OSCAL Control Catalog Model JSON Format Reference
OSCAL model OSCAL Control Catalog Model
Version 1.0.0-rc2
JSON Schema oscal_catalog_schema.json
XML to JSON converter oscal_catalog_xml-to-json-converter.xsl (How do I use the converter to convert OSCAL XML to JSON?)
The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements, along with contextualizing documentation and metadata. The root of the Control Catalog format is catalog.
A single line of an address.
A string conforming to the lexical and value-space requirements defined for string.
This object appears as a member of an array property defined for address.
A postal address for the location.
This object appears as a member of an array property defined for party.
Properties (6)
Indicates the type of address.
addr-lines
array [optional] array of stringsA single line of an address.
City, town or geographical region for the mailing address.
State, province or analogous geographical region for mailing address
Postal or ZIP code for mailing address
The ISO 3166-1 alpha-2 country code for the mailing address.
A collection of resources, which may be included directly or by reference.
Remarks
Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.
Property (1)
resources
array [optional] array of objects(array member) object [1 to ∞] ResourceA resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.
Remarks
A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a
rlink, or 2) it may be included as an attachment using abase64. A resource may contain multiplerlinkandbase64entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for amedia-typeto be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiplerlinkandbase64items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item'smedia-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.When a resource includes a citation, then the
titleandcitationproperties must both be included.Properties (9):
uuid,title,description,prop,document-id,citation,rlink,base64,remarksA globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.
A name given to the resource, which may be used by a tool for display and navigation.
A short summary of the resource used to indicate the purpose of the resource.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
document-ids
array [optional] array of objects(array member) object [0 to ∞] Document IdentifierA document identifier qualified by an identifier
scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.Remarks (general)
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
citation
object [0 or 1] CitationA citation consisting of end note text and optional structured bibliographic data.
Remarks
The
textis used to define the endnote text, without any required bibliographic structure. If structured bibliographic data is needed, then thebibliocan be used for this purpose.A
bibliocan be used to capture a structured bibliographical citation in an appropriate format.Properties (3):
text,prop,biblioA line of citation text.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
biblio
object [0 or 1] Bibliographic DefinitionA container for structured bibliographic information. The model of this information is undefined by OSCAL.
rlinks
array [optional] array of objects(array member) object [1 to ∞] Resource linkA pointer to an external resource with an optional hash for verification and change detection.
Remarks
This construct is different from
link, which makes no provision for a hash or formal title.Multiple
rlinkcan be included for a resource. In such a case, all providedrlinkitems are intended to be equivalent in content, but may differ in structure. Amedia-typeis used to identify the format of a given rlink, and can be used to differentiate a items in a collection of rlinks. Themedia-typealso provides a hint to the OSCAL document consumer about the structure of the resource referenced by therlink.Properties (3):
href,media-type,hashA resolvable URI reference to a resource.
Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
hashes
array [optional] array of objects(array member) object [0 to ∞] HashA representation of a cryptographic digest generated over a resource using a specified hash algorithm.
Remarks (local)
When appearing as part of a
resource/rlink, the hash applies to the resource referenced by thehref.Remarks (general)
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
base64
object [0 or 1] Base64The Base64 alphabet in RFC 2045 - aligned with XSD.
Properties (2):
filename,media-typeName of the file before it was encoded as Base64 to be embedded in a
resource. This is the name that will be assigned to the file when the file is decoded.Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Additional commentary on the containing object.
A collection of controls.
catalog is a root (containing) object for this
schema.
Remarks
Catalogs may use one or more group objects to subdivide the control contents of a catalog.
An OSCAL catalog model provides a structured representation of control information.
Properties (6)
A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised.
Provides information about the publication and availability of the containing document.
params
array [optional] array of objectsParameters provide a mechanism for the dynamic assignment of value(s) in a control.
