Skip to main content

Component Definition Model v1.0.4 XML Metaschema Reference

The following is a reference for the XML element and attribute types derived from the metaschema for this model.

Short name oscal-component-definition

XML namespace http://csrc.nist.gov/ns/oscal/1.0

Remarks

The OSCAL Component Definition Model can be used to describe the implementation of controls in a component or a set of components grouped as a capability. A component can be either a technical component, or a documentary component. A technical component is a component that is implemented in hardware (physical or virtual) or software. A documentary component is a component implemented in a document, such as a process, procedure, or policy.

The root of the OSCAL Implementation Component format is component-definition.

NOTE: This documentation is a work in progress. As a result, documentation for many of the information elements is missing or incomplete.

addr-line

string

Address line

description A single line of an address.

address

assembly

Address

description A postal address for the location.

Attribute (1):

type

token

[0 or 1]

Address Type

use name type

Elements (5):

addr-line

string

[0 to ∞]

Address line

city

string

[0 or 1]

City

description City, town or geographical region for the mailing address.

state

string

[0 or 1]

State

description State, province or analogous geographical region for mailing address

postal-code

string

[0 or 1]

Postal Code

description Postal or ZIP code for mailing address

country

string

[0 or 1]

Country Code

description The ISO 3166-1 alpha-2 country code for the mailing address.

Constraint (1)

matches: a target (value) must match the regular expression '[A-Z]{2}'.

authorized-privilege

assembly

Privilege

description Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

Elements (3):

title

markup-line

[1]

Privilege Title

description A human readable name for the privilege.

description

markup-multiline

[0 or 1]

Privilege Description

description A summary of the privilege's purpose within the system.

function-performed

string

[1 to ∞]

Functions Performed

back-matter

assembly

Back matter

description A collection of resources, which may be included directly or by reference.

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.

Constraint (1)

index for resource an index index-back-matter-resource shall list values returned by targets resource using keys constructed of key field(s) @uuid

Elements (1):

resource

assembly

[0 to ∞]

Resource

description A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.

Remarks

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

When a resource includes a citation, then the title and citation properties must both be included.

Constraints (6)

allowed values for prop/@name

The value must be one of the following:

  • type: Identifies the type of resource represented.
  • version: For resources representing a published document, this represents the version number of that document.
  • published: For resources representing a published document, this represents the publication date of that document.

matches for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='published']/@value: the target value must match the lexical form of the 'dateTime' data type.

allowed values for prop[@name='type']/@value

The value may be locally defined, or one of the following:

  • logo: Indicates the resource is an organization's logo.
  • image: Indicates the resource represents an image.
  • screen-shot: Indicates the resource represents an image of screen content.
  • law: Indicates the resource represents an applicable law.
  • regulation: Indicates the resource represents an applicable regulation.
  • standard: Indicates the resource represents an applicable standard.
  • external-guidance: Indicates the resource represents applicable guidance.
  • acronyms: Indicates the resource provides a list of relevant acronyms.
  • citation: Indicates the resource cites relevant information.
  • policy: Indicates the resource is a policy.
  • procedure: Indicates the resource is a procedure.
  • system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
  • users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
  • administrators-guide: Indicates the resource is guidance document a administrator's guide.
  • rules-of-behavior: Indicates the resource represents rules of behavior content.
  • plan: Indicates the resource represents a plan.
  • artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
  • evidence: Indicates the resource represents evidence, such as to support an assessment findiing.
  • tool-output: Indicates the resource represents output from a tool.
  • raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
  • interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
  • questionnaire: Indicates the resource is a set of questions, possibly with responses.
  • report: Indicates the resource is a report.
  • agreement: Indicates the resource is a formal agreement between two or more parties.

has cardinality for rlink|base64 the cardinality of rlink|base64 is constrained: 1; maximum unbounded.

is unique for rlink: any target value must be unique (i.e., occur only once)

is unique for base64: any target value must be unique (i.e., occur only once)

A title is required when a citation is provided.
Attribute (1):

uuid

uuid

[0 or 1]

Resource Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[0 or 1]

Resource Title

description A name given to the resource, which may be used by a tool for display and navigation.

description

markup-multiline

[0 or 1]

Resource Description

description A short summary of the resource used to indicate the purpose of the resource.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

document-id

string

[0 to ∞]

Document Identifier

Remarks

This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.

citation

assembly

[0 or 1]

Citation

description A citation consisting of end note text and optional structured bibliographic data.

Remarks

The text is used to define the endnote text, without any required bibliographic structure. If structured bibliographic data is needed, then the biblio can be used for this purpose.

A biblio can be used to capture a structured bibliographical citation in an appropriate format.

Elements (3):

text

markup-line

[1]

Citation Text

description A line of citation text.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

assembly

[0 to ∞]

Resource link

description A pointer to an external resource with an optional hash for verification and change detection.

