001package gov.nist.secauto.oscal.lib.model; 002 003import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue; 004import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues; 005import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints; 006import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly; 007import gov.nist.secauto.metaschema.binding.model.annotations.BoundField; 008import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue; 009import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag; 010import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs; 011import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique; 012import gov.nist.secauto.metaschema.binding.model.annotations.KeyField; 013import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly; 014import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints; 015import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior; 016import gov.nist.secauto.metaschema.model.common.constraint.IConstraint; 017import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter; 018import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline; 019import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter; 020import gov.nist.secauto.metaschema.model.common.util.ObjectUtils; 021import java.lang.Override; 022import java.lang.String; 023import java.util.LinkedList; 024import java.util.List; 025import java.util.UUID; 026import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle; 027import org.apache.commons.lang3.builder.ReflectionToStringBuilder; 028 029/** 030 * An assessment plan, such as those provided by a FedRAMP assessor. 031 */ 032@MetaschemaAssembly( 033 formalName = "Security Assessment Plan (SAP)", 034 description = "An assessment plan, such as those provided by a FedRAMP assessor.", 035 name = "assessment-plan", 036 metaschema = OscalApMetaschema.class, 037 rootName = "assessment-plan" 038) 039public class AssessmentPlan extends AbstractOscalInstance { 040 @BoundFlag( 041 formalName = "Assessment Plan Universally Unique Identifier", 042 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this assessment plan in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#ap-identifiers). The locally defined *UUID* of the `assessment plan` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.", 043 useName = "uuid", 044 required = true, 045 typeAdapter = UuidAdapter.class 046 ) 047 private UUID _uuid; 048 049 @BoundAssembly( 050 formalName = "Document Metadata", 051 description = "Provides information about the containing document, and defines concepts that are shared across the document.", 052 useName = "metadata", 053 minOccurs = 1 054 ) 055 private Metadata _metadata; 056 057 @BoundAssembly( 058 formalName = "Import System Security Plan", 059 description = "Used by the assessment plan and POA\\&M to import information about the system.", 060 useName = "import-ssp", 061 minOccurs = 1, 062 remarks = "Used by the SAP to import information about the system being assessed." 063 ) 064 private ImportSsp _importSsp; 065 066 /** 067 * "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP." 068 */ 069 @BoundAssembly( 070 formalName = "Local Definitions", 071 description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", 072 useName = "local-definitions" 073 ) 074 private LocalDefinitions _localDefinitions; 075 076 /** 077 * "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition." 078 */ 079 @BoundAssembly( 080 formalName = "Assessment Plan Terms and Conditions", 081 description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", 082 useName = "terms-and-conditions" 083 ) 084 private TermsAndConditions _termsAndConditions; 085 086 @BoundAssembly( 087 formalName = "Reviewed Controls and Control Objectives", 088 description = "Identifies the controls being assessed and their control objectives.", 089 useName = "reviewed-controls", 090 minOccurs = 1 091 ) 092 private ReviewedControls _reviewedControls; 093 094 @BoundAssembly( 095 formalName = "Subject of Assessment", 096 description = "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", 097 useName = "assessment-subject", 098 maxOccurs = -1 099 ) 100 @GroupAs( 101 name = "assessment-subjects", 102 inJson = JsonGroupAsBehavior.LIST 103 ) 104 private List<AssessmentSubject> _assessmentSubjects; 105 106 @BoundAssembly( 107 formalName = "Assessment Assets", 108 description = "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", 109 useName = "assessment-assets" 110 ) 111 private AssessmentAssets _assessmentAssets; 112 113 @BoundAssembly( 114 formalName = "Task", 115 description = "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", 116 useName = "task", 117 maxOccurs = -1 118 ) 119 @GroupAs( 120 name = "tasks", 121 inJson = JsonGroupAsBehavior.LIST 122 ) 123 private List<Task> _tasks; 124 125 @BoundAssembly( 126 formalName = "Back matter", 127 description = "A collection of resources that may be