Complete v1.0.2 XML Metaschema Reference
The following is a reference for the XML element and attribute types derived from this model’s metaschema.
Short name oscal-complete
XML namespace http://csrc.nist.gov/ns/oscal/1.0
Remarks
This format represents a combination of all of the OSCAL models.
description Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.
Constraints (4)
allowed value for prop/@name
The value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
has cardinality for prop[@name='method']
the cardinality of prop[@name='method']
is constrained: 1; maximum unbounded.
allowed values for prop[@name='method']/@value
The value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8):
description The title for this included activity.
description A human-readable description of this included activity.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step
(in a series of steps) can be used to reference the data item locally or globally
(e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (7):
description The title for this step.
description A human-readable description of this step.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
This can be optionally used to define the set of controls and control objectives that are assessed by this step.
Remarks
Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.
use name related-controls
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.
Remarks
Since responsible-role
associates multiple party-uuid
entries with a single role-id
, each role-id must be referenced only once.
description Specifies contents to be added into controls, in resolution
Remarks
When no id-ref
is given, the addition is inserted into the control targeted by the alteration at
the start or end as indicated by position
. Only position
values of "starting" or "ending" are permitted when there is no id-ref
.
id-ref
, when given, should indicate, by its ID, an element inside the control to serve as
the anchor point for the addition. In this case, position
value may be any of the permitted values.
Constraint (1)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
Attributes (2):
description Where to add the new content with respect to the targeted element (beside it or inside it)
Constraint (1)
allowed values
The value must be one of the following:
- before: Preceding the id-ref target
- after: Following the id-ref target
- starting: Inside the control or id-ref target, at the start
- ending: Inside the control or id-ref target, at the end
description Target location of the addition.
Elements (5):
description A name given to the control, which may be used by a tool for display and navigation.
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
description A single line of an address.
description A postal address for the location.
Attribute (1):
use name type
Elements (5):
description City, town or geographical region for the mailing address.
description State, province or analogous geographical region for mailing address
description Postal or ZIP code for mailing address
description The ISO 3166-1 alpha-2 country code for the mailing address.
Constraint (1)
matches: a target (value) must match the regular expression '[A-Z](2)'.
description If the selected security level is different from the base security level, this contains the justification for the change.
description An Alter element specifies changes to be made to an included control when a profile is resolved.
Remarks
Use @control-id
to indicate the scope of alteration.
It is an error for two alter
elements to apply to the same control. In practice, multiple alterations can be applied
(together), but it creates confusion.
At present, no provision is made for altering many controls at once (for example, to systematically remove properties or add global properties); extending this element to match multiple control IDs could provide for this.
Attribute (1):
Elements (2):
Remarks
Use name-ref
, class-ref
, id-ref
or generic-identifier
to indicate class tokens or ID reference, or the formal name, of the component to
be removed or erased from a control, when a catalog is resolved. The control affected
is indicated by the pointer on the removal's parent (containing) alter
element.
To change an element, use remove
to remove the element, then add
to add it back again with changes.
Remarks
When no id-ref
is given, the addition is inserted into the control targeted by the alteration at
the start or end as indicated by position
. Only position
values of "starting" or "ending" are permitted when there is no id-ref
.
id-ref
, when given, should indicate, by its ID, an element inside the control to serve as
the anchor point for the addition. In this case, position
value may be any of the permitted values.
description Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
Constraint (1)
is unique for component
: any target value must be unique (i.e., occur only once)
Elements (2):
use name component
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.
The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.
description Used to represent the toolset used to perform aspects of the assessment.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or
other OSCAL instances. The locally defined UUID of the assessment platform
can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description The title or name for the assessment platform.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The set of components that are used by the assessment platform.
Constraint (1)
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented identifier reference to a component that is implemented as part of an inventory item.
Elements (4):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description A human-readable description of this assessment method.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
use name part
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
description An assessment plan, such as those provided by a FedRAMP assessor.
root name assessment-plan
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (9):
Remarks
Used by the SAP to import information about the system being assessed.
description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Constraints (2)
is unique for component
: any target value must be unique (i.e., occur only once)
is unique for user
: any target value must be unique (i.e., occur only once)
Elements (6):
use name component
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Used to add any components, not defined via the System Security Plan (AR->AP->SSP)
Remarks
Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)
use name user
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
Used to add any users, not defined via the System Security Plan (AR->AP->SSP)
use name objectives-and-methods
description Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.
Constraint (1)
allowed values for part/@name
The value must be one of the following:
- rules-of-engagement: Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment.
- disclosures: Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure.
- assessment-inclusions: Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment.
- assessment-exclusions: Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment.
- results-delivery: Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom.
- assumptions: Defines any supposition made by the assessor. Has child 'item' parts for each assumption.
- methodology: An explanation of practices, procedures, and rules used in the course of the assessment.
Elements (1):
use name part
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
root name assessment-results
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
Remarks
Used by the SAR to import information about the original plan for assessing the system.
description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Elements (3):
use name objectives-and-methods
use name activity
use name result
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Attribute (1):
description Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- component: The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
- inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
- location: The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results.
- party: The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results.
- user: The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results.
Elements (6):
description A human-readable description of the collection of subjects being included in this assessment.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This element provides an alternative to calling controls individually from a catalog.
use name include-subject
use name exclude-subject
description Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.
Attribute (1):
description A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or
an activity that is part of a task. The locally defined UUID of the assessment subject placeholder
can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description A human-readable description of intent of this assessment subject placeholder.
description Assessment subjects will be identified while conducting the referenced activity-instance.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment
activity to be performed as part of the event. The locally defined UUID of the task
can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
Constraint (1)
is unique for diagram
: any target value must be unique (i.e., occur only once)
Elements (5):
description A summary of the system's authorization boundary.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A diagram must include a link
with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
A visual depiction of the system's authorization boundary.
description Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
Elements (3):
description A human readable name for the privilege.
description A summary of the privilege's purpose within the system.
description A collection of resources, which may be included directly or by reference.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
Constraint (1)
index for resource
an index index-back-matter-resource
shall list values returned by targets resource
using keys constructed of key field(s) @uuid
Elements (1):
description A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.
Remarks
A resource can be used in two ways. 1) it may point to an specific retrievable network
resource using a rlink
, or 2) it may be included as an attachment using a base64
. A resource may contain multiple rlink
and base64
entries that represent alternative download locations (rlink) and attachments (base64)
for the same resource. Both rlink and base64 allow for a media-type
to be specified, which is used to distinguish between different representations of
the same resource (e.g., Microsoft Word, PDF). When multiple rlink
and base64
items are included for a given resource, all items must contain equivalent information.
This allows the document consumer to choose a preferred item to process based on a
the selected item's media-type
. This is extremely important when the items represent OSCAL content that is represented
in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed
from any of the available formats indicated by the items.
When a resource includes a citation, then the title
and citation
properties must both be included.
Constraints (6)
allowed values for prop/@name
The value must be one of the following:
- type: Identifies the type of resource represented.
- version: For resources representing a published document, this represents the version number of that document.
- published: For resources representing a published document, this represents the publication date of that document.
matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='published']/@value
: the target value must match the lexical form of the 'dateTime' data type.
allowed values for prop[@name='type']/@value
The value may be locally defined, or one of the following:
- logo: Indicates the resource is an organization's logo.
- image: Indicates the resource represents an image.
- screen-shot: Indicates the resource represents an image of screen content.
- law: Indicates the resource represents an applicable law.
- regulation: Indicates the resource represents an applicable regulation.
- standard: Indicates the resource represents an applicable standard.
- external-guidance: Indicates the resource represents applicable guidance.
- acronyms: Indicates the resource provides a list of relevant acronyms.
- citation: Indicates the resource cites relevant information.
- policy: Indicates the resource is a policy.
- procedure: Indicates the resource is a procedure.
- system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
- users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
- administrators-guide: Indicates the resource is guidance document a administrator's guide.
- rules-of-behavior: Indicates the resource represents rules of behavior content.
- plan: Indicates the resource represents a plan.
- artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
- evidence: Indicates the resource represents evidence, such as to support an assessment findiing.
- tool-output: Indicates the resource represents output from a tool.
- raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
- interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
- questionnaire: Indicates the resource is a set of questions, possibly with responses.
- report: Indicates the resource is a report.
- agreement: Indicates the resource is a formal agreement between two or more parties.
has cardinality for rlink|base64
the cardinality of rlink|base64
is constrained: 1; maximum unbounded.
is unique for rlink
: any target value must be unique (i.e., occur only once)
is unique for base64
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Elements (8):
description A name given to the resource, which may be used by a tool for display and navigation.
description A short summary of the resource used to indicate the purpose of the resource.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
description A citation consisting of end note text and optional structured bibliographic data.
Remarks
The text
is used to define the endnote text, without any required bibliographic structure.
If structured bibliographic data is needed, then the biblio
can be used for this purpose.
A biblio
can be used to capture a structured bibliographical citation in an appropriate format.
Elements (3):
description A line of citation text.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A pointer to an external resource with an optional hash for verification and change detection.
Remarks
This construct is different from link
, which makes no provision for a hash or formal title.
Multiple rlink
can be included for a resource. In such a case, all provided rlink
items are intended to be equivalent in content, but may differ in structure. A media-type
is used to identify the format of a given rlink, and can be used to differentiate
a items in a collection of rlinks. The media-type
also provides a hint to the OSCAL document consumer about the structure of the resource
referenced by the rlink
.
Attributes (2):
description A resolvable URI reference to a resource.
Elements (1):
Remarks
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
When appearing as part of a resource/rlink
, the hash applies to the resource referenced by the href
.
description The Base64 alphabet in RFC 2045 - aligned with XSD.
Attributes (2):
description Name of the file before it was encoded as Base64 to be embedded in a resource
. This is the name that will be assigned to the file when the file is decoded.
description The prescribed base (Confidentiality, Integrity, or Availability) security impact level.
description Defines how the referenced component implements a set of controls.
Constraints (2)
allowed values for .//responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented identifier reference to the component
that is implemeting a given control.
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component
entry can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (10):
description An implementation statement that describes how a control or a control statement is implemented within the referenced system component.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
The implementation-status
is used to qualify the status
value to indicate the degree to which the control is implemented.
description Identifies content intended for external consumption, such as with leveraged organizations.