Remarks

This construct is different from link, which makes no provision for a hash or formal title.

Multiple rlink can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure. A media-type is used to identify the format of a given rlink, and can be used to differentiate a items in a collection of rlinks. The media-type also provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink.

Attributes (2):

href

uri-reference

[0 or 1]

Hypertext Reference

description A resolvable URI reference to a resource.

media-type

string

[0 or 1]

Media Type

Remarks

The IANA Media Types Registry should be used, but currently there is no official media type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

Elements (1):

hash

string

[0 to ∞]

Hash

Remarks

A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.

When appearing as part of a resource/rlink, the hash applies to the resource referenced by the href.

base64

base64Binary

[0 or 1]

Base64

description The Base64 alphabet in RFC 2045 - aligned with XSD.

Attributes (2):

filename

uri-reference

[0 or 1]

File Name

description Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.

media-type

string

[0 or 1]

Media Type

Remarks

The IANA Media Types Registry should be used, but currently there is no official media type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

remarks

markup-multiline

[0 or 1]

Remarks

capability

assembly

Capability

description A grouping of other components and/or capabilities.

Constraint (1)

is unique for incorporates-component: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Capability Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

name

string

[0 or 1]

Capability Name

description The capability's human-readable name.

Elements (6):

description

markup-multiline

[1]

Capability Description

description A summary of the capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

incorporates-component

assembly

[0 to ∞]

Incorporates Component

control-implementation

assembly

[0 to ∞]

Control Implementation Set

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

remarks

markup-multiline

[0 or 1]

Remarks

component-definition

assembly

Component Definition

description A collection of component descriptions, which may optionally be grouped by capability.

root name component-definition

Constraints (2)

index for component an index index-system-component-uuid shall list values returned by targets component using keys constructed of key field(s) @uuid

is unique for capability: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Component Definition Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (5):

metadata

assembly

[1]

Publication metadata

import-component-definition

assembly

[0 to ∞]

Import Component Definition

component

assembly

[0 to ∞]

Component

use name component

Remarks

Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

A group of components may be aggregated into a capability. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

Capabilities are expressed by combining one or more components.

capability

assembly

[0 to ∞]

Capability

back-matter

assembly

[0 or 1]

Back matter

Remarks

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference identifier. Other specialized link "rel" values also use this pattern when indicated in that context of use.

control-id

token

Control Identifier Reference

description A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).

control-implementation

assembly

Control Implementation Set

description Defines how the component or capability supports a set of controls.

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

Constraint (1)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Control Implementation Set Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

source

uri-reference

[0 or 1]

Source Resource Reference

Remarks

A URL reference to the source catalog or profile for which this component is implementing controls for.

Elements (5):

description

markup-multiline

[1]

Control Implementation Description

description A description of how the specified set of controls are implemented for the containing component or capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

implemented-requirement

assembly

[1 to ∞]

Control Implementation

Remarks

Implemented requirements within a component or capability in a component definition provide a means to suggest possible control implementation details, which may be used by a different party when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.

Use of set-parameter in this context, sets the parameter for the referenced control and any associated statements.

defined-component

assembly

Component

description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

A group of components may be aggregated into a capability. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

Capabilities are expressed by combining one or more components.

Constraints (14)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id|control-implementation/implemented-requirement/responsible-role/@role-id|control-implementation/implemented-requirement/statement/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[@name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[@name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

  • internal: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Component Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

type

string

[0 or 1]

Component Type

use name type

Elements (9):

title

markup-line

[1]

Component Title

description A human readable name for the component.

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

purpose

markup-line

[0 or 1]

Purpose

description A summary of the technological or business purpose of the component.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

protocol

assembly

[0 to ∞]

Service Protocol Information

Remarks

Used for service components to define the protocols supported by the service.

control-implementation

assembly

[0 to ∞]

Control Implementation Set

Remarks

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

remarks

markup-multiline

[0 or 1]

Remarks

defined-component-type

string

Component Type

description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforceable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.

document-id

string

Document Identifier

description A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

Remarks

This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.

Attribute (1):

scheme

uri

[0 or 1]

Document Identification Scheme

description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • http://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.

email-address

email

Email Address

description An email address as defined by RFC 5322 Section 3.4.1.

function-performed

string

Functions Performed

description Describes a function performed for a given authorized privilege by this user class.

description A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

Remarks

A hash value can be used to authenticate that a referenced resource is the same resources as was pointed to by the author of the reference.

