OSCAL Assessment Plan Model JSON Format Reference
OSCAL model OSCAL Assessment Plan Model
Version 1.0.0-rc2
JSON Schema oscal_assessment-plan_schema.json
XML to JSON converter oscal_assessment-plan_xml-to-json-converter.xsl (How do I use the converter to convert OSCAL XML to JSON?)
The OSCAL assessment plan format is used to describe the information typically provided by an assessor during the preparation for an assessment.
The root of the OSCAL assessment plan format is assessment-plan.
Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.
This object appears as a member of an array property defined for local-definitions.
Properties (9)
Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document.
The title for this included activity.
A human-readable description of this included activity.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.steps
array [optional] array of objects(array member) object [1 to ∞] StepIdentifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
Properties (8):
uuid,title,description,prop,link,reviewed-controls,responsible-role,remarksUniquely identifies a step. This UUID may be referenced elsewhere in an OSCAL document when referring to this step. A UUID should be consistently used for a given test step across revisions of the document.
The title for this step.
A human-readable description of this step.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Identifies the controls being assessed and their control objectives.
Remarks (local)
This can be optionally used to define the set of controls and control objectives that are assessed by this step.
Remarks (general)
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
responsible-roles
array [optional] array of objectsA reference to one or more roles with responsibility for performing a function relative to the containing object.
Remarks (local)
Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.
Additional commentary on the containing object.
Identifies the controls being assessed and their control objectives.
Remarks (local)
This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.
Remarks (general)
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
responsible-roles
array [optional] array of objectsA reference to one or more roles with responsibility for performing a function relative to the containing object.
Remarks (local)
Identifies the roles, and optionally the parties, associated with this assessment activity.
Additional commentary on the containing object.
A single line of an address.
A string conforming to the lexical and value-space requirements defined for string.
This object appears as a member of an array property defined for address.
A postal address for the location.
This object appears as a member of an array property defined for party.
Properties (6)
Indicates the type of address.
addr-lines
array [optional] array of stringsA single line of an address.
City, town or geographical region for the mailing address.
State, province or analogous geographical region for mailing address
Postal or ZIP code for mailing address
The ISO 3166-1 alpha-2 country code for the mailing address.
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
Properties (2)
components
array [optional] array of objectsA defined component that can be part of an implemented system.
Remarks (local)
Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.
The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.
Remarks (general)
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The
typeindicates which of these component types is represented.When defining a
servicecomponent where are relationship to other components is known, one or morelinkentries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.assessment-platforms
array [required] array of objects(array member) object [1 to ∞] Assessment PlatformUsed to represent the toolset used to perform aspects of the assessment.
Properties (6):
uuid,title,prop,link,uses-component,remarksUniquely identifies this assessment Platform.
The title or name for the assessment platform.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.uses-components
array [optional] array of objects(array member) object [1 to ∞] Uses ComponentThe set of components that are used by the assessment platform.
Properties (5):
component-uuid,prop,link,responsible-party,remarksA reference to a component that is implemented as part of an inventory item.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.responsible-parties
array [optional] array of objectsA reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Remarks (local)
This construct is used to either: 1) associate a party or parties to a role defined on the component using the
responsible-roleconstruct, or 2) to define a party or parties that are responsible for a role defined within the context of the containinginventory-item.Additional commentary on the containing object.
Additional commentary on the containing object.
An assessment plan, such as those provided by a FedRAMP assessor.
assessment-plan is a root (containing) object for this
schema.
Properties (10)
Uniquely identifies this assessment plan. This UUID must be changed each time the content of the plan changes.
Provides information about the publication and availability of the containing document.
Used by the assessment plan and POA&M to import information about the system.
Remarks (local)
Used by the SAP to import information about the system being assessed.
local-definitions
object [0 or 1] Local DefinitionsUsed to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Properties (6):
component,inventory-item,user,objectives-and-methods,activity,remarkscomponents
array [optional] array of objectsA defined component that can be part of an implemented system.
Remarks (local)
Used to add any components, not defined via the System Security Plan (AR->AP->SSP)
Remarks (general)
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The
typeindicates which of these component types is represented.When defining a
servicecomponent where are relationship to other components is known, one or morelinkentries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.inventory-items
array [optional] array of objectsA single managed inventory item within the system.
Remarks (local)
Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)
users
array [optional] array of objectsA type of user that interacts with the system based on an associated role.
Remarks (local)
Used to add any users, not defined via the System Security Plan (AR->AP->SSP)
Remarks (general)
Permissible values to be determined closer to the application, such as by a receiving authority.
objectives-and-methods
array [optional] array of objectsA local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.
activities
array [optional] array of objectsIdentifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.