referenced from within the OSCAL document instance.", 128 useName = "back-matter" 129 ) 130 private BackMatter _backMatter; 131 132 public AssessmentPlan() { 133 } 134 135 public UUID getUuid() { 136 return _uuid; 137 } 138 139 public void setUuid(UUID value) { 140 _uuid = value; 141 } 142 143 public Metadata getMetadata() { 144 return _metadata; 145 } 146 147 public void setMetadata(Metadata value) { 148 _metadata = value; 149 } 150 151 public ImportSsp getImportSsp() { 152 return _importSsp; 153 } 154 155 public void setImportSsp(ImportSsp value) { 156 _importSsp = value; 157 } 158 159 public LocalDefinitions getLocalDefinitions() { 160 return _localDefinitions; 161 } 162 163 public void setLocalDefinitions(LocalDefinitions value) { 164 _localDefinitions = value; 165 } 166 167 public TermsAndConditions getTermsAndConditions() { 168 return _termsAndConditions; 169 } 170 171 public void setTermsAndConditions(TermsAndConditions value) { 172 _termsAndConditions = value; 173 } 174 175 public ReviewedControls getReviewedControls() { 176 return _reviewedControls; 177 } 178 179 public void setReviewedControls(ReviewedControls value) { 180 _reviewedControls = value; 181 } 182 183 public List<AssessmentSubject> getAssessmentSubjects() { 184 return _assessmentSubjects; 185 } 186 187 public void setAssessmentSubjects(List<AssessmentSubject> value) { 188 _assessmentSubjects = value; 189 } 190 191 /** 192 * Add a new {@link AssessmentSubject} item to the underlying collection. 193 * @param item the item to add 194 * @return {@code true} 195 */ 196 public boolean addAssessmentSubject(AssessmentSubject item) { 197 AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null"); 198 if (_assessmentSubjects == null) { 199 _assessmentSubjects = new LinkedList<>(); 200 } 201 return _assessmentSubjects.add(value); 202 } 203 204 /** 205 * Remove the first matching {@link AssessmentSubject} item from the underlying collection. 206 * @param item the item to remove 207 * @return {@code true} if the item was removed or {@code false} otherwise 208 */ 209 public boolean removeAssessmentSubject(AssessmentSubject item) { 210 AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null"); 211 return _assessmentSubjects == null ? false : _assessmentSubjects.remove(value); 212 } 213 214 public AssessmentAssets getAssessmentAssets() { 215 return _assessmentAssets; 216 } 217 218 public void setAssessmentAssets(AssessmentAssets value) { 219 _assessmentAssets = value; 220 } 221 222 public List<Task> getTasks() { 223 return _tasks; 224 } 225 226 public void setTasks(List<Task> value) { 227 _tasks = value; 228 } 229 230 /** 231 * Add a new {@link Task} item to the underlying collection. 232 * @param item the item to add 233 * @return {@code true} 234 */ 235 public boolean addTask(Task item) { 236 Task value = ObjectUtils.requireNonNull(item,"item cannot be null"); 237 if (_tasks == null) { 238 _tasks = new LinkedList<>(); 239 } 240 return _tasks.add(value); 241 } 242 243 /** 244 * Remove the first matching {@link Task} item from the underlying collection. 245 * @param item the item to remove 246 * @return {@code true} if the item was removed or {@code false} otherwise 247 */ 248 public boolean removeTask(Task item) { 249 Task value = ObjectUtils.requireNonNull(item,"item cannot be null"); 250 return _tasks == null ? false : _tasks.remove(value); 251 } 252 253 public BackMatter getBackMatter() { 254 return _backMatter; 255 } 256 257 public void setBackMatter(BackMatter value) { 258 _backMatter = value; 259 } 260 261 @Override 262 public String toString() { 263 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 264 } 265 266 /** 267 * Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition. 268 */ 269 @MetaschemaAssembly( 270 formalName = "Assessment Plan Terms and Conditions", 271 description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", 272 name = "terms-and-conditions", 273 metaschema = OscalApMetaschema.class 274 ) 275 @ValueConstraints( 276 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "rules-of-engagement", description = "Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment."), @AllowedValue(value = "disclosures", description = "Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure."), @AllowedValue(value = "assessment-inclusions", description = "Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment."), @AllowedValue(value = "assessment-exclusions", description = "Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment."), @AllowedValue(value = "results-delivery", description = "Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom."), @AllowedValue(value = "assumptions", description = "Defines any supposition made by the assessor. Has child 'item' parts for each assumption."), @AllowedValue(value = "methodology", description = "An explanation of practices, procedures, and rules used in the course of the assessment.")