Constraints (2)
has cardinality for provided|responsibility
the cardinality of provided|responsibility
is constrained: 1; maximum unbounded.
index has key for responsibility
this value must correspond to a listing in the index by-component-export-provided-uuid
using a key constructed of key field(s) @provided-uuid
Elements (6):
description An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes a capability which may be inherited by a leveraging system.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided
entry can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes a control implementation responsibility imposed on a leveraging system.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.
description Describes a control implementation inherited by a leveraging system.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (4):
description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes how this system satisfies a responsibility imposed by a leveraged system.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere
in this or other OSCAL instances. The locally defined UUID of the control implementation
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description
[1]
Satisfied Control Implementation Responsibility Description
description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A grouping of other components and/or capabilities.
Constraint (1)
is unique for incorporates-component
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description The capability's human-readable name.
Elements (6):
description A summary of the capability.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Use of set-parameter
in this context, sets the parameter for all related controls referenced in an implemented-requirement
. If the same parameter is also set in a specific implemented-requirement
, then the new value will override this value.
description A collection of controls.
root name catalog
Remarks
Catalogs may use one or more group
objects to subdivide the control contents of a catalog.
An OSCAL catalog model provides a structured representation of control information.
Constraints (2)
allowed value for metadata/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- resolution-tool: The tool used to produce a resolved profile.
allowed value for metadata/link/@rel
The value must be one of the following:
- source-profile: The tool used to produce a resolved profile.
Attribute (1):
description A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised.
Elements (5):
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
Remarks
Controls may be grouped using group
, and controls may be partitioned using part
or further enhanced (extended) using control
.
A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
Remarks
Catalogs can use a group
to collect related controls into a single grouping. That can be useful to group controls
into a family or other logical grouping.
A group
may have its own properties, statements, parameters, and references, which are inherited
by all members of that group.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
Back matter including references and resources.
description A collection of descriptive data about the containing object from a specific origin.
Elements (4):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
metadata about the specific actor that generated this descriptive data.
description An individual characteristic that is part of a larger set produced by the same actor.
Constraints (30)
allowed value for prop/@name
The value must be one of the following:
- state: Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).
allowed values for prop[@name='risk-state']/@value
The value may be locally defined, or one of the following:
- initial: As first identified.
- adjusted: Indicates that residual risk remains after some adjustments have been made.
allowed values for (.)[@system='http://csrc.nist.gov/oscal']/@name
The value may be locally defined, or one of the following:
- likelihood: General likelihood rating.
- impact: General impact rating.
- risk: General risk rating.
- severity: General severity rating.
allowed values for (.)[@system='http://fedramp.gov']/@name
The value may be locally defined, or one of the following:
- likelihood: Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
- impact: Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
- risk: Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states.
allowed value for (.)[@system='http://cve.mitre.org']/@name
The value must be one of the following:
- cve-id: An identifier managed by the CVE program (see https://cve.mitre.org/).
allowed values for (.)[@system='http://www.first.org/cvss/v2.0']/@name
The value must be one of the following:
- access-vector: Base: Access Vector
- access-complexity: Base: Access Complexity
- authentication: Base: Authentication
- confidentiality-impact: Base: Confidentiality Impact
- integrity-impact: Base: Integrity Impact
- availability-impact: Base: Availability Impact
- exploitability: Temporal: Exploitability
- remediation-level: Temporal: Remediation Level
- report-confidence: Temporal: Report Confidence
- collateral-damage-potential: Environmental: Collateral Damage Potential
- target-distribution: Environmental: Target Distribution
- confidentiality-requirement: Environmental: Confidentiality Requirement
- integrity-requirement: Environmental: Integrity Requirement
- availability-requirement: Environmental: Availability Requirement
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-vector']/@value
The value must be one of the following:
- local: Local
- adjacent-network: Network Adjacent
- network: Network
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='access-complexity']/@value
The value must be one of the following:
- high: High
- medium: Medium
- low: Low
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='authentication']/@value
The value must be one of the following:
- multiple: Multiple
- single: Single
- none: None
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('confidentiality-impact',
'integrity-impact', 'availability-impact')]/@value
The value must be one of the following:
- none: None
- partial: Partial
- complete: Complete
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='exploitability']/@value
The value must be one of the following:
- unproven: Unproven
- proof-of-concept: Proof-of-Concept
- functional: Functional
- high: High
- not-defined: Not Defined
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='remediation-level']/@value
The value must be one of the following:
- official-fix: Official Fix
- temporary-fix: Temporary Fix
- workaround: Workaround
- unavailable: Unavailable
- not-defined: Not Defined
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='report-confidence']/@value
The value must be one of the following:
- unconfirmed: Unconfirmed
- uncorroborated: Uncorroborated
- confirmed: Confirmed
- not-defined: Not Defined
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name='collateral-damage-potential']/@value
The value must be one of the following:
- none: None
- low: Low (light loss)
- low-medium: Low Medium
- medium-high: Medium High
- high: High (catastrophic loss)
- not-defined: Not Defined
allowed values for (.)[@system='http://www.first.org/cvss/v2.0' and @name=('target-distribution', 'confidentiality-requirement',
'integrity-requirement', 'availability-requirement')]/@value
The value must be one of the following:
- none
- low
- medium
- high
- not-defined
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name
The value must be one of the following:
- attack-vector: Base: Attack Vector
- access-complexity: Base: Attack Complexity
- privileges-required: Base: Privileges Required
- user-interaction: Base: User Interaction
- scope: Base: Scope
- confidentiality-impact: Base: Confidentiality Impact
- integrity-impact: Base: Integrity Impact
- availability-impact: Base: Availability Impact
- exploit-code-maturity: Temporal: Exploit Code Maturity
- remediation-level: Temporal: Remediation Level
- report-confidence: Temporal: Report Confidence
- modified-attack-vector: Environmental: Modified Attack Vector
- modified-attack-complexity: Environmental: Modified Attack Complexity
- modified-privileges-required: Environmental: Modified Privileges Required
- modified-user-interaction: Environmental: Modified User Interaction
- modified-scope: Environmental: Modified Scope
- modified-confidentiality: Environmental: Modified Confidentiality
- modified-integrity: Environmental: Modified Integrity
- modified-availability: Environmental: Modified Availability
- confidentiality-requirement: Environmental: Confidentiality Requirement Modifier
- integrity-requirement: Environmental: Integrity Requirement Modifier
- availability-requirement: Environmental: Availability Requirement Modifier
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='access-vector']/@value
The value must be one of the following:
- network: Network
- adjacent: Adjacent
- local: Local
- physical: Physical
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='access-complexity']/@value
The value must be one of the following:
- high: High
- low: Low
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value
The value must be one of the following:
- none: None
- low: Low
- high: High
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='user-interaction']/@value
The value must be one of the following:
- none: None
- required: Required
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='scope']/@value
The value must be one of the following:
- unchanged: Unchanged
- changed: Changed
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='exploit-code-maturity']/@value
The value must be one of the following:
- not-defined: Not Defined
- unproven: Unproven
- proof-of-concept: Proof-of-Concept
- functional: Functional
- high: High
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='remediation-level']/@value
The value must be one of the following:
- not-defined: Not Defined
- official-fix: Official Fix
- temporary-fix: Temporary Fix
- workaround: Workaround
- unavailable: Unavailable
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='report-confidence']/@value
The value must be one of the following:
- not-defined: Not Defined
- unknown: Unknown
- reasonable: Reasonable
- confirmed: Confirmed
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name=('confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value
The value must be one of the following:
- not-defined: Not Defined
- low: Low
- medium: Medium
- high: High
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='modified-attack-vector']/@value
The value must be one of the following:
- not-defined: Not Defined
- network: Network
- adjacent: Adjacent
- local: Local
- physical: Physical
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='modified-attack-complexity']/@value
The value must be one of the following:
- not-defined: Not Defined
- high: High
- low: Low
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name=('modified-privileges-required', 'modified-confidentiality', 'modified-integrity',
'modified-availability')]/@value
The value must be one of the following:
- not-defined: Not Defined
- none: None
- low: Low
- high: High
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='modified-user-interaction']/@value
The value must be one of the following:
- not-defined: Not Defined
- none: None
- required: Required
allowed values for (.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and
@name='modified-scope']/@value
The value must be one of the following:
- not-defined: Not Defined
- unchanged: Unchanged
- changed: Changed
Attributes (3):
description The name of the risk metric within the specified system.
description Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- http://fedramp.gov
- http://csrc.nist.gov/ns/oscal
- http://csrc.nist.gov/ns/oscal/unknown: The facet is from an unknown taxonomy. The meaning of the name is tool or organization specific.
- http://cve.mitre.org
- http://www.first.org/cvss/v2.0
- http://www.first.org/cvss/v3.0
- http://www.first.org/cvss/v3.1
description Indicates the value of the facet.
Elements (3):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A collection of component descriptions, which may optionally be grouped by capability.
root name component-definition
Constraints (2)
index for component
an index index-system-component-uuid
shall list values returned by targets component
using keys constructed of key field(s) @uuid
is unique for capability
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
use name component
Remarks
Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
A group of components may be aggregated into a capability
. For example, an account management capability that consists of an account management
process, and a Lightweight Directory Access Protocol (LDAP) software implementation.
Capabilities are expressed by combining one or more components.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
Remarks
Controls may be grouped using group
, and controls may be partitioned using part
or further enhanced (extended) using control
.
A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
Constraints (10)
allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
- status: The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used.
allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value
The value must be one of the following:
- withdrawn: The control is no longer used.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- reference: The link cites an external resource related to this control.
- related: The link identifies another control with bearing to this control.
- required: The link identifies another control that must be present if this control is present.
- incorporated-into: The link identifies other control content where this control content is now addressed.
- moved-to: The containing control definition was moved to the referenced control.
allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- overview: An introduction to a control or a group of controls.
- statement: A set of control implementation requirements.
- guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
- assessment: **(deprecated)** Use 'assessment-method' instead.
- assessment-method: The part describes a method-based assessment over a set of assessment objects.
allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- item: An individual item within a control statement. Nested statement parts are "item" parts.
allowed values for .//part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- objective: **(deprecated)** Use 'assessment-objective' instead.
- assessment-objective: The part describes a set of assessment objectives. Objectives can be nested.
allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- objects: **(deprecated)** Use 'assessment-objects' instead.
- assessment-objects: Provides a listing of assessment objects. Assessment objects appear on assessment methods.
allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- method: **(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment".
allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name
The value must be one of the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf'))
and @name='method']/@value
The value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (2):
description A human-oriented, locally unique identifier with instance scope that can be used to reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same control across revisions of the document.
description A textual label that provides a sub-type or characterization of the control.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
A class
can also be used in an OSCAL profile as a means to target an alteration to control
content.
