AbstractOscalInstance |
|
Action |
An action applied by a role within a given party to the content.
|
Activity |
Identifies an assessment or related process that can be performed.
|
Activity.Step |
Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
|
Address |
A postal address for the location.
|
AssessmentAssets |
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
|
AssessmentAssets.AssessmentPlatform |
Used to represent the toolset used to perform aspects of the assessment.
|
AssessmentAssets.AssessmentPlatform.UsesComponent |
The set of components that are used by the assessment platform.
|
AssessmentPart |
A partition of an assessment plan or results or a child of another part.
|
AssessmentPlan.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
AssessmentPlan.TermsAndConditions |
Used to define various terms and conditions under which an assessment, described by the plan, can be performed.
|
AssessmentResults.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
AssessmentSubject |
Identifies system elements being assessed, such as components, inventory items, and locations.
|
AssessmentSubjectPlaceholder.Source |
Assessment subjects will be identified while conducting the referenced activity-instance.
|
AuthorizationBoundary |
A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
|
AuthorizedPrivilege |
Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
|
BackMatter |
A collection of resources that may be referenced from within the OSCAL document instance.
|
BackMatter.Resource |
A resource associated with content in the containing document instance.
|
BackMatter.Resource.Base64 |
A resource encoded using the Base64 alphabet defined by RFC 2045.
|
BackMatter.Resource.Citation |
An optional citation consisting of end note text using structured markup.
|
BackMatter.Resource.Rlink |
A URL-based pointer to an external resource with an optional hash for verification and change detection.
|
ByComponent |
Defines how the referenced component implements a set of controls.
|
ByComponent.Export |
Identifies content intended for external consumption, such as with leveraged organizations.
|
ByComponent.Export.Provided |
Describes a capability which may be inherited by a leveraging system.
|
ByComponent.Export.Responsibility |
Describes a control implementation responsibility imposed on a leveraging system.
|
ByComponent.Inherited |
Describes a control implementation inherited by a leveraging system.
|
ByComponent.Satisfied |
Describes how this system satisfies a responsibility imposed by a leveraged system.
|
Capability |
A grouping of other components and/or capabilities.
|
CatalogGroup |
A group of controls, or of groups of controls.
|
Characterization |
A collection of descriptive data about the containing object from a specific origin.
|
Characterization.Facet |
An individual characteristic that is part of a larger set produced by the same actor.
|
ComponentControlImplementation |
Defines how the component or capability supports a set of controls.
|
ComponentImplementedRequirement |
Describes how the containing component or capability implements an individual control.
|
ComponentStatement |
Identifies which statements within a control are addressed.
|
Control |
A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.
|
ControlImplementation |
Describes how the system satisfies a set of controls.
|
ControlPart |
An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.
|
DataFlow |
A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
|
DefinedComponent |
A defined component that can be part of an implemented system.
|
Diagram |
A graphic that provides a visual representation of the system, or some aspect of it.
|
DocumentId |
A document identifier qualified by an identifier scheme.
|
Finding |
Describes an individual finding.
|
Finding.AssociatedRisk |
Relates the finding to a set of referenced risks that were used to determine the finding.
|
Finding.RelatedObservation |
Relates the finding to a set of referenced observations that were used to determine the finding.
|
FindingTarget |
Captures an assessor's conclusions regarding the degree to which an objective is satisfied.
|
FindingTarget.Status |
A determination of whether the objective is satisfied or not within a given system.
|
Hash |
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
|
Impact |
The expected level of impact resulting from the described information.
|
ImplementationStatus |
Indicates the degree to which a given control is implemented.
|
ImplementedRequirement |
Describes how the system satisfies the requirements of an individual control.
|
ImportAp |
Used by assessment-results to import information about the original plan for assessing the system.
|
ImportComponentDefinition |
Loads a component definition from another resource.
|
ImportProfile |
Used to import the OSCAL profile representing the system's control baseline.
|
ImportSsp |
Used by the assessment plan and POA&M to import information about the system.
|
IncludeAll |
Include all controls from the imported catalog or profile resources.
|
IncorporatesComponent |
The collection of components comprising this capability.
|
InsertControls |
Specifies which controls to use in the containing context.
|
InventoryItem |
A single managed inventory item within the system.
|
InventoryItem.ImplementedComponent |
The set of components that are implemented in a given system inventory item.
|
IOscalInstance |
|
Link |
A reference to a local or remote resource that has a specific relation to the containing object.
|
LocalDefinitions |
Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.
|
LocalObjective |
A local definition of a control objective for this assessment.
|
LoggedBy |
Used to indicate who created a log entry in what role.
|
Matching |
Selecting a set of controls by matching their IDs with a wildcard pattern.
|
Merge |
Provides structuring directives that instruct how controls are organized after profile resolution.
|
Merge.Combine |
A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).
|
Merge.Custom |
Provides an alternate grouping structure that selected controls will be placed in.
|
Merge.Flat |
Directs that controls appear without any grouping structure.
|
Metadata |
Provides information about the containing document, and defines concepts that are shared across the document.
|
Metadata.Location |
A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.
|
Metadata.Party |
An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.
|
Metadata.Party.ExternalId |
An identifier for a person or organization using a designated scheme.