Attribute (1):

algorithm

string

[0 or 1]

Hash algorithm

description Method by which a hash is derived

Remarks

Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • SHA-224: The SHA-224 algorithm as defined by NIST FIPS 180-4.
  • SHA-256: The SHA-256 algorithm as defined by NIST FIPS 180-4.
  • SHA-384: The SHA-384 algorithm as defined by NIST FIPS 180-4.
  • SHA-512: The SHA-512 algorithm as defined by NIST FIPS 180-4.
  • SHA3-224: The SHA3-224 algorithm as defined by NIST FIPS 202.
  • SHA3-256: The SHA3-256 algorithm as defined by NIST FIPS 202.
  • SHA3-384: The SHA3-384 algorithm as defined by NIST FIPS 202.
  • SHA3-512: The SHA3-512 algorithm as defined by NIST FIPS 202.

implementation-status

assembly

Implementation Status

description Indicates the degree to which the a given control is implemented.

Attribute (1):

state

token

[0 or 1]

Implementation State

description Identifies the implementation status of the control or control objective.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • implemented: The control is fully implemented.
  • partial: The control is partially implemented.
  • planned: There is a plan for implementing the control as explained in the remarks.
  • alternative: There is an alternative implementation for this control as explained in the remarks.
  • not-applicable: This control does not apply to this system as justified in the remarks.
Elements (1):

implemented-requirement

assembly

Control Implementation

description Describes how the containing component or capability implements an individual control.

Remarks

Implemented requirements within a component or capability in a component definition provide a means to suggest possible control implementation details, which may be used by a different party when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.

Use of set-parameter in this context, sets the parameter for the referenced control and any associated statements.

Constraints (3)

is unique for set-parameter: any target value must be unique (i.e., occur only once)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

is unique for statement: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Control Implementation Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

control-id

token

[0 or 1]

Control Identifier Reference

Elements (7):

description

markup-multiline

[1]

Control Implementation Description

description A suggestion for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

set-parameter

assembly

[0 to ∞]

Set Parameter Value

responsible-role

assembly

[0 to ∞]

Responsible Role

statement

assembly

[0 to ∞]

Control Statement Implementation

remarks

markup-multiline

[0 or 1]

Remarks

import-component-definition

assembly

Import Component Definition

description Loads a component definition from another resource.

Attribute (1):

href

uri-reference

[0 or 1]

Hyperlink Reference

description A link to a resource that defines a set of components and/or capabilities to import into this collection.

include-all

assembly

Include All

description Include all controls from the imported catalog or profile resources.

Remarks

This element provides an alternative to calling controls individually from a catalog.

incorporates-component

assembly

Incorporates Component

description TBD

Attribute (1):

component-uuid

uuid

[0 or 1]

Component Reference

description A machine-oriented identifier reference to a component.

Elements (1):

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

inventory-item

assembly

Inventory Item

description A single managed inventory item within the system.

Constraints (9)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • ipv4-address: The Internet Protocol v4 Address of the asset.
  • ipv6-address: The Internet Protocol v6 Address of the asset.
  • fqdn: The full-qualified domain name (FQDN) of the asset.
  • uri: A Uniform Resource Identifier (URI) for the asset.
  • serial-number: A serial number for the asset.
  • netbios-name: The NetBIOS name for the asset.
  • mac-address: The media access control (MAC) address for the asset.
  • physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
  • is-scanned: is the asset subjected to network scans? (yes/no)
  • hardware-model: The model number of the hardware used by the asset.
  • os-name: The name of the operating system used by the asset.
  • os-version: The version of the operating system used by the asset.
  • software-name: The software product name used by the asset.
  • software-version: The software product version used by the asset.
  • software-patch-level: The software product patch level used by the asset.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

  • vendor-name: The name of the company or organization

allowed values for prop[@name='is-scanned']/@value

The value must be one of the following:

  • yes: The asset is included in periodic vulnerability scanning.
  • no: The asset is not included in periodic vulnerability scanning.

allowed value for link/@rel

The value may be locally defined, or the following:

  • baseline-template: A reference to the baseline template used to configure the asset.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

uuid

uuid

[0 or 1]

Inventory Item Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

description

markup-multiline

[1]

Inventory Item Description

description A summary of the inventory item stating its purpose within the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

implemented-component

assembly

[0 to ∞]

Implemented Component

description The set of components that are implemented in a given system inventory item.

Constraints (4)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.

has cardinality for prop[@name='asset-id'] the cardinality of prop[@name='asset-id'] is constrained: 1; maximum unbounded.

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.

is unique for responsible-party: any target value must be unique (i.e., occur only once)

Attribute (1):

component-uuid

uuid

[0 or 1]

Component Universally Unique Identifier Reference

description A machine-oriented identifier reference to a component that is implemented as part of an inventory item.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-party

assembly

[0 to ∞]

Responsible Party

Remarks

This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item.

remarks

markup-multiline

[0 or 1]

Remarks

remarks

markup-multiline

[0 or 1]

Remarks

last-modified

dateTime-with-timezone

Last Modified Timestamp

description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.