Elements (6):
description A name given to the control, which may be used by a tool for display and navigation.
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
Controls may be grouped using group
, and controls may be partitioned using part
or further enhanced (extended) using control
.
A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
description A human-oriented identifier reference to a control with a corresponding id
value. When referencing an externally defined control
, the Control Identifier Reference
must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).
description Defines how the component or capability supports a set of controls.
Remarks
Use of set-parameter
in this context, sets the parameter for all related controls referenced in an implemented-requirement
. If the same parameter is also set in a specific implemented-requirement
, then the new value will override this value.
Constraint (1)
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Remarks
A URL reference to the source catalog or profile for which this component is implementing controls for.
Elements (5):
description A description of how the specified set of controls are implemented for the containing component or capability.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes how the system satisfies a set of controls.
Remarks
Use of set-parameter
in this context, sets the parameter for all related controls referenced in an implemented-requirement
. If the same parameter is also set in a specific implemented-requirement
, then the new value will override this value.
Constraints (2)
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
index for implemented-requirement/by-component/export/provided
an index by-component-export-provided-uuid
shall list values returned by targets implemented-requirement/by-component/export/provided
using keys constructed of key field(s) @uuid
Elements (3):
description A statement describing important things to know about how this set of control satisfaction documentation is approached.
description A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
Constraint (1)
is unique for diagram
: any target value must be unique (i.e., occur only once)
Elements (5):
description A summary of the system's data flow.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A diagram must include a link
with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
description The date the system received its authorization.
description A defined component that can be part of an implemented system.
Remarks
Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
A group of components may be aggregated into a capability
. For example, an account management capability that consists of an account management
process, and a Lightweight Directory Access Protocol (LDAP) software implementation.
Capabilities are expressed by combining one or more components.
Constraints (14)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- depends-on: A reference to another component that this component has a dependency on.
- validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
- proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
- baseline-template: A reference to the baseline template used to configure the asset.
- uses-service: This service is used by the referenced component identifier.
- system-security-plan: A link to the system security plan of the external system.
- uses-network: This component uses the network provided by the identified network component.
allowed values for responsible-role/@role-id|control-implementation/implemented-requirement/responsible-role/@role-id|control-implementation/implemented-requirement/statement/responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
allowed values for prop[@name='asset-type']/@value
The value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed values for prop[@name='allows-authenticated-scan']/@value
The value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
allowed values for prop[@name='virtual']/@value
The value must be one of the following:
- yes: The component is virtualized.
- no: The component is not virtualized.
allowed values for prop[@name='public']/@value
The value must be one of the following:
- yes: The component is publicly accessible.
- no: The component is not publicly accessible.
allowed values for prop[@name='implementation-point']/@value
The value must be one of the following:
- internal: The component is implemented within the system boundary.
- external: The component is implemented outside the system boundary.
index has key for prop[@name='physical-location']
this value must correspond to a listing in the index index-metadata-location-uuid
using a key constructed of key field(s) @value
matches for prop[@name='inherited-uuid']/@value
: the target value must match the lexical form of the 'uuid' data type.
matches for prop[@name='release-date']/@value
: the target value must match the lexical form of the 'date' data type.
allowed value for (.)[@type='software']/prop/@name
The value may be locally defined, or the following:
- software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.
allowed values for (.)[@type='service']/link/@rel
The value may be locally defined, or one of the following:
- provided-by: This service is provided by the referenced component identifier.
- used-by: This service is used by the referenced component identifier.
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
use name type
Elements (9):
description A human readable name for the component.
description A description of the component, including information about its function.
description A summary of the technological or business purpose of the component.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Used for service
components to define the protocols supported by the service.
Remarks
Use of set-parameter
in this context, sets the parameter for all related controls referenced in an implemented-requirement
. If the same parameter is also set in a specific implemented-requirement
, then the new value will override this value.
description A category describing the purpose of the component.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- interconnection: A connection to something outside this system.
- software: Any software, operating system, or firmware.
- hardware: A physical device.
- service: A service that may provide APIs.
- policy: An enforceable policy.
- physical: A tangible asset used to provide physical protections or countermeasures.
- process-procedure: A list of steps or actions to take to achieve some end result.
- plan: An applicable plan.
- guidance: Any guideline or recommendation.
- standard: Any organizational or industry standard.
- validation: An external assessment performed on some other component, that has been validated by a third-party.
description A graphic that provides a visual representation the system, or some aspect of it.
Remarks
A diagram must include a link
with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- diagram: A reference to the diagram image.
matches for link[@rel='diagram']/@href[starts-with(.,'#')]
: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='diagram' and starts-with(@href,'#')]
this value must correspond to a listing in the index index-back-matter-resource
using a key constructed of key field(s) @href
matches for link[@rel='diagram']/@href[not(starts-with(.,'#'))]
: the target value must match the lexical form of the 'uri' data type.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5):
description A summary of the diagram.
Remarks
This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A brief caption to annotate the diagram.
description A document identifier qualified by an identifier scheme
. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions
of the same document. If this element does not appear, or if the value of this element
is empty, the value of "document-id" is equal to the value of the "uuid" flag of the
top-level root element.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
Attribute (1):
description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- https://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.
description An email address as defined by RFC 5322 Section 3.4.1.
description Describes an individual finding.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (10):
description The title for this finding.
description A human-readable description of this finding.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Used to identify the individual and/or tool generated this finding.
use name target
description A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.
description Relates the finding to a set of referenced observations that were used to determine the finding.
Attribute (1):
description A machine-oriented identifier reference to an observation defined in the list of observations.
description Relates the finding to a set of referenced risks that were used to determine the finding.
Attribute (1):
description A machine-oriented identifier reference to a risk defined in the list of risks.
description Captures an assessor's conclusions regarding the degree to which an objective is satisfied.
Attributes (2):
description Identifies the type of the target.
Remarks
The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.
Constraint (1)
allowed values
The value must be one of the following:
- statement-id: A reference to a control statement identifier within a control.
- objective-id: A reference to a control objective identifier within a control.
description A machine-oriented identifier reference for a specific target qualified by the type
.
Elements (7):
description The title for this objective status.
description A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A determination of if the objective is satisfied or not within a given system.
Attributes (2):
description An indication as to whether the objective is satisfied or not.
Constraint (1)
allowed values
The value must be one of the following:
- satisfied: The objective has been completely satisfied.
- not-satisfied: The objective has not been completely satisfied, but may be partially satisfied.
description The reason the objective was given it's status.
Remarks
Reason may contain any value, and should be used to communicate additional information regarding the status.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- pass: The target system or system component satisfied all the conditions.
- fail: The target system or system component did not satisfy all the conditions.
- other: Some other event took place that is not a pass or a fail.
Elements (1):
Remarks
The implementation-status
is used to qualify the status
value to indicate the degree to which the control was found to be implemented.
description Describes a function performed for a given authorized privilege by this user class.
description A group of controls, or of groups of controls.
Remarks
Catalogs can use a group
to collect related controls into a single grouping. That can be useful to group controls
into a family or other logical grouping.
A group
may have its own properties, statements, parameters, and references, which are inherited
by all members of that group.
Constraints (2)
allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
allowed value for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- overview: An introduction to a control or a group of controls.
Attributes (2):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document.
description A textual label that provides a sub-type or characterization of the group.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
A class
can also be used in an OSCAL profile as a means to target an alteration to control
content.
Elements (6):
description A name given to the group, which may be used by a tool for display and navigation.
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
Catalogs can use a group
to collect related controls into a single grouping. That can be useful to group controls
into a family or other logical grouping.
A group
may have its own properties, statements, parameters, and references, which are inherited
by all members of that group.
Remarks
Controls may be grouped using group
, and controls may be partitioned using part
or further enhanced (extended) using control
.
A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
description A group of (selected) controls or of groups of controls
Remarks
This construct mirrors the same construct that exists in an OSCAL catalog.
Attributes (2):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document.
description A textual label that provides a sub-type or characterization of the group.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
A class
can also be used in an OSCAL profile as a means to target an alteration to control
content.
Elements (6):
description A name given to the group, which may be used by a tool for display and navigation.
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
This construct mirrors the same construct that exists in an OSCAL catalog.
Remarks
To be schema-valid, this element must contain either (but not both) a single include-all
directive, or a sequence of include-controls
directives.
If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.
description A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
Remarks
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
Attribute (1):
description Method by which a hash is derived
Remarks
Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
- SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
- SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
- SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
- SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
- SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
- SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
- SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.
description Indicates the degree to which the a given control is implemented.
Attribute (1):
description Identifies the implementation status of the control or control objective.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- implemented: The control is fully implemented.
- partial: The control is partially implemented.
- planned: There is a plan for implementing the control as explained in the remarks.
- alternative: There is an alternative implementation for this control as explained in the remarks.
- not-applicable: This control does not apply to this system as justified in the remarks.
Elements (1):
description Describes how the containing component or capability implements an individual control.
Constraints (3)
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
is unique for statement
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in
this or other OSCAL instances. The locally defined UUID of the control implementation
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (7):
description A description of how the specified control is implemented for the containing component or capability.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes how the system satisfies an individual control.
Constraints (11)
allowed value for prop/@name
The value may be locally defined, or the following:
- control-origination: Identifies the source of the implemented control.
allowed values for prop[@name='control-origination']/@value
The value must be one of the following:
- organization: The control is implemented by the organization owning the system, but is not specific to the system itself.
- system-specific: The control is implemented specifically to this system.
- customer-configured: The control is provided by the system, but must be configured by the customer.
- customer-provided: The control must be implemented by the customer.
- inherited: This control is inherited from an underlying system.
allowed value for prop/@name
The value may be locally defined, or the following:
- leveraged-authorization: Indicates all or some portion of this control is inherited from an underlying authorized system.
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
index has key for responsible-role|statement/responsible-role|.//by-component//responsible-role
this value must correspond to a listing in the index index-metadata-role-id
using a key constructed of key field(s) @role-id
index has key for responsible-role|statement/responsible-role|.//by-component//responsible-role
this value must correspond to a listing in the index index-metadata-party-uuid
using a key constructed of key field(s) party-uuid
has cardinality for .//by-component
the cardinality of .//by-component
is constrained: 1; maximum unbounded.
