index for resource an index index-back-matter-resource shall list values returned by targets resource using keys constructed of key field(s) @uuid

is unique for incorporates-component: any target value must be unique (i.e., occur only once)

index for component an index index-system-component-uuid shall list values returned by targets component using keys constructed of key field(s) @uuid

is unique for capability: any target value must be unique (i.e., occur only once)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

allowed values for prop/@name

The value may be locally defined, or one of the following:

• version: The version of the component.
• patch-level: The specific patch level of the component.
• model: The model of the component.
• release-date: The date the component was released, such as a software release date or policy publication date.
• validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
• validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
• asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
• asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
• asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
• public: Identifies whether the asset is publicly accessible (yes/no)
• virtual: Identifies whether the asset is virtualized (yes/no)
• vlan-id: Virtual LAN identifier of the asset.
• network-id: The network identifier of the asset.
• label: A human-readable label for the parent context.
• sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
• baseline-configuration-name: The name of the baseline configuration for the asset.
• allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
• function: The function provided by the asset for the system.

allowed values for link/@rel

The value may be locally defined, or one of the following:

• depends-on: A reference to another component that this component has a dependency on.
• validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
• proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
• baseline-template: A reference to the baseline template used to configure the asset.
• uses-service: This service is used by the referenced component identifier.
• system-security-plan: A link to the system security plan of the external system.
• uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id|control-implementation/implemented-requirement/responsible-role/@role-id||control-implementation/implemented-requirement/statement/responsible-role/@role-id

The value may be locally defined, or one of the following:

• asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
• asset-administrator: Responsible for administering a set of assets.
• security-operations: Members of the security operations center (SOC).
• network-operations: Members of the network operations center (NOC).
• incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
• help-desk: Responsible for providing information and support to users.
• configuration-management: Responsible for the configuration management processes governing changes to the asset.
• maintainer: Responsible for the creation and maintenance of a component.
• provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

• operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
• database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
• web-server: A system that delivers content or services to end users over the Internet or an intranet.
• dns-server: A system that resolves domain names to internet protocol (IP) addresses.
• email-server: A computer system that sends and receives electronic mail messages.
• directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
• pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
• firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
• router: A physical or virtual networking device that forwards data packets between computer networks.
• switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
• storage-array: A consolidated, block-level data storage capability.
• appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for property[@name='allows-authenticated-scan']/@value

The value must be one of the following:

• yes: The component allows an authenticated scan.
• no: The component does not allow an authenticated scan.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

• yes: The component is virtualized.
• no: The component is not virtualized.

allowed values for prop[@name='public']/@value

The value must be one of the following:

• yes: The component is publicly accessible.
• no: The component is not publicly accessible.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

• inteneral: The component is implemented within the system boundary.
• external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

• software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

• provided-by: This service is provided by the referenced component identifier.
• used-by: This service is used by the referenced component identifier.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for statement: any target value must be unique (i.e., occur only once)

allowed values for prop/@name

The value may be locally defined, or one of the following:

• ipv4-address: The Internet Protocol v4 Address of the asset.
• ipv6-address: The Internet Protocol v6 Address of the asset.
• fqdn: The full-qualified domain name (FQDN) of the asset.
• uri: A Uniform Resource Identifier (URI) for the asset.
• serial-number: A serial number for the asset.
• netbios-name: The NetBIOS name for the asset.
• mac-address: The media access control (MAC) address for the asset.
• physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
• is-scanned: is the asset subjected to network scans? (yes/no)
• hardware-model: The model number of the hardware used by the asset.
• os-name: The name of the operating system used by the asset.
• os-version: The version of the operating system used by the asset.
• software-name: The software product name used by the asset.
• software-version: The software product version used by the asset.
• software-patch-level: The software product patch level used by the asset.
• asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
• asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
• asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
• public: Identifies whether the asset is publicly accessible (yes/no)
• virtual: Identifies whether the asset is virtualized (yes/no)
• vlan-id: Virtual LAN identifier of the asset.
• network-id: The network identifier of the asset.
• label: A human-readable label for the parent context.
• sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
• baseline-configuration-name: The name of the baseline configuration for the asset.
• allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
• function: The function provided by the asset for the system.