Additional commentary on the containing object.
terms-and-conditions
object [0 or 1] Assessment Plan Terms and ConditionsUsed to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.
Property (1):
partparts
array [optional] array of objectsA partition of an assessment plan or results or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Identifies the controls being assessed and their control objectives.
Remarks (general)
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
assessment-subjects
array [optional] array of objectsIdentifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
Remarks (general)
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
tasks
array [optional] array of objectsRepresents a scheduled event or milestone, which may be associated with a series of assessment actions.
A collection of resources, which may be included directly or by reference.
Remarks (general)
Provides a collection of identified
resourceobjects that can be referenced by alinkwith arelvalue of "reference" and anhrefvalue that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.
Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
This object appears as a member of an array property defined for task, associated-activity, and assessment-plan.
Remarks
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Properties (8)
Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.
allowed values for
assessment-subject/@typeThe value may be locally defined, or one of the following:
- component: The referenced assessment subject is a component defined in the SSP, or in the
local-definitionsof an Assessment Plan or Assessment Results. - inventory-item: The referenced assessment subject is a inventory item defined in the SSP, or in the
local-definitionsof an Assessment Plan or Assessment Results. - location: The referenced assessment subject is a
locationdefined in themetadataof the SSP, Assessment Plan, or Assessment Results. - party: The referenced assessment subject is a person or team to interview, who is defined as a
partyin themetadataof the SSP, Assessment Plan, or Assessment Results. - user: The referenced assessment subject is a
userdefined in the SSP, or in thelocal-definitionsof an Assessment Plan or Assessment Results.
- component: The referenced assessment subject is a component defined in the SSP, or in the
A human-readable description of the collection of subjects being included in this assessment.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.include-all
object [1] AllA key word to indicate all.
include-subjects
array [required] array of objectsIdentifies a set of assessment subjects to include/exclude by UUID.
exclude-subjects
array [optional] array of objectsIdentifies a set of assessment subjects to include/exclude by UUID.
Additional commentary on the containing object.
Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.
Properties (6)
Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task.
A human-readable description of intent of this assessment subject placeholder.
sources
array [required] array of objects(array member) object [1 to ∞] Assessment Subject SourceAssessment subjects will be identified while conducting the referenced activity-instance.
Property (1):
task-uuidUniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
This object appears as a member of an array property defined for system-user.
Properties (3)
A human readable name for the privilege.
A summary of the privilege's purpose within the system.
functions-performed
array [required] array of stringsDescribes a function performed for a given authorized privilege by this user class.
A collection of resources, which may be included directly or by reference.
Remarks
Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.
Property (1)
resources
array [optional] array of objects(array member) object [1 to ∞] ResourceA resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.
Remarks
A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a
rlink, or 2) it may be included as an attachment using abase64. A resource may contain multiplerlinkandbase64entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for amedia-typeto be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiplerlinkandbase64items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item'smedia-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.When a resource includes a citation, then the
titleandcitationproperties must both be included.Properties (9):
uuid,title,description,prop,document-id,citation,rlink,base64,remarksA globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.
A name given to the resource, which may be used by a tool for display and navigation.
A short summary of the resource used to indicate the purpose of the resource.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
document-ids
array [optional] array of objects(array member) object [0 to ∞] Document IdentifierA document identifier qualified by an identifier
scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.Remarks (general)
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
citation
object [0 or 1] CitationA citation consisting of end note text and optional structured bibliographic data.
Remarks
The
textis used to define the endnote text, without any required bibliographic structure. If structured bibliographic data is needed, then thebibliocan be used for this purpose.A
bibliocan be used to capture a structured bibliographical citation in an appropriate format.Properties (3):
text,prop,biblioA line of citation text.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
biblio
object [0 or 1] Bibliographic DefinitionA container for structured bibliographic information. The model of this information is undefined by OSCAL.
rlinks
array [optional] array of objects(array member) object [1 to ∞] Resource linkA pointer to an external resource with an optional hash for verification and change detection.
Remarks
This construct is different from
link, which makes no provision for a hash or formal title.Multiple
rlinkcan be included for a resource. In such a case, all providedrlinkitems are intended to be equivalent in content, but may differ in structure. Amedia-typeis used to identify the format of a given rlink, and can be used to differentiate a items in a collection of rlinks. Themedia-typealso provides a hint to the OSCAL document consumer about the structure of the resource referenced by therlink.Properties (3):
href,media-type,hashA resolvable URI reference to a resource.
Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
hashes
array [optional] array of objects(array member) object [0 to ∞] HashA representation of a cryptographic digest generated over a resource using a specified hash algorithm.
Remarks (local)
When appearing as part of a
resource/rlink, the hash applies to the resource referenced by thehref.Remarks (general)
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
base64
object [0 or 1] Base64The Base64 alphabet in RFC 2045 - aligned with XSD.