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
is unique for statement
: any target value must be unique (i.e., occur only once)
is unique for by-component
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (7):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The import
designates a catalog or profile to be included (referenced and potentially modified)
by this profile. The import also identifies which controls to select using the include-all
, include-controls
, and exclude-controls
directives.
Remarks
A profile must be based on an existing OSCAL catalog or another OSCAL profile. An
import
indicates such a source whose controls are to be included (referenced and modified)
in a profile. This source will either be a catalog whose controls are given (by value
), or a profile with its own control imports.
The contents of the import
element indicate which controls from the source will be included. Controls from the
source catalog or profile may be either selected, using the include-all
or include-controls
directives, or de-selected (using an exclude-controls
directive).
Attribute (1):
description A resolvable URL reference to the base catalog or profile that this profile is tailoring.
Remarks
The value of the href
can be an internet resource, or an internal reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references the uuid
value of a resource
in the document's back-matter
.
If an internet resource is used, the href
value will be an absolute or relative URL pointing to the location of the referenced
resource. A relative URL will be resolved relative to the location of the document
containing the link.
Elements (2):
Remarks
This element provides an alternative to calling controls individually from a catalog.
Identifies that all controls are to be included from the imported catalog or profile.
use name include-controls
Remarks
If with-child-controls
is yes
on the call to a control, no sibling call
elements need to be used to call any controls appearing within it. Since generally,
this is how control enhancements are represented (as controls within controls), this
provides a way to include controls with all their dependent controls (enhancements)
without having to call them individually.
Identifies a subset of controls to import from the referenced catalog or profile by control identifier or match pattern.
use name exclude-controls
Remarks
If with-child-controls
is yes
on the call to a control, no sibling call
elements need to be used to call any controls appearing within it. Since generally,
this is how control enhancements are represented (as controls within controls), this
provides a way to include controls with all their dependent controls (enhancements)
without having to call them individually.
Identifies which controls to exclude, or eliminate, from the set of included controls by control identifier or match pattern.
description Used by assessment-results to import information about the original plan for assessing the system.
Attribute (1):
description A resolvable URL reference to the assessment plan governing the assessment activities.
Remarks
The value of the href
can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource
in the document's back-matter
or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href
value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Elements (1):
description Loads a component definition from another resource.
Attribute (1):
description A link to a resource that defines a set of components and/or capabilities to import into this collection.
description Used to import the OSCAL profile representing the system's control baseline.
Attribute (1):
description A resolvable URL reference to the profile to use as the system's control baseline.
Remarks
The value of the href
can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource
in the document's back-matter
or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href
value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Elements (1):
description Used by the assessment plan and POA&M to import information about the system.
Attribute (1):
description A resolvable URL reference to the system security plan for the system being assessed.
Remarks
The value of the href
can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource
in the document's back-matter
or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href
value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Elements (1):
description Include all controls from the imported catalog or profile resources.
Remarks
This element provides an alternative to calling controls individually from a catalog.
description TBD
Attribute (1):
description A machine-oriented identifier reference to a component
.
Elements (1):
description A description of the component, including information about its function.
description Specifies which controls to use in the containing context.
Remarks
To be schema-valid, this element must contain either (but not both) a single include-all
directive, or a sequence of include-controls
directives.
If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.
Attribute (1):
description A designation of how a selection of controls in a profile is to be ordered.
Constraint (1)
allowed values
The value must be one of the following:
- keep
- ascending
- descending
Elements (2):
Remarks
This element provides an alternative to calling controls individually from a catalog.
use name include-controls
Remarks
If with-child-controls
is yes
on the call to a control, no sibling call
elements need to be used to call any controls appearing within it. Since generally,
this is how control enhancements are represented (as controls within controls), this
provides a way to include controls with all their dependent controls (enhancements)
without having to call them individually.
use name exclude-controls
Remarks
If with-child-controls
is yes
on the call to a control, no sibling call
elements need to be used to call any controls appearing within it. Since generally,
this is how control enhancements are represented (as controls within controls), this
provides a way to include controls with all their dependent controls (enhancements)
without having to call them individually.
Identifies which controls to exclude, or eliminate, from the set of matching includes.
description A single managed inventory item within the system.
Constraints (9)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- uri: A Uniform Resource Identifier (URI) for the asset.
- serial-number: A serial number for the asset.
- netbios-name: The NetBIOS name for the asset.
- mac-address: The media access control (MAC) address for the asset.
- physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
- is-scanned: is the asset subjected to network scans? (yes/no)
- hardware-model: The model number of the hardware used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
allowed values for prop[@name='asset-type']/@value
The value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name
The value may be locally defined, or the following:
- vendor-name: The name of the company or organization
allowed values for prop[@name='is-scanned']/@value
The value must be one of the following:
- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
allowed value for link/@rel
The value may be locally defined, or the following:
- baseline-template: A reference to the baseline template used to configure the asset.
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
index has key for responsible-party
this value must correspond to a listing in the index index-metadata-role-id
using a key constructed of key field(s) @role-id
index has key for responsible-party
this value must correspond to a listing in the index index-metadata-party-uuid
using a key constructed of key field(s) party-uuid
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6):
description A summary of the inventory item stating its purpose within the system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The set of components that are implemented in a given system inventory item.
Constraints (4)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
has cardinality for prop[@name='asset-id']
the cardinality of prop[@name='asset-id']
is constrained: 1; maximum unbounded.
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented identifier reference to a component
that is implemented as part of an inventory item.
Elements (4):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This construct is used to either: 1) associate a party or parties to a role defined
on the component using the responsible-role
construct, or 2) to define a party or parties that are responsible for a role defined
within the context of the containing inventory-item
.
description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the last-modified
value should indicate the modification time of the OSCAL document, not the source
material.
A publisher of OSCAL content can use this data point along with its siblings published
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href
: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]
this value must correspond to a listing in the index index-back-matter-resource
using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href
: the target value must match the lexical form of the 'uri' data type.
Attributes (3):
description A resolvable URL reference to a resource.
Remarks
The value of the href
can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource
in the document's back-matter
or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href
value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Remarks
The media-type
provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Elements (1):
description A textual label to associate with the link, which may be used for presentation in a tool.
description Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.
Constraint (1)
is unique for component
: any target value must be unique (i.e., occur only once)
Elements (3):
use name component
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Used to add any components, not defined via the System Security Plan (AR->AP->SSP)
Remarks
Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)
description A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.
Constraints (5)
allowed values for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]
The value must be one of the following:
- objective: **(deprecated)** Use 'assessment-objective' instead.
- assessment: **(deprecated)** Use 'assessment-method' instead
- assessment-objective: The part defines an assessment objective.
- assessment-method: The part defines an assessment method.
has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]
the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]
is constrained: 0; maximum 1.
has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf'))
and @name='method']
the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf'))
and @name='method']
is constrained: 1; maximum 1.
has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')
and @name=('objects','assessment-objects')]
the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')
and @name=('objects','assessment-objects')]
is constrained: 1; maximum 1.
has cardinality for part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')
and @name='method-id']
the cardinality of part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')
and @name='method-id']
is constrained: 1; maximum unbounded.
Attribute (1):
Remarks
The specified control-id
must be a valid value within the baseline identified by the target system's SSP via
the import-profile
statement.
Elements (5):
description A human-readable description of this control objective.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
description A location, with associated metadata that can be referenced.
Constraints (3)
allowed value for prop/@name
The value may be locally defined, or the following:
- type: Characterizes the kind of location.
allowed value for prop[@name='type']/@value
The value may be locally defined, or the following:
- data-center: A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate.
allowed values for prop[@name='type' and @value='data-center']/@class
The value may be locally defined, or one of the following:
- primary: The location is a data-center used for normal operations.
- alternate: The location is a data-center used for fail-over or backup operations.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location
can be used to reference the data item locally or globally (e.g., from an importing
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8):
description A name given to the location, which may be used by a tool for display and navigation.
Remarks
Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.
Remarks
This is a contact email associated with the location.
Remarks
A phone number used to contact the location.
description The uniform resource locator (URL) for a web site or Internet presence associated with the location.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Indicates the type of address.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home address.
- work: A work address.
description A machine-oriented identifier reference to a location
defined in the metadata
section of this or another OSCAL instance. The UUID of the location
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-location-uuid
using a key constructed of key field(s) .
description A machine-oriented identifier reference to a location
defined in the metadata
section of this or another OSCAL instance. The UUID of the location
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-location-uuid
using a key constructed of key field(s) .
description Used to indicate who created a log entry in what role.
Attributes (2):
description A machine-oriented identifier reference to the party who is making the log entry.
description A point to the role-id of the role in which the party is making the log entry.
description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
description A Merge element provides structuring directives that drive how controls are organized after resolution.
Remarks
The contents of the merge
element may be used to reorder
or restructure
controls by indicating an order and/or structure in resolution.
Implicitly, a merge
element is also a filter: controls that are included in a profile, but not included
(implicitly or explicitly) in the scope of a merge
element, will not be merged into (will be dropped) in the resulting resolution.
Elements (2):
description A Combine element defines how to combine multiple (competing) versions of the same control.
Remarks
Whenever combining controls from multiple (import) pathways, an issue arises of what to do with clashing invocations (multiple competing versions of a control).
This setting permits a profile designer to apply a rule for the resolution of such cases. In a well-designed profile (e.g. one that uses mapping), such collisions would ordinarily be avoided, but this setting can be useful for defining what to do when it occurs.
If no combine
element appears, it is considered equivalent to providing a combine
element with a method
of value keep
.
Attribute (1):
description How clashing controls should be handled
Constraint (1)
allowed values
The value must be one of the following:
- use-first: Use the first definition - the first control with a given ID is used; subsequent ones are discarded
- merge: **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined
- keep: Keep - controls with the same ID are kept, retaining the clash
description Use the flat structuring method.
description An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes.
description A Custom element frames a structure for embedding represented controls in resolution.
Remarks
The custom
element represents a custom arrangement or organization of controls in the resolution
of a catalog.
While the as-is
element provides for a restitution of a control set's organization (in one or more
source catalogs), this element permits the definition of an entirely different structure.
Elements (2):
Remarks
This construct mirrors the same construct that exists in an OSCAL catalog.
Remarks
To be schema-valid, this element must contain either (but not both) a single include-all
directive, or a sequence of include-controls
directives.
If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.
description Provides information about the publication and availability of the containing document.