Remarks (general)
In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The
valuemay be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.A parameter can include a variety of metadata options that support the future solicitation of one or more values. A
labelprovides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. Thedescprovides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. Aconstraintcan be used to provide criteria for the allowed values. Aguidelineprovides a recommendation for the use of a parameter.controls
array [optional] array of objectsA structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
Remarks (general)
Controls may be grouped using
group, and controls may be partitioned usingpartor further enhanced (extended) usingcontrol.A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
groups
array [optional] array of objectsA group of controls, or of groups of controls.
Remarks (general)
Catalogs can use a
groupto collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.A
groupmay have its own properties, statements, parameters, and references, which are inherited by all members of that group.A collection of resources, which may be included directly or by reference.
Remarks (local)
Back matter including references and resources.
Remarks (general)
Provides a collection of identified
resourceobjects that can be referenced by alinkwith arelvalue of "reference" and anhrefvalue that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.
A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
This object appears as a member of an array property defined for catalog, group, and control.
Remarks
Controls may be grouped using group, and controls may be partitioned using part or further enhanced (extended) using control.
A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
Properties (8)
A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document.
A textual label that provides a sub-type or characterization of the control.
Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.A
classcan also be used in an OSCAL profile as a means to target an alteration to control content.A name given to the control, which may be used by a tool for display and navigation.
params
array [optional] array of objectsParameters provide a mechanism for the dynamic assignment of value(s) in a control.
Remarks (general)
In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The
valuemay be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.A parameter can include a variety of metadata options that support the future solicitation of one or more values. A
labelprovides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. Thedescprovides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. Aconstraintcan be used to provide criteria for the allowed values. Aguidelineprovides a recommendation for the use of a parameter.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.parts
array [optional] array of objectsA partition of a control's definition or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
controls
array [optional] array of objectsA structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
Remarks (general)
Controls may be grouped using
group, and controls may be partitioned usingpartor further enhanced (extended) usingcontrol.A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.
This object appears as a member of an array property defined for metadata and resource.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
Properties
This property provides the (nominal) value for this object as a whole.
Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.
allowed value for
document-id/@schemeThe value may be locally defined, or the following:
- https://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.
An email address as defined by RFC 5322 Section 3.4.1.
A string conforming to the lexical and value-space requirements defined for email.
This object appears as a member of an array property defined for location and party.
A group of controls, or of groups of controls.
This object appears as a member of an array property defined for catalog and group.
Remarks
Catalogs can use a group to collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.
A group may have its own properties, statements, parameters, and references, which are inherited by all members of that group.
Properties (9)
A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.
A textual label that provides a sub-type or characterization of the group.
Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.A
classcan also be used in an OSCAL profile as a means to target an alteration to control content.A name given to the group, which may be used by a tool for display and navigation.
params
array [optional] array of objectsParameters provide a mechanism for the dynamic assignment of value(s) in a control.
Remarks (general)
In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The
valuemay be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.A parameter can include a variety of metadata options that support the future solicitation of one or more values. A
labelprovides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. Thedescprovides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. Aconstraintcan be used to provide criteria for the allowed values. Aguidelineprovides a recommendation for the use of a parameter.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.parts
array [optional] array of objectsA partition of a control's definition or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
groups
array [optional] array of objectsA group of controls, or of groups of controls.
Remarks (general)
Catalogs can use a
groupto collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.A
groupmay have its own properties, statements, parameters, and references, which are inherited by all members of that group.controls
array [optional] array of objectsA structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
Remarks (general)
Controls may be grouped using
group, and controls may be partitioned usingpartor further enhanced (extended) usingcontrol.A control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text.
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
This object appears as a member of an array property defined for rlink.
Remarks
A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.
Properties
This property provides the (nominal) value for this object as a whole.
Method by which a hash is derived
Remarks
Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.
allowed values for
hash/@algorithmThe value may be locally defined, or one of the following:
- SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
- SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
- SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
- SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
- SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
- SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
- SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
- SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.
The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
A string conforming to the lexical and value-space requirements defined for dateTime-with-timezone.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.
A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.