Properties (2):
filename,media-typeName of the file before it was encoded as Base64 to be embedded in a
resource. This is the name that will be assigned to the file when the file is decoded.Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Additional commentary on the containing object.
A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.
This object appears as a member of an array property defined for metadata and resource.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
Properties
This property provides the (nominal) value for this object as a whole.
Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.
allowed value for
document-id/@schemeThe value may be locally defined, or the following:
- https://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.
An email address as defined by RFC 5322 Section 3.4.1.
A string conforming to the lexical and value-space requirements defined for email.
This object appears as a member of an array property defined for location and party.
Describes a function performed for a given authorized privilege by this user class.
A string conforming to the lexical and value-space requirements defined for string.
This object appears as a member of an array property defined for authorized-privilege.
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
This object appears as a member of an array property defined for rlink.
Remarks
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
Properties
This property provides the (nominal) value for this object as a whole.
Method by which a hash is derived
Remarks
Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.
allowed values for
hash/@algorithmThe value may be locally defined, or one of the following:
- SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
- SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
- SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
- SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
- SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
- SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
- SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
- SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.
Used by the assessment plan and POA&M to import information about the system.
Properties (2)
>A resolvable URL reference to the system security plan for the system being assessed.
Remarks
The value of the
hrefcan be an internet resource, or a local reference using a fragment e.g. #fragment that points to aback-matterresourcein the same document.If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified
resourcein the document'sback-matteror another object that is within the scope of the containing OSCAL document.If an internet resource is used, the
hrefvalue will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.Additional commentary on the containing object.
A single managed inventory item within the system.
This object appears as a member of an array property defined for local-definitions.
Properties (7)
A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.
A summary of the inventory item stating its purpose within the system.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.responsible-parties
array [optional] array of objectsA reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
implemented-components
array [optional] array of objects(array member) object [1 to ∞] Implemented ComponentThe set of components that are implemented in a given system inventory item.
Properties (5):
component-uuid,prop,link,responsible-party,remarksA reference to a component that is implemented as part of an inventory item.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.responsible-parties
array [optional] array of objectsA reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Remarks (local)
This construct is used to either: 1) associate a party or parties to a role defined on the component using the
responsible-roleconstruct, or 2) to define a party or parties that are responsible for a role defined within the context of the containinginventory-item.Additional commentary on the containing object.
Additional commentary on the containing object.
The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
A string conforming to the lexical and value-space requirements defined for dateTime-with-timezone.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.
A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.
A reference to a local or remote resource
This object appears as a member of an array property defined for part, metadata, revision, location, party, role, responsible-party, responsible-role, system-component, system-user, inventory-item, implemented-component, local-objective, activity, step, task, associated-activity, reviewed-controls, control-selection, control-objective-selection, assessment-subject-placeholder, assessment-subject, select-subject-by-id, assessment-platform, uses-component, and part.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Properties (4)
A resolvable URL reference to a resource.
Remarks
The value of the
hrefcan be an internet resource, or a local reference using a fragment e.g. #fragment that points to aback-matterresourcein the same document.If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified
resourcein the document'sback-matteror another object that is within the scope of the containing OSCAL document.If an internet resource is used, the
hrefvalue will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
allowed values for
metadata/link/@relThe value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file.
- alternate: The link identifies an alternative location or format for this file.
- latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
allowed value for
revision/link/@relThe value may be locally defined, or the following:
- source: Indicates that the href points to the source resource for the revision entry.
allowed value for
link/@relThe value may be locally defined, or the following:
- reference: Reference
allowed values for
system-component/link/@relThe value may be locally defined, or one of the following:
- depends-on: A reference to another component that this component has a dependency on.
- validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
- proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
- baseline-template: A reference to the baseline template used to configure the asset.
- uses-service: This service is used by the referenced component identifier.
- system-security-plan: A link to the system security plan of the external system.
- uses-network: This component uses the network provided by the identified network component.
allowed value for
inventory-item/link/@relThe value may be locally defined, or the following:
- baseline-template: A reference to the baseline template used to configure the asset.
Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks (local)
The
media-typeprovides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.A textual label to associate with the link, which may be used for presentation in a tool.
A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.
This object appears as a member of an array property defined for local-definitions.
Properties (6)
A reference to a control identifier.
Remarks (local)
The specified
control-idmust be a valid value within the baseline identified by the target system's SSP via theimport-profilestatement.A human-readable description of this control objective.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.parts
array [required] array of objectsA partition of a control's definition or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Additional commentary on the containing object.
A location, with associated metadata that can be referenced.
This object appears as a member of an array property defined for metadata.
Properties (9)
A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.
