System Security Plan Model v1.0.4 XML Format Reference
The following is the XML format reference for this model, which is organized hierarchically. Each entry represents the corresponding XML element or attribute in the model's XML format, and provides details about the semantics and use of the element or attribute. The XML Format Outline provides a streamlined, hierarchical representation of this model's XML format which can be used along with this reference to better understand the XML representation of this model.
XML namespace http://csrc.nist.gov/ns/oscal/1.0
Description A system security plan, such as those described in NIST SP 800-18
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in
this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6)
Description Provides information about the publication and availability of the containing document.
Constraints (13)
index for role an index index-metadata-role-ids shall list values returned by targets role using keys constructed of key field(s) @id
is unique for document-id: any target value must be unique (i.e., occur only once)
is unique for prop: any target value must be unique (i.e., occur only once)
index for .//prop an index index-metadata-property-uuid shall list values returned by targets .//prop using keys constructed of key field(s) @uuid
is unique for link: any target value must be unique (i.e., occur only once)
index for role an index index-metadata-role-id shall list values returned by targets role using keys constructed of key field(s) @id
index for location an index index-metadata-location-uuid shall list values returned by targets location using keys constructed of key field(s) @uuid
index for party an index index-metadata-party-uuid shall list values returned by targets party using keys constructed of key field(s) @uuid
index for party[@type='organization'] an index index-metadata-party-organizations-uuid shall list values returned by targets party[@type='organization'] using keys constructed of key field(s) @uuid
is unique for responsible-party: any target value must be unique (i.e., occur only once)
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- creator: Indicates the organization that created this content.
- prepared-by: Indicates the organization that prepared this content.
- prepared-for: Indicates the organization for which this content was created.
- content-approver: Indicates the organization responsible for all content represented in the "document".
- contact: Indicates the organization to contact for questions or support related to this content.
allowed value for prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name
The value must be one of the following:
- keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
- latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (14)
Description A name given to the document, which may be used by a tool for display and navigation.
Description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the published value should indicate when the OSCAL document was published, not the source material.
Where necessary, the publication date of the original source material can be captured
as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source
material.
A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description The OSCAL model version the document was authored against.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML
or JSON schema to use for validation.
Element (1)
Description An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
Remarks
While published, last-modified, oscal-version, and version are not required, values for these entries should be provided if the information
is known. For a revision entry to be considered valid, at least one of the following
items must be provided: published, last-modified, version, or a link with a rel of source
.
Constraint (1)
allowed values for link/@rel
The value may be locally defined, or one of the following:
- canonical: The link identifies the authoritative location for this file. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this file. Defined by the HTML Living Standard
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
Elements (8)
Description A name given to the document revision, which may be used by a tool for display and navigation.
Description The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was published. Typically, this date value will be machine generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the published value should indicate when the OSCAL document was published, not the source material.
Where necessary, the publication date of the original source material can be captured
as a named property or custom metadata construct.
A publisher of OSCAL content can use this data point along with its siblings last-modified and version to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.
Remarks
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification.
In some cases, an OSCAL document may be derived from some source material in a different
format. In such a case, the last-modified value should indicate the modification time of the OSCAL document, not the source
material.
A publisher of OSCAL content can use this data point along with its siblings published and version to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description A string used to distinguish the current version of the document from other previous (and future) versions.
Remarks
A version string may be a release number, sequence number, date, or other identifier suffcient to distinguish between different document versions. This version is typically set by the document owner or by the tool used to maintain the content.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as a format for version strings. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A publisher of OSCAL content can use this data point along with its siblings published and last-modified to establish a sequence of successive revisions of a given OSCAL-based publication.
The metadata for previous revisions can be represented as a revision in this object.
Description The OSCAL model version the document was authored against.
Remarks
Indicates the version of the OSCAL model to which this data set conforms, for example
1.1.0
or 1.0.0-M1
. That can be used as a hint by a tool to indicate which version of the OSCAL XML
or JSON schema to use for validation.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions
of the same document. If this element does not appear, or if the value of this element
is empty, the value of "document-id" is equal to the value of the "uuid" flag of the
top-level root element.
Remarks
This element is optional, but it will always have a valid value, as if it is missing the value of "document-id" is assumed to be equal to the UUID of the root. This requirement allows for document creators to retroactively link an update to the original version, by providing a document-id on the new document that is equal to the uuid of the original document.