A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

link

assembly

Link

description A reference to a local or remote resource

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

Constraints (3)

matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.

index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href

matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.

Attributes (3):

href

uri-reference

[0 or 1]

Hypertext Reference

description A resolvable URL reference to a resource.

Remarks

The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a back-matter resource in the same document.

If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.

If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced resource. A relative URI will be resolved relative to the location of the document containing the link.

rel

token

[0 or 1]

Relation

description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • reference: Reference

media-type

string

[0 or 1]

Media Type

Remarks

The IANA Media Types Registry should be used, but currently there is no official media type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

Elements (1):

text

markup-line

[0 or 1]

Link Text

description A textual label to associate with the link, which may be used for presentation in a tool.

location

assembly

Location

description A location, with associated metadata that can be referenced.

Constraints (3)

allowed value for prop/@name

The value may be locally defined, or the following:

  • type: Characterizes the kind of location.

allowed value for prop[@name='type']/@value

The value may be locally defined, or the following:

  • data-center: A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate.

allowed values for prop[@name='type' and @value='data-center']/@class

The value may be locally defined, or one of the following:

  • primary: The location is a data-center used for normal operations.
  • alternate: The location is a data-center used for fail-over or backup operations.
Attribute (1):

uuid

uuid

[0 or 1]

Location Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[0 or 1]

Location Title

description A name given to the location, which may be used by a tool for display and navigation.

address

assembly

[1]

Address

Remarks

Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.

email-address

email

[0 to ∞]

Email Address

Remarks

This is a contact email associated with the location.

telephone-number

string

[0 to ∞]

Telephone Number

Remarks

A phone number used to contact the location.

url

uri

[0 to ∞]

Location URL

description The uniform resource locator (URL) for a web site or Internet presence associated with the location.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

location-type

token

Address Type

description Indicates the type of address.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home address.
  • work: A work address.

location-uuid

uuid

Location Reference

description A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .

location-uuid

uuid

Location Reference

description A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Remarks

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .

media-type

string

Media Type

description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Remarks

The IANA Media Types Registry should be used, but currently there is no official media type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

metadata

assembly

Publication metadata

description Provides information about the publication and availability of the containing document.

Constraints (13)

index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id

is unique for document-id: any target value must be unique (i.e., occur only once)

is unique for prop: any target value must be unique (i.e., occur only once)

index for .//prop an index index-metadata-property-uuid shall list values returned by targets .//prop using keys constructed of key field(s) @uuid

is unique for link: any target value must be unique (i.e., occur only once)

index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id

index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid

index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid

index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid

is unique for responsible-party: any target value must be unique (i.e., occur only once)

allowed values for responsible-party/@role-id

The value may be locally defined, or one of the following:

  • creator: Indicates the organization that created this content.
  • prepared-by: Indicates the organization that prepared this content.
  • prepared-for: Indicates the organization for which this content was created.
  • content-approver: Indicates the organization responsible for all content represented in the "document".
  • contact: Indicates the organization to contact for questions or support related to this content.

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
  • latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (14):

title

markup-line

[1]

Document Title

description A name given to the document, which may be used by a tool for display and navigation.

published

dateTime-with-timezone

[0 or 1]

Publication Timestamp

Remarks

This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.

A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

last-modified

dateTime-with-timezone

[1]

Last Modified Timestamp

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.

A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

version

string

[1]

Document Version

Remarks

A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

oscal-version

string

[1]

OSCAL version

Remarks

Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0 or 1.0.0-M1. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.

revision

assembly

[0 to ∞]

Revision History Entry

wrapper element revisions

Remarks

While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided: published, last-modified, version, or a link with a rel of source.

document-id

string

[0 to ∞]

Document Identifier

Remarks

This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

role

assembly

[0 to ∞]

Role

Remarks

Permissible values to be determined closer to the application (e.g. by a receiving authority).

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

location

assembly

[0 to ∞]

Location

party

assembly

[0 to ∞]

Party (organization or person)

responsible-party

assembly

[0 to ∞]

Responsible Party

remarks

markup-multiline

[0 or 1]

Remarks

oscal-version

string

OSCAL version

description The OSCAL model version the document was authored against.

Remarks

Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0 or 1.0.0-M1. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.

param

assembly

Parameter

description Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

use name param

Remarks

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

Constraints (2)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
  • alt-label: An alternate to the value provided by the parameter's label. This will typically be qualified by a class.

allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name

The value must be one of the following:

  • aggregates: The parent parameter provides an aggregation of 2 or more other parameters, each described by this property.
depends-on is deprecated
Attributes (3):

id

token

[0 or 1]

Parameter Identifier

description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

class

token

[0 or 1]

Parameter Class

description A textual label that provides a characterization of the parameter.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

depends-on

token

[0 or 1]

Depends on

description **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.