Constraints (13)
index for role
an index index-metadata-role-ids
shall list values returned by targets role
using keys constructed of key field(s) @id
is unique for document-id
: any target value must be unique (i.e., occur only once)
is unique for prop
: any target value must be unique (i.e., occur only once)
index for .//prop
an index index-metadata-property-uuid
shall list values returned by targets .//prop
using keys constructed of key field(s) @uuid
is unique for link
: any target value must be unique (i.e., occur only once)
index for role
an index index-metadata-role-id
shall list values returned by targets role
using keys constructed of key field(s) @id
index for location
an index index-metadata-location-uuid
shall list values returned by targets location
using keys constructed of key field(s) @uuid
index for party
an index index-metadata-party-uuid
shall list values returned by targets party
using keys constructed of key field(s) @uuid
index for party[@type='organization']
an index index-metadata-party-organizations-uuid
shall list values returned by targets party[@type='organization']
using keys constructed of key field(s) @uuid
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- creator: Indicates the organization that created this content.
- prepared-by: Indicates the organization that prepared this content.
- prepared-for: Indicates the organization for which this content was created.
- content-approver: Indicates the organization responsible for all content represented in the "document".
- contact: Indicates the organization to contact for questions or support related to this content.
allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
- latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (14):
description A name given to the document, which may be used by a tool for display and navigation.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the published
value should indicate when the OSCAL document was published, not the source material.
Where necessary, the publication date of the original source material can be captured
as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the last-modified
value should indicate the modification time of the OSCAL document, not the source
material.
A publisher of OSCAL content can use this data point along with its siblings published
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published
and last-modified
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML
or JSON schema to use for validation.
wrapper element revisions
Remarks
While published
, last-modified
, oscal-version
, and version
are not required, values for these entries should be provided if the information
is known. For a revision entry to be considered valid, at least one of the following
items must be provided: published
, last-modified
, version
, or a link
with a rel
of source
.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Permissible values to be determined closer to the application (e.g. by a receiving authority).
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
description Set parameters or amend controls in resolution
Constraint (1)
is unique for set-parameter
: any target value must be unique (i.e., occur only once)
Elements (2):
description A parameter setting, to be propagated to points of insertion
Attributes (3):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
description A textual label that provides a characterization of the parameter.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
deprecated as of 1.0.1
description **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.
Elements (7):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A short, placeholder name for the parameter, which can be used as a substitute for
a value
if no value is assigned.
Remarks
The label value should be suitable for inline display in a rendered catalog.
description Describes the purpose and use of a parameter
use name constraint
use name guideline
use name select
Remarks
A set of parameter value choices, that may be picked from to set the parameter value.
Remarks
Use @control-id
to indicate the scope of alteration.
It is an error for two alter
elements to apply to the same control. In practice, multiple alterations can be applied
(together), but it creates confusion.
At present, no provision is made for altering many controls at once (for example, to systematically remove properties or add global properties); extending this element to match multiple control IDs could provide for this.
description A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
Constraint (1)
is unique for diagram
: any target value must be unique (i.e., occur only once)
Elements (5):
description A summary of the system's network architecture.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
A diagram must include a link
with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
description Points to an assessment objective.
description Describes an individual observation.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation
can be used to reference the data item locally or globally (e.g., in an imorted OSCAL
instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (12):
description The title for this observation.
description A human-readable description of this assessment observation.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies how the observation was made.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- EXAMINE: An inspection was performed.
- INTERVIEW: An interview was performed.
- TEST: A manual or automated test was performed.
- UNKNOWN: This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appropriate method(s).
description Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- ssp-statement-issue: A difference between the SSP implementation statement, and actual implementation.
- control-objective: An observation about the status of a the associated control objective.
- mitigation: A mitigating factor was identified.
- finding: An assessment finding. Used for observations made by tools, penetration testing, and other means.
- historic: An observation from a past assessment, which was converted to OSCAL at a later date.
Remarks
Used to identify the individual and/or tool that gathered the evidence resulting in the observation identification.
use name subject
Remarks
The subject reference UUID could point to an item defined in the SSP, AP, or AR.
Tools should check look for the ID in every file imported directly or indirectly.
Identifies who was interviewed, or what was tested or inspected.
description Links this observation to relevant evidence.
Attribute (1):
description A resolvable URL reference to relevant evidence.
Remarks
The value of the href
can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter
resource
in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource
in the document's back-matter
or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href
value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Elements (4):
description A human-readable description of this evidence.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Date/time stamp identifying when the finding information was collected.
description Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.
description Identifies the source of the finding, such as a tool, interviewed person, or activity.
Elements (2):
use name actor
description The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.
Attributes (3):
description The kind of actor.
Constraint (1)
allowed values
The value must be one of the following:
- tool: A reference to a tool component defined with the assessment assets.
- assessment-platform: A reference to an assessment-platform defined with the assessment assets.
- party: A reference to a party defined within the document metadata.
description A machine-oriented identifier reference to the tool or person based on the associated type.
description For a party, this can optionally be used to specify the role the actor was performing.
Elements (2):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The OSCAL model version the document was authored against.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML
or JSON schema to use for validation.
description Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
use name param
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment
of a parameter value, although the OSCAL model allows for the direct assignment of
a value if desired by the control author. The value
may be optionally used to specify one or more values. If no value is provided, then
it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation
of one or more values. A label
provides a textual placeholder that can be used in a tool to solicit parameter value
input, or to display in catalog documentation. The desc
provides a short description of what the parameter is used for, which can be used
in tooling to help a user understand how to use the parameter. A constraint
can be used to provide criteria for the allowed values. A guideline
provides a recommendation for the use of a parameter.
Constraints (2)
allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
- alt-label: An alternate to the value provided by the parameter's label. This will typically be qualified by a class.
allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name
The value must be one of the following:
- aggregates: The parent parameter provides an aggregation of 2 or more other parameters, each described by this property.
Attributes (3):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
description A textual label that provides a characterization of the parameter.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
deprecated as of 1.0.1
description **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.
Elements (8):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A short, placeholder name for the parameter, which can be used as a substitute for
a value
if no value is assigned.
Remarks
The label value should be suitable for inline display in a rendered catalog.
description Describes the purpose and use of a parameter
use name constraint
use name guideline
use name value
Remarks
A set of values provided in a catalog can be redefined at any higher layer of OSCAL (e.g., Profile).
use name select
Remarks
A set of parameter value choices, that may be picked from to set the parameter value.
A set of parameter value choices, that may be picked from to set the parameter value.
description A human-oriented reference to a parameter
within a control, who's catalog has been imported into the current implementation
context.
description A formal or informal expression of a constraint or test
Elements (2):
description A textual summary of the constraint to be applied.
description A test expression which is expected to be evaluated by a tool.
Elements (2):
description A formal (executable) expression of a constraint
description A prose statement that provides a recommendation for the use of a parameter.
Elements (1):
description Prose permits multiple paragraphs, lists, tables etc.
description Presenting a choice among alternatives
Remarks
A set of parameter value choices, that may be picked from to set the parameter value.
Attribute (1):
description Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.
Constraint (1)
allowed values
The value must be one of the following:
- one: Only one value is permitted.
- one-or-more: One or more values are permitted.
Elements (1):
description A value selection among several such options
use name choice
description A parameter value or set of values.
description A partition of a control's definition or a child of another part.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Constraint (1)
allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
Attributes (4):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
description A textual label that uniquely identifies the part's semantic type.
description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name
, so that different organizations and individuals can assert control over the allowed
names and associated text used in a part. This allows the semantics associated with
a given name to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns
is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal
and the name should be a name defined by the associated OSCAL model.
description A textual label that provides a sub-type or characterization of the part's name
. This can be used to further distinguish or discriminate between the semantics of
multiple parts of the same control with the same name
and ns
.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
A class
can also be used in an OSCAL profile as a means to target an alteration to control
content.
Elements (5):
description A name given to the part, which may be used by a tool for display and navigation.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
description Permits multiple paragraphs, lists, tables etc.
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A partition of an assessment plan or results or a child of another part.
use name part
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Constraints (3)
allowed value for .[@name='objective']/prop/@name
The value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "objective".
has cardinality for .[@name='objective']/prop[@name='method']
the cardinality of .[@name='objective']/prop[@name='method']
is constrained: 1; maximum unbounded.
allowed values for .[@name='objective']/prop[@name='method']/@value
The value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Attributes (4):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part
can be used to reference the data item locally or globally (e.g., in an ported OSCAL
instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description A textual label that uniquely identifies the part's semantic type.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- asset: An assessment asset.
- method: An assessment method.
- objective: Describes a set of control objectives.
description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name
, so that different organizations and individuals can assert control over the allowed
names and associated text used in a part. This allows the semantics associated with
a given name to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns
is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal
and the name should be a name defined by the associated OSCAL model.
description A textual label that provides a sub-type or characterization of the part's name
. This can be used to further distinguish or discriminate between the semantics of
multiple parts of the same control with the same name
and ns
.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
A class
can also be used in an OSCAL profile as a means to target an alteration to control
content.
Elements (5):
description A name given to the part, which may be used by a tool for display and navigation.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
description Permits multiple paragraphs, lists, tables etc.
use name part
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A responsible entity which is either a person or an organization.
Constraint (1)
allowed values for prop/@name
The value must be one of the following:
- mail-stop: A mail stop associated with the party.
- office: The name or number of the party's office.
- job-title: The formal job title of a person.
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party
can be used to reference the data item locally or globally (e.g., from an importing
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description A category describing the kind of party the object describes.
Constraint (1)
allowed values
The value must be one of the following:
- person: An individual.
- organization: A group of individuals formed for a specific purpose.
Elements (10):
description The full name of the party. This is typically the legal name associated with the party.
description A short common name, abbreviation, or acronym for the party.
description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)
Attribute (1):
description Indicates the type of external identifier.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- https://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This is a contact email associated with the party.
Remarks
A phone number used to contact the party.
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
description A machine-oriented identifier reference to another party
(person
or organization
) that this subject is associated with. The UUID of the party
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
Parties of both the person
or organization
type can be associated with an organization using the member-of-organization
.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid
using a key constructed of key field(s) .
description A machine-oriented identifier reference to another party
defined in metadata
. The UUID of the party
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid
using a key constructed of key field(s) .
description A glob expression matching the IDs of one or more controls to be selected.
description A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.
root name plan-of-action-and-milestones
Remarks
Either an OSCAL-based SSP must be imported, or a unique system-id must be specified. Both may be present.