|
Metadata.Revision |
An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e.
|
Metadata.Role |
Defines a function, which might be assigned to a party in a specific situation.
|
Modify |
Set parameters or amend controls in resolution.
|
Modify.Alter |
Specifies changes to be made to an included control when a profile is resolved.
|
Modify.Alter.Add |
Specifies contents to be added into controls, in resolution.
|
Modify.Alter.Remove |
Specifies objects to be removed from a control based on specific aspects of the object that must all match.
|
Modify.ProfileSetParameter |
A parameter setting, to be propagated to points of insertion.
|
NetworkArchitecture |
A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
|
Observation |
Describes an individual observation.
|
Observation.RelevantEvidence |
Links this observation to relevant evidence.
|
Origin |
Identifies the source of the finding, such as a tool, interviewed person, or activity.
|
OriginActor |
The actor that produces an observation, a finding, or a risk.
|
Parameter |
Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
|
ParameterConstraint |
A formal or informal expression of a constraint or test.
|
ParameterConstraint.Test |
A test expression which is expected to be evaluated by a tool.
|
ParameterGuideline |
A prose statement that provides a recommendation for the use of a parameter.
|
ParameterSelection |
Presenting a choice among alternatives.
|
PoamItem |
Describes an individual POA&M item.
|
PoamItem.AssociatedRisk |
Relates the finding to a set of referenced risks that were used to determine the finding.
|
PoamItem.Origin |
Identifies the source of the finding, such as a tool or person.
|
PoamItem.RelatedFinding |
Relates the poam-item to referenced finding(s).
|
PoamItem.RelatedObservation |
Relates the poam-item to a set of referenced observations that were used to determine the finding.
|
PortRange |
Where applicable this is the IPv4 port range on which the service operates.
|
ProfileGroup |
A group of (selected) controls or of groups of controls.
|
ProfileImport |
Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.
|
ProfileSelectControlById |
Select a control or controls from an imported control set.
|
Property |
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.
|
Protocol |
Information about the protocol used to provide a service.
|
RelatedTask |
Identifies an individual task of which the containing object is a consequence.
|
RelatedTask.IdentifiedSubject |
Used to detail assessment subjects that were identified by this task.
|
Response |
Describes either a recommended or an actual plan for addressing the risk.
|
Response.RequiredAsset |
Identifies an asset required to achieve remediation.
|
ResponsibleParty |
A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.
|
ResponsibleRole |
A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.
|
Result |
Used by the assessment results and POA&M.
|
Result.AssessmentLog |
A log of all assessment-related actions taken.
|
Result.AssessmentLog.Entry |
Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
|
Result.Attestation |
A set of textual statements, typically written by the assessor.
|
Result.LocalDefinitions |
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
|
ReviewedControls |
Identifies the controls being assessed and their control objectives.
|
ReviewedControls.ControlObjectiveSelection |
Identifies the control objectives of the assessment.
|
ReviewedControls.ControlSelection |
Identifies the controls being assessed.
|
Risk |
An identified risk.
|
Risk.MitigatingFactor |
Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
|
Risk.RelatedObservation |
Relates the finding to a set of referenced observations that were used to determine the finding.
|
Risk.RiskLog |
A log of all risk-related tasks taken.
|
Risk.RiskLog.Entry |
Identifies an individual risk response that occurred as part of managing an identified risk.
|
Risk.RiskLog.Entry.RelatedResponse |
Identifies an individual risk response that this log entry is for.
|
SecurityImpactLevel |
The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
|
SelectControlById |
Used to select a control for inclusion/exclusion based on one or more control identifiers.
|
SelectObjectiveById |
Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
|
SelectSubjectById |
Identifies a set of assessment subjects to include/exclude by UUID.
|
SetParameter |
Identifies the parameter that will be set by the enclosed value.
|
Statement |
Identifies which statements within a control are addressed.
|
Status |
Describes the operational status of the system.
|
SubjectReference |
|
SystemCharacteristics |
Contains the characteristics of the system, such as its name, purpose, and security impact level.
|
SystemComponent |
A defined component that can be part of an implemented system.
|
SystemComponent.Status |
Describes the operational status of the system component.
|
SystemId |
|
SystemImplementation |
Provides information as to how the system is implemented.
|
SystemImplementation.LeveragedAuthorization |
A description of another authorized system from which this system inherits capabilities that satisfy security requirements.
|
SystemInformation |
Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
|
SystemInformation.InformationType |
Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
|
SystemInformation.InformationType.Categorization |
A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.
|
SystemUser |
A type of user that interacts with the system based on an associated role.
|
Task |
Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
|
Task.AssociatedActivity |
Identifies an individual activity to be performed as part of a task.
|
Task.Dependency |
Used to indicate that a task is dependent on another task.
|
Task.Timing |
The timing under which the task is intended to occur.
|
Task.Timing.AtFrequency |
The task is intended to occur at the specified frequency.
|
Task.Timing.OnDate |
The task is intended to occur on the specified date.
|
Task.Timing.WithinDateRange |
The task is intended to occur within the specified date range.
|
TelephoneNumber |
|
ThreatId |
A pointer, by ID, to an externally-defined threat.
|