A reference to a local or remote resource
This object appears as a member of an array property defined for part, param, metadata, revision, location, party, role, responsible-party, group, and control.
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Properties (4)
A resolvable URL reference to a resource.
Remarks
The value of the
hrefcan be an internet resource, or a local reference using a fragment e.g. #fragment that points to aback-matterresourcein the same document.If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified
resourcein the document'sback-matteror another object that is within the scope of the containing OSCAL document.If an internet resource is used, the
hrefvalue will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
allowed values for
metadata/link/@relThe value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file.
- alternate: The link identifies an alternative location or format for this file.
- latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. RFC 5829.
allowed value for
revision/link/@relThe value may be locally defined, or the following:
- source: Indicates that the href points to the source resource for the revision entry.
allowed value for
link/@relThe value may be locally defined, or the following:
- reference: Reference
allowed values for
control/link/@relThe value may be locally defined, or one of the following:
- reference: The link cites an external resource related to this control.
- related: The link identifies another control with bearing to this control.
- required: The link identifies another control that must be present if this control is present.
- incorporated-into: The link identifies other control content where this control content is now addressed.
Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks (local)
The
media-typeprovides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.A textual label to associate with the link, which may be used for presentation in a tool.
A location, with associated metadata that can be referenced.
This object appears as a member of an array property defined for metadata.
Properties (9)
A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.
A name given to the location, which may be used by a tool for display and navigation.
A postal address for the location.
Remarks (local)
Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.
email-addresses
array [optional] array of stringsAn email address as defined by RFC 5322 Section 3.4.1.
Remarks (local)
This is a contact email associated with the location.
telephone-numbers
array [optional] array of objects(array member) object [0 to ∞] Telephone NumberContact number by telephone.
Remarks (local)
A phone number used to contact the location.
urls
array [optional] array of stringsThe uniform resource locator (URL) for a web site or Internet presence associated with the location.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
References a location defined in metadata.
A string conforming to the lexical and value-space requirements defined for uuid.
This object appears as a member of an array property defined for party.
Provides information about the publication and availability of the containing document.
Properties (14)
A name given to the document, which may be used by a tool for display and navigation.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
publishedvalue should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.A publisher of OSCAL content can use this data point along with its siblings
last-modifiedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
last-modifiedvalue should indicate the modification time of the OSCAL document, not the source material.A publisher of OSCAL content can use this data point along with its siblings
publishedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks (general)
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings
publishedandlast-modifiedto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The OSCAL model version the document was authored against.
Remarks (general)
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.revisions
array [optional] array of objectsAn entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
Remarks (general)
While
published,last-modified,oscal-version, andversionare not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided:published,last-modified,version, or alinkwith arelofsource
.document-ids
array [optional] array of objects(array member) object [0 to ∞] Document IdentifierA document identifier qualified by an identifier
scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.Remarks (general)
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.roles
array [optional] array of objectsDefines a function assumed or expected to be assumed by a party in a specific situation.
Remarks (general)
Permissible values to be determined closer to the application (e.g. by a receiving authority).
locations
array [optional] array of objectsA location, with associated metadata that can be referenced.
parties
array [optional] array of objectsA responsible entity which is either a person or an organization.
responsible-parties
array [optional] array of objectsA reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Additional commentary on the containing object.
The OSCAL model version the document was authored against.
A string conforming to the lexical and value-space requirements defined for string.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.
Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
This object appears as a member of an array property defined for catalog, group, and control.
Remarks
In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.
Properties (12)
A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document.
A textual label that provides a characterization of the parameter.
Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.Another parameter invoking this one
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.A short, placeholder name for the parameter, which can be used as a substitute for a
valueif no value is assigned.Remarks
The label value should be suitable for inline display in a rendered catalog.
Describes the purpose and use of a parameter
constraints
array [optional] array of objectsA formal or informal expression of a constraint or test
guidelines
array [optional] array of objectsA prose statement that provides a recommendation for the use of a parameter.
values
array [optional] array of stringsA parameter value or set of values.