A name given to the location, which may be used by a tool for display and navigation.
A postal address for the location.
Remarks (local)
Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.
email-addresses
array [optional] array of stringsAn email address as defined by RFC 5322 Section 3.4.1.
Remarks (local)
This is a contact email associated with the location.
telephone-numbers
array [optional] array of objects(array member) object [0 to ∞] Telephone NumberContact number by telephone.
Remarks (local)
A phone number used to contact the location.
urls
array [optional] array of stringsThe uniform resource locator (URL) for a web site or Internet presence associated with the location.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
References a location defined in metadata.
A string conforming to the lexical and value-space requirements defined for uuid.
This object appears as a member of an array property defined for party.
Provides information about the publication and availability of the containing document.
Properties (14)
A name given to the document, which may be used by a tool for display and navigation.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
publishedvalue should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.A publisher of OSCAL content can use this data point along with its siblings
last-modifiedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
last-modifiedvalue should indicate the modification time of the OSCAL document, not the source material.A publisher of OSCAL content can use this data point along with its siblings
publishedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks (general)
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings
publishedandlast-modifiedto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The OSCAL model version the document was authored against.
Remarks (general)
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.revisions
array [optional] array of objectsAn entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
Remarks (general)
While
published,last-modified,oscal-version, andversionare not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided:published,last-modified,version, or alinkwith arelofsource
.document-ids
array [optional] array of objects(array member) object [0 to ∞] Document IdentifierA document identifier qualified by an identifier
scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.Remarks (general)
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.roles
array [optional] array of objectsDefines a function assumed or expected to be assumed by a party in a specific situation.
Remarks (general)
Permissible values to be determined closer to the application (e.g. by a receiving authority).
locations
array [optional] array of objectsA location, with associated metadata that can be referenced.
parties
array [optional] array of objectsA responsible entity which is either a person or an organization.
responsible-parties
array [optional] array of objectsA reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Additional commentary on the containing object.
The OSCAL model version the document was authored against.
A string conforming to the lexical and value-space requirements defined for string.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.
A partition of a control's definition or a child of another part.
This object appears as a member of an array property defined for part and local-objective.
A property of this name is also defined for .
Remarks
A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.
A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.
Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Properties (9)
A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.
A textual label that uniquely identifies the part's semantic type.
allowed values for
part/@nameThe value may be locally defined, or one of the following:
- overview: An introduction to a control or a group of controls.
- statement: A set of control implementation requirements.
- item: An individual item within a control statement.
- guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
- objective: Describes a set of assessment objectives.
- assessment: Describes a method-based assessment over a set of assessment objects.
- objects: Provides a list of assessment objects.
allowed values for
part/@nameThe value may be locally defined, or one of the following:
- asset: An assessment asset.
- method: An assessment method.
- objective: Describes a set of control objectives.
allowed values for
assessment-plan/terms-and-conditions/part/@nameThe value must be one of the following:
- rules-of-engagement: Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment.
- disclosures: Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure.
- assessment-inclusions: Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment.
- assessment-exclusions: Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment.
- results-delivery: Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom.
- assumptions: Defines any supposition made by the assessor. Has child 'item' parts for each assumption.
- methodology: An explanation of practices, procedures, and rules used in the course of the assessment.
A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the
name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a
nsis not provided, its value should be assumed to behttp://csrc.nist.gov/ns/oscaland the name should be a name defined by the associated OSCAL model.A textual label that provides a sub-type or characterization of the part's
name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the samenameandns.Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.A
classcan also be used in an OSCAL profile as a means to target an alteration to control content.A name given to the part, which may be used by a tool for display and navigation.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Permits multiple paragraphs, lists, tables etc.
parts
array [optional] array of objectsA partition of a control's definition or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.
allowed values for local-objective/part
The value must be one of the following:
- objective
- assessment
A partition of an assessment plan or results or a child of another part.
This object appears as a member of an array property defined for part and terms-and-conditions.
A property of this name is also defined for .
Remarks
A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.
A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.
Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Properties (9)
A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.
A textual label that uniquely identifies the part's semantic type.
allowed values for
part/@nameThe value may be locally defined, or one of the following:
- overview: An introduction to a control or a group of controls.
- statement: A set of control implementation requirements.
- item: An individual item within a control statement.
- guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
- objective: Describes a set of assessment objectives.
- assessment: Describes a method-based assessment over a set of assessment objects.
- objects: Provides a list of assessment objects.
allowed values for
part/@nameThe value may be locally defined, or one of the following:
- asset: An assessment asset.
- method: An assessment method.
- objective: Describes a set of control objectives.
allowed values for
assessment-plan/terms-and-conditions/part/@nameThe value must be one of the following:
- rules-of-engagement: Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment.