Elements (8):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

label

markup-line

[0 or 1]

Parameter Label

description A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

Remarks

The label value should be suitable for inline display in a rendered catalog.

usage

markup-multiline

[0 or 1]

Parameter Usage Description

description Describes the purpose and use of a parameter

constraint

assembly

[0 to ∞]

Constraint

use name constraint

guideline

assembly

[0 to ∞]

Guideline

use name guideline

value

string

[0 to ∞]

Parameter Value

use name value

Remarks

A set of values provided in a catalog can be redefined at any higher layer of OSCAL (e.g., Profile).

select

assembly

[0 or 1]

Selection

use name select

Remarks

A set of parameter value choices, that may be picked from to set the parameter value.

A set of parameter value choices, that may be picked from to set the parameter value.

remarks

markup-multiline

[0 or 1]

Remarks

param-id

token

Parameter ID

description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

parameter-constraint

assembly

Constraint

description A formal or informal expression of a constraint or test

Elements (2):

description

markup-multiline

[0 or 1]

Constraint Description

description A textual summary of the constraint to be applied.

test

assembly

[0 to ∞]

Constraint Test

description A test expression which is expected to be evaluated by a tool.

Elements (2):

expression

string

[1]

Constraint test

description A formal (executable) expression of a constraint

remarks

markup-multiline

[0 or 1]

Remarks

parameter-guideline

assembly

Guideline

description A prose statement that provides a recommendation for the use of a parameter.

Elements (1):

(unwrapped)

markup-multiline

[1]

Guideline Text

description Prose permits multiple paragraphs, lists, tables etc.

parameter-selection

assembly

Selection

description Presenting a choice among alternatives

Remarks

A set of parameter value choices, that may be picked from to set the parameter value.

Attribute (1):

how-many

token

[0 or 1]

Parameter Cardinality

description Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

Constraint (1)

allowed values

The value must be one of the following:

  • one: Only one value is permitted.
  • one-or-more: One or more values are permitted.
Elements (1):

choice

markup-line

[0 to ∞]

Choice

description A value selection among several such options

use name choice

parameter-value

string

Parameter Value

description A parameter value or set of values.

part

assembly

Part

description A partition of a control's definition or a child of another part.

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

Constraint (1)

allowed values for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name

The value must be one of the following:

  • label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • alt-identifier: An alternate or aliased identifier for the parent context.
Attributes (4):

id

token

[0 or 1]

Part Identifier

description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

name

token

[0 or 1]

Part Name

description A textual label that uniquely identifies the part's semantic type.

ns

uri

[0 or 1]

Part Namespace

description A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated text used in a part. This allows the semantics associated with a given name to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

class

token

[0 or 1]

Part Class

description A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Elements (5):

title

markup-line

[0 or 1]

Part Title

description A name given to the part, which may be used by a tool for display and navigation.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

(unwrapped)

markup-multiline

[0 or 1]

Part Text

description Permits multiple paragraphs, lists, tables etc.

part

assembly

[0 to ∞]

Part

Remarks

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

party

assembly

Party (organization or person)

description A responsible entity which is either a person or an organization.

Constraint (1)

allowed values for prop/@name

The value must be one of the following:

  • mail-stop: A mail stop associated with the party.
  • office: The name or number of the party's office.
  • job-title: The formal job title of a person.
Attributes (2):

uuid

uuid

[0 or 1]

Party Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

type

string

[0 or 1]

Party Type

description A category describing the kind of party the object describes.

Constraint (1)

allowed values

The value must be one of the following:

  • person: An individual.
  • organization: A group of individuals formed for a specific purpose.
Elements (10):

name

string

[0 or 1]

Party Name

description The full name of the party. This is typically the legal name associated with the party.

short-name

string

[0 or 1]

Party Short Name

description A short common name, abbreviation, or acronym for the party.

external-id

string

[0 to ∞]

Party External Identifier

description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)

Attribute (1):

scheme

uri

[0 or 1]

External Identifier Schema

description Indicates the type of external identifier.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • http://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

email-address

email

[0 to ∞]

Email Address

Remarks

This is a contact email associated with the party.

telephone-number

string

[0 to ∞]

Telephone Number

Remarks

A phone number used to contact the party.

address

assembly

[0 to ∞]

Address

location-uuid

uuid

[0 to ∞]

Location Reference

Remarks

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

member-of-organization

uuid

[0 to ∞]

Organizational Affiliation

description A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Remarks

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid using a key constructed of key field(s) .

remarks

markup-multiline

[0 or 1]

Remarks

party-uuid

uuid

Party Reference

description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Remarks

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

port-range

assembly

Port Range

description Where applicable this is the IPv4 port range on which the service operates.

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

Attributes (3):

description Indicates the starting port number in a port range

Remarks

Should be a number within a permitted range

description Indicates the ending port number in a port range

Remarks

Should be a number within a permitted range

transport

token

[0 or 1]

Transport

description Indicates the transport type.

