to import into this collection.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.




Control Implementation

Description Describes how the system satisfies a set of controls.


Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraint (1)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

Properties (3)




Control Implementation Description

Description A statement describing important things to know about how this set of control satisfaction documentation is approached.

(array member)

(global definition)

[1 to ∞]

Set Parameter Value

Description Identifies the parameter that will be set by the enclosed value.

Properties (3)

Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

(array member)


[1 to ∞]

Parameter Value

Description A parameter value or set of values.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[1 to ∞]

Control-based Requirement

Description Describes how the system satisfies the requirements of an individual control.


Use of set-parameter in this context, sets the parameter for the referenced control. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraints (10)

allowed value for (.|statement|.//by-component)/prop[has-oscal-namespace('')]/@name

The value must be one of the following:

  • control-origination: Identifies the source of the implemented control. Any control-origination prop defined in a child context will override the parent value.

allowed values for (.|statement|.//by-component)/prop[has-oscal-namespace('') and @name='control-origination']/@value

The value must be one of the following:

  • organization: The control is implemented by the organization owning the system, but is not specific to the system itself.
  • system-specific: The control is implemented specifically to this system.
  • customer-configured: The control is provided by the system, but must be configured by the customer.
  • customer-provided: The control must be implemented by the customer.
  • inherited: This control is inherited from an underlying system.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

has cardinality for .//by-component the cardinality of .//by-component is constrained: 1; maximum unbounded.

is unique for set-parameter: any target value must be unique (i.e., occur only once)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for statement: any target value must be unique (i.e., occur only once)

is unique for by-component: any target value must be unique (i.e., occur only once)

Properties (9)




Control Requirement Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.




Control Identifier Reference

Description A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Set Parameter Value

Description Identifies the parameter that will be set by the enclosed value.

Properties (3)

Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

(array member)


[1 to ∞]

Parameter Value

Description A parameter value or set of values.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)



Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[1 to ∞]

Specific Control Statement

Description Identifies which statements within a control are addressed.

Constraints (3)

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for by-component: any target value must be unique (i.e., occur only once)

Properties (7)



Control Statement Reference

Description A human-oriented identifier reference to a control statement.


A reference to the specific implemented statement associated with a control.




Control Statement Reference Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)



Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Component Control Implementation

Description Defines how the referenced component implements a set of controls.


Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

Constraints (5)

allowed value for link/@rel

The value may be locally defined, or the following:

  • imported-from: The hyperlink identifies a URI pointing to the component in a component-definition that originally described the component this component was based on.

allowed values for .//responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

is unique for set-parameter: any target value must be unique (i.e., occur only once)

allowed value for link/@rel

The value may be locally defined, or the following:

  • provided-by: A reference to the UUID of a control or statement by-component object that is used as evidence of implementation.

index has key for link[@rel='provided-by']this value must correspond to a listing in the index by-component-uuid using a key constructed of key field(s) @href

Properties (13)



Component Universally Unique Identifier Reference

Description A machine-oriented identifier reference to the component that is implemeting a given control.




By-Component Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.




Control Implementation Description

Description An implementation statement that describes how a control or a control statement is implemented within the referenced system component.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Set Parameter Value

Description Identifies the parameter that will be set by the enclosed value.

Properties (3)

Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

(array member)


[1 to ∞]

Parameter Value

Description A parameter value or set of values.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Indicates the degree to which the a given control is implemented.


The implementation-status is used to qualify the status value to indicate the degree to which the control is implemented.

Properties (3)

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Implementation State

Description Identifies the implementation status of the control or control objective.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • implemented: The control is fully implemented.
  • partial: The control is partially implemented.
  • planned: There is a plan for implementing the control as explained in the remarks.
  • alternative: There is an alternative implementation for this control as explained in the remarks.
  • not-applicable: This control does not apply to this system as justified in the remarks.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Provided Control Implementation

Description Describes a capability provided by a component of the leveraged system which may be inherited by a leveraging system.