- disclosures: Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure.
- assessment-inclusions: Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment.
- assessment-exclusions: Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment.
- results-delivery: Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom.
- assumptions: Defines any supposition made by the assessor. Has child 'item' parts for each assumption.
- methodology: An explanation of practices, procedures, and rules used in the course of the assessment.
A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the
name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a
nsis not provided, its value should be assumed to behttp://csrc.nist.gov/ns/oscaland the name should be a name defined by the associated OSCAL model.A textual label that provides a sub-type or characterization of the part's
name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the samenameandns.Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.A
classcan also be used in an OSCAL profile as a means to target an alteration to control content.A name given to the part, which may be used by a tool for display and navigation.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Permits multiple paragraphs, lists, tables etc.
parts
array [optional] array of objectsA partition of an assessment plan or results or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.
allowed values for local-objective/part
The value must be one of the following:
- objective
- assessment
A responsible entity which is either a person or an organization.
This object appears as a member of an array property defined for metadata.
Properties (13)
A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document.
A category describing the kind of party the object describes.
allowed values for
party/@typeThe value must be one of the following:
- person: An individual.
- organization: A group of individuals formed for a specific purpose.
The full name of the party. This is typically the legal name associated with the party.
A short common name, abbreviation, or acronym for the party.
external-ids
array [optional] array of objects(array member) object [1 to ∞] Party External IdentifierAn identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)
Property (1):
schemeIndicates the type of external identifier.
allowed value for
party/external-id/@schemeThe value may be locally defined, or the following:
- https://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.email-addresses
array [optional] array of stringsAn email address as defined by RFC 5322 Section 3.4.1.
Remarks (local)
This is a contact email associated with the party.
telephone-numbers
array [optional] array of objects(array member) object [0 to ∞] Telephone NumberContact number by telephone.
Remarks (local)
A phone number used to contact the party.
addresses
array [optional] array of objectsA postal address for the location.
location-uuids
array [optional] array of stringsReferences a
locationdefined inmetadata.member-of-organizations
array [optional] array of stringsIdentifies that the party object is a member of the organization associated with the provided UUID.
Remarks
Parties of both the
personororganizationtype can be associated with an organization using themember-of-organization.Additional commentary on the containing object.
References a party defined in metadata.
A string conforming to the lexical and value-space requirements defined for uuid.
This object appears as a member of an array property defined for responsible-party and responsible-role.
Where applicable this is the IPv4 port range on which the service operates.
This object appears as a member of an array property defined for protocol.
Remarks
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
Properties (3)
Indicates the starting port number in a port range
Remarks
Should be a number within a permitted range
Indicates the ending port number in a port range
Remarks
Should be a number within a permitted range
Indicates the transport type.
allowed values for
port-range/@transportThe value must be one of the following:
- TCP: Transmission Control Protocol
- UDP: User Datagram Protocol
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
This object appears as a member of an array property defined for part, metadata, revision, location, party, role, resource, citation, responsible-party, responsible-role, system-component, system-user, inventory-item, implemented-component, local-objective, activity, step, task, associated-activity, reviewed-controls, control-selection, control-objective-selection, assessment-subject-placeholder, assessment-subject, select-subject-by-id, assessment-platform, uses-component, and part.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Properties (6)
A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
allowed values for
part/prop/@nameThe value may be locally defined, or one of the following:
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
allowed value for
part[@name='assessment']/prop/@nameThe value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
allowed value for
location/prop/@nameThe value may be locally defined, or the following:
- type: Characterizes the kind of location.
allowed values for
party/prop/@nameThe value must be one of the following:
- mail-stop: A mail stop associated with the party.
- office: The name or number of the party's office.
- job-title: The formal job title of a person.
allowed values for
back-matter/resource/prop/@nameThe value must be one of the following:
- type: Identifies the type of resource represented.
- version: For resources representing a published document, this represents the version number of that document.
- published: For resources representing a published document, this represents the publication date of that document.
allowed value for
prop/@nameThe value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
allowed values for
system-component/prop/@nameThe value may be locally defined, or one of the following:
- implementation-point: Relative placement of component ('internal' or 'external') to the system.
- leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
- inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
allowed values for
system-user/prop/@nameThe value may be locally defined, or one of the following:
- type: The type of user, such as internal, external, or general-public.
- privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.
allowed values for
inventory-item/implemented-component/prop/@nameThe value may be locally defined, or one of the following:
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
allowed values for
inventory-item/prop/@nameThe value may be locally defined, or one of the following:
- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- uri: A Uniform Resource Identifier (URI) for the asset.
- serial-number: A serial number for the asset.
- netbios-name: The NetBIOS name for the asset.