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

• operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
• database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
• web-server: A system that delivers content or services to end users over the Internet or an intranet.
• dns-server: A system that resolves domain names to internet protocol (IP) addresses.
• email-server: A computer system that sends and receives electronic mail messages.
• directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
• pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
• firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
• router: A physical or virtual networking device that forwards data packets between computer networks.
• switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
• storage-array: A consolidated, block-level data storage capability.
• appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

• vendor-name: The name of the company or organization

allowed values for prop[@name='is-scanned']/@value

The value must be one of the following:

• yes: The asset is included in periodic vulnerability scanning.
• no: The asset is not included in periodic vulnerability scanning.

allowed value for link/@rel

The value may be locally defined, or the following:

• baseline-template: A reference to the baseline template used to configure the asset.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

• asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
• asset-administrator: Responsible for administering a set of assets.
• security-operations: Members of the security operations center (SOC).
• network-operations: Members of the network operations center (NOC).
• incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
• help-desk: Responsible for providing information and support to users.
• configuration-management: Responsible for the configuration management processes governing changes to the asset.
• maintainer: Responsible for the creation and maintenance of a component.
• provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) @party-uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

matches for @href: the target value must match the lexical form of the 'uri-reference' data type.

index has keythis value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for @href: the target value must match the lexical form of the 'uri' data type.

allowed value for prop/@name

The value may be locally defined, or the following:

• type: Characterizes the kind of location.

allowed value for prop[@name='type']/@value

The value may be locally defined, or the following:

• data-center: A location that contains computing assets. A class can be used to indicate a subclass of data-center.

allowed values for prop[@name='type' and @value='data-center']/@class

The value may be locally defined, or one of the following:

• primary: The location is a data-center used for normal operations.
• alternate: The location is a data-center used for fail-over or backup operations.

index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id

is unique for document-id: any target value must be unique (i.e., occur only once)

is unique for prop: any target value must be unique (i.e., occur only once)

index for .//prop an index index-metadata-property-id shall list values returned by targets .//prop using keys constructed of key field(s) @id

is unique for link: any target value must be unique (i.e., occur only once)

index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id

index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid

index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid

index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

• prepared-by: Indicates the organization that created this content.
• prepared-for: Indicates the organization for which this content was created.
• content-approver: Indicates the organization responsible for all content represented in the "document".

allowed values for link/@rel

The value may be locally defined, or one of the following:

• canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
• alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
• latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
• predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
• successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.

allowed values for prop/@name

The value may be locally defined, or one of the following:

• label: A human-readable label for the parent context.
• sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.

allowed value for prop/@name

The value may be locally defined, or the following:

• method: The assessment method to use. This typically appears on parts with the name "assessment".

has cardinality for prop[@name='method'] the cardinality of prop[@name='method'] is constrained: 1; maximum unbounded.

allowed values for prop[@name='method']/@value

The value must be one of the following:

• INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
• EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
• TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

allowed values for prop/@name

The value must be one of the following:

• mail-stop: A mail stop associated with the party.
• office: The name or number of the party's office.
• job-title: The formal job title of a person.

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) value()

has cardinality for published|last-modified|version|link[@rel='canonical'] the cardinality of published|last-modified|version|link[@rel='canonical'] is constrained: 1; maximum unbounded.

allowed values for link/@rel

The value may be locally defined, or one of the following:

• canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
• alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
• predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
• successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

allowed values for prop/@name

The value may be locally defined, or one of the following:

• implementation-point: Relative placement of component ('internal' or 'external') to the system.
• leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
• inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
• asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
• asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
• asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
• public: Identifies whether the asset is publicly accessible (yes/no)
• virtual: Identifies whether the asset is virtualized (yes/no)
• vlan-id: Virtual LAN identifier of the asset.
• network-id: The network identifier of the asset.
• label: A human-readable label for the parent context.
• sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
• baseline-configuration-name: The name of the baseline configuration for the asset.
• allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
• function: The function provided by the asset for the system.
• version: The version of the component.
• patch-level: The specific patch level of the component.
• model: The model of the component.
• release-date: The date the component was released, such as a software release date or policy publication date.
• validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
• validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.