The leveraged system's provided information could be used to document the leveraging system's inherited capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)




Provided Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Implementer UUID

Description A machine-oriented, globally unique identifier with cross-instance scope that is used to reference the party responsible for the implemented capability or control. An inheritable capability or control provided by a leveraged system can be inherited by a leveraging system and further provided to leveraging system's customers. The entity responsible for implementing the control is often rederred to as the “Control Originator”.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Provided Control Implementation Description

Description An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Control Implementation Responsibility

Description Describes a control implementation responsibility imposed on a leveraging system.


The leveraged system's responsibity information could be used to docuemnt the leveraged system's satisfied capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)




Responsibility Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Provided UUID

Description A machine-oriented identifier reference to an inheritable control implementation that a leveraging system may inherite from a leveraged system.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Control Implementation Responsibility Description

Description An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Inherited Control Implementation

Description Describes a control implementation inherited by a leveraging system.


The leveraged system's provided information could be used to document the leveraging system's inherited capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)




Inherited Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Provided UUID

Description A machine-oriented identifier reference to an inheritable control implementation that a leveraging system may inherite from a leveraged system.



[0 or 1]

Implementer UUID

Description A machine-oriented, globally unique identifier with cross-instance scope that is used to reference the party responsible for the implemented capability or control. An inheritable capability or control provided by a leveraged system can be inherited by a leveraging system and further provided to leveraging system's customers. The entity responsible for implementing the control is often rederred to as the “Control Originator”.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Inherited Control Implementation Description

Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Satisfied Control Implementation Responsibility

Description Describes how this system satisfies a responsibility imposed by a leveraged system.


The leveraged system's responsibity information could be used to docuemnt the leveraged system's satisfied capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (9)




Satisfied Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Responsibility UUID

Description A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.



[0 or 1]

Inherited UUID

Description A machine-oriented identifier reference to the control inherited by the leveraging system from the leveraged system. The satisfaction of the inherited control might depend on the responsibilities by the leveraging system and must be satisfied by either the leveraging system or be further passed on as customer responsibilities. The flag binds the inherited control information with this control information.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Satisfied Control Implementation Responsibility Description

Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Component Control Implementation

Description Defines how the referenced component implements a set of controls.


Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

Constraints (5)

allowed value for link/@rel

The value may be locally defined, or the following:

  • imported-from: The hyperlink identifies a URI pointing to the component in a component-definition that originally described the component this component was based on.

allowed values for .//responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

is unique for set-parameter: any target value must be unique (i.e., occur only once)

allowed value for link/@rel

The value may be locally defined, or the following:

  • provided-by: A reference to the UUID of a control or statement by-component object that is used as evidence of implementation.

index has key for link[@rel='provided-by']this value must correspond to a listing in the index by-component-uuid using a key constructed of key field(s) @href

Properties (13)



Component Universally Unique Identifier Reference

Description A machine-oriented identifier reference to the component that is implemeting a given control.




By-Component Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.




Control Implementation Description

Description An implementation statement that describes how a control or a control statement is implemented within the referenced system component.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Set Parameter Value

Description Identifies the parameter that will be set by the enclosed value.

Properties (3)

Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

(array member)


[1 to ∞]

Parameter Value

Description A parameter value or set of values.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Indicates the degree to which the a given control is implemented.


The implementation-status is used to qualify the status value to indicate the degree to which the control is implemented.

Properties (3)

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Implementation State

Description Identifies the implementation status of the control or control objective.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • implemented: The control is fully implemented.
  • partial: The control is partially implemented.
  • planned: There is a plan for implementing the control as explained in the remarks.
  • alternative: There is an alternative implementation for this control as explained in the remarks.
  • not-applicable: This control does not apply to this system as justified in the remarks.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Provided Control Implementation

Description Describes a capability provided by a component of the leveraged system which may be inherited by a leveraging system.


The leveraged system's provided information could be used to document the leveraging system's inherited capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)



Provided Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Implementer UUID

Description A machine-oriented, globally unique identifier with cross-instance scope that is used to reference the party responsible for the implemented capability or control. An inheritable capability or control provided by a leveraged system can be inherited by a leveraging system and further provided to leveraging system's customers. The entity responsible for implementing the control is often rederred to as the “Control Originator”.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Provided Control Implementation Description

Description An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Control Implementation Responsibility

Description Describes a control implementation responsibility imposed on a leveraging system.


