| AbstractOscalInstance |
|
| Action |
An action applied by a role within a given party to the content.
|
| Activity |
Identifies an assessment or related process that can be performed.
|
| Activity.Step |
Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
|
| Address |
A postal address for the location.
|
| AssessmentAssets |
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
|
| AssessmentAssets.AssessmentPlatform |
Used to represent the toolset used to perform aspects of the assessment.
|
| AssessmentAssets.AssessmentPlatform.UsesComponent |
The set of components that are used by the assessment platform.
|
| AssessmentMethod |
A local definition of a control objective.
|
| AssessmentPart |
A partition of an assessment plan or results or a child of another part.
|
| AssessmentPlan |
An assessment plan, such as those provided by a FedRAMP assessor.
|
| AssessmentPlan.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
| AssessmentPlan.TermsAndConditions |
Used to define various terms and conditions under which an assessment, described by the plan, can be performed.
|
| AssessmentResults |
Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
|
| AssessmentResults.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
| AssessmentSubject |
Identifies system elements being assessed, such as components, inventory items, and locations.
|
| AssessmentSubjectPlaceholder |
Used when the assessment subjects will be determined as part of one or more other assessment activities.
|
| AssessmentSubjectPlaceholder.Source |
Assessment subjects will be identified while conducting the referenced activity-instance.
|
| AuthorizationBoundary |
A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
|
| AuthorizedPrivilege |
Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
|
| BackMatter |
A collection of resources that may be referenced from within the OSCAL document instance.
|
| BackMatter.Resource |
A resource associated with content in the containing document instance.
|
| BackMatter.Resource.Base64 |
A resource encoded using the Base64 alphabet defined by RFC 2045.
|
| BackMatter.Resource.Citation |
An optional citation consisting of end note text using structured markup.
|
| BackMatter.Resource.Rlink |
A URL-based pointer to an external resource with an optional hash for verification and change detection.
|
| ByComponent |
Defines how the referenced component implements a set of controls.
|
| ByComponent.Export |
Identifies content intended for external consumption, such as with leveraged organizations.
|
| ByComponent.Export.Provided |
Describes a capability which may be inherited by a leveraging system.
|
| ByComponent.Export.Responsibility |
Describes a control implementation responsibility imposed on a leveraging system.
|
| ByComponent.Inherited |
Describes a control implementation inherited by a leveraging system.
|
| ByComponent.Satisfied |
Describes how this system satisfies a responsibility imposed by a leveraged system.
|
| Capability |
A grouping of other components and/or capabilities.
|
| Catalog |
|
| CatalogGroup |
A group of controls, or of groups of controls.
|
| Characterization |
A collection of descriptive data about the containing object from a specific origin.
|
| Characterization.Facet |
An individual characteristic that is part of a larger set produced by the same actor.
|
| ComponentControlImplementation |
Defines how the component or capability supports a set of controls.
|
| ComponentDefinition |
A collection of component descriptions, which may optionally be grouped by capability.
|
| ComponentImplementedRequirement |
Describes how the containing component or capability implements an individual control.
|
| ComponentStatement |
Identifies which statements within a control are addressed.
|
| Control |
A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.
|
| ControlImplementation |
Describes how the system satisfies a set of controls.
|
| ControlPart |
An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.
|
| DataFlow |
A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
|
| DefinedComponent |
A defined component that can be part of an implemented system.
|
| Diagram |
A graphic that provides a visual representation of the system, or some aspect of it.
|
| DocumentId |
A document identifier qualified by an identifier scheme.
|
| Finding |
Describes an individual finding.
|
| Finding.AssociatedRisk |
Relates the finding to a set of referenced risks that were used to determine the finding.
|
| Finding.RelatedObservation |
Relates the finding to a set of referenced observations that were used to determine the finding.
|
| FindingTarget |
Captures an assessor's conclusions regarding the degree to which an objective is satisfied.
|
| FindingTarget.Status |
A determination of whether the objective is satisfied or not within a given system.