Attribute (1):
description A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Elements (8):
Remarks
Used by the POA&M to import information about the system.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description Describes an individual POA&M item.
Attribute (1):
description A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Elements (8):
description The title or name for this POA&M item .
description A human-readable description of POA&M item.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies the source of the finding, such as a tool or person.
Remarks
Used to identify the individual and/or tool generated this poam-item.
Elements (1):
use name actor
description Relates the poam-item to a set of referenced observations that were used to determine the finding.
Attribute (1):
description A machine-oriented identifier reference to an observation defined in the list of observations.
description Relates the finding to a set of referenced risks that were used to determine the finding.
Attribute (1):
description A machine-oriented identifier reference to a risk defined in the list of risks.
description Where applicable this is the IPv4 port range on which the service operates.
Remarks
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
Attributes (3):
description Indicates the starting port number in a port range
Remarks
Should be a number within a permitted range
description Indicates the ending port number in a port range
Remarks
Should be a number within a permitted range
description Indicates the transport type.
Constraint (1)
allowed values
The value must be one of the following:
- TCP: Transmission Control Protocol
- UDP: User Datagram Protocol
description Each OSCAL profile is defined by a Profile element
root name profile
Remarks
An OSCAL document that describes a tailoring of controls from one or more catalogs,
with possible modification of multiple controls. It provides mechanisms by which controls
may be selected (import
), merged or (re)structured (merge
), and amended (modify
). OSCAL profiles may select subsets of controls, set parameter values for them in
application, and even adjust the representation of controls as given in and by a catalog.
They may also serve as sources for further modification in and by other profiles,
that import them.
See the Concepts - Identifier Use page for additional information regarding this identifier's uniqueness and scope.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this profile elsewhere in this or other OSCAL instances. The locally defined UUID of the profile
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance).This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions
of the document.
Elements (5):
Remarks
A profile must be based on an existing OSCAL catalog or another OSCAL profile. An
import
indicates such a source whose controls are to be included (referenced and modified)
in a profile. This source will either be a catalog whose controls are given (by value
), or a profile with its own control imports.
The contents of the import
element indicate which controls from the source will be included. Controls from the
source catalog or profile may be either selected, using the include-all
or include-controls
directives, or de-selected (using an exclude-controls
directive).
Remarks
The contents of the merge
element may be used to reorder
or restructure
controls by indicating an order and/or structure in resolution.
Implicitly, a merge
element is also a filter: controls that are included in a profile, but not included
(implicitly or explicitly) in the scope of a merge
element, will not be merged into (will be dropped) in the resulting resolution.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5):
description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name
, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns
is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal
and the name should be a name defined by the associated OSCAL model.
description Indicates the value of the attribute, characteristic, or quality.
description A textual label that provides a sub-type or characterization of the property's name
. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name
and ns
.
Remarks
A class
can be used in validation rules to express extra constraints over named items of
a specific class
value.
Elements (1):
description Information about the protocol used to provide a service.
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in
this or other OSCAL instances. The locally defined UUID of the service protocol
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.
Remarks
The short name of the protocol (e.g., https).
Elements (2):
description A human readable name for the protocol (e.g., Transport Layer Security).
Remarks
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
description A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.
description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the published
value should indicate when the OSCAL document was published, not the source material.
Where necessary, the publication date of the original source material can be captured
as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
description Identifies an individual task for which the containing object is a consequence of.
Constraint (1)
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented identifier reference to a unique task.
Elements (6):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Identifies the person or organization responsible for performing a specific role defined by the activity.
use name subject
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
The assessment subjects that the task was performed against.
description Used to detail assessment subjects that were identfied by this task.
Attribute (1):
subject-placeholder-uuid
[0 or 1]
Assessment Subject Placeholder Universally Unique Identifier Reference
description A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.
Elements (1):
use name subject
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.
description Additional commentary on the containing object.
description Specifies objects to be removed from a control based on specific aspects of the object that must all match.
Remarks
Use name-ref
, class-ref
, id-ref
or generic-identifier
to indicate class tokens or ID reference, or the formal name, of the component to
be removed or erased from a control, when a catalog is resolved. The control affected
is indicated by the pointer on the removal's parent (containing) alter
element.
To change an element, use remove
to remove the element, then add
to add it back again with changes.
Attributes (5):
description Identify items to remove by matching their assigned name
description Identify items to remove by matching their class
.
description Identify items to remove indicated by their id
.
description Identify items to remove by the name of the item's information element name, e.g.
title
or prop
description Identify items to remove by the item's ns
, which is the namespace associated with a part
, or prop
.
description Describes either recommended or an actual plan for addressing the risk.
Constraints (2)
allowed value for prop/@name
The value may be locally defined, or the following:
- type
allowed values for prop[@name='type']/@value
The value may be locally defined, or one of the following:
- avoid: The risk will be eliminated.
- mitigate: The risk will be reduced.
- transfer: The risk will be transferred to another organization or entity.
- accept: The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required")
- share: The risk will be partially transferred to another organization or entity.
- contingency: Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.)
- none: No response, such as when the identified risk is found to be a false positive.
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- recommendation: Recommended Remediation
- planned: The actions intended to resolve the risk.
- completed: This remediation activities were performed to address the risk.
Elements (8):
description The title for this response activity.
description A human-readable description of this response plan.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Used to identify the individual and/or tool that generated this recommended or planned response.
description Identifies an asset required to achieve remediation.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6):
use name subject
Remarks
The subject reference UUID could point to an item defined in the SSP, AP, or AR.
Tools should check look for the ID in every file imported directly or indirectly.
Identifies an asset associated with this requirement, such as a party, system component, or inventory-item.
description The title for this required asset.
description A human-readable description of this required asset.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.
description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Constraints (2)
index has keythis value must correspond to a listing in the index index-metadata-role-id
using a key constructed of key field(s) @role-id
index has key for party-uuid
this value must correspond to a listing in the index index-metadata-party-uuid
using a key constructed of key field(s) .
Attribute (1):
description A human-oriented identifier reference to roles
served by the user.
Elements (4):
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Specifies one or more parties that are responsible for performing the associated role
.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1):
description A human-oriented identifier reference to roles
responsible for the business function.
Elements (4):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
description Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (14):
description The title for this set of results.
description A human-readable description of this set of test results.
description Date/time stamp identifying the start of the evidence collection reflected in these results.
description Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Constraints (2)
is unique for component
: any target value must be unique (i.e., occur only once)
is unique for user
: any target value must be unique (i.e., occur only once)
Elements (5):
use name component
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Used to add any components, not defined via the System Security Plan (AR->AP->SSP)
Remarks
Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)
use name user
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
Used to add any users, not defined via the System Security Plan (AR->AP->SSP)
Remarks
This needs to be defined in the results if an assessment platform used is different from the one described in the assessment plan. Else the platform(s) defined in the plan may be referenced within the results.
use name assessment-task
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
The Assessment Results control-selection
ignores any control selection in the Assessment Plan and re-selects controls from
the baseline identified by the SSP.
The Assessment Results control-objective-selection
ignores any control objective selection in the Assessment Plan and re-selects control
objectives from the baseline identified by the SSP.
Any additional control objectives defined in the Assessment Plan local-definitions
do not need to be re-defined in the Assessment Results local-definitions
; however, if they were explicitly referenced with an Assessment Plan control-objective-selection
, they need to be selected again in the Assessment Results control-objective-selection
.
description A set of textual statements, typically written by the assessor.
Constraint (1)
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
Elements (2):
use name part
use name part
Remarks
A part
provides for logical partitioning of prose, and can be thought of as a grouping structure
(e.g., section). A part
can have child parts allowing for arbitrary nesting of prose content (e.g., statement
hierarchy). A part
can contain prop
objects that allow for enriching prose text with structured name/value information.
A part
can be assigned an optional id
, which allows for internal and external references to the textual concept contained
within a part
. A id
provides a means for an OSCAL profile, or a higher layer OSCAL model to reference
a specific part within a catalog
. For example, an id
can be used to reference or to make modifications to a control statement in a profile.
Use of part
and prop
provides for a wide degree of extensibility within the OSCAL catalog model. The optional
ns
provides a means to qualify a part's name
, allowing for organization-specific vocabularies to be defined with clear semantics.
Any organization that extends OSCAL in this way should consistently assign a ns
value that represents the organization, making a given namespace qualified name
unique to that organization. This allows the combination of ns
and name
to always be unique and unambiguous, even when mixed with extensions from other organizations.
Each organization is responsible for governance of their own extensions, and is strongly
encouraged to publish their extensions as standards to their user community. If no
ns
is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns
is unique to an organization and naming conflicts are avoided, a URI containing a
DNS or other globally defined organization name should be used. For example, if FedRAMP
and DoD both extend OSCAL, FedRAMP will use the ns
"https://fedramp.gov", while DoD will use the ns
"https://defense.gov" for any organization specific name
.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
description A log of all assessment-related actions taken.
Elements (1):
description Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (9):
description The title for this event.
description A human-readable description of this event.
description Identifies the start date and time of an event.
description Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies the controls being assessed and their control objectives.
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
Elements (6):
description A human-readable description of control objectives.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.
Remarks
The include-all
, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile
statement within the linked SSP.
Any control specified within exclude-controls
must first be within a range of explicitly included controls, via include-controls
or include-all
.
Elements (6):
description A human-readable description of in-scope controls specified for assessment.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This element provides an alternative to calling controls individually from a catalog.
use name include-control
Remarks
Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.
use name exclude-control
Remarks
Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.
description Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.
Remarks
The include-all
field, specifies all control objectives for any in-scope control. In-scope controls
are defined in the control-selection
.
Any control objective specified within exclude-controls
must first be within a range of explicitly included control objectives, via include-objectives
or include-all
.
Elements (6):
description A human-readable description of this collection of control objectives.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This element provides an alternative to calling controls individually from a catalog.
use name include-objective
Remarks
Used to select a control objective for inclusion by the control objective's identifier.
use name exclude-objective
Remarks
Used to select a control objective for exclusion by the control objective's identifier.
description An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
Remarks
While published
, last-modified
, oscal-version
, and version
are not required, values for these entries should be provided if the information
is known. For a revision entry to be considered valid, at least one of the following
items must be provided: published
, last-modified
, version
, or a link
with a rel
of source
.