Attribute (1)
Description Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- http://www.doi.org/: A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Defines a function assumed or expected to be assumed by a party in a specific situation.
Remarks
Permissible values to be determined closer to the application (e.g. by a receiving authority).
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
Attribute (1)
Description A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing
resource (e.g., import, import-component-definition, import-profile, import-ssp or
import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6)
Description A name given to the role, which may be used by a tool for display and navigation.
Description A short common name, abbreviation, or acronym for the role.
Description A summary of the role's purpose and associated responsibilities.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A location, with associated metadata that can be referenced.
Constraints (3)
allowed value for prop/@name
The value may be locally defined, or the following:
- type: Characterizes the kind of location.
allowed value for prop[@name='type']/@value
The value may be locally defined, or the following:
- data-center: A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate.
allowed values for prop[@name='type' and @value='data-center']/@class
The value may be locally defined, or one of the following:
- primary: The location is a data-center used for normal operations.
- alternate: The location is a data-center used for fail-over or backup operations.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8)
Description A name given to the location, which may be used by a tool for display and navigation.
Description A postal address for the location.
Remarks
Typically, the physical address of the location will be used here. If this information is sensitive, then a mailing address can be used instead.
Attribute (1)
Description Indicates the type of address.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home address.
- work: A work address.
Elements (5)
Description A single line of an address.
Description City, town or geographical region for the mailing address.
Description State, province or analogous geographical region for mailing address
Description Postal or ZIP code for mailing address
Description The ISO 3166-1 alpha-2 country code for the mailing address.
Constraint (1)
matches: a target (value) must match the regular expression '[A-Z]{2}'.
Description An email address as defined by RFC 5322 Section 3.4.1.
Remarks
This is a contact email associated with the location.
Description Contact number by telephone.
Remarks
A phone number used to contact the location.
Attribute (1)
Description Indicates the type of phone number.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home phone number.
- office: An office phone number.
- mobile: A mobile phone number.
Description The uniform resource locator (URL) for a web site or Internet presence associated with the location.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A responsible entity which is either a person or an organization.
Constraint (1)
allowed values for prop/@name
The value must be one of the following:
- mail-stop: A mail stop associated with the party.
- office: The name or number of the party's office.
- job-title: The formal job title of a person.
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A category describing the kind of party the object describes.
Constraint (1)
allowed values
The value must be one of the following:
- person: An individual.
- organization: A group of individuals formed for a specific purpose.
Elements (11)
Description The full name of the party. This is typically the legal name associated with the party.
Description A short common name, abbreviation, or acronym for the party.
Description An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)
Attribute (1)
Description Indicates the type of external identifier.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- http://orcid.org/: The identifier is Open Researcher and Contributor ID (ORCID).
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description An email address as defined by RFC 5322 Section 3.4.1.
Remarks
This is a contact email associated with the party.
Description Contact number by telephone.
Remarks
A phone number used to contact the party.
Attribute (1)
Description Indicates the type of phone number.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home phone number.
- office: An office phone number.
- mobile: A mobile phone number.
A choice:
Description A postal address for the location.
Attribute (1)
Description Indicates the type of address.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- home: A home address.
- work: A work address.
Elements (5)
Description A single line of an address.
Description City, town or geographical region for the mailing address.
Description State, province or analogous geographical region for mailing address
Description Postal or ZIP code for mailing address
Description The ISO 3166-1 alpha-2 country code for the mailing address.
Constraint (1)
matches: a target (value) must match the regular expression '[A-Z]{2}'.
Description A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) .
Description A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
Parties of both the person or organization type can be associated with an organization using the member-of-organization.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-organizations-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Constraints (2)
index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Attribute (1)
Description A human-oriented identifier reference to roles served by the user.
Elements (4)
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Specifies one or more parties that are responsible for performing the associated role.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Used to import the OSCAL profile representing the system's control baseline.
Attribute (1)
Description A resolvable URL reference to the profile or catalog to use as the system's control baseline.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document. The
identified resource will be used instead as the target resource.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the target
resource. A relative URI will be resolved relative to the location of the document
containing the link.
If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL [profile resolution specification](https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/) to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.
While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Contains the characteristics of the system, such as its name, purpose, and security impact level.