}) 277 ) 278 public static class TermsAndConditions { 279 @BoundAssembly( 280 formalName = "Assessment Part", 281 description = "A partition of an assessment plan or results or a child of another part.", 282 useName = "part", 283 maxOccurs = -1 284 ) 285 @GroupAs( 286 name = "parts", 287 inJson = JsonGroupAsBehavior.LIST 288 ) 289 private List<AssessmentPart> _parts; 290 291 public TermsAndConditions() { 292 } 293 294 public List<AssessmentPart> getParts() { 295 return _parts; 296 } 297 298 public void setParts(List<AssessmentPart> value) { 299 _parts = value; 300 } 301 302 /** 303 * Add a new {@link AssessmentPart} item to the underlying collection. 304 * @param item the item to add 305 * @return {@code true} 306 */ 307 public boolean addPart(AssessmentPart item) { 308 AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null"); 309 if (_parts == null) { 310 _parts = new LinkedList<>(); 311 } 312 return _parts.add(value); 313 } 314 315 /** 316 * Remove the first matching {@link AssessmentPart} item from the underlying collection. 317 * @param item the item to remove 318 * @return {@code true} if the item was removed or {@code false} otherwise 319 */ 320 public boolean removePart(AssessmentPart item) { 321 AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null"); 322 return _parts == null ? false : _parts.remove(value); 323 } 324 325 @Override 326 public String toString() { 327 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 328 } 329 } 330 331 /** 332 * Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. 333 */ 334 @MetaschemaAssembly( 335 formalName = "Local Definitions", 336 description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", 337 name = "local-definitions", 338 metaschema = OscalApMetaschema.class 339 ) 340 @AssemblyConstraints( 341 isUnique = { 342 @IsUnique(id = "unique-ap-local-definitions-component", level = IConstraint.Level.ERROR, target = "component", keyFields = @KeyField(target = "@uuid"), remarks = "Since multiple `component` entries can be provided, each component must have a unique `uuid`."), 343 @IsUnique(id = "unique-ap-local-definitions-user", level = IConstraint.Level.ERROR, target = "user", keyFields = @KeyField(target = "@uuid"), remarks = "A given `uuid` must be assigned only once to a user.") 344 } 345 ) 346 public static class LocalDefinitions { 347 @BoundAssembly( 348 formalName = "Component", 349 description = "A defined component that can be part of an implemented system.", 350 useName = "component", 351 maxOccurs = -1, 352 remarks = "Used to add any components, not defined via the System Security Plan (AR-\\>AP-\\>SSP)" 353 ) 354 @GroupAs( 355 name = "components", 356 inJson = JsonGroupAsBehavior.LIST 357 ) 358 private List<SystemComponent> _components; 359 360 @BoundAssembly( 361 formalName = "Inventory Item", 362 description = "A single managed inventory item within the system.", 363 useName = "inventory-item", 364 maxOccurs = -1, 365 remarks = "Used to add any inventory-items, not defined via the System Security Plan (AR-\\>AP-\\>SSP)" 366 ) 367 @GroupAs( 368 name = "inventory-items", 369 inJson = JsonGroupAsBehavior.LIST 370 ) 371 private List<InventoryItem> _inventoryItems; 372 373 @BoundAssembly( 374 formalName = "System User", 375 description = "A type of user that interacts with the system based on an associated role.", 376 useName = "user", 377 maxOccurs = -1, 378 remarks = "Used to add any users, not defined via the System Security Plan (AR-\\>AP-\\>SSP)" 379 ) 380 @GroupAs( 381 name = "users", 382 inJson = JsonGroupAsBehavior.LIST 383 ) 384 private List<SystemUser> _users; 385 386 @BoundAssembly( 387 formalName = "Assessment-Specific Control Objective", 388 description = "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", 389 useName = "objectives-and-methods", 390 maxOccurs = -1 391 ) 392 @GroupAs( 393 name = "objectives-and-methods", 394 inJson = JsonGroupAsBehavior.LIST 395 ) 396 private List<LocalObjective> _objectivesAndMethods; 397 398 @BoundAssembly( 399 formalName = "Activity", 400 description = "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", 401 useName = "activity", 402 maxOccurs = -1 403 ) 404 @GroupAs( 405 name = "activities", 406 inJson = JsonGroupAsBehavior.LIST 407 ) 408 private List<Activity> _activities; 409 410 @BoundField( 411 formalName = "Remarks", 412 description = "Additional commentary about the containing object.", 413 useName = "remarks" 414 ) 415 @BoundFieldValue( 416 typeAdapter = MarkupMultilineAdapter.class 417 ) 418 private MarkupMultiline _remarks; 419 420 public LocalDefinitions() { 421 } 422 423 public List<SystemComponent> getComponents() { 424 return _components; 425 } 426 427 public void setComponents(List<SystemComponent> value) { 428 _components = value; 429 } 430 431 /** 432 * Add a new {@link SystemComponent} item to the underlying collection. 