Remarks (local)
A set of values provided in a catalog can be redefined at any higher layer of OSCAL (e.g., Profile).
Presenting a choice among alternatives
Remarks (local)
A set of parameter value choices, that may be picked from to set the parameter value.
Remarks (general)
A set of parameter value choices, that may be picked from to set the parameter value.
Additional commentary on the containing object.
A formal or informal expression of a constraint or test
This object appears as a member of an array property defined for param.
Properties (2)
A textual summary of the constraint to be applied.
tests
array [optional] array of objects(array member) object [1 to ∞] Constraint TestA test expression which is expected to be evaluated by a tool.
Properties (2):
expression,remarksA formal (executable) expression of a constraint
Additional commentary on the containing object.
A prose statement that provides a recommendation for the use of a parameter.
This object appears as a member of an array property defined for param.
Property (1)
Prose permits multiple paragraphs, lists, tables etc.
Presenting a choice among alternatives
Remarks
A set of parameter value choices, that may be picked from to set the parameter value.
Properties (2)
Describes the number of selections that must occur.
choice
array [optional] array of stringsA value selection among several such options
A parameter value or set of values.
A string conforming to the lexical and value-space requirements defined for string.
This object appears as a member of an array property defined for param.
A partition of a control's definition or a child of another part.
This object appears as a member of an array property defined for part, group, and control.
Remarks
A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.
A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.
Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns "https://fedramp.gov", while DoD will use the ns "https://defense.gov" for any organization specific name.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Properties (9)
A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.
A textual label that uniquely identifies the part's semantic type.
allowed values for
part/@nameThe value may be locally defined, or one of the following:
- overview: An introduction to a control or a group of controls.
- statement: A set of control implementation requirements.
- item: An individual item within a control statement.
- guidance: Additional information to consider when selecting, implementing, assessing, and monitoring a control.
- objective: Describes a set of assessment objectives.
- assessment: Describes a method-based assessment over a set of assessment objects.
- objects: Provides a list of assessment objects.
A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the
name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a
nsis not provided, its value should be assumed to behttp://csrc.nist.gov/ns/oscaland the name should be a name defined by the associated OSCAL model.A textual label that provides a sub-type or characterization of the part's
name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the samenameandns.Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.A
classcan also be used in an OSCAL profile as a means to target an alteration to control content.A name given to the part, which may be used by a tool for display and navigation.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Permits multiple paragraphs, lists, tables etc.
parts
array [optional] array of objectsA partition of a control's definition or a child of another part.
Remarks (general)
A
partprovides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). Apartcan have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). Apartcan containpropobjects that allow for enriching prose text with structured name/value information.A
partcan be assigned an optionalid, which allows for internal and external references to the textual concept contained within apart. Aidprovides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within acatalog. For example, anidcan be used to reference or to make modifications to a control statement in a profile.Use of
partandpropprovides for a wide degree of extensibility within the OSCAL catalog model. The optionalnsprovides a means to qualify a part'sname, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign ansvalue that represents the organization, making a given namespace qualifiednameunique to that organization. This allows the combination ofnsandnameto always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If nonsis provided, the name is expected to be in the "OSCAL" namespace.To ensure a
nsis unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use thens"https://fedramp.gov", while DoD will use thens"https://defense.gov" for any organization specificname.Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.
A responsible entity which is either a person or an organization.
This object appears as a member of an array property defined for metadata.
Properties (13)
A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document.
A category describing the kind of party the object describes.
allowed values for
party/@typeThe value must be one of the following:
- person: An individual.
- organization: A group of individuals formed for a specific purpose.
The full name of the party. This is typically the legal name associated with the party.
A short common name, abbreviation, or acronym for the party.
external-ids
array [optional] array of objects(array member) object [1 to ∞] Party External IdentifierAn identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)
Property (1):
schemeIndicates the type of external identifier.
allowed value for
party/external-id/@schemeThe value may be locally defined, or the following:
- https://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.email-addresses
array [optional] array of stringsAn email address as defined by RFC 5322 Section 3.4.1.