Constraints (7)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- identity-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
- authenticator-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
- federation-assurance-level: A value of 1, 2, or 3 as defined by SP 800-63-3.
allowed values for prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value
The value must be one of the following:
- 1: As defined by SP 800-63-3.
- 2: As defined by SP 800-63-3.
- 3: As defined by SP 800-63-3.
allowed values for prop/@name
The value may be locally defined, or one of the following:
- cloud-deployment-model: The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other.
- cloud-service-model: The associated value is one of: saas, paas, iaas, or other.
allowed values for prop[@name='cloud-deployment-model']/@value
The value must be one of the following:
- public-cloud: The public cloud deployment model as defined by The NIST Definition of Cloud Computing.
- private-cloud: The private cloud deployment model as defined by The NIST Definition of Cloud Computing.
- community-cloud: The community cloud deployment model as defined by The NIST Definition of Cloud Computing.
- government-only-cloud: A specific type of community-cloud for use only by government services.
- other: Any other type of cloud deployment model that is exclusive to the other choices. The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.
allowed values for prop[@name='cloud-service-model']/@value
The value must be one of the following:
- saas: Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- paas: Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- iaas: Infrastructure as a service (IaaS) cloud service model as defined by The NIST Definition of Cloud Computing.
- other: Any other type of cloud service model that is exclusive to the other choices.
is unique for responsible-party: any target value must be unique (i.e., occur only once)
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- authorizing-official: The authorizing official for this system.
- authorizing-official-poc: The authorizing official's designated point of contact (POC) for this system.
- system-owner: The executive ultimately accountable for the system.
- system-poc-management: The primary management-level point of contact (POC) for the system.
- system-poc-technical: The primary technical point of contact (POC) for the system.
- system-poc-other: Other point of contact (POC) for the system that is not the management or technical POC.
- information-system-security-officer: The primary role responsible for ensuring the organization operates the system securely.
- privacy-poc: The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.
Elements (16)
Description A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere
in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).
This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions
of the document.
Attribute (1)
Description Identifies the identification system from which the provided identifier was assigned.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- https://fedramp.gov: **deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use http://fedramp.gov/ns/oscal instead.
- http://fedramp.gov/ns/oscal: The identifier was assigned by FedRAMP.
- https://ietf.org/rfc/rfc4122: **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://ietf.org/rfc/rfc4122 instead.
- http://ietf.org/rfc/rfc4122: A Universally Unique Identifier (UUID) as defined by RFC4122.
Description The full name of the system.
Description A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.
Description A summary of the system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description The date the system received its authorization.
Description The overall information system sensitivity categorization, such as defined by FIPS-199.
Remarks
Often, organizations require the security sensitivity level to correspond with the
highest confidentiality, integrity, or availability level identified by security-impact-level.
Description Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
Constraints (7)
allowed value for prop/@name
The value may be locally defined, or the following:
- privacy-designation: Is this a privacy sensitive system? yes or no
allowed values for prop[@name='privacy-designation']/@value
The value must be one of the following:
- yes: The system is privacy sensitive.
- no: The system is not privacy sensitive.
allowed value for link/@rel
The value must be one of the following:
- privacy-impact-assessment: A link to the privacy impact assessment.
matches for link[@rel='privacy-impact-assessment']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='privacy-impact-assessment' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for link[@rel='privacy-impact-assessment']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.
allowed values for information-type/(confidentiality-impact|integrity-impact|availability-impact)/(base|selected)
The value must be one of the following:
- fips-199-low: A 'low' sensitivity level as defined in FIPS-199.
- fips-199-moderate: A 'moderate' sensitivity level as defined in FIPS-199.
- fips-199-high: A 'high' sensitivity level as defined in FIPS-199. FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.
Elements (3)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8)
Description A human readable name for the information type. This title should be meaningful within the context of the system.
Description A summary of how this information type is used within the system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.
Attribute (1)
Description Specifies the information type identification system used.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- http://doi.org/10.6028/NIST.SP.800-60v2r1: Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1.
Element (1)
Description A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description The expected level of impact resulting from the unauthorized disclosure of the described information.
Elements (5)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description The prescribed base (Confidentiality, Integrity, or Availability) security impact level.
Description The selected (Confidentiality, Integrity, or Availability) security impact level.
Description If the selected security level is different from the base security level, this contains the justification for the change.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description The expected level of impact resulting from the unauthorized modification of the described information.