433 * @param item the item to add 434 * @return {@code true} 435 */ 436 public boolean addComponent(SystemComponent item) { 437 SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null"); 438 if (_components == null) { 439 _components = new LinkedList<>(); 440 } 441 return _components.add(value); 442 } 443 444 /** 445 * Remove the first matching {@link SystemComponent} item from the underlying collection. 446 * @param item the item to remove 447 * @return {@code true} if the item was removed or {@code false} otherwise 448 */ 449 public boolean removeComponent(SystemComponent item) { 450 SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null"); 451 return _components == null ? false : _components.remove(value); 452 } 453 454 public List<InventoryItem> getInventoryItems() { 455 return _inventoryItems; 456 } 457 458 public void setInventoryItems(List<InventoryItem> value) { 459 _inventoryItems = value; 460 } 461 462 /** 463 * Add a new {@link InventoryItem} item to the underlying collection. 464 * @param item the item to add 465 * @return {@code true} 466 */ 467 public boolean addInventoryItem(InventoryItem item) { 468 InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null"); 469 if (_inventoryItems == null) { 470 _inventoryItems = new LinkedList<>(); 471 } 472 return _inventoryItems.add(value); 473 } 474 475 /** 476 * Remove the first matching {@link InventoryItem} item from the underlying collection. 477 * @param item the item to remove 478 * @return {@code true} if the item was removed or {@code false} otherwise 479 */ 480 public boolean removeInventoryItem(InventoryItem item) { 481 InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null"); 482 return _inventoryItems == null ? false : _inventoryItems.remove(value); 483 } 484 485 public List<SystemUser> getUsers() { 486 return _users; 487 } 488 489 public void setUsers(List<SystemUser> value) { 490 _users = value; 491 } 492 493 /** 494 * Add a new {@link SystemUser} item to the underlying collection. 495 * @param item the item to add 496 * @return {@code true} 497 */ 498 public boolean addUser(SystemUser item) { 499 SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null"); 500 if (_users == null) { 501 _users = new LinkedList<>(); 502 } 503 return _users.add(value); 504 } 505 506 /** 507 * Remove the first matching {@link SystemUser} item from the underlying collection. 508 * @param item the item to remove 509 * @return {@code true} if the item was removed or {@code false} otherwise 510 */ 511 public boolean removeUser(SystemUser item) { 512 SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null"); 513 return _users == null ? false : _users.remove(value); 514 } 515 516 public List<LocalObjective> getObjectivesAndMethods() { 517 return _objectivesAndMethods; 518 } 519 520 public void setObjectivesAndMethods(List<LocalObjective> value) { 521 _objectivesAndMethods = value; 522 } 523 524 /** 525 * Add a new {@link LocalObjective} item to the underlying collection. 526 * @param item the item to add 527 * @return {@code true} 528 */ 529 public boolean addObjectivesAndMethods(LocalObjective item) { 530 LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null"); 531 if (_objectivesAndMethods == null) { 532 _objectivesAndMethods = new LinkedList<>(); 533 } 534 return _objectivesAndMethods.add(value); 535 } 536 537 /** 538 * Remove the first matching {@link LocalObjective} item from the underlying collection. 539 * @param item the item to remove 540 * @return {@code true} if the item was removed or {@code false} otherwise 541 */ 542 public boolean removeObjectivesAndMethods(LocalObjective item) { 543 LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null"); 544 return _objectivesAndMethods == null ? false : _objectivesAndMethods.remove(value); 545 } 546 547 public List<Activity> getActivities() { 548 return _activities; 549 } 550 551 public void setActivities(List<Activity> value) { 552 _activities = value; 553 } 554 555 /** 556 * Add a new {@link Activity} item to the underlying collection. 557 * @param item the item to add 558 * @return {@code true} 559 */ 560 public boolean addActivity(Activity item) { 561 Activity value = ObjectUtils.requireNonNull(item,"item cannot be null"); 562 if (_activities == null) { 563 _activities = new LinkedList<>(); 564 } 565 return _activities.add(value); 566 } 567 568 /** 569 * Remove the first matching {@link Activity} item from the underlying collection. 570 * @param item the item to remove 571 * @return {@code true} if the item was removed or {@code false} otherwise 572 */ 573 public boolean removeActivity(Activity item) { 574 Activity value = ObjectUtils.requireNonNull(item,"item cannot be null"); 575 return _activities == null ? false : _activities.remove(value); 576 } 577 578 public MarkupMultiline getRemarks() { 579 return _remarks; 580 } 581 582 public void setRemarks(MarkupMultiline value) { 583 _remarks = value; 584 } 585 586 @Override 587 public String toString() { 588 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 589 } 590 } 591}