Remarks (local)
This is a contact email associated with the party.
telephone-numbers
array [optional] array of objects(array member) object [0 to ∞] Telephone NumberContact number by telephone.
Remarks (local)
A phone number used to contact the party.
addresses
array [optional] array of objectsA postal address for the location.
location-uuids
array [optional] array of stringsReferences a
locationdefined inmetadata.member-of-organizations
array [optional] array of stringsIdentifies that the party object is a member of the organization associated with the provided UUID.
Remarks
Parties of both the
personororganizationtype can be associated with an organization using themember-of-organization.Additional commentary on the containing object.
References a party defined in metadata.
A string conforming to the lexical and value-space requirements defined for uuid.
This object appears as a member of an array property defined for responsible-party.
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
This object appears as a member of an array property defined for part, param, metadata, revision, location, party, role, resource, citation, responsible-party, group, and control.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Properties (6)
A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
allowed values for
part/prop/@nameThe value may be locally defined, or one of the following:
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
allowed value for
part[@name='assessment']/prop/@nameThe value may be locally defined, or the following:
- method: The assessment method to use. This typically appears on parts with the name "assessment".
allowed value for
location/prop/@nameThe value may be locally defined, or the following:
- type: Characterizes the kind of location.
allowed values for
party/prop/@nameThe value must be one of the following:
- mail-stop: A mail stop associated with the party.
- office: The name or number of the party's office.
- job-title: The formal job title of a person.
allowed values for
back-matter/resource/prop/@nameThe value must be one of the following:
- type: Identifies the type of resource represented.
- version: For resources representing a published document, this represents the version number of that document.
- published: For resources representing a published document, this represents the publication date of that document.
allowed value for
prop/@nameThe value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
allowed values for
group/prop/@nameThe value may be locally defined, or one of the following:
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
allowed values for
control/prop/@nameThe value may be locally defined, or one of the following:
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- status: The status of a
control. For example, a value of 'withdrawn' can indicate that thecontrolhas been withdrawn and should no longer be used.
A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.
A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the
name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a
nsis not provided, its value should be assumed to behttp://csrc.nist.gov/ns/oscaland the name should be a name defined by the associated OSCAL model.Indicates the value of the attribute, characteristic, or quality.
allowed values for
part[@name='assessment']/prop[@name='method']/@valueThe value must be one of the following:
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
allowed value for
location/prop[@name='type']/@valueThe value may be locally defined, or the following:
- data-center: A location that contains computing assets. A
classcan be used to indicate a subclass of data-center.
allowed values for
back-matter/resource/prop[@name='type']/@valueThe value may be locally defined, or one of the following:
- logo: Indicates the resource is an organization's logo.
- image: Indicates the resource represents an image.
- screen-shot: Indicates the resource represents an image of screen content.
- law: Indicates the resource represents an applicable law.
- regulation: Indicates the resource represents an applicable regulation.
- standard: Indicates the resource represents an applicable standard.
- external-guidance: Indicates the resource represents applicable guidance.
- acronyms: Indicates the resource provides a list of relevant acronyms.
- citation: Indicates the resource cites relevant information.
- policy: Indicates the resource is a policy.
- procedure: Indicates the resource is a procedure.
- system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
- users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
- administrators-guide: Indicates the resource is guidance document a administrator's guide.
- rules-of-behavior: Indicates the resource represents rules of behavior content.
- plan: Indicates the resource represents a plan.
- artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
- evidence: Indicates the resource represents evidence, such as to support an assessment findiing.
- tool-output: Indicates the resource represents output from a tool.
- raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
- interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
- questionnaire: Indicates the resource is a set of questions, possibly with responses.
- report: Indicates the resource is a report.