Elements (5)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description The prescribed base (Confidentiality, Integrity, or Availability) security impact level.
Description The selected (Confidentiality, Integrity, or Availability) security impact level.
Description If the selected security level is different from the base security level, this contains the justification for the change.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description The expected level of impact resulting from the disruption of access to or use of the described information or the information system.
Elements (5)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description The prescribed base (Confidentiality, Integrity, or Availability) security impact level.
Description The selected (Confidentiality, Integrity, or Availability) security impact level.
Description If the selected security level is different from the base security level, this contains the justification for the change.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
Elements (3)
Description A target-level of confidentiality for the system, based on the sensitivity of information within the system.
Description A target-level of integrity for the system, based on the sensitivity of information within the system.
Description A target-level of availability for the system, based on the sensitivity of information within the system.
Description Describes the operational status of the system.
Remarks
If 'other' is selected, a remark must be included to describe the current state.
Attribute (1)
Description The current operating status.
Constraint (1)
allowed values
The value must be one of the following:
- operational: The system is currently operating in production.
- under-development: The system is being designed, developed, or implemented
- under-major-modification: The system is undergoing a major change, development, or transition.
- disposition: The system is no longer operational.
- other: Some other state.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
Constraint (1)
is unique for diagram: any target value must be unique (i.e., occur only once)
Elements (5)
Description A summary of the system's authorization boundary.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A graphic that provides a visual representation the system, or some aspect of it.
Remarks
A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
A visual depiction of the system's authorization boundary.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- diagram: A reference to the diagram image.
matches for link[@rel='diagram']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='diagram' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for link[@rel='diagram']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5)
Description A summary of the diagram.
Remarks
This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A brief caption to annotate the diagram.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
Constraint (1)
is unique for diagram: any target value must be unique (i.e., occur only once)
Elements (5)
Description A summary of the system's network architecture.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A graphic that provides a visual representation the system, or some aspect of it.
Remarks
A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- diagram: A reference to the diagram image.
matches for link[@rel='diagram']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='diagram' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for link[@rel='diagram']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5)
Description A summary of the diagram.
Remarks
This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A brief caption to annotate the diagram.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
Constraint (1)
is unique for diagram: any target value must be unique (i.e., occur only once)
Elements (5)
Description A summary of the system's data flow.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A graphic that provides a visual representation the system, or some aspect of it.
Remarks
A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal
reference within this document containing the diagram.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- diagram: A reference to the diagram image.
matches for link[@rel='diagram']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='diagram' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for link[@rel='diagram']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5)
Description A summary of the diagram.
Remarks
This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A brief caption to annotate the diagram.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Constraints (2)
index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Attribute (1)
Description A human-oriented identifier reference to roles served by the user.
Elements (4)
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Specifies one or more parties that are responsible for performing the associated role.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Provides information as to how the system is implemented.
Constraints (13)
index for leveraged-authorization an index index-system-implementation-leveraged-authorization-uuid shall list values returned by targets leveraged-authorization using keys constructed of key field(s) @uuid
index has key for component/prop[@name='leveraged-authorization-uuid']this value must correspond to a listing in the index index-system-implementation-leveraged-authorization-uuid using a key constructed of key field(s) @value
index for component an index index-system-implementation-component-uuid shall list values returned by targets component using keys constructed of key field(s) @uuid
index has key for component/link[@rel='depends-on']this value must correspond to a listing in the index index-system-implementation-component-uuid using a key constructed of key field(s) @href
index for component[@type='validation'] an index index-system-implementation-component-uuid-validation shall list values returned by targets component[@type='validation'] using keys constructed of key field(s) @uuid
index has key for component/link[@rel='validated-by']this value must correspond to a listing in the index index-system-implementation-component-uuid-validation using a key constructed of key field(s) @href
index has key for component/link[@rel='proof-of-compliance']this value must correspond to a listing in the index index-system-implementation-component-uuid-validation using a key constructed of key field(s) @href
index for component[@type='service'] an index index-system-implementation-component-uuid-service shall list values returned by targets component[@type='service'] using keys constructed of key field(s) @uuid
index has key for component/link[@rel='uses-service']this value must correspond to a listing in the index index-system-implementation-component-uuid-service using a key constructed of key field(s) @href
index for component[@type='service'] an index index-system-implementation-component-uuid-software shall list values returned by targets component[@type='service'] using keys constructed of key field(s) @uuid
index has key for component[@type='service']/link[@rel='provided-by']this value must correspond to a listing in the index index-system-implementation-component-uuid-software using a key constructed of key field(s) @href
allowed values for (component | inventory-item)/prop[@name='allows-authenticated-scan']/@value
The value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
is unique for user: any target value must be unique (i.e., occur only once)
Elements (7)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.