|
| Hash |
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
|
| Impact |
The expected level of impact resulting from the described information.
|
| ImplementationStatus |
Indicates the degree to which a given control is implemented.
|
| ImplementedRequirement |
Describes how the system satisfies the requirements of an individual control.
|
| ImportAp |
Used by assessment-results to import information about the original plan for assessing the system.
|
| ImportComponentDefinition |
Loads a component definition from another resource.
|
| ImportProfile |
Used to import the OSCAL profile representing the system's control baseline.
|
| ImportSsp |
Used by the assessment plan and POA&M to import information about the system.
|
| IncludeAll |
Include all controls from the imported catalog or profile resources.
|
| IncorporatesComponent |
The collection of components comprising this capability.
|
| InsertControls |
Specifies which controls to use in the containing context.
|
| InventoryItem |
A single managed inventory item within the system.
|
| InventoryItem.ImplementedComponent |
The set of components that are implemented in a given system inventory item.
|
| Link |
A reference to a local or remote resource that has a specific relation to the containing object.
|
| LocalDefinitions |
Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or one is not delivered with the POA&M.
|
| LocalObjective |
A local definition of a control objective for this assessment.
|
| LoggedBy |
Used to indicate who created a log entry in what role.
|
| Matching |
Selecting a set of controls by matching their IDs with a wildcard pattern.
|
| Merge |
Provides structuring directives that instruct how controls are organized after profile resolution.
|
| Merge.Combine |
A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).
|
| Merge.Custom |
Provides an alternate grouping structure that selected controls will be placed in.
|
| Merge.Flat |
Directs that controls appear without any grouping structure.
|
| Metadata |
Provides information about the containing document, and defines concepts that are shared across the document.
|
| Metadata.Location |
A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.
|
| Metadata.Party |
An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.
|
| Metadata.Party.ExternalId |
An identifier for a person or organization using a designated scheme.
|
| Metadata.Revision |
An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e.
|
| Metadata.Role |
Defines a function, which might be assigned to a party in a specific situation.
|
| Modify |
Set parameters or amend controls in resolution.
|
| Modify.Alter |
Specifies changes to be made to an included control when a profile is resolved.
|
| Modify.Alter.Add |
Specifies contents to be added into controls, in resolution.
|
| Modify.Alter.Remove |
Specifies objects to be removed from a control based on specific aspects of the object that must all match.
|
| Modify.ProfileSetParameter |
A parameter setting, to be propagated to points of insertion.
|
| NetworkArchitecture |
A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
|
| Observation |
Describes an individual observation.
|
| Observation.RelevantEvidence |
Links this observation to relevant evidence.
|
| Origin |
Identifies the source of the finding, such as a tool, interviewed person, or activity.
|
| OriginActor |
The actor that produces an observation, a finding, or a risk.
|
| OscalApMetaschema |
|
| OscalArMetaschema |
|
| OscalAssessmentCommonMetaschema |
|
| OscalCatalogMetaschema |
|
| OscalCompleteMetaschema |
|
| OscalComponentDefinitionMetaschema |
|
| OscalControlCommonMetaschema |
|
| OscalImplementationCommonMetaschema |
|
| OscalMetadataMetaschema |
|
| OscalPoamMetaschema |
|
| OscalProfileMetaschema |
|
| OscalSspMetaschema |
|
| Parameter |
Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
|
| ParameterConstraint |
A formal or informal expression of a constraint or test.
|
| ParameterConstraint.Test |
A test expression which is expected to be evaluated by a tool.
|
| ParameterGuideline |
A prose statement that provides a recommendation for the use of a parameter.
|
| ParameterSelection |
Presenting a choice among alternatives.
|
| PlanOfActionAndMilestones |
A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.
|
| PoamItem |
Describes an individual POA&M item.
|
| PoamItem.AssociatedRisk |
Relates the finding to a set of referenced risks that were used to determine the finding.
|
| PoamItem.Origin |
Identifies the source of the finding, such as a tool or person.