- agreement: Indicates the resource is a formal agreement between two or more parties.
allowed value for
control/prop[@name='status']/@valueThe value must be the following:
- withdrawn: The control is no longer used.
A textual label that provides a sub-type or characterization of the property's
name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the samenameandns.Remarks
A
classcan be used in validation rules to express extra constraints over named items of a specificclassvalue.allowed values for
location/prop[@name='type' and @value='data-center']/@classThe value may be locally defined, or one of the following:
- primary: The location is a data-center used for normal operations.
- alternate: The location is a data-center used for fail-over or backup operations.
Additional commentary on the containing object.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
A string conforming to the lexical and value-space requirements defined for dateTime-with-timezone.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.
Additional commentary on the containing object.
A string conforming to the lexical and value-space requirements defined for markup-multiline.
As such, this value permits expression of marked up text in Markdown format, according to
the rules described for the (text-based) datatype. This datatype permits the expression of
block-level constructs including paragraphs, lists and simple tables,
potentially including simple formatting such as bold or typographic emphasis. This
representation is designed for the relatively unconstrained capture of simple free
text
, i.e. without formatting or decoration
that might serve as ad-hoc and
uncontrolled semantic encoding not subject to detection, regularization or validation.
This data construct is designed to be minimalistic for purposes of ease of development and interchange. It will not fit all operational scenarios; when markup-multiline is not adequate for purposes of necessary (informational) fidelity to information encoded in source formats (and subsequently converted into OSCAL), alternative strategies are available for such data capture. Users and stakeholders who expose requirements in this area are encouraged to provide feedback and request guidance.
A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
This object appears, with any others of its type, grouped as a property of metadata.
Properties (5)
The role that the party is responsible for.
allowed values for
metadata/responsible-party/@role-idThe value may be locally defined, or one of the following:
- prepared-by: Indicates the organization that created this content.
- prepared-for: Indicates the organization for which this content was created.
- content-approver: Indicates the organization responsible for all content represented in the "document".
party-uuids
array [required] array of stringsReferences a
partydefined inmetadata.Remarks (local)
Specifies one or more parties that are responsible for performing the associated
role.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
This object appears as a member of an array property defined for metadata.
Remarks
While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided: published, last-modified, version, or a link with a rel of source
.
Properties (8)
A name given to the document revision, which may be used by a tool for display and navigation.
The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
publishedvalue should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.A publisher of OSCAL content can use this data point along with its siblings
last-modifiedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks (general)
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the
last-modifiedvalue should indicate the modification time of the OSCAL document, not the source material.A publisher of OSCAL content can use this data point along with its siblings
publishedandversionto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks (general)
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings
publishedandlast-modifiedto establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as arevisionin this object.The OSCAL model version the document was authored against.
Remarks (general)
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
Defines a function assumed or expected to be assumed by a party in a specific situation.
This object appears as a member of an array property defined for metadata.
Remarks
Permissible values to be determined closer to the application (e.g. by a receiving authority).
Properties (7)
A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.
Remarks
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
A name given to the role, which may be used by a tool for display and navigation.
A short common name, abbreviation, or acronym for the role.
A summary of the role's purpose and associated responsibilities.
props
array [optional] array of objectsAn attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks (general)
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
links
array [optional] array of objectsA reference to a local or remote resource
Remarks (general)
To provide a cryptographic hash for a remote target resource, a local reference to a back matter
resourceis needed. The resource allows one or more hash values to be provided using therlink/hashobject.The OSCAL
linkis a roughly based on the HTML link element.Additional commentary on the containing object.
Contact number by telephone.
This object appears as a member of an array property defined for location and party.
Properties
This property provides the (nominal) value for this object as a whole.
Indicates the type of phone number.
allowed values for
telephone-number/@typeThe value may be locally defined, or one of the following:
- home: A home phone number.
- office: An office phone number.
- mobile: A mobile phone number.
A string used to distinguish the current version of the document from other previous (and future) versions.
A string conforming to the lexical and value-space requirements defined for string.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.