Constraints (4)
allowed value for link/@rel
The value must be one of the following:
- system-security-plan: A reference to the system security plan for the leveraged authorization.
matches for link[@rel='system-security-plan']/@href[starts-with(.,'#')]: the target value must match the lexical form of the 'uri-reference' data type.
index has key for link[@rel='system-security-plan' and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for link[@rel='system-security-plan']/@href[not(starts-with(.,'#'))]: the target value must match the lexical form of the 'uri' data type.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6)
Description A human readable name for the leveraged authorization in the context of the system.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to the party that manages the leveraged system.
Description The date the system received its authorization.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A type of user that interacts with the system based on an associated role.
Remarks
Permissible values to be determined closer to the application, such as by a receiving authority.
Constraints (4)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- type: The type of user, such as internal, external, or general-public.
- privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.
allowed values for prop[@name='type']/@value
The value must be one of the following:
- internal: A user account for a person or entity that is part of the organization who owns or operates the system.
- external: A user account for a person or entity that is not part of the organization who owns or operates the system.
- general-public: A user of the system considered to be outside
allowed values for prop[@name='privilege-level']/@value
The value must be one of the following:
- privileged: This role has elevated access to the system, such as a group or system administrator.
- non-privileged: This role has typical user-level access to the system without elevated access.
- no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.
allowed values for role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (8)
Description A name given to the user, which may be used by a tool for display and navigation.
Description A short common name, abbreviation, or acronym for the user.
Description A summary of the user's purpose within the system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A human-oriented identifier reference to roles served by the user.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) .
Description Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
Elements (3)
Description A human readable name for the privilege.
Description A summary of the privilege's purpose within the system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes a function performed for a given authorized privilege by this user class.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A defined component that can be part of an implemented system.
Remarks
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type indicates which of these component types is represented.
When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific
component identifier(s) that provide and use the service respectively.
Constraints (24)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- implementation-point: Relative placement of component ('internal' or 'external') to the system.
- leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
- inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
allowed values for link/@rel
The value may be locally defined, or one of the following:
- depends-on: A reference to another component that this component has a dependency on.
- validation: A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component
- proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
- baseline-template: A reference to the baseline template used to configure the asset.
- uses-service: This service is used by the referenced component identifier.
- system-security-plan: A link to the system security plan of the external system.
- uses-network: This component uses the network provided by the identified network component.
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
allowed values for prop[@name='asset-type']/@value
The value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed values for prop[@name='allows-authenticated-scan']/@value
The value must be one of the following:
- yes: The component allows an authenticated scan.
- no: The component does not allow an authenticated scan.
allowed values for prop[@name='public']/@value
The value must be one of the following:
- yes: The component is publicly accessible.
- no: The component is not publicly accessible.
allowed values for prop[@name='virtual']/@value
The value must be one of the following:
- yes: The component is virtualized.
- no: The component is not virtualized.
allowed values for prop[@name='implementation-point']/@value
The value must be one of the following:
- internal: The component is implemented within the system boundary.
- external: The component is implemented outside the system boundary.
index has key for prop[@name='physical-location']this value must correspond to a listing in the index index-metadata-location-uuid using a key constructed of key field(s) @value
matches for prop[@name='inherited-uuid']/@value: the target value must match the lexical form of the 'uuid' data type.
matches for prop[@name='release-date']/@value: the target value must match the lexical form of the 'date' data type.
allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name
The value may be locally defined, or the following:
- vendor-name: The name of the company or organization
allowed value for (.)[@type='validation']/link/@rel
The value may be locally defined, or the following:
- validation-details: A link to an online information provided by the authorizing body.
allowed value for (.)[@type='software']/prop/@name
The value may be locally defined, or the following:
- software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.
allowed values for (.)[@type='service']/link/@rel
The value may be locally defined, or one of the following:
- provided-by: This service is provided by the referenced component identifier.