Constraint (1)
allowed values for link/@rel
The value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (8):
description A name given to the document revision, which may be used by a tool for display and navigation.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the published
value should indicate when the OSCAL document was published, not the source material.
Where necessary, the publication date of the original source material can be captured
as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the last-modified
value should indicate the modification time of the OSCAL document, not the source
material.
A publisher of OSCAL content can use this data point along with its siblings published
and version
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published
and last-modified
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML
or JSON schema to use for validation.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description An identified risk.
Constraints (2)
allowed values for prop/@name
The value must be one of the following:
- false-positive: The risk has been confirmed to be a false positive.
- accepted: The risk has been accepted. No further action will be taken.
- risk-adjusted: The risk has been adjusted.
- priority: A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)
matches for prop[@name='priority']/@value
: the target value must match the lexical form of the 'integer' data type.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (14):
description The title for this risk.
description A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.
description An summary of impact for how the risk affects the system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
use name status
Remarks
Used to identify the individual and/or tool that identified this risk.
description Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (4):
description A human-readable description of this mitigating factor.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
use name subject
Remarks
The subject reference UUID could point to an item defined in the SSP, AP, or AR.
Tools should check look for the ID in every file imported directly or indirectly.
Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component.
description The date/time by which the risk must be resolved.
description A log of all risk-related tasks taken.
Elements (1):
description Identifies an individual risk response that occurred as part of managing an identified risk.
Constraints (2)
allowed value for prop/@name
The value may be locally defined, or the following:
- type: The type of remediation tracking entry. Can be multi-valued.
allowed values for prop[@name='type']/@value
The value may be locally defined, or one of the following:
- vendor-check-in: Contacted vendor to determine the status of a pending fix to a known vulnerability.
- status-update: Information related to the current state of response to this risk.
- milestone-complete: A significant step in the response plan has been achieved.
- mitigation: An activity was completed that reduces the likelihood or impact of this risk.
- remediated: An activity was completed that eliminates the likelihood or impact of this risk.
- closed: The risk is no longer applicable to the system.
- dr-submission: A deviation request was made to the authorizing official.
- dr-updated: A previously submitted deviation request has been modified.
- dr-approved: The authorizing official approved the deviation.
- dr-rejected: The authorizing official rejected the deviation.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (10):
description The title for this risk log entry.
description A human-readable description of what was done regarding the risk.
description Identifies the start date and time of the event.
description Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
use name status-change
Remarks
Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries.
description Identifies an individual risk response that this log entry is for.
Attribute (1):
description A machine-oriented identifier reference to a unique risk response.
Elements (4):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
This is used to identify the task(s) that this log entry was generated for.
description Relates the finding to a set of referenced observations that were used to determine the finding.
Attribute (1):
description A machine-oriented identifier reference to an observation defined in the list of observations.
description Describes the status of the associated risk.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- open: The risk has been identified.
- investigating: The identified risk is being investigated. (Open risk)
- remediating: Remediation activities are underway, but are not yet complete. (Open risk)
- deviation-requested: A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)
- deviation-approved: A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)
- closed: The risk has been resolved.
description Defines a function assumed or expected to be assumed by a party in a specific situation.
Remarks
Permissible values to be determined closer to the application (e.g. by a receiving authority).
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
Attribute (1):
description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role
from the imported OSCAL instance must be referenced in the context of the containing
resource (e.g., import, import-component-definition, import-profile, import-ssp or
import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6):
description A name given to the role, which may be used by a tool for display and navigation.
description A short common name, abbreviation, or acronym for the role.
description A summary of the role's purpose and associated responsibilities.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A human-oriented identifier reference to roles
served by the user.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-role-id
using a key constructed of key field(s) .
description The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
Elements (3):
description A target-level of confidentiality for the system, based on the sensitivity of information within the system.
description A target-level of integrity for the system, based on the sensitivity of information within the system.
description A target-level of availability for the system, based on the sensitivity of information within the system.
description Call a control by its ID
Remarks
If with-child-controls
is yes
on the call to a control, no sibling call
elements need to be used to call any controls appearing within it. Since generally,
this is how control enhancements are represented (as controls within controls), this
provides a way to include controls with all their dependent controls (enhancements)
without having to call them individually.
Attribute (1):
Elements (2):
description
description Select controls by (regular expression) match on ID
Attribute (1):
description Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.
Attribute (1):
Elements (1):
description Used to constrain the selection to only specificity identified statements.
description Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
Attribute (1):
description Identifies a set of assessment subjects to include/exclude by UUID.
Attributes (2):
use name type
Elements (3):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The selected (Confidentiality, Integrity, or Availability) security impact level.
description Identifies the parameter that will be set by the enclosed value.
Attribute (1):
Elements (2):
description A parameter value or set of values.
use name value
description A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.
description Identifies which statements within a control are addressed.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
Remarks
A reference to the specific implemented statement associated with a control.
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Elements (5):
description A summary of how the containing control statement is implemented by the component or capability.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Identifies which statements within a control are addressed.
Constraints (3)
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
is unique for by-component
: any target value must be unique (i.e., occur only once)
Attributes (2):
Remarks
A reference to the specific implemented statement associated with a control.
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement
in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Elements (5):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A human-oriented identifier reference to a control statement
.
description Describes the operational status of the system.
Remarks
If 'other' is selected, a remark must be included to describe the current state.
Attribute (1):
description The current operating status.
Constraint (1)
allowed values
The value must be one of the following:
- operational: The system is currently operating in production.
- under-development: The system is being designed, developed, or implemented
- under-major-modification: The system is undergoing a major change, development, or transition.
- disposition: The system is no longer operational.
- other: Some other state.
Elements (1):
description A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.
Remarks
The subject reference UUID could point to an item defined in the SSP, AP, or AR.
Tools should check look for the ID in every file imported directly or indirectly.
Attributes (2):
use name type
Elements (4):
description The title or name for the referenced subject.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Used to indicate the type of object pointed to by the uuid-ref
within a subject.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- component: Component
- inventory-item: Inventory Item
- location: Location
- party: Interview Party
- user: User
- resource: Resource or Artifact
description A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.
description Contains the characteristics of the system, such as its name, purpose, and security impact level.
Constraints (7)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- identity-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
- authenticator-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
- federation-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
allowed values for prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value
The value must be one of the following:
- 1: As defined by SP 800-63-3.
- 2: As defined by SP 800-63-3.
- 3: As defined by SP 800-63-3.
allowed values for prop/@name
The value may be locally defined, or one of the following:
- cloud-deployment-model: The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other.
- cloud-service-model: The associated value is one of: saas, paas, iaas, or other.
allowed values for prop[@name='cloud-deployment-model']/@value
The value must be one of the following:
- public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
- private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
- community-cloud: The community cloud deployment model as defined by The NIST Definition of Cloud Computing.
- government-only-cloud: A specific type of community-cloud for use only by government services.
- other: Any other type of cloud deployment model that is exclusive to the other choices. The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.
allowed values for prop[@name='cloud-service-model']/@value
The value must be one of the following:
- saas: Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- paas: Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- iaas: Infrastructure as a service (IaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- other: Any other type of cloud service model that is exclusive to the other choices.
is unique for responsible-party
: any target value must be unique (i.e., occur only once)
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- authorizing-official: The authorizing official for this system.
- authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
- system-owner: The executive ultimately accountable for the system.
- system-poc-management: The primary management-level point of contact (POC) for the system.
- system-poc-technical: The primary technical point of contact (POC) for the system.
- system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
- information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
- privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.
Elements (16):
description The full name of the system.
description A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.
description A summary of the system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The overall information system sensitivity categorization, such as defined by FIPS-199.
Remarks
Often, organizations require the security sensitivity level to correspond with the
highest confidentiality, integrity, or availability level identified by security-impact-level
.
Remarks
If 'other' is selected, a remark must be included to describe the current state.
description A defined component that can be part of an implemented system.
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Constraints (24)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- implementation-point: Relative placement of component ('internal' or 'external') to the system.
- leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
- inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- depends-on: A reference to another component that this component has a dependency on.
- validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
- proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
- baseline-template: A reference to the baseline template used to configure the asset.
- uses-service: This service is used by the referenced component identifier.
- system-security-plan: A link to the system security plan of the external system.
- uses-network: This component uses the network provided by the identified network component.
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
allowed values for prop[@name='asset-type']/@value
The value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed values for prop[@name='allows-authenticated-scan']/@value
The value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
allowed values for prop[@name='public']/@value
The value must be one of the following:
- yes: The component is publicly accessible.
- no: The component is not publicly accessible.
allowed values for prop[@name='virtual']/@value
The value must be one of the following:
- yes: The component is virtualized.
- no: The component is not virtualized.
allowed values for prop[@name='implementation-point']/@value
The value must be one of the following:
- internal: The component is implemented within the system boundary.
- external: The component is implemented outside the system boundary.
index has key for prop[@name='physical-location']
this value must correspond to a listing in the index index-metadata-location-uuid
using a key constructed of key field(s) @value
matches for prop[@name='inherited-uuid']/@value
: the target value must match the lexical form of the 'uuid' data type.
matches for prop[@name='release-date']/@value
: the target value must match the lexical form of the 'date' data type.
allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name
The value may be locally defined, or the following:
- vendor-name: The name of the company or organization
allowed value for (.)[@type='validation']/link/@rel
The value may be locally defined, or the following:
- validation-details: A link to an online information provided by the authorizing body.
allowed value for (.)[@type='software']/prop/@name
The value may be locally defined, or the following:
- software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.
allowed values for (.)[@type='service']/link/@rel
The value may be locally defined, or one of the following:
- provided-by: This service is provided by the referenced component identifier.
- used-by: This service is used by the referenced component identifier.
allowed values for (.)[@type='interconnection']/prop/@name
The value may be locally defined, or one of the following:
- isa-title: Title of the Interconnection Security Agreement (ISA).
- isa-date: Date of the Interconnection Security Agreement (ISA).
- isa-remote-system-name: The name of the remote interconnected system.
- ipv4-address: An Internet Protocol Version 4 interconnection address
- ipv6-address: An Internet Protocol Version 6 interconnection address
- direction: An Internet Protocol Version 6 interconnection address
allowed values for prop[@name=('ipv4-address','ipv6-address')]/@class
The value may be locally defined, or one of the following:
- local: The identified IP address is for this system.