Constraint (1)

allowed values

The value must be one of the following:

  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol

prop

assembly

Property

description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

Attributes (5):

name

token

[0 or 1]

Property Name

description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Constraint (1)

allowed value

The value may be locally defined, or the following:

  • marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.

uuid

uuid

[0 or 1]

Property Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

ns

uri

[0 or 1]

Property Namespace

description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Remarks

Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed names and associated values used in a property. This allows the semantics associated with a given name/value pair to be defined on an organization-by-organization basis.

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

value

string

[0 or 1]

Property Value

description Indicates the value of the attribute, characteristic, or quality.

class

token

[0 or 1]

Property Class

description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Remarks

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Elements (1):

protocol

assembly

Service Protocol Information

description Information about the protocol used to provide a service.

Attributes (2):

uuid

uuid

[0 or 1]

Service Protocol Information Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

name

string

[0 or 1]

Protocol Name

description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

Remarks

The short name of the protocol (e.g., https).

Elements (2):

title

markup-line

[0 or 1]

Protocol Title

description A human readable name for the protocol (e.g., Transport Layer Security).

port-range

assembly

[0 to ∞]

Port Range

Remarks

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

published

dateTime-with-timezone

Publication Timestamp

description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Remarks

This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.

A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

description Additional commentary on the containing object.

responsible-party

assembly

Responsible Party

description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Constraints (2)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id

index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .

Attribute (1):

role-id

token

[0 or 1]

Responsible Role

description A human-oriented identifier reference to roles served by the user.

Elements (4):

party-uuid

uuid

[1 to ∞]

Party Reference

Remarks

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

Specifies one or more parties that are responsible for performing the associated role.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

responsible-role

assembly

Responsible Role

description A reference to one or more roles with responsibility for performing a function relative to the containing object.

Attribute (1):

role-id

token

[0 or 1]

Responsible Role ID

description A human-oriented identifier reference to roles responsible for the business function.

Elements (4):

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

party-uuid

uuid

[0 to ∞]

Party Reference

Remarks

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

remarks

markup-multiline

[0 or 1]

Remarks

revision

assembly

Revision History Entry

description An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).

Remarks

While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information is known. For a revision entry to be considered valid, at least one of the following items must be provided: published, last-modified, version, or a link with a rel of source.

Constraint (1)

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
  • alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
  • predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
  • successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (8):

title

markup-line

[0 or 1]

Document Title

description A name given to the document revision, which may be used by a tool for display and navigation.

published

dateTime-with-timezone

[0 or 1]

Publication Timestamp

Remarks

This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the published value should indicate when the OSCAL document was published, not the source material. Where necessary, the publication date of the original source material can be captured as a named property or custom metadata construct.

A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

last-modified

dateTime-with-timezone

[0 or 1]

Last Modified Timestamp

Remarks

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source material.

A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

version

string

[1]

Document Version

Remarks

A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

oscal-version

string

[0 or 1]

OSCAL version

Remarks

Indicates the version of the OSCAL model to which this data set conforms, for example 1.1.0 or 1.0.0-M1. That can be used as a hint by a tool to indicate which version of the OSCAL XML or JSON schema to use for validation.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

role

assembly

Role

description Defines a function assumed or expected to be assumed by a party in a specific situation.

Remarks

Permissible values to be determined closer to the application (e.g. by a receiving authority).

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

Attribute (1):

id

token

[0 or 1]

Role Identifier

description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (6):

title

markup-line

[1]

Role Title

description A name given to the role, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

Role Short Name

description A short common name, abbreviation, or acronym for the role.

description

markup-multiline

[0 or 1]

Role Description

description A summary of the role's purpose and associated responsibilities.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

remarks

markup-multiline

[0 or 1]

Remarks

role-id

token

Role Identifier Reference

description A human-oriented identifier reference to roles served by the user.

Constraint (1)

index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) .

set-parameter

assembly

Set Parameter Value

description Identifies the parameter that will be set by the enclosed value.

Attribute (1):

param-id

token

[0 or 1]

Parameter ID

Elements (2):

value

string

[1 to ∞]

Parameter Value

description A parameter value or set of values.

use name value

remarks

markup-multiline

[0 or 1]

Remarks

source

uri-reference

Source Resource Reference

description A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.

statement

assembly

Control Statement Implementation

description Identifies which statements within a control are addressed.

Constraint (1)

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

statement-id

token

[0 or 1]

Control Statement Reference

Remarks

A reference to the specific implemented statement associated with a control.

uuid

uuid

[0 or 1]

Control Statement Reference Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Elements (5):

description

markup-multiline

[1]

Statement Implementation Description

description A summary of how the containing control statement is implemented by the component or capability.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

responsible-role

assembly

[0 to ∞]

Responsible Role

remarks

markup-multiline

[0 or 1]

Remarks

statement-id

token

Control Statement Reference

description A human-oriented identifier reference to a control statement.

system-component

assembly

Component

description A defined component that can be part of an implemented system.