- used-by: This service is used by the referenced component identifier.
allowed values for (.)[@type='interconnection']/prop/@name
The value may be locally defined, or one of the following:
- isa-title: Title of the Interconnection Security Agreement (ISA).
- isa-date: Date of the Interconnection Security Agreement (ISA).
- isa-remote-system-name: The name of the remote interconnected system.
- ipv4-address: An Internet Protocol Version 4 interconnection address
- ipv6-address: An Internet Protocol Version 6 interconnection address
- direction: An Internet Protocol Version 6 interconnection address
allowed values for prop[@name=('ipv4-address','ipv6-address')]/@class
The value may be locally defined, or one of the following:
- local: The identified IP address is for this system.
- remote: The identified IP address is for the remote system to which this system is connected.
allowed value for (.)[@type='interconnection']/link/@rel
The value may be locally defined, or the following:
- isa-agreement: A link to the system interconnection agreement.
allowed values for (.)[@type='interconnection']/responsible-role/@role-id
The value may be locally defined, or one of the following:
- isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
- isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
- isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
- isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.
matches for prop[@name='isa-date']/@value: the target value must match the lexical form of the 'dateTime' data type.
matches for prop[@name='ipv4-address']/@value: the target value must match the lexical form of the 'ip-v4-address' data type.
matches for prop[@name='ipv6-address']/@value: the target value must match the lexical form of the 'ip-v6-address' data type.
allowed values for prop[@name='direction']/@value
The value may be locally defined, or one of the following:
- incoming: Data from the remote system flows into this system.
- outgoing: Data from this system flows to the remote system.
is unique for responsible-role: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A category describing the purpose of the component.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- this-system: The system as a whole.
- system: An external system, which may be a leveraged system or the other side of an interconnection.
- interconnection: A connection to something outside this system.
- software: Any software, operating system, or firmware.
- hardware: A physical device.
- service: A service that may provide APIs.
- policy: An enforceable policy.
- physical: A tangible asset used to provide physical protections or countermeasures.
- process-procedure: A list of steps or actions to take to achieve some end result.
- plan: An applicable plan.
- guidance: Any guideline or recommendation.
- standard: Any organizational or industry standard.
- validation: An external assessment performed on some other component, that has been validated by a third-party.
- network: A physical or virtual network.
Elements (9)
Description A human readable name for the system component.
Description A description of the component, including information about its function.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A summary of the technological or business purpose of the component.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Describes the operational status of the system component.
Attribute (1)
Description The operational status.
Constraint (1)
allowed values
The value must be one of the following:
- under-development: The component is being designed, developed, or implemented.
- operational: The component is currently operational and is available for use in the system.
- disposition: The component is no longer operational.
- other: Some other state.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Information about the protocol used to provide a service.
Remarks
Used for service components to define the protocols supported by the service.
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in
this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.
Remarks
The short name of the protocol (e.g., https).
Elements (2)
Description A human readable name for the protocol (e.g., Transport Layer Security).
Description Where applicable this is the IPv4 port range on which the service operates.
Remarks
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
Attributes (3)
Description Indicates the starting port number in a port range
Remarks
Should be a number within a permitted range
Description Indicates the ending port number in a port range
Remarks
Should be a number within a permitted range
Description Indicates the transport type.
Constraint (1)
allowed values
The value must be one of the following:
- TCP: Transmission Control Protocol
- UDP: User Datagram Protocol
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A single managed inventory item within the system.
Remarks
A set of inventory-item entries that represent the managed inventory instances of the system.
Constraints (9)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- uri: A Uniform Resource Identifier (URI) for the asset.
- serial-number: A serial number for the asset.
- netbios-name: The NetBIOS name for the asset.
- mac-address: The media access control (MAC) address for the asset.
- physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
- is-scanned: is the asset subjected to network scans? (yes/no)
- hardware-model: The model number of the hardware used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
allowed values for prop[@name='asset-type']/@value
The value must be one of the following:
- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
allowed value for (.)[@type=('software', 'hardware', 'service')]/prop/@name
The value may be locally defined, or the following:
- vendor-name: The name of the company or organization
allowed values for prop[@name='is-scanned']/@value
The value must be one of the following:
- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
allowed value for link/@rel
The value may be locally defined, or the following:
- baseline-template: A reference to the baseline template used to configure the asset.