- remote: The identified IP address is for the remote system to which this system is connected.
allowed value for (.)[@type='interconnection']/link/@rel
The value may be locally defined, or the following:
- isa-agreement: A link to the system interconnection agreement.
allowed values for (.)[@type='interconnection']/responsible-role/@role-id
The value may be locally defined, or one of the following:
- isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
- isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
- isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
- isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.
matches for prop[@name='isa-date']/@value
: the target value must match the lexical form of the 'dateTime' data type.
matches for prop[@name='ipv4-address']/@value
: the target value must match the lexical form of the 'ip-v4-address' data type.
matches for prop[@name='ipv6-address']/@value
: the target value must match the lexical form of the 'ip-v6-address' data type.
allowed values for prop[@name='direction']/@value
The value may be locally defined, or one of the following:
- incoming: Data from the remote system flows into this system.
- outgoing: Data from this system flows to the remote system.
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
use name type
Elements (9):
description A human readable name for the system component.
description A description of the component, including information about its function.
description A summary of the technological or business purpose of the component.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Describes the operational status of the system component.
Attribute (1):
description The operational status.
Constraint (1)
allowed values
The value must be one of the following:
- under-development: The component is being designed, developed, or implemented.
- operational: The component is currently operational and is available for use in the system.
- disposition: The component is no longer operational.
- other: Some other state.
Elements (1):
Remarks
Used for service
components to define the protocols supported by the service.
description A category describing the purpose of the component.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- this-system: The system as a whole.
- system: An external system, which may be a leveraged system or the other side of an interconnection.
- interconnection: A connection to something outside this system.
- software: Any software, operating system, or firmware.
- hardware: A physical device.
- service: A service that may provide APIs.
- policy: An enforceable policy.
- physical: A tangible asset used to provide physical protections or countermeasures.
- process-procedure: A list of steps or actions to take to achieve some end result.
- plan: An applicable plan.
- guidance: Any guideline or recommendation.
- standard: Any organizational or industry standard.
- validation: An external assessment performed on some other component, that has been validated by a third-party.
- network: A physical or virtual network.
description A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere
in this or other OSCAL instances. When referencing an externally defined system identification
, the system identification
must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).
This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions
of the document.
Attribute (1):
description Identifies the identification system from which the provided identifier was assigned.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- https://fedramp.gov: The identifier was assigned by FedRAMP.
- https://ietf.org/rfc/rfc4122: A Universally Unique Identifier (UUID) as defined by RFC4122.
description Provides information as to how the system is implemented.
Constraints (13)
index for leveraged-authorization
an index index-system-implementation-leveraged-authorization-uuid
shall list values returned by targets leveraged-authorization
using keys constructed of key field(s) @uuid
index has key for component/prop[@name='leveraged-authorization-uuid']
this value must correspond to a listing in the index index-system-implementation-leveraged-authorization-uuid
using a key constructed of key field(s) @value
index for component
an index index-system-implementation-component-uuid
shall list values returned by targets component
using keys constructed of key field(s) @uuid
index has key for component/link[@rel='depends-on']
this value must correspond to a listing in the index index-system-implementation-component-uuid
using a key constructed of key field(s) @href
index for component[@type='validation']
an index index-system-implementation-component-uuid-validation
shall list values returned by targets component[@type='validation']
using keys constructed of key field(s) @uuid
index has key for component/link[@rel='validated-by']
this value must correspond to a listing in the index index-system-implementation-component-uuid-validation
using a key constructed of key field(s) @href
index has key for component/link[@rel='proof-of-compliance']
this value must correspond to a listing in the index index-system-implementation-component-uuid-validation
using a key constructed of key field(s) @href
index for component[@type='service']
an index index-system-implementation-component-uuid-service
shall list values returned by targets component[@type='service']
using keys constructed of key field(s) @uuid
index has key for component/link[@rel='uses-service']
this value must correspond to a listing in the index index-system-implementation-component-uuid-service
using a key constructed of key field(s) @href
index for component[@type='service']
an index index-system-implementation-component-uuid-software
shall list values returned by targets component[@type='service']
using keys constructed of key field(s) @uuid
index has key for component[@type='service']/link[@rel='provided-by']
this value must correspond to a listing in the index index-system-implementation-component-uuid-software
using a key constructed of key field(s) @href
allowed values for (component | inventory-item)/prop[@name='allows-authenticated-scan']/@value
The value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
is unique for user
: any target value must be unique (i.e., occur only once)
Elements (7):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- system-security-plan: A reference to the system security plan for the leveraged authorization.
matches for link[@rel='system-security-plan']/@href[starts-with(.,'#')]
: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='system-security-plan' and starts-with(@href,'#')]
this value must correspond to a listing in the index index-back-matter-resource
using a key constructed of key field(s) @href
matches for link[@rel='system-security-plan']/@href[not(starts-with(.,'#'))]
: the target value must match the lexical form of the 'uri' data type.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6):
description A human readable name for the leveraged authorization in the context of the system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A machine-oriented identifier reference to the party
that manages the leveraged system.
use name user
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
use name component
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type
indicates which of these component types is represented.
When defining a service
component where are relationship to other components is known, one or more link
entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Remarks
A set of inventory-item
entries that represent the managed inventory instances of the system.
description Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
Constraints (7)
allowed value for prop/@name
The value may be locally defined, or the following:
- privacy-designation: Is this a privacy sensitive system? yes or no
allowed values for prop[@name='privacy-designation']/@value
The value must be one of the following:
- yes: The system is privacy sensitive.
- no: The system isnot privacy sensitive.
allowed value for link/@rel
The value must be one of the following:
- privacy-impact-assessment: A link to the privacy impact assessment.
matches for link[@rel='privacy-impact-assessment']/@href[starts-with(.,'#')]
: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]
this value must correspond to a listing in the index index-back-matter-resource
using a key constructed of key field(s) @href
matches for link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]
: the target value must match the lexical form of the 'uri' data type.
allowed values for information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)
The value must be one of the following:
- fips-199-low: A 'low' sensitivity level as defined in FIPS-199.
- fips-199-moderate: A 'moderate' sensitivity level as defined in FIPS-199.
- fips-199-high: A 'high' sensitivity level as defined in FIPS-199. FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.
Elements (3):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8):
description A human readable name for the information type. This title should be meaningful within the context of the system.
description A summary of how this information type is used within the system.
description A set of information type identifiers qualified by the given identification system
used, such as NIST SP 800-60.
Attribute (1):
description Specifies the information type identification system used.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- https://doi.org/10.6028/NIST.SP.800-60v2r1: Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1.
Elements (1):
description A human-oriented, globally unique identifier qualified by the given identification system
used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The expected level of impact resulting from the unauthorized disclosure of the described information.
Elements (5):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The expected level of impact resulting from the unauthorized modification of the described information.
Elements (5):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The expected level of impact resulting from the disruption of access to or use of the described information or the information system.
Elements (5):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description A system security plan, such as those described in NIST SP 800-18
root name system-security-plan
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in
this or other OSCAL instances. The locally defined UUID of the SSP
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6):
Remarks
Use of set-parameter
in this context, sets the parameter for all related controls referenced in an implemented-requirement
. If the same parameter is also set in a specific implemented-requirement
, then the new value will override this value.
Remarks
Provides a collection of identified resource
objects that can be referenced by a link
with a rel
value of "reference" and an href
value that is a fragment "#" followed by a reference to a reference identifier. Other
specialized link "rel" values also use this pattern when indicated in that context
of use.
description A type of user that interacts with the system based on an associated role.
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
Constraints (4)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- type: The type of user, such as internal, external, or general-public.
- privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.
allowed values for prop[@name='type']/@value
The value must be one of the following:
- internal: A user account for a person or entity that is part of the organization who owns or operates the system.
- external: A user account for a person or entity that is not part of the organization who owns or operates the system.
- general-public: A user of the system considered to be outside
allowed values for prop[@name='privilege-level']/@value
The value must be one of the following:
- privileged: This role has elevated access to the system, such as a group or system administrator.
- non-privileged: This role has typical user-level access to the system without elevated access.
- no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.
allowed values for role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8):
description A name given to the user, which may be used by a tool for display and navigation.
description A short common name, abbreviation, or acronym for the user.
description A summary of the user's purpose within the system.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
Attributes (2):
description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task
can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
description The type of task.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- milestone: The task represents a planned milestone.
- action: The task represents a specific assessment action to be performed.
Elements (11):
description The title for this task.
description A human-readable description of this task.
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
description The timing under which the task is intended to occur.
Elements (1):
description The task is intended to occur on the specified date.
Attribute (1):
description The task must occur on the specified date.
description The task is intended to occur within the specified date range.
Attributes (2):
description The task must occur on or after the specified date.
description The task must occur on or before the specified date.
description The task is intended to occur at the specified frequency.
Attributes (2):
description The task must occur after the specified period has elapsed.
description The unit of time for the period.
Constraint (1)
allowed values
The value must be one of the following:
- seconds: The period is specified in seconds.
- minutes: The period is specified in minutes.
- hours: The period is specified in hours.
- days: The period is specified in days.
- months: The period is specified in calendar months.
- years: The period is specified in calendar years.
description Used to indicate that a task is dependent on another task.
Attribute (1):
description A machine-oriented identifier reference to a unique task.
Elements (1):
description Identifies an individual activity to be performed as part of a task.
Constraint (1)
is unique for responsible-role
: any target value must be unique (i.e., occur only once)
Attribute (1):
description A machine-oriented identifier reference to an activity defined in the list of activities.
Elements (5):
use name prop
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource
is needed. The resource allows one or more hash values to be provided using the rlink/hash
object.
The OSCAL link
is a roughly based on the HTML link element.
Remarks
Identifies the person or organization responsible for performing a specific role defined by the activity.
use name subject
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
use name subject
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
The assessment subjects that the activity was performed against.
Remarks
Identifies the person or organization responsible for performing a specific role related to the task.
description Contact number by telephone.
Attribute (1):
description Indicates the type of phone number.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home phone number.
- office: An office phone number.
- mobile: A mobile phone number.
description A pointer, by ID, to an externally-defined threat.
Attributes (2):
description Specifies the source of the threat information.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- https://fedramp.gov: The value conforms to FedRAMP definitions.
description An optional location for the threat data, from which this ID originates.
description A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published
and last-modified
to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision
in this object.
description When a control is included, whether its child (dependent) controls are also included.
Constraint (1)
allowed values
The value must be one of the following:
- yes: Include child controls with an included control.
- no: When importing a control, only include child controls that are also explicitly called.