|
| PoamItem.RelatedFinding |
Relates the poam-item to referenced finding(s).
|
| PoamItem.RelatedObservation |
Relates the poam-item to a set of referenced observations that were used to determine the finding.
|
| PortRange |
Where applicable this is the IPv4 port range on which the service operates.
|
| Profile |
Each OSCAL profile is defined by a profile element.
|
| ProfileGroup |
A group of (selected) controls or of groups of controls.
|
| ProfileImport |
Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.
|
| ProfileSelectControlById |
Select a control or controls from an imported control set.
|
| Property |
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.
|
| Protocol |
Information about the protocol used to provide a service.
|
| RelatedTask |
Identifies an individual task of which the containing object is a consequence.
|
| RelatedTask.IdentifiedSubject |
Used to detail assessment subjects that were identified by this task.
|
| Response |
Describes either a recommended or an actual plan for addressing the risk.
|
| Response.RequiredAsset |
Identifies an asset required to achieve remediation.
|
| ResponsibleParty |
A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.
|
| ResponsibleRole |
A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.
|
| Result |
Used by the assessment results and POA&M.
|
| Result.AssessmentLog |
A log of all assessment-related actions taken.
|
| Result.AssessmentLog.Entry |
Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
|
| Result.Attestation |
A set of textual statements, typically written by the assessor.
|
| Result.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
| ReviewedControls |
Identifies the controls being assessed and their control objectives.
|
| ReviewedControls.ControlObjectiveSelection |
Identifies the control objectives of the assessment.
|
| ReviewedControls.ControlSelection |
Identifies the controls being assessed.
|
| Risk |
An identified risk.
|
| Risk.MitigatingFactor |
Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
|
| Risk.RelatedObservation |
Relates the finding to a set of referenced observations that were used to determine the finding.
|
| Risk.RiskLog |
A log of all risk-related tasks taken.
|
| Risk.RiskLog.Entry |
Identifies an individual risk response that occurred as part of managing an identified risk.
|
| Risk.RiskLog.Entry.RelatedResponse |
Identifies an individual risk response that this log entry is for.
|
| SecurityImpactLevel |
The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
|
| SelectControlById |
Used to select a control for inclusion/exclusion based on one or more control identifiers.
|
| SelectObjectiveById |
Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
|
| SelectSubjectById |
Identifies a set of assessment subjects to include/exclude by UUID.
|
| SetParameter |
Identifies the parameter that will be set by the enclosed value.
|
| Statement |
Identifies which statements within a control are addressed.
|
| Status |
Describes the operational status of the system.
|
| SubjectReference |
|
| SystemCharacteristics |
Contains the characteristics of the system, such as its name, purpose, and security impact level.
|
| SystemComponent |
A defined component that can be part of an implemented system.
|
| SystemComponent.Status |
Describes the operational status of the system component.
|
| SystemId |
|
| SystemImplementation |
Provides information as to how the system is implemented.
|
| SystemImplementation.LeveragedAuthorization |
A description of another authorized system from which this system inherits capabilities that satisfy security requirements.
|
| SystemInformation |
Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
|
| SystemInformation.InformationType |
Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
|
| SystemInformation.InformationType.Categorization |
A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.
|
| SystemSecurityPlan |
A system security plan, such as those described in NIST SP 800-18.
|
| SystemUser |
A type of user that interacts with the system based on an associated role.
|
| Task |
Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
|
| Task.AssociatedActivity |
Identifies an individual activity to be performed as part of a task.
|
| Task.Dependency |
Used to indicate that a task is dependent on another task.
|
| Task.Timing |
The timing under which the task is intended to occur.
|
| Task.Timing.AtFrequency |
The task is intended to occur at the specified frequency.
|
| Task.Timing.OnDate |
The task is intended to occur on the specified date.
|
| Task.Timing.WithinDateRange |
The task is intended to occur within the specified date range.
|
| TelephoneNumber |
|
| ThreatId |
A pointer, by ID, to an externally-defined threat.
|