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
index has key for responsible-partythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for responsible-partythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid
is unique for responsible-party: any target value must be unique (i.e., occur only once)
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (6)
Description A summary of the inventory item stating its purpose within the system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Constraints (2)
index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Attribute (1)
Description A human-oriented identifier reference to roles served by the user.
Elements (4)
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Specifies one or more parties that are responsible for performing the associated role.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description The set of components that are implemented in a given system inventory item.
Constraints (4)
allowed values for prop/@name
The value may be locally defined, or one of the following:
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of the component.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
has cardinality for prop[@name='asset-id'] the cardinality of prop[@name='asset-id'] is constrained: 1; maximum unbounded.
allowed values for responsible-party/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
is unique for responsible-party: any target value must be unique (i.e., occur only once)
Attribute (1)
Description A machine-oriented identifier reference to a component that is implemented as part of an inventory item.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.
Remarks
This construct is used to either: 1) associate a party or parties to a role defined
on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined
within the context of the containing inventory-item.
Constraints (2)
index has keythis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for party-uuidthis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Attribute (1)
Description A human-oriented identifier reference to roles served by the user.
Elements (4)
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Specifies one or more parties that are responsible for performing the associated role.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes how the system satisfies a set of controls.
Remarks
Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child,
this value applies in the child context.
Constraints (2)
is unique for set-parameter: any target value must be unique (i.e., occur only once)
index for implemented-requirement/by-component/export/provided an index by-component-export-provided-uuid shall list values returned by targets implemented-requirement/by-component/export/provided using keys constructed of key field(s) @uuid
Elements (3)
Description A statement describing important things to know about how this set of control satisfaction documentation is approached.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Identifies the parameter that will be set by the enclosed value.
Attribute (1)
Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation
context.
Elements (2)
Description A parameter value or set of values.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes how the system satisfies the requirements of an individual control.
Remarks
Use of set-parameter in this context, sets the parameter for the referenced control. Any set-parameter defined in a child context will override this value. If not overridden by a child,
this value applies in the child context.
Constraints (11)
allowed value for prop/@name
The value may be locally defined, or the following:
- control-origination: Identifies the source of the implemented control.
allowed values for prop[@name='control-origination']/@value
The value must be one of the following:
- organization: The control is implemented by the organization owning the system, but is not specific to the system itself.
- system-specific: The control is implemented specifically to this system.
- customer-configured: The control is provided by the system, but must be configured by the customer.
- customer-provided: The control must be implemented by the customer.
- inherited: This control is inherited from an underlying system.
allowed value for prop/@name
The value may be locally defined, or the following:
- leveraged-authorization: Indicates all or some portion of this control is inherited from an underlying authorized system.
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-role-id using a key constructed of key field(s) @role-id
index has key for responsible-role|statement/responsible-role|.//by-component//responsible-rolethis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) party-uuid
has cardinality for .//by-component the cardinality of .//by-component is constrained: 1; maximum unbounded.
is unique for set-parameter: any target value must be unique (i.e., occur only once)
is unique for responsible-role: any target value must be unique (i.e., occur only once)
is unique for statement: any target value must be unique (i.e., occur only once)
is unique for by-component: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).
Elements (7)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Identifies the parameter that will be set by the enclosed value.
Attribute (1)
Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation
context.
Elements (2)
Description A parameter value or set of values.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Identifies which statements within a control are addressed.
Constraints (3)
allowed values for responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
is unique for responsible-role: any target value must be unique (i.e., occur only once)
is unique for by-component: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A human-oriented identifier reference to a control statement.
Remarks
A reference to the specific implemented statement associated with a control.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Elements (5)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Defines how the referenced component implements a set of controls.
Remarks
Use of set-parameter in this context, sets the parameter for the control referenced in the containing
implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement.
If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component,
control, and statement (if parent).
Constraints (2)
allowed values for .//responsible-role/@role-id
The value may be locally defined, or one of the following:
- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
is unique for set-parameter: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented identifier reference to the component that is implemeting a given control.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (10)
Description An implementation statement that describes how a control or a control statement is implemented within the referenced system component.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Identifies the parameter that will be set by the enclosed value.
Attribute (1)
Description A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation
context.
Elements (2)
Description A parameter value or set of values.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Indicates the degree to which the a given control is implemented.