- mac-address: The media access control (MAC) address for the asset.
- physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
- is-scanned: is the asset subjected to network scans? (yes/no)
- hardware-model: The model number of the hardware used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
allowed value for
activity/prop/@nameThe value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
allowed value for
part[@name='assessment']/prop/@nameThe value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.
A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the
name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a
nsis not provided, its value should be assumed to behttp://csrc.nist.gov/ns/oscaland the name should be a name defined by the associated OSCAL model.Indicates the value of the attribute, characteristic, or quality.
allowed values for
part[@name='assessment']/prop[@name='method']/@valueThe value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
allowed value for
location/prop[@name='type']/@valueThe value may be locally defined, or the following:
- data-center: A location that contains computing assets. A
classcan be used to indicate a subclass of data-center.
allowed values for
back-matter/resource/prop[@name='type']/@valueThe value may be locally defined, or one of the following:
- logo: Indicates the resource is an organization's logo.
- image: Indicates the resource represents an image.
- screen-shot: Indicates the resource represents an image of screen content.
- law: Indicates the resource represents an applicable law.
- regulation: Indicates the resource represents an applicable regulation.
- standard: Indicates the resource represents an applicable standard.
- external-guidance: Indicates the resource represents applicable guidance.
- acronyms: Indicates the resource provides a list of relevant acronyms.
- citation: Indicates the resource cites relevant information.
- policy: Indicates the resource is a policy.
- procedure: Indicates the resource is a procedure.
- system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
- users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
- administrators-guide: Indicates the resource is guidance document a administrator's guide.
- rules-of-behavior: Indicates the resource represents rules of behavior content.
- plan: Indicates the resource represents a plan.
- artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
- evidence: Indicates the resource represents evidence, such as to support an assessment findiing.
- tool-output: Indicates the resource represents output from a tool.
- raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
- interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
- questionnaire: Indicates the resource is a set of questions, possibly with responses.
- report: Indicates the resource is a report.
- agreement: Indicates the resource is a formal agreement between two or more parties.
allowed values for
system-component/prop[@name='asset-type']/@valueThe value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed values for
system-component/prop[@name='allows-authenticated-scan']/@valueThe value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
allowed values for
system-component/prop[@name='public']/@valueThe value must be one of the following:
- yes: The component is publicly accessible.
- no: The component is not publicly accessible.
allowed values for
system-component/prop[@name='virtual']/@valueThe value must be one of the following:
- yes: The component is virtualized.
- no: The component is not virtualized.
allowed values for
system-component/prop[@name='implementation-point']/@valueThe value must be one of the following:
- inteneral: The component is implemented within the system boundary.
- external: The component is implemented outside the system boundary.
allowed values for
system-user/prop[@name='type']/@valueThe value must be one of the following:
- internal: A user account for a person or entity that is part of the organization who owns or operates the system.
- external: A user account for a person or entity that is not part of the organization who owns or operates the system.
- general-public: A user of the system considered to be outside
allowed values for
system-user/prop[@name='privilege-level']/@valueThe value must be one of the following:
- privileged: This role has elevated access to the system, such as a group or system administrator.
- non-privileged: This role has typical user-level access to the system without elevated access.
- no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.
allowed values for
inventory-item/prop[@name='asset-type']/@valueThe value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed values for
inventory-item/prop[@name='is-scanned']/@valueThe value must be one of the following:
- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
allowed values for
activity/prop[@name='method']/@valueThe value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
allowed values for
part[@name='assessment']/prop[@name='method']/@valueThe value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
A textual label that provides a sub-type or characterization of the property's
name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the samenameandns.Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.allowed values for
location/prop[@name='type' and @value='data-center']/@classThe value may be locally defined, or one of the following:
- primary: The location is a data-center used for normal operations.
- alternate: The location is a data-center used for fail-over or backup operations.
Additional commentary on the containing object.
Information about the protocol used to provide a service.
This object appears as a member of an array property defined for system-component.
Properties (4)
A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.
The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.
Remarks
The short name of the protocol (e.g., https).
A human readable name for the protocol (e.g., Transport Layer Security).
port-ranges
array [optional] array of objectsWhere applicable this is the IPv4 port range on which the service operates.
Remarks (general)
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
A string conforming to the lexical and value-space requirements defined for dateTime-with-timezone.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.
Additional commentary on the containing object.
A string conforming to the lexical and value-space requirements defined for markup-multiline.
As such, this value permits expression of marked up text in Markdown format, according to
the rules described for the (text-based) datatype. This datatype permits the expression of
block-level constructs including paragraphs, lists and simple tables,
potentially including simple formatting such as bold or typographic emphasis. This
representation is designed for the relatively unconstrained capture of simple free
text
, i.e. without formatting or decoration
that might serve as ad-hoc and
uncontrolled semantic encoding not subject to detection, regularization or validation.