Remarks

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

The type indicates which of these component types is represented.

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

Constraints (24)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • implementation-point: Relative placement of component ('internal' or 'external') to the system.
  • leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
  • inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
  • asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
  • asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
  • asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
  • public: Identifies whether the asset is publicly accessible (yes/no)
  • virtual: Identifies whether the asset is virtualized (yes/no)
  • vlan-id: Virtual LAN identifier of the asset.
  • network-id: The network identifier of the asset.
  • label: A human-readable label for the parent context.
  • sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
  • baseline-configuration-name: The name of the baseline configuration for the asset.
  • allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
  • function: The function provided by the asset for the system.
  • version: The version of the component.
  • patch-level: The specific patch level of the component.
  • model: The model of the component.
  • release-date: The date the component was released, such as a software release date or policy publication date.
  • validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
  • validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.

allowed values for link/@rel

The value may be locally defined, or one of the following:

  • depends-on: A reference to another component that this component has a dependency on.
  • validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
  • proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
  • baseline-template: A reference to the baseline template used to configure the asset.
  • uses-service: This service is used by the referenced component identifier.
  • system-security-plan: A link to the system security plan of the external system.
  • uses-network: This component uses the network provided by the identified network component.

allowed values for responsible-role/@role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
  • maintainer: Responsible for the creation and maintenance of a component.
  • provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).

allowed values for prop[@name='asset-type']/@value

The value must be one of the following:

  • operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
  • database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
  • web-server: A system that delivers content or services to end users over the Internet or an intranet.
  • dns-server: A system that resolves domain names to internet protocol (IP) addresses.
  • email-server: A computer system that sends and receives electronic mail messages.
  • directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
  • pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
  • firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • router: A physical or virtual networking device that forwards data packets between computer networks.
  • switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
  • storage-array: A consolidated, block-level data storage capability.
  • appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.

allowed values for prop[@name='allows-authenticated-scan']/@value

The value must be one of the following:

  • yes: The component allows an authenticated scan.
  • no: The component does not allow an authenticated scan.

allowed values for prop[@name='public']/@value

The value must be one of the following:

  • yes: The component is publicly accessible.
  • no: The component is not publicly accessible.

allowed values for prop[@name='virtual']/@value

The value must be one of the following:

  • yes: The component is virtualized.
  • no: The component is not virtualized.

allowed values for prop[@name='implementation-point']/@value

The value must be one of the following:

  • internal: The component is implemented within the system boundary.
  • external: The component is implemented outside the system boundary.

index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value

matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.

matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.

allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name

The value may be locally defined, or the following:

  • vendor-name: The name of the company or organization

allowed value for (.)[@type='validation']/link/@rel

The value may be locally defined, or the following:

  • validation-details: A link to an online information provided by the authorizing body.

allowed value for (.)[@type='software']/prop/@name

The value may be locally defined, or the following:

  • software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.

allowed values for (.)[@type='service']/link/@rel

The value may be locally defined, or one of the following:

  • provided-by: This service is provided by the referenced component identifier.
  • used-by: This service is used by the referenced component identifier.

allowed values for (.)[@type='interconnection']/prop/@name

The value may be locally defined, or one of the following:

  • isa-title: Title of the Interconnection Security Agreement (ISA).
  • isa-date: Date of the Interconnection Security Agreement (ISA).
  • isa-remote-system-name: The name of the remote interconnected system.
  • ipv4-address: An Internet Protocol Version 4 interconnection address
  • ipv6-address: An Internet Protocol Version 6 interconnection address
  • direction: An Internet Protocol Version 6 interconnection address

allowed values for prop[@name=('ipv4-address','ipv6-address')]/@class

The value may be locally defined, or one of the following:

  • local: The identified IP address is for this system.
  • remote: The identified IP address is for the remote system to which this system is connected.

allowed value for (.)[@type='interconnection']/link/@rel

The value may be locally defined, or the following:

  • isa-agreement: A link to the system interconnection agreement.

allowed values for (.)[@type='interconnection']/responsible-role/@role-id

The value may be locally defined, or one of the following:

  • isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
  • isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
  • isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
  • isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.

matches for prop[@name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.

matches for prop[@name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.

matches for prop[@name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.

allowed values for prop[@name='direction']/@value

The value may be locally defined, or one of the following:

  • incoming: Data from the remote system flows into this system.
  • outgoing: Data from this system flows to the remote system.

is unique for responsible-role: any target value must be unique (i.e., occur only once)

Attributes (2):

uuid

uuid

[0 or 1]

Component Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

type

string

[0 or 1]

Component Type

use name type

Elements (9):

title

markup-line

[1]

Component Title

description A human readable name for the system component.

description

markup-multiline

[1]

Component Description

description A description of the component, including information about its function.

purpose

markup-line

[0 or 1]

Purpose

description A summary of the technological or business purpose of the component.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

status

assembly

[1]

Status

description Describes the operational status of the system component.