Remarks
The implementation-status is used to qualify the status value to indicate the degree to which the control is implemented.
Attribute (1)
Description Identifies the implementation status of the control or control objective.
Constraint (1)
allowed values
The value may be locally defined, or one of the following:
- implemented: The control is fully implemented.
- partial: The control is partially implemented.
- planned: There is a plan for implementing the control as explained in the remarks.
- alternative: There is an alternative implementation for this control as explained in the remarks.
- not-applicable: This control does not apply to this system as justified in the remarks.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Identifies content intended for external consumption, such as with leveraged organizations.
Constraints (2)
has cardinality for provided|responsibility the cardinality of provided|responsibility is constrained: 1; maximum unbounded.
index has key for responsibilitythis value must correspond to a listing in the index by-component-export-provided-uuid using a key constructed of key field(s) @provided-uuid
Elements (6)
Description An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description Describes a capability which may be inherited by a leveraging system.
Constraint (1)
is unique for responsible-role: any target value must be unique (i.e., occur only once)
Attribute (1)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Elements (5)
Description An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes a control implementation responsibility imposed on a leveraging system.
Constraint (1)
is unique for responsible-role: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.
Elements (5)
Description An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Remarks
A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes a control implementation inherited by a leveraging system.
Constraint (1)
is unique for responsible-role: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.
Elements (4)
Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Describes how this system satisfies a responsibility imposed by a leveraged system.
Constraint (1)
is unique for responsible-role: any target value must be unique (i.e., occur only once)
Attributes (2)
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere
in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported
OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions
of the document.
Description A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.
Elements (5)
description
[1]
Satisfied Control Implementation Responsibility Description
Description An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.
Remarks
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes (5)
Description A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
Description A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Description A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.
Remarks
Provides a means to segment the value space for the name, so that different organizations and individuals can assert control over the allowed
names and associated values used in a property. This allows the semantics associated
with a given name/value pair to be defined on an organization-by-organization basis.
An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.
When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.
Description Indicates the value of the attribute, characteristic, or quality.
Description A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of
multiple properties of the same object with the same name and ns.
Remarks
A class can be used in validation rules to express extra constraints over named items of
a specific class value.
Element (1)
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to a local or remote resource
Remarks
To provide a cryptographic hash for a remote target resource, a local reference to
a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Constraints (3)
matches for .[@rel=('reference') and starts-with(@href,'#')]/@href: the target value must match the lexical form of the 'uri-reference' data type.
index has key for .[@rel=('reference') and starts-with(@href,'#')]this value must correspond to a listing in the index index-back-matter-resource using a key constructed of key field(s) @href
matches for .[@rel=('reference') and not(starts-with(@href,'#'))]/@href: the target value must match the lexical form of the 'uri' data type.
Attributes (3)
Description A resolvable URL reference to a resource.
Remarks
The value of the href can be an internet resource, or a local reference using a fragment e.g. #fragment
that points to a back-matter resource in the same document.
If a local reference using a fragment is used, this will be indicated by a fragment
"#" followed by an identifier which references an identified resource in the document's back-matter or another object that is within the scope of the containing OSCAL document.
If an internet resource is used, the href value will be an absolute or relative URI pointing to the location of the referenced
resource. A relative URI will be resolved relative to the location of the document
containing the link.
Description Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.
Constraint (1)
allowed value
The value may be locally defined, or the following:
- reference: Reference
Description Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.
Remarks
The IANA Media Types Registry should be used, but currently there is no official media
type for YAML. OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name
suffix, per RFC 6838 Section 4.2.8.
The media-type provides a hint about the content model of the referenced resource. A valid entry
from the IANA Media Types registry SHOULD be used.
Element (1)
Description A textual label to associate with the link, which may be used for presentation in a tool.
Description A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or
globally (e.g., in an imported OSCAL instance).
Remarks
See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.
Constraint (1)
index has keythis value must correspond to a listing in the index index-metadata-party-uuid using a key constructed of key field(s) .
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description Additional commentary on the containing object.
Element (0+)
This use of the markup-multiline type permits unwrapped block-level markup.
Description A reference to one or more roles with responsibility for performing a function relative to the containing object.
Attribute (1)
Description A human-oriented identifier reference to roles responsible for the business function.
Elements (4)
Description An attribute, char