This data construct is designed to be minimalistic for purposes of ease of development and interchange. It will not fit all operational scenarios; when markup-multiline is not adequate for purposes of necessary (informational) fidelity to information encoded in source formats (and subsequently converted into OSCAL), alternative strategies are available for such data capture. Users and stakeholders who expose requirements in this area are encouraged to provide feedback and request guidance.
A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
This object appears, with any others of its type, grouped as a property of metadata, inventory-item, implemented-component, and uses-component.
Properties (5)
The role that the party is responsible for.
allowed values for
metadata/responsible-party/@role-idThe value may be locally defined, or one of the following:
- prepared-by: Indicates the organization that created this content.
- prepared-for: Indicates the organization for which this content was created.
- content-approver: Indicates the organization responsible for all content represented in the "document".
allowed values for
inventory-item/implemented-component/responsible-party/@role-idThe value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
allowed values for
inventory-item/responsible-party/@role-idThe value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
party-uuids
array [required] array of stringsReferences a
partydefined inmetadata.Remarks (local)
Specifies one or more parties that are responsible for performing the associated
role.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
A reference to one or more roles with responsibility for performing a function relative to the containing object.
This object appears, with any others of its type, grouped as a property of system-component, activity, step, task, and associated-activity.
Properties (5)
The role that is responsible for the business function.
allowed values for
system-component/responsible-role/@role-idThe value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.party-uuids
array [optional] array of stringsReferences a
partydefined inmetadata.Additional commentary on the containing object.
Identifies the controls being assessed and their control objectives.
Remarks
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
Properties (6)
A human-readable description of control objectives.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.control-selections
array [required] array of objects(array member) object [1 to ∞] Assessed ControlsIdentifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.
Remarks
The
include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by theinclude-profilestatement within the linked SSP.Any control specified within
exclude-controlsmust first be within a range of explicitly included controls, viainclude-controlsorinclude-all.Properties (7):
description,prop,link,include-all,include-control,exclude-control,remarksA human-readable description of in-scope controls specified for assessment.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.include-all
object [1] AllA key word to indicate all.
include-controls
array [required] array of objectsUsed to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.
Remarks (local)
Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.
exclude-controls
array [optional] array of objectsUsed to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.
Remarks (local)
Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.
Additional commentary on the containing object.
control-objective-selections
array [optional] array of objects(array member) object [1 to ∞] Referened Control ObjectivesIdentifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.
Remarks
The
include-allfield, specifies all control objectives for any in-scope control. In-scope controls are defined in thecontrol-selection.Any control objective specified within
exclude-controlsmust first be within a range of explicitly included control objectives, viainclude-objectivesorinclude-all.Properties (7):
description,prop,link,include-all,include-objective,exclude-objective,remarksA human-readable description of this collection of control objectives.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.include-all
object [1] AllA key word to indicate all.
include-objectives
array [required] array of objectsUsed to select a control objective for inclusion/exclusion based on the control objective's identifier.
Remarks (local)
Used to select a control objective for inclusion by the control objective's identifier.
exclude-objectives
array [optional] array of objectsUsed to select a control objective for inclusion/exclusion based on the control objective's identifier.
Remarks (local)
Used to select a control objective for exclusion by the control objective's identifier.
Additional commentary on the containing object.
Additional commentary on the containing object.
An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
This object appears as a member of an array property defined for metadata.
Remarks
While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided: published, last-modified, version, or a link with a rel of source
.
Properties (8)
A name given to the document revision, which may be used by a tool for display and navigation.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
publishedvalue should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.A publisher of OSCAL content can use this data point along with its siblings
last-modifiedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
last-modifiedvalue should indicate the modification time of the OSCAL document, not the source material.A publisher of OSCAL content can use this data point along with its siblings
publishedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks (general)
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings
publishedandlast-modifiedto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The OSCAL model version the document was authored against.
Remarks (general)
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
Defines a function assumed or expected to be assumed by a party in a specific situation.
This object appears as a member of an array property defined for metadata.
Remarks
Permissible values to be determined closer to the application (e.g. by a receiving authority).
Properties (7)
A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.
Remarks
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
A name given to the role, which may be used by a tool for display and navigation.
A short common name, abbreviation, or acronym for the role.
A summary of the role's purpose and associated responsibilities.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
A reference to the roles served by the user.
A string conforming to the lexical and value-space requirements defined for NCName.
This object appears as a member of an array property defined for system-user.
Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.
This object appears as a member of an array property defined for control-selection.
Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
This object appears as a member of an array property defined for control-objective-selection.
Property (1)
Points to an assessment objective.