The leveraged system's responsibity information could be used to docuemnt the leveraged system's satisfied capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)



Responsibility Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Provided UUID

Description A machine-oriented identifier reference to an inheritable control implementation that a leveraging system may inherite from a leveraged system.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Control Implementation Responsibility Description

Description An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Inherited Control Implementation

Description Describes a control implementation inherited by a leveraging system.


The leveraged system's provided information could be used to document the leveraging system's inherited capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (8)



Inherited Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Provided UUID

Description A machine-oriented identifier reference to an inheritable control implementation that a leveraging system may inherite from a leveraged system.



[0 or 1]

Implementer UUID

Description A machine-oriented, globally unique identifier with cross-instance scope that is used to reference the party responsible for the implemented capability or control. An inheritable capability or control provided by a leveraged system can be inherited by a leveraging system and further provided to leveraging system's customers. The entity responsible for implementing the control is often rederred to as the “Control Originator”.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Inherited Control Implementation Description

Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Satisfied Control Implementation Responsibility

Description Describes how this system satisfies a responsibility imposed by a leveraged system.


The leveraged system's responsibity information could be used to docuemnt the leveraged system's satisfied capability.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Properties (9)



Satisfied Universally Unique Identifier

Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.



[0 or 1]

Responsibility UUID

Description A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.



[0 or 1]

Inherited UUID

Description A machine-oriented identifier reference to the control inherited by the leveraging system from the leveraged system. The satisfaction of the inherited control might depend on the responsibilities by the leveraging system and must be satisfied by either the leveraging system or be further passed on as customer responsibilities. The flag binds the inherited control information with this control information.

Description Indicates that the information is exportable for external consumption, such as with leveraged organizations, customer responsibility documentation, and shared security responsibility documentation.




Satisfied Control Implementation Responsibility Description

Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)




Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)

(global definition)

[1 to ∞]

Responsible Role

Description A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.


A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

Properties (5)



Responsible Role ID

Description A human-oriented identifier reference to a role performed.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)




Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)




Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.



[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.

(array member)


[0 to ∞]

Party Universally Unique Identifier Reference

Description Reference to a party by UUID.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

Description A collection of resources that may be referenced from within the OSCAL document instance.


Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

Constraint (1)

index for resource an index index-back-matter-resource shall list values returned by targets resource using keys constructed of key field(s) @uuid

Property (1)

(array member)


[1 to ∞]


Description A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.


A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource.

Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

When a resource includes a citation, then the title and citation properties must both be included.

Constraints (6)

allowed values for prop[has-oscal-namespace('')]/@name

The value must be one of the following:

  • type: Identifies the type of resource represented. The most specific appropriate type value SHOULD be used.
  • version: For resources representing a published document, this represents the version number of that document.
  • published: For resources representing a published document, this represents the publication date of that document.

matches for prop[has-oscal-namespace('') and @name='published']/@value: the target value must match the lexical form of the 'dateTime-with-timezone' data type.

allowed values for prop[has-oscal-namespace('') and @name='type']/@value

The value must be one of the following:

  • logo: Indicates the resource is an organization's logo.
  • image: Indicates the resource represents an image.
  • screen-shot: Indicates the resource represents an image of screen content.
  • law: Indicates the resource represents an applicable law.
  • regulation: Indicates the resource represents an applicable regulation.
  • standard: Indicates the resource represents an applicable standard.
  • external-guidance: Indicates the resource represents applicable guidance.
  • acronyms: Indicates the resource provides a list of relevant acronyms.
  • citation: Indicates the resource cites relevant information.
  • policy: Indicates the resource is a policy.
  • procedure: Indicates the resource is a procedure.
  • system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
  • users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
  • administrators-guide: Indicates the resource is guidance document a administrator's guide.
  • rules-of-behavior: Indicates the resource represents rules of behavior content.
  • plan: Indicates the resource represents a plan.
  • artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
  • evidence: Indicates the resource represents evidence, such as to support an assessment finding.
  • tool-output: Indicates the resource represents output from a tool.
  • raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
  • interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
  • questionnaire: Indicates the resource is a set of questions, possibly with responses.
  • report: Indicates the resource is a report.
  • agreement: Indicates the resource is a formal agreement between two or more parties.

has cardinality for rlink|base64 the cardinality of rlink|base64 is constrained: 1; maximum unbounded.

is unique for rlink: any target value must be unique (i.e., occur only once)

is unique for base64: any target value must be unique (i.e., occur only once)

Properties (9)




Resource Universally Unique Identifier

Description A unique identifier for a resource.