Attribute (1):

state

token

[0 or 1]

State

description The operational status.

Constraint (1)

allowed values

The value must be one of the following:

  • under-development: The component is being designed, developed, or implemented.
  • operational: The component is currently operational and is available for use in the system.
  • disposition: The component is no longer operational.
  • other: Some other state.
Elements (1):

responsible-role

assembly

[0 to ∞]

Responsible Role

protocol

assembly

[0 to ∞]

Service Protocol Information

Remarks

Used for service components to define the protocols supported by the service.

remarks

markup-multiline

[0 or 1]

Remarks

system-component-type

string

Component Type

description A category describing the purpose of the component.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • this-system: The system as a whole.
  • system: An external system, which may be a leveraged system or the other side of an interconnection.
  • interconnection: A connection to something outside this system.
  • software: Any software, operating system, or firmware.
  • hardware: A physical device.
  • service: A service that may provide APIs.
  • policy: An enforceable policy.
  • physical: A tangible asset used to provide physical protections or countermeasures.
  • process-procedure: A list of steps or actions to take to achieve some end result.
  • plan: An applicable plan.
  • guidance: Any guideline or recommendation.
  • standard: Any organizational or industry standard.
  • validation: An external assessment performed on some other component, that has been validated by a third-party.
  • network: A physical or virtual network.

system-id

string

System Identification

description A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

Attribute (1):

identifier-type

uri

[0 or 1]

Identification System Type

description Identifies the identification system from which the provided identifier was assigned.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • https://fedramp.gov: **deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use http://fedramp.gov/ns/oscal instead.
  • http://fedramp.gov/ns/oscal: The identifier was assigned by FedRAMP.
  • https://ietf.org/rfc/rfc4122: **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://ietf.org/rfc/rfc4122 instead.
  • http://ietf.org/rfc/rfc4122: A Universally Unique Identifier (UUID) as defined by RFC4122.

system-user

assembly

System User

description A type of user that interacts with the system based on an associated role.

Remarks

Permissible values to be determined closer to the application, such as by a receiving authority.

Constraints (4)

allowed values for prop/@name

The value may be locally defined, or one of the following:

  • type: The type of user, such as internal, external, or general-public.
  • privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.

allowed values for prop[@name='type']/@value

The value must be one of the following:

  • internal: A user account for a person or entity that is part of the organization who owns or operates the system.
  • external: A user account for a person or entity that is not part of the organization who owns or operates the system.
  • general-public: A user of the system considered to be outside

allowed values for prop[@name='privilege-level']/@value

The value must be one of the following:

  • privileged: This role has elevated access to the system, such as a group or system administrator.
  • non-privileged: This role has typical user-level access to the system without elevated access.
  • no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.

allowed values for role-id

The value may be locally defined, or one of the following:

  • asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
  • asset-administrator: Responsible for administering a set of assets.
  • security-operations: Members of the security operations center (SOC).
  • network-operations: Members of the network operations center (NOC).
  • incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
  • help-desk: Responsible for providing information and support to users.
  • configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1):

uuid

uuid

[0 or 1]

User Universally Unique Identifier

description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Elements (8):

title

markup-line

[0 or 1]

User Title

description A name given to the user, which may be used by a tool for display and navigation.

short-name

string

[0 or 1]

User Short Name

description A short common name, abbreviation, or acronym for the user.

description

markup-multiline

[0 or 1]

User Description

description A summary of the user's purpose within the system.

property

assembly

[0 to ∞]

Property

use name prop

Remarks

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

assembly

[0 to ∞]

Link

Remarks

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

The OSCAL link is a roughly based on the HTML link element.

role-id

token

[0 to ∞]

Role Identifier Reference

authorized-privilege

assembly

[0 to ∞]

Privilege

remarks

markup-multiline

[0 or 1]

Remarks

telephone-number

string

Telephone Number

description Contact number by telephone.

Attribute (1):

type

string

[0 or 1]

type flag

description Indicates the type of phone number.

Constraint (1)

allowed values

The value may be locally defined, or one of the following:

  • home: A home phone number.
  • office: An office phone number.
  • mobile: A mobile phone number.

version

string

Document Version

description A string used to distinguish the current version of the document from other previous (and future) versions.

Remarks

A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.

While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication. The metadata for previous revisions can be represented as a revision in this object.

This page was last updated on June 24, 2022.