Identifies a set of assessment subjects to include/exclude by UUID.
This object appears as a member of an array property defined for assessment-subject.
Properties (4)
A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
A defined component that can be part of an implemented system.
This object appears, with any others of its type, grouped as a property of assessment-assets and local-definitions.
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type indicates which of these component types is represented.
When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.
Properties (11)
The unique identifier for the component.
A category describing the purpose of the component.
A human readable name for the system component.
A description of the component, including information about its function.
A summary of the technological or business purpose of the component.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.status
object [1] StatusDescribes the operational status of the system component.
Properties (2):
state,remarksThe operational status.
allowed values for
system-component/status/@stateThe value must be one of the following:
- under-development: The component is being designed, developed, or implemented.
- operational: The component is currently operational and is available for use in the system.
- disposition: The component is no longer operational.
- other: Some other state.
Additional commentary on the containing object.
responsible-roles
array [optional] array of objectsA reference to one or more roles with responsibility for performing a function relative to the containing object.
protocols
array [optional] array of objectsInformation about the protocol used to provide a service.
Remarks (local)
Used for
servicecomponents to define the protocols supported by the service.Additional commentary on the containing object.
A type of user that interacts with the system based on an associated role.
This object appears, with any others of its type, grouped as a property of local-definitions.
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
Properties (9)
The unique identifier for the user class.
A name given to the user, which may be used by a tool for display and navigation.
A short common name, abbreviation, or acronym for the user.
A summary of the user's purpose within the system.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.role-ids
array [optional] array of stringsA reference to the roles served by the user.
authorized-privileges
array [optional] array of objectsIdentifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
Additional commentary on the containing object.
Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
This object appears as a member of an array property defined for task and assessment-plan.
Properties (13)
Uniquely identifies this assessment task.
The type of task.
allowed values for
task/@typeThe value may be locally defined, or one of the following:
- milestone: The task represents a planned milestone.
- action: The task represents a specific assessment action to be performed.
The title for this task.
A human-readable description of this task.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.timing
object [0 or 1] Event TimingThe timing under which the task is intended to occur.
Properties (3):
on-date,within-date-range,at-frequencyon-date
object [1] On Date ConditionThe task is intended to occur on the specified date.
Property (1):
dateThe task must occur on the specified date.
within-date-range
object [1] On Date Range ConditionThe task is intended to occur within the specified date range.
Properties (2):
start,endThe task must occur on or after the specified date.
The task must occur on or before the specified date.
at-frequency
object [1] Frequency ConditionThe task is intended to occur at the specified frequency.
Properties (2):
period,unitThe task must occur after the specified period has elapsed.
The unit of time for the period.
allowed values for
task/timing/at-frequency/@unitThe value must be one of the following:
- seconds: The period is specified in seconds.
- minutes: The period is specified in minutes.
- hours: The period is specified in hours.
- days: The period is specified in days.
- months: The period is specified in calendar months.
- years: The period is specified in calendar years.
dependencies
array [optional] array of objects(array member) object [1 to ∞] Task DependencyUsed to indicate that a task is dependent on another task.
Properties (2):
task-uuid,remarksReferences a unique task by UUID.
Additional commentary on the containing object.
tasks
array [optional] array of objectsRepresents a scheduled event or milestone, which may be associated with a series of assessment actions.
associated-activities
array [optional] array of objects(array member) object [1 to ∞] Associated ActivityIdentifies an individual activity to be performed as part of a task.
Properties (7):
activity-uuid,prop,link,responsible-role,subject,subject-placeholder,remarksReferences an activity defined in the list of activities.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.responsible-roles
array [optional] array of objectsA reference to one or more roles with responsibility for performing a function relative to the containing object.
Remarks (local)
Identifies the person or organization responsible for performing a specific role defined by the activity.
subjects
array [required] array of objectsIdentifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
Remarks (general)
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.
Additional commentary on the containing object.
subjects
array [optional] array of objectsIdentifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
Remarks (local)
The assessment subjects that the activity was performed against.
Remarks (general)
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
responsible-roles
array [optional] array of objectsA reference to one or more roles with responsibility for performing a function relative to the containing object.
Remarks (local)
Identifies the person or organization responsible for performing a specific role related to the task.
Additional commentary on the containing object.
Contact number by telephone.
This object appears as a member of an array property defined for location and party.
Properties
This property provides the (nominal) value for this object as a whole.
Indicates the type of phone number.
allowed values for
telephone-number/@typeThe value may be locally defined, or one of the following:
- home: A home phone number.
- office: An office phone number.
- mobile: A mobile phone number.
A string used to distinguish the current version of the document from other previous (and future) versions.
A string conforming to the lexical and value-space requirements defined for string.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.