allowed values for link/@rel

The value may be locally defined, or one of the following:

• depends-on: A reference to another component that this component has a dependency on.
• validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
• proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
• baseline-template: A reference to the baseline template used to configure the asset.
• uses-service: This service is used by the referenced component identifier.
• system-security-plan: A link to the system security plan of the external system.
• uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

• asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
• asset-administrator: Responsible for administering a set of assets.
• security-operations: Members of the security operations center (SOC).
• network-operations: Members of the network operations center (NOC).
• incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
• help-desk: Responsible for providing information and support to users.
• configuration-management: Responsible for the configuration management processes governing changes to the asset.
• maintainer: Responsible for the creation and maintenance of a component.
• provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

• operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
• database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
• web-server: A system that delivers content or services to end users over the Internet or an intranet.
• dns-server: A system that resolves domain names to internet protocol (IP) addresses.
• email-server: A computer system that sends and receives electronic mail messages.
• directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
• pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
• firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
• router: A physical or virtual networking device that forwards data packets between computer networks.
• switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
• storage-array: A consolidated, block-level data storage capability.
• appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[@name='allows-authenticated-scan']/@value

The value must be one of the following:

• yes: The component allows an authenticated scan.
• no: The component does not allow an authenticated scan.

allowed values for prop[@name='public']/@value

The value must be one of the following:

• yes: The component is publicly accessible.
• no: The component is not publicly accessible.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

• yes: The component is virtualized.
• no: The component is not virtualized.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

• inteneral: The component is implemented within the system boundary.
• external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

• vendor-name: The name of the company or organization

allowed value for (.)[@type='validation']/link/@rel

The value may be locally defined, or the following:

• validation-details: A link to an online information provided by the authorizing body.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

• software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

• provided-by: This service is provided by the referenced component identifier.
• used-by: This service is used by the referenced component identifier.

allowed values for (.)[@type='interconnection']/prop/@name

The value may be locally defined, or one of the following:

• isa-title: Title of the Interconnection Security Agreement (ISA).
• isa-date: Date of the Interconnection Security Agreement (ISA).
• isa-remote-system-name: The name of the remote interconnected system.
• ipv4-address: An Internet Protocol Version 4 interconnection address
• ipv6-address: An Internet Protocol Version 6 interconnection address
• direction: An Internet Protocol Version 6 interconnection address

allowed values for prop[(@name=('ipv4-address','ipv6-address')]/@class

The value may be locally defined, or one of the following:

• local: The identified IP address is for this system.
• remote: The identified IP address is for the remote system to which this system is connected.

allowed value for (.)[@type='interconnection']/link/@rel

The value may be locally defined, or the following:

• isa-agreement: A link to the system interconnection agreement.

allowed values for (.)[@type='interconnection']/responsible-role/@role-id

The value may be locally defined, or one of the following:

• isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
• isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
• isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
• isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.

matches for prop[@name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.

matches for prop[@name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.

matches for prop[@name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.

allowed values for prop[@name='direction')]/@value

The value may be locally defined, or one of the following:

• incoming: Data from the remote system flows into this system.
• outgoing: Data from this system flows to the remote system.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

allowed values for prop/@name

The value may be locally defined, or one of the following:

• type: The type of user, such as internal, external, or general-public.
• privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.

allowed values for prop[@name='type']/@value

The value must be one of the following:

• internal: A user account for a person or entity that is part of the organization who owns or operates the system.
• external: A user account for a person or entity that is not part of the organization who owns or operates the system.
• general-public: A user of the system considered to be outside

allowed values for prop[@name='privilege-level']/@value

The value must be one of the following:

• privileged: This role has elevated access to the system, such as a group or system administrator.
• non-privileged: This role has typical user-level access to the system without elevated access.
• no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.

allowed values for role-id

The value may be locally defined, or one of the following:

• asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
• asset-administrator: Responsible for administering a set of assets.
• security-operations: Members of the security operations center (SOC).
• network-operations: Members of the network operations center (NOC).
• incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
• help-desk: Responsible for providing information and support to users.
• configuration-management: Responsible for the configuration management processes governing changes to the asset.