[0 or 1]

Resource Title

Description An optional name given to the resource, which may be used by a tool for display and navigation.



[0 or 1]

Resource Description

Description An optional short summary of the resource used to indicate the purpose of the resource.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

(array member)


[0 to ∞]

Document Identifier

Description A document identifier qualified by an identifier scheme.


A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

Properties (2)


[0 or 1]

Document Identification Scheme

Description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.


This value must be an absolute URI that serves as a naming system identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.



[0 or 1]


Description An optional citation consisting of end note text using structured markup.

Properties (3)

Description A line of citation text.



[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.


Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Constraint (1)

allowed value for .[has-oscal-namespace('')]/@name

The value must be one of the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Properties (7)



Property Name

Description A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.



[0 or 1]

Property Universally Unique Identifier

Description A unique identifier for a property.



[0 or 1]

Property Namespace

Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.


This value must be an absolute URI that serves as a naming system identifier.

When a ns is not provided, its value should be assumed to be and the name should be a name defined by the associated OSCAL model.




Property Value

Description Indicates the value of the attribute, characteristic, or quality.



[0 or 1]

Property Class

Description A textual label that provides a sub-type or characterization of the property's name.


This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.



[0 or 1]

Property Group

Description An identifier for relating distinct sets of properties.


Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.


[0 or 1]

(array member)

(global definition)

[1 to ∞]


Description A reference to a local or remote resource, that has a specific relation to the containing object.


To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (4)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

matches for @resource-fragment: a target (value) must match the regular expression '(?:[0-9a-zA-Z-._~/?!$&'()*+,;=:@]|%[0-9A-F][0-9A-F])+'.

Properties (5)



Hypertext Reference

Description A resolvable URL reference to a resource.


This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.


[0 or 1]

Link Relation Type

Description Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.



[0 or 1]

Resource Fragment

Description In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.

Description A textual label to associate with the link, which may be used for presentation in a tool.


[0 or 1]

(array member)


[1 to ∞]

Resource link

Description A URL-based pointer to an external resource with an optional hash for verification and change detection.


Multiple rlink objects can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure or format.

A media-type is used to identify the format of a given rlink, and can be used to differentiate items in a collection of rlinks. The media-type provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink.

Properties (3)



Hypertext Reference

Description A resolvable URL pointing to the referenced resource.


This value may be either:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.



[0 or 1]

(array member)


[0 to ∞]


Description A representation of a cryptographic digest generated over a resource using a specified hash algorithm.


The hash value can be used to confirm that the resource referenced by the href is the same resources that was hashed by retrieving the resource, calculating a hash, and comparing the result to this value.

Constraints (4)

matches for .[@algorithm=('SHA-224','SHA3-224')]: a target (value) must match the regular expression '^[0-9a-fA-F]{28}$'.

matches for .[@algorithm=('SHA-256','SHA3-256')]: a target (value) must match the regular expression '^[0-9a-fA-F]{32}$'.

matches for .[@algorithm=('SHA-384','SHA3-384')]: a target (value) must match the regular expression '^[0-9a-fA-F]{48}$'.

matches for .[@algorithm=('SHA-512','SHA3-512')]: a target (value) must match the regular expression '^[0-9a-fA-F]{64}$'.

Properties (2)

Description The digest method by which a hash is derived.


Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
  • SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
  • SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
  • SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
  • SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
  • SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
  • SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
  • SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.

Description A resource encoded using the Base64 alphabet defined by RFC 2045.

Properties (3)

Description Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.

Description A label that indicates the nature of a resource, as a data serialization or format.


The Internet Assigned Numbers Authority (IANA) Media Types Registry defines a standardized set of media types, which may be used here.

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

Description Additional commentary about the containing object.


The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

This page was last